Data Processing Addendum

Last updated: 15 June 2026 · Effective: 15 June 2026

Note for EU/UK procurement teams: This Data Processing Addendum ("DPA") is incorporated by reference into your subscription agreement and takes effect automatically upon platform signup. No separate countersignature is required for Standard Contractual Clauses (Module 2, controller-to-processor) — they apply by operation of this DPA.

If your institution requires a countersigned DPA for procurement purposes, email privacy@zentrovia.tech and we will provide a signed PDF within 5 business days.

1. Definitions

  • “Controller” — the Customer (publisher, learned society, aggregator, or eLearning provider) that determines the purposes and means of processing personal data of its end users.
  • “Processor” — Zentrovia Solutions Pvt. Ltd., which processes personal data on behalf of the Controller to operate the ZenPub Platform.
  • “Sub-processor” — a third party engaged by the Processor to process personal data on the Controller's behalf.
  • “Personal Data” — any information relating to an identified or identifiable natural person processed through the Platform on behalf of the Controller (patron accounts, end-user reading logs, institutional admin credentials, etc.).
  • “Processing” — any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
  • “GDPR” — the EU General Data Protection Regulation 2016/679, and where applicable, the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018).
  • “SCCs” — the Standard Contractual Clauses for the transfer of personal data to third countries, adopted by the European Commission Decision 2021/914 (Module 2: controller-to-processor).

2. Subject Matter and Nature of Processing

Subject matter: Operation of the ZenPub digital publishing and content delivery platform on behalf of the Controller
Duration: For the term of the subscription agreement, plus 30 days for export, then deletion (see Section 8)
Nature of processing: Hosting, storing, indexing, delivering, and generating reports from Personal Data
Purpose of processing: Enabling patron authentication, content access control, reading delivery, COUNTER 5.1 reporting, and AI-assisted discovery
Categories of data subjects: End users (patrons, students, researchers), institutional administrators, and library staff accessing the Controller's storefront
Types of personal data: Email addresses, encrypted passwords or SSO/SAML attributes, IP addresses, institutional identifiers, content access timestamps, annotations, reading progress, and COUNTER usage metrics

3. Processor Obligations

Zentrovia (as Processor) shall:

  • Process Personal Data only on documented instructions from the Controller, including those set out in this DPA and the subscription agreement. If required to process data by applicable law, Zentrovia will inform the Controller unless legally prohibited from doing so.
  • Ensure that personnel authorised to process Personal Data are subject to confidentiality obligations.
  • Implement the technical and organisational security measures described in Section 5.
  • Respect the conditions for engaging sub-processors set out in Section 6.
  • Assist the Controller with data subject rights requests (access, rectification, erasure, portability, restriction, objection) within 10 business days of receiving the Controller's forwarded request.
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
  • At the choice of the Controller, delete or return all Personal Data after the end of the service, and delete existing copies unless EU or Member State law requires retention.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 9).

4. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis under GDPR (or applicable law) for the Personal Data it instructs Zentrovia to process.
  • It will provide appropriate privacy notices to its end users describing how their data is processed through the Platform.
  • It will obtain necessary consents where required by law before instructing Zentrovia to process special categories of personal data.
  • It will promptly forward data subject rights requests received from end users to Zentrovia where Zentrovia's assistance is needed.

5. Technical and Organisational Security Measures

Zentrovia maintains the following measures to protect Personal Data:

  • Encryption at rest — AES-256 encryption for all database storage and S3 file storage
  • Encryption in transit — TLS 1.2+ enforced for all data transmission; HSTS headers set
  • Tenant isolation — row-level security (RLS) in the database; all queries scoped to the tenant's orgId; signed short-lived URLs for content delivery
  • Access controls — role-based access control (RBAC) with principle of least privilege; MFA required for platform admin accounts; timing-safe token comparison to prevent timing attacks
  • Audit logging — administrative actions logged with actor, timestamp, and affected entity
  • Security testing — periodic internal security reviews; external penetration testing at least annually for enterprise customers
  • Incident response — documented incident response plan with 72-hour breach notification obligation (see Section 7)
  • Sub-processor oversight — all sub-processors assessed before onboarding; DPAs in place with all sub-processors

