Last updated: 2026-04-28
This Data Processing Agreement ("DPA") supplements the Zen Forms Terms of Use and applies whenever Zen Forms processes personal data on your behalf as a Processor under GDPR Art. 28 (or equivalent laws like UK GDPR / Swiss FADP). For B2C customers, our Privacy Policy is the controlling document — this DPA is intended for B2B / enterprise relationships.
You ("Controller") determine the purposes and means of processing the personal data covered by this DPA. Zen Software LLC ("Processor") processes that data only on your documented instructions, including those embedded in your use of the Service. Processing is limited to the duration of the underlying subscription, plus the retention windows in our Privacy Policy.
Categories: identifiers (name, email), authentication data, content you upload to the Service, content respondents submit through tests you publish, derived AI outputs, billing and account metadata. Data subjects: your end users, your respondents, your team members.
You authorise the sub-processors listed at /sub-processors. We will give 30 days' notice before adding a sub-processor that materially changes the processing scope. You may object in writing within that window; if we cannot accommodate your objection, you may terminate the affected portion of the Service for a pro-rata refund.
We maintain commercially reasonable technical and organisational measures: encryption in transit (TLS 1.2+), encryption at rest for production databases, role-based access, audit logging, vendor diligence, and incident-response procedures. Material changes to our security posture will not weaken these baselines.
We assist you, at your reasonable expense, with responding to data-subject requests (access, deletion, portability, etc.). We will notify you without undue delay — and within 72 hours where feasible — of any confirmed personal data breach affecting your data.
When personal data is transferred outside the EEA / UK / Switzerland, we rely on the EU Standard Contractual Clauses (2021/914, Module 2) plus supplementary measures as needed. The UK Addendum and Swiss equivalents are incorporated where applicable.
Want a counter-signed PDF?
Email [email protected] with your company's full legal name, registered address, and the email of the signatory. We typically counter-sign within five business days.