
Data Processing Agreement

Effective date: March 1, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between ZeroLimitAI (“Processor”) and the Customer (“Controller”) and applies where ZeroLimitAI processes personal data on behalf of the Customer in the course of providing the ZeroLimitAI platform.

1. Definitions

  • Controller: The Customer entity that determines the purposes and means of processing personal data.
  • Processor: ZeroLimitAI, which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person as defined under applicable data protection law, including GDPR.
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
  • Sub-processor: A third party engaged by the Processor to process personal data.

2. Scope and Purpose

The Processor shall process personal data only to the extent necessary to provide the services described in the Terms of Service, including: AI chat functionality, agent management, prompt storage, usage analytics, and billing management.

The Processor shall not process personal data for any purpose other than those specified by the Controller, except where required by applicable law.

3. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that authorised personnel are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures (encryption at rest and in transit, access controls, 2FA for admin access).
  • Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability) within 30 days.
  • Notify the Controller of a personal data breach within 72 hours of becoming aware.
  • Delete or return all personal data upon termination of services, as instructed.
  • Provide all information necessary to demonstrate compliance with this DPA.

4. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors. The current list of sub-processors is available at zerolimitai.com/subprocessors.

The Processor will notify the Controller of any intended changes to sub-processors with at least 14 days' notice. If the Controller objects, it may terminate the affected services with written notice.

The Processor ensures that sub-processors are bound by data protection obligations equivalent to those in this DPA.

5. Data Subject Rights

If the Processor receives a data subject rights request directed to the Controller, it will promptly forward the request to the Controller. The Processor will provide technical assistance to help the Controller fulfil its obligations under applicable data protection law.

6. Security Measures

The Processor implements the following technical and organisational measures:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access control with least-privilege principle.
  • Mandatory two-factor authentication for administrative access.
  • Regular security audits and vulnerability assessments.
  • Automated backups with point-in-time recovery.
  • Rate limiting and DDoS mitigation at the edge.
  • Content Security Policy (CSP) and security headers on all responses.

7. International Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. Such transfers are carried out under Standard Contractual Clauses (SCCs) approved by the European Commission, or where the recipient country has an adequate level of data protection.

8. Data Breach Notification

In the event of a personal data breach, the Processor will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware.
  • Provide all available information about the breach (nature, categories of data, approximate number of individuals, likely consequences, and measures taken).
  • Cooperate with the Controller's investigation and notification obligations.

9. Audit Rights

The Controller has the right to conduct audits or inspections (or to commission a qualified third party to do so) to verify the Processor's compliance with this DPA, upon 30 days' written notice and no more than once per year. The Processor will cooperate with such audits and provide all reasonably requested information.

10. Term and Termination

This DPA is effective for the duration of the service agreement. Upon termination, the Processor will delete or return all personal data within 30 days, unless applicable law requires longer retention. The Processor will certify deletion in writing upon request.

11. Governing Law

This DPA is governed by the laws of the jurisdiction applicable to the main Terms of Service between the parties. To the extent that GDPR applies, this DPA shall be interpreted in accordance with GDPR requirements.

12. Contact

For DPA-related inquiries, data subject requests, or breach notifications, contact:

ZeroLimitAI — zerolimitai.com

privacy@zerolimitai.com

If you require a signed copy of this DPA for your legal compliance records, please email privacy@zerolimitai.com with your company name and we will provide a signed PDF.