1. Parties & roles

You are the Data Controller. Zinerge Limited is the Data Processor. Where we sub-contract any processing (for example, to a hosting or AI sub-processor), we remain accountable for that sub-processor’s compliance.

2. Scope

This DPA governs all personal data we process on your behalf during an engagement. Categories of data, data subjects, and processing activities are defined in Annex A of the signed DPA.

3. Sub-processors

Current sub-processors include Anthropic (Claude API), OpenAI (where contracted), AWS (hosting, London region by default), Cloudflare (CDN/WAF), Stripe (billing), and Postmark (email). We maintain a sub-processor register; you may opt out of any sub-processor at engagement start.

4. Security

Technical and organisational measures are detailed in our security pack, available on request. See also our Trust & Security page.

5. Data subject rights

We support you in fulfilling data-subject requests (access, rectification, erasure, portability) within 5 business days of your request.

6. Breach notification

We notify you of any personal data breach within 24 hours of becoming aware. We assist with regulator notification where applicable.

7. End of engagement

On termination, we return or delete all personal data within 30 days. A certificate of destruction is provided on request.