6. Sub-Processors

The Controller provides general authorisation to Zentrovia to engage the following sub-processors. Zentrovia will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object on reasonable grounds:

Sub-processor | Purpose | Location
Amazon Web Services | Cloud infrastructure, database hosting, S3 file storage, SQS message queues | USA (eu-west-1 available on request)
Cloudflare | CDN, DDoS protection, bot mitigation (Turnstile) | USA / Global edge
Stripe | Payment processing (Controller billing only — no end-user payment data) | USA
Resend | Transactional email delivery (password resets, access notifications) | USA
Anthropic / OpenAI | AI-assisted content discovery and ZenGuy admin assistant | USA
Railway / Vercel | Application hosting and serverless edge delivery | USA

7. Personal Data Breach Notification

In the event of a Personal Data breach affecting data processed on behalf of the Controller, Zentrovia will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide a description of: (a) the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed
  • Assist the Controller in notifying the relevant supervisory authority and, where required, affected data subjects
  • Preserve all evidence related to the breach and cooperate with any investigation

Breach notifications are sent to the primary account email on file. To designate an alternate security contact, email privacy@zentrovia.tech.

8. Data Deletion and Return

Upon termination of the subscription agreement, Zentrovia will:

  • Make all Customer Content and Personal Data available for export in standard formats (CSV, JSON, EPUB, PDF) for 30 days post-termination
  • After the 30-day export window, permanently delete all Personal Data from production systems within 60 days
  • Instruct sub-processors to delete their copies subject to their retention obligations
  • Retain billing records and audit logs as required by applicable law (7 years for tax records; 26 months for COUNTER audit logs)
  • Provide a written certification of deletion upon request

9. Audit Rights

Zentrovia will make available all information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an audit of Zentrovia's data processing activities subject to the following conditions:

  • Audits are conducted no more than once per calendar year (except following a confirmed breach)
  • The Controller provides at least 30 days' written notice of the intended audit
  • Audits are conducted during business hours and must not unreasonably disrupt Zentrovia's operations
  • The Controller (or its appointed auditor) signs a confidentiality agreement before receiving access to system documentation
  • Costs of the audit are borne by the Controller unless the audit reveals a material breach by Zentrovia

In lieu of an on-site audit, Zentrovia may provide a third-party security assessment report (SOC 2, ISO 27001, or equivalent) where available.

10. International Data Transfers

Zentrovia is incorporated in India, and its sub-processors are primarily located in the USA. Transfers of Personal Data from the EEA or UK are governed by:

  • EU SCCs (Module 2) — European Commission Decision 2021/914, Module 2 (controller-to-processor), incorporated into this DPA by reference. The optional clauses selected are: Clause 7 (docking clause), Clause 11 (redress — optional language not included), Clause 17 (governing law: Ireland), Clause 18(b) (courts: Ireland). Annex I, II, and III are as set out in Sections 2, 5, and 6 of this DPA respectively.
  • UK Addendum — the UK International Data Transfer Addendum to the EU SCCs (version B1.0, as issued by the UK ICO) is incorporated into this DPA for transfers from the UK.
  • EU-region hosting — available on request for enterprise customers; data remains in AWS eu-west-1 (Ireland).

11. Liability

Each party's liability to the other under this DPA is subject to the limitations set out in the subscription agreement (Terms of Service, Section 11). Notwithstanding any limitation, each party remains liable for breaches of this DPA that constitute violations of applicable data protection law, to the extent that such violations cause direct damage to the other party or to data subjects.

12. Conflict

In the event of a conflict between this DPA and the subscription agreement (Terms of Service) on matters relating to the processing of Personal Data, this DPA shall prevail. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail to the extent required by applicable law.

13. Contact

DPA enquiries, countersignature requests, or breach notifications:

Data Protection Officer
Zentrovia Solutions Pvt. Ltd.
Bangalore, India
privacy@zentrovia.tech