Data Processing Agreement
Effective Date: July 1, 2026
| Company | Zipd, Inc., a Delaware corporation |
| Governing Law | State of California, United States |
| Contact | [email protected] |
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"), the following terms have the meanings set forth below:
- Controller — the Subscriber who determines the purposes and means of processing Personal Data through the Platform
- Processor — Zipd, Inc., which processes Personal Data on behalf of the Controller in accordance with documented instructions
- Personal Data — any information relating to an identified or identifiable natural person that is processed through the Platform
- Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion
- Subprocessor — a third party engaged by Zipd to process Personal Data on behalf of the Controller
- Data Subject — the individual to whom Personal Data relates
2. Scope and Purpose
This DPA applies to all processing of Personal Data by Zipd on behalf of the Subscriber in connection with the provision of the Zipd.ai platform ("Platform"). Zipd processes Subscriber Data solely to provide, maintain, and improve the Platform as described in the Terms of Service. The Subscriber is the Controller of Personal Data submitted to the Platform. Zipd acts as the Processor, processing Personal Data only in accordance with the Controller's documented instructions.
3. Processing Instructions
Zipd shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data, unless required to do so by applicable law. If Zipd is legally compelled to process Personal Data in a manner not instructed by the Controller, Zipd will notify the Controller of that legal requirement before processing, unless prohibited by law from doing so.
4. Data Categories Processed
The following categories of Personal Data may be processed through the Platform:
| Category | Data Types |
|---|---|
| Advisor Contact Information | Names, email addresses, phone numbers, business addresses |
| Subscriber User Data | Account information, usage logs |
| Business Data | Pipeline data, task records, notes |
5. Subprocessors
Zipd engages third-party subprocessors to assist in providing the Platform. A current list of subprocessors is available at our Subprocessor List. Zipd will provide at least 30 days' advance written notice before engaging a new subprocessor. The Controller has the right to object to a new subprocessor by providing written notice to [email protected] within the 30-day notice period.
6. Data Security
Zipd implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures are described in detail on our Security Policy page and include:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
- Role-based access control (RBAC) with five permission levels
- Multi-factor authentication (MFA) support
- Documented incident response procedures
7. Data Subject Rights
Zipd will assist the Controller in fulfilling Data Subject Access Requests (DSARs) within 10 business days of receiving a request from the Controller. Where technically feasible, Zipd will provide the requested data in a structured, commonly used, and machine-readable format. The Controller is responsible for responding to Data Subjects directly; Zipd will provide the necessary data and support to facilitate the Controller's response.
8. Data Breach Notification
In the event of a confirmed data breach affecting Personal Data processed under this DPA, Zipd will notify the Controller within 72 hours of becoming aware of the breach. The notification will include:
- The nature of the breach
- The categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
9. Data Transfers
All processing of Personal Data under this DPA occurs within the United States. Zipd will not transfer Personal Data outside the United States without providing prior written notice to the Controller and ensuring appropriate safeguards are in place.
10. Audit Rights
The Controller may request evidence of Zipd's compliance with this DPA on an annual basis. Zipd will provide SOC 2 reports (when available) or, where SOC 2 reports are not yet available, will permit the Controller to conduct a reasonable audit of Zipd's security practices with at least 30 days' advance written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Zipd's operations.
11. Data Deletion & Return
Upon termination of the subscription agreement, Zipd will, at the Controller's election, return or delete all Personal Data within 90 days. Zipd will certify deletion in writing upon request. Zipd may retain Personal Data beyond the 90-day period only where required by applicable law or regulation, and will inform the Controller of any such legal retention requirements.
12. Term
This DPA is effective for the duration of the subscription agreement between the Controller and Zipd. The obligations under this DPA survive termination of the subscription agreement with respect to any Personal Data retained under Zipd's data retention policy or as required by applicable law.
13. Amendments
This DPA may only be amended by mutual written agreement of the parties. Zipd will provide at least 30 days' advance written notice of any proposed material changes to this DPA. The Controller's continued use of the Platform after the effective date of an amendment constitutes acceptance of the amended terms.
14. Contact
| DPA Requests | [email protected] |
| Mailing Address | Zipd, Inc., Irvine, California, United States |