Data Processing Agreement
How ZeroBot processes personal data on behalf of our customers.
legal@zerobot.info; ZeroBot will countersign without material modification to this published version.
1. Parties and Roles
Processor: ZeroBot (once incorporated: ZeroBot Ltd, company registered in England and Wales). Referred to in this DPA as "ZeroBot".
Controller: The customer entering into the Terms of Service (referred to as the "Customer"). In relation to end-user personal data processed through the Services, the Customer is the data controller and ZeroBot is the data processor acting on the Customer's documented instructions.
2. Subject Matter, Duration, Nature, and Purpose
| Subject matter | Processing of personal data of end-users who interact with Customer's websites, APIs, or content protected by the Services. |
|---|---|
| Duration | The term of the Customer's subscription, plus the retention periods set out in section 12. |
| Nature of processing | Collection, inspection, scoring, logging, and conditional blocking of network requests for bot / fraud detection and access control. |
| Purpose | Providing the Services to the Customer: detecting and mitigating automated traffic, abuse, and fraud. |
3. Categories of Personal Data
- Network identifiers: IP addresses, autonomous-system numbers (ASN), referring URL.
- Device signals: user-agent string, HTTP headers, TLS fingerprints, browser fingerprint signals (canvas, WebGL, fonts), device characteristics.
- Behavioural signals: timestamps, request frequency, geographic inferences derived from IP.
- Scoring output: bot-risk score, classification, reason codes, action taken.
ZeroBot does not intentionally collect special-category data (as defined in Article 9 UK GDPR) and instructs Customers not to route special-category data through the Services except as strictly necessary and with a valid lawful basis.
4. Categories of Data Subjects
- Visitors to Customer's websites, APIs, and applications protected by the Services.
- The Customer's own personnel who administer their ZeroBot account (dashboard account data).
5. Obligations of ZeroBot as Processor
ZeroBot shall:
- Process personal data only on the Customer's documented instructions, including with regard to international transfers, unless required to do so by applicable law. Where such a legal requirement applies, ZeroBot will inform the Customer of that requirement before processing, unless the law prohibits such notification on important grounds of public interest.
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with section 7.
- Use sub-processors only in accordance with section 8.
- Assist the Customer, taking into account the nature of the processing, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) through appropriate technical and organisational measures.
- Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation).
- At the Customer's choice, delete or return all personal data at the end of the provision of Services, and delete existing copies, unless applicable law requires storage.
- Make available to the Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in section 11.
6. Customer Responsibilities
The Customer warrants that it has a valid lawful basis under Article 6 UK GDPR (and Article 9 where applicable) for the processing instructed, has provided appropriate notice to data subjects, and has obtained consents where required. The Customer is responsible for the accuracy of personal data it directs ZeroBot to process.
7. Security Measures
ZeroBot implements the following technical and organisational measures (see Annex A at the bottom of this page for detail):
- Encryption in transit (TLS 1.2+) for all API traffic; encryption at rest for personal data stores.
- Role-based access control with least-privilege principles; MFA required for administrative access.
- Isolation of production and non-production environments.
- Centralised logging and monitoring with tamper-evident audit trails.
- Regular vulnerability scanning and periodic third-party penetration testing.
- Documented incident-response procedures, tested at least annually.
- Personnel security screening and mandatory data-protection training on hire and annually.
8. Sub-processors
The Customer grants ZeroBot a general authorisation to engage sub-processors subject to the conditions in this section. ZeroBot will maintain a current list of sub-processors under "Current Sub-processors" below. ZeroBot will notify the Customer of any intended addition or replacement at least thirty (30) days in advance by email or dashboard notice, and the Customer may reasonably object on data-protection grounds within that period. If the objection cannot be resolved, the Customer may terminate the affected Services on written notice.
ZeroBot will impose data-protection obligations on each sub-processor that are substantially the same as those in this DPA and remains fully liable for each sub-processor's performance.
Current Sub-processors
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Cloud infrastructure provider | Compute, storage, managed database for production Services | European Union |
| CDN / edge provider | Request routing, DDoS protection at the edge | Global (EEA-resident data where possible) |
| Email service provider | Transactional email (account, security, billing notifications) | European Union |
| Payment processor | Billing, invoicing, payment card processing (PCI DSS compliant) | European Union / United States |
| Observability / logging | Application monitoring and error reporting | European Union |
9. International Data Transfers
Where personal data is transferred outside the UK or EEA, ZeroBot relies on one of the following transfer mechanisms: (a) an adequacy decision by the UK Secretary of State or European Commission; (b) the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses; (c) the EU Standard Contractual Clauses (2021/914) as applicable. These transfer mechanisms are incorporated into this DPA by reference and apply automatically where relevant.
10. Data Breach Notification
ZeroBot will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal-data breach affecting Customer data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, measures taken or proposed to address the breach, and a contact point for further information. ZeroBot will cooperate with the Customer's reasonable efforts to investigate and mitigate the breach.
11. Audit Rights
ZeroBot will, on reasonable written request by the Customer and no more than once per year (unless otherwise required following a confirmed breach or regulatory request), make available information necessary to demonstrate compliance with this DPA. Where available, ZeroBot may discharge this obligation by providing the most recent SOC 2 or ISO 27001 audit report, or equivalent. On-site audits may be conducted by the Customer or a mutually agreed independent auditor subject to reasonable confidentiality obligations, during business hours, and with at least thirty (30) days' notice, at the Customer's expense.
12. Retention, Return, and Deletion
During the term, personal data is retained only as long as necessary for the purpose of the Services:
- Network-request log data: up to 90 days unless the Customer configures a longer retention window.
- Aggregated analytics: up to 24 months.
- Dashboard account data: for the duration of the account plus 30 days for recovery.
Following termination, ZeroBot will delete or, at the Customer's choice, return all personal data within thirty (30) days, subject to any retention required by applicable law (e.g. financial records). Backups are purged on the normal backup-expiration schedule, not exceeding 90 days.
13. Liability and Indemnity
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where applicable law prohibits such limitation for data-protection matters.
14. Order of Precedence
In the event of conflict between this DPA and any other agreement between the parties, this DPA prevails with respect to personal data protection. The Standard Contractual Clauses / UK IDTA, where they apply, prevail over any conflicting term of this DPA.
15. Governing Law
This DPA is governed by the laws of England and Wales and is subject to the jurisdiction clause set out in the Terms of Service.
16. Contact
Data protection enquiries and DPA execution: legal@zerobot.info
Data-breach notifications (customer-initiated): legal@zerobot.info
Annex A — Technical and Organisational Measures
- Access control: Role-based access control, least-privilege, MFA for administrative access, quarterly access reviews.
- Encryption: TLS 1.2+ in transit, AES-256 at rest for personal-data stores.
- Network security: Firewalled production network, DDoS mitigation, WAF on customer-facing APIs.
- Application security: Code review, static analysis, dependency scanning, annual third-party penetration test.
- Backup and recovery: Encrypted daily backups, tested restore procedures, defined RTO / RPO.
- Logging and monitoring: Centralised logs with integrity protection, anomaly alerting, on-call rotation.
- Incident response: Documented IR plan, annual tabletop exercises, 72-hour breach notification commitment.
- Physical security: Data processed exclusively in SOC 2 / ISO 27001-certified cloud data centres.
- Personnel: Background screening where permitted, confidentiality agreements, security and data-protection training on hire and annually.
- Vendor management: Data-protection due diligence on every sub-processor, contractual flow-down of obligations.