This Data Processing Agreement ("DPA") forms part of the services agreement between Zentrovia Solutions Private Limited ("Zentrovia", the "Processor") and the customer (the "Controller") under which Zentrovia processes personal data on behalf of the Controller. This public version describes the terms Zentrovia will offer; the executed DPA between the parties shall prevail in case of conflict.
1. Definitions
Terms not defined here have the meaning given in the EU General Data Protection Regulation ("GDPR") or other applicable data protection law. "Personal Data" means any information relating to an identified or identifiable natural person processed by Zentrovia on the Controller's behalf.
2. Scope and Roles
The Controller determines the purposes and means of processing. Zentrovia acts as Processor and processes Personal Data only on the Controller's documented instructions, unless required to do otherwise by applicable law.
3. Subject Matter, Duration, Nature and Purpose
- Subject matter: provision of the services under the services agreement.
- Duration: the term of the services agreement, plus any post-termination period required for return or deletion of Personal Data.
- Nature and purpose: hosting, storage, processing, and delivery of the Controller's content and user interactions within the agreed services.
- Categories of data subjects: the Controller's end-users, employees, contractors, members, readers, and contacts as applicable.
- Categories of Personal Data: contact details, account credentials, usage data, content submitted by users, and any further categories specified in the services agreement.
4. Obligations of Zentrovia as Processor
Zentrovia shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are under an obligation of confidentiality.
- Implement appropriate technical and organizational measures to protect Personal Data (see Section 7).
- Assist the Controller in responding to data-subject rights requests.
- Assist the Controller with data protection impact assessments and regulator consultations where applicable.
- At the Controller's choice, return or delete all Personal Data after the end of service provision, unless retention is required by law.
- Make available information necessary to demonstrate compliance with these obligations and allow for audits as described in Section 9.
5. Sub-processors
The Controller grants Zentrovia general authorization to engage sub-processors to deliver the services. Zentrovia will:
- maintain an up-to-date list of sub-processors, available on request via privacy@zentrovia.tech;
- impose data-protection obligations on each sub-processor equivalent to those in this DPA;
- give the Controller at least 30 days' prior notice before engaging new sub-processors, during which the Controller may reasonably object.
Current sub-processor categories include cloud infrastructure, transactional email delivery, analytics, and content-delivery networks.
6. International Transfers
Where Personal Data is transferred outside the European Economic Area, the UK, or other restricted jurisdictions, Zentrovia will rely on the Standard Contractual Clauses (EU Commission Decision 2021/914) and the UK IDTA/SCC Addendum, together with supplementary measures, to ensure an adequate level of protection.
7. Security Measures
Zentrovia implements measures including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest;
- Access control based on least-privilege principles, with multi-factor authentication for administrative access;
- Logging and monitoring of access to production systems;
- Regular backups with documented restoration procedures;
- Vulnerability management and a documented change-management process;
- Vendor due diligence for sub-processors;
- Documented incident response and business-continuity procedures.
See our Security page for additional detail.
8. Personal Data Breach Notification
Zentrovia shall notify the Controller without undue delay and in any case within 72 hours after becoming aware of a Personal Data Breach, provide information reasonably required for the Controller's own notification obligations, and cooperate with remediation.
9. Audits
Zentrovia shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an auditor mandated by the Controller, at the Controller's cost, subject to reasonable notice, confidentiality obligations, and scheduling that avoids disruption to Zentrovia's operations.
10. Return or Deletion of Personal Data
Upon termination or expiry of the services agreement, Zentrovia shall, at the Controller's choice, return or delete all Personal Data within 30 days, unless applicable law requires continued retention. Backups containing Personal Data are deleted in the ordinary course of business according to our backup-retention schedule.
11. Liability and Indemnity
Liability arising under this DPA is subject to the liability provisions of the services agreement.
12. Governing Law
This DPA is governed by the law specified in the services agreement or, in the absence of such specification, by the laws of India, with exclusive jurisdiction of the courts in Bengaluru, Karnataka.
13. How to Execute a DPA
Enterprise customers requiring a countersigned DPA should email legal@zentrovia.tech. Please include your company name, jurisdictions of data subjects, and any Standard Contractual Clauses modules required.