Data Processing Agreement

Last updated: December 2024

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions ("Agreement") between:

ZapWizards

Bolongarostr. 102
65929 Frankfurt am Main
Germany
("Processor", "ZapWizards", "we", "us")

The Client

("Controller", "Client", "you")

together the "Parties".

This DPA governs ZapWizards' processing of personal data on behalf of the Client in accordance with:

  • EU General Data Protection Regulation (GDPR)
  • German Federal Data Protection Act (BDSG)
  • Applicable US/EU transfer rules
  • Any other relevant data protection laws

1. Definitions

Terms used in this DPA shall have the meanings assigned in:

  • Article 4 GDPR
  • ZapWizards' Terms & Conditions
  • This DPA

Key definitions:

1.1 "Personal Data"

Any information relating to an identified or identifiable natural person processed by ZapWizards on behalf of the Client.

1.2 "Processing"

Any action performed on personal data, automated or not.

1.3 "Controller"

The Client who determines the purposes and means of processing.

1.4 "Processor"

ZapWizards, who processes personal data on behalf of the Controller.

1.5 "Sub-processor"

Any third party engaged by ZapWizards to assist in processing personal data.

1.6 "Services"

All automation, AI, integration, engineering, consulting, dashboards, audits, and related work provided by ZapWizards.

2. Subject Matter & Duration

ZapWizards will process personal data solely:

  • to provide the Services defined in the Agreement
  • according to the Client's documented instructions
  • for the duration of the Agreement

Processing ends upon deletion or return of data under Section 12.

3. Nature & Purpose of Processing

ZapWizards processes personal data to:

  • automate workflows
  • build integrations
  • design dashboards
  • develop custom software and AI systems
  • analyze errors and logs
  • support and maintain systems
  • test, configure, or optimize operations
  • enable third-party platform functionality (Make.com, Zapier, etc.)

Processing may include:

  • collection
  • storage
  • transmission
  • retrieval
  • analysis
  • modification
  • deletion

ZapWizards never processes personal data for its own purposes.

4. Types of Personal Data & Data Subjects

4.1 Personal data

  • Employee information
  • Customer records
  • CRM entries
  • Investor data
  • Contact details
  • Project/task data
  • Documents and files uploaded for automation
  • System logs
  • Emails used for processing
  • Operational workflow data

4.2 Data subjects

  • Client's employees
  • Client's customers
  • Investors, partners, or contractors
  • Individuals whose data appears in documents processed by automations

The Client confirms it has the legal right to provide such data to ZapWizards.

5. Instructions

ZapWizards processes personal data only according to:

  • this DPA
  • the Agreement
  • documented instructions submitted through support channels
  • technically required actions to ensure delivery

If ZapWizards believes an instruction violates GDPR, ZapWizards will inform the Client.

6. Processor Obligations

ZapWizards shall:

6.1 Confidentiality

Ensure all personnel and subcontractors are bound by confidentiality obligations.

6.2 Security Measures

Implement appropriate technical and organizational measures including:

  • access control
  • encryption
  • password & credential protection
  • secure hosting
  • logging
  • backups
  • least-privilege access
  • two-factor authentication
  • secure development practices

6.3 No Training of AI Models

Personal data will not be used to train public AI models.

6.4 Client Assistance

Assist the Client with:

  • data breaches
  • data subject rights
  • DPIAs (Data Protection Impact Assessments)

6.5 Data Minimization

Only process data necessary for delivering the Services.

7. Sub-processors

ZapWizards may use Sub-processors to deliver Services. These may include:

  • Make.com
  • Zapier
  • n8n
  • HubSpot
  • Google Cloud
  • AWS
  • Retool
  • Airtable
  • Salesforce
  • OpenAI
  • Anthropic
  • Notion
  • Datastax
  • JotForm
  • Bright Data
  • Slack
  • Dropbox

ZapWizards ensures Sub-processors:

  • are GDPR-compliant
  • are bound by data processing agreements
  • receive only the minimum data necessary

Client authorizes ZapWizards to use these Sub-processors.

8. International Data Transfers

Transfers outside the EU/EEA may occur when:

  • Using US-based platforms
  • Hosting on global cloud providers
  • Running AI or automation systems

All transfers follow:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Encryption and access controls
  • Additional safeguards

Client acknowledges that using international platforms (e.g., Make.com, HubSpot, Zapier, OpenAI) inherently requires international data transfer.

9. Client Responsibilities

The Client is responsible for:

  • Ensuring a legal basis to process personal data
  • Providing accurate instructions
  • Securing access to Client Systems
  • Managing platform permissions (Make.com, HubSpot, etc.)
  • Ensuring their employees comply with data protection rules
  • Not uploading excessive or unnecessary personal data
  • Compliance with GDPR when submitting data

ZapWizards is not responsible for:

  • Client-side misconfigurations
  • Unauthorized access granted by the Client
  • Data leaks caused by the Client
  • Data exposed through Client systems or third-party tools
  • Incorrect or unlawful data provided by the Client

10. Data Breach Notification

In the event of a personal data breach involving ZapWizards systems:

  • ZapWizards will notify the Client without undue delay
  • ZapWizards will provide known details
  • ZapWizards will assist in remediation

ZapWizards is not responsible for breaches occurring in:

  • Client Systems
  • Third-party platforms
  • Access controls improperly configured by the Client
  • Credentials mismanaged by the Client

11. Audit Rights

Client may request evidence of ZapWizards' compliance.

Any on-site audit must:

  • be requested with 30 days' notice
  • occur during business hours
  • not disrupt operations
  • be limited in scope
  • maintain confidentiality
  • be at the Client's expense

ZapWizards may refuse audits that threaten security or other clients.

12. Return or Deletion of Data

Upon termination of the Agreement:

  • ZapWizards will delete personal data from its systems within 60 days unless required by law to retain it.
  • Client data stored in third-party platforms (Make.com, Zapier, HubSpot, etc.) remains under Client control.

Deletion may be delayed if:

  • The Client still has outstanding invoices
  • A legal dispute is active
  • The Client requests transfer of IP first

ZapWizards may keep anonymized or aggregated non-personal data.

13. Liability

Liability is governed by the Terms & Conditions.

Maximum liability for data-related issues is limited to fees paid by the Client in the previous 30 days.

14. Duration & Termination of DPA

This DPA:

  • Starts when the Client begins using ZapWizards Services
  • Remains valid until all processing activities cease
  • Ends automatically with the Agreement

15. Governing Law

This DPA is governed by German law, and disputes shall be resolved in Frankfurt am Main, unless mutually agreed otherwise.