Data Processing Addendum
Last updated: June 1, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Service (the "Agreement") entered into by and between you ("Customer") and Zoey OS, LLC, a Florida limited liability company ("Zoey OS"). By accepting the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.
1. Definitions
"Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership of fifty percent (50%) or more of the voting interests.
"Authorized Sub-Processor" means a third party engaged by Zoey OS to Process Customer Personal Data, as listed in Exhibit B or subsequently authorized under Section 3 of this DPA.
"Customer Personal Data" means any personal data that Customer provides to Zoey OS or that Zoey OS Processes on behalf of Customer in connection with the Services.
"Data Protection Laws" means all applicable laws relating to the processing of personal data, including: (i) the CCPA/CPRA; (ii) the EU GDPR; (iii) the UK GDPR and UK Data Protection Act 2018; (iv) the Swiss Federal Act on Data Protection; and (v) any other applicable data protection laws.
"Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.
"Personal Data Breach" means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Process" / "Processing" means any operation performed on Customer Personal Data, whether or not by automated means.
"SCCs" means (i) for EU transfers, the Standard Contractual Clauses approved by the European Commission; and (ii) for UK transfers, the International Data Transfer Addendum to the EU SCCs.
2. Relationship of the Parties; Processing
2.1 Roles
Customer is the Controller (or Processor on behalf of its own controller) of Customer Personal Data. Zoey OS is the Processor of Customer Personal Data, processing it solely on behalf of and under the documented instructions of Customer.
2.2 Documented Instructions
Zoey OS shall Process Customer Personal Data only:
- To fulfill its obligations under the Agreement, including this DPA
- On Customer's behalf and in accordance with Customer's documented instructions
- In compliance with applicable Data Protection Laws
Customer's instructions for Processing are set forth in this DPA, the Agreement, and any written instructions expressly agreed upon by the parties. Zoey OS will inform Customer if, in Zoey OS's opinion, an instruction infringes Data Protection Laws.
2.3 Purpose Limitation
Zoey OS will not:
- Process Customer Personal Data for any purpose other than providing the Services
- "Sell" Customer Personal Data (as defined under CCPA)
- "Share" Customer Personal Data for cross-context behavioral advertising
- Retain, use, or disclose Customer Personal Data outside of the direct business relationship
- Use Customer Personal Data to train AI models
- Attempt to re-identify any pseudonymized or de-identified Customer Personal Data without Customer's express written permission
Zoey OS certifies that it understands the restrictions in this Section 2.3 and will comply with them.
2.4 Completion of Services
Upon termination of the Agreement, at Customer's choice, Zoey OS shall:
- Return Customer Personal Data in a machine-readable format (JSON); or
- Delete Customer Personal Data within 30 days from production systems and within 1 year from backup systems
Zoey OS will provide written certification of deletion upon Customer's request.
3. Sub-Processors
3.1 Authorization
Customer authorizes Zoey OS to engage the Authorized Sub-Processors listed in Exhibit B to Process Customer Personal Data in connection with the Services.
3.2 Notice of New Sub-Processors
Zoey OS will maintain an up-to-date list of Sub-Processors at zoeyos.com/legal/subprocessors. Zoey OS will provide Customer with at least thirty (30) days' prior written notice before engaging any new Sub-Processor. Customer may subscribe to Sub-Processor change notifications by emailing legal@zoeyos.com.
3.3 Objection Right
Customer may object to a new Sub-Processor by providing written notice to Zoey OS within fifteen (15) days of receiving notification, provided such objection is based on reasonable grounds relating to data protection. If Customer objects:
- The parties will work together in good faith to resolve the objection within thirty (30) days
- If resolution is not possible, Customer may terminate the affected Services upon written notice, and Zoey OS will issue a pro-rata refund of prepaid fees for the terminated Services
3.4 Sub-Processor Agreements
Zoey OS will enter into written agreements with each Sub-Processor imposing data protection obligations no less protective than those in this DPA. Zoey OS remains liable for its Sub-Processors' compliance with their obligations.
4. Security
4.1 Security Measures
Zoey OS shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Exhibit C. These measures include, at minimum:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Tenant-level data isolation at the database level preventing cross-tenant data access
- Multi-factor authentication on all administrative accounts
- Regular vulnerability scanning and dependency updates
- Network segmentation between production and development
- Audit logging of all data access events
4.2 Personal Data Breach Notification
In the event of a Personal Data Breach, Zoey OS shall:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide Customer with sufficient information to enable Customer to comply with its own notification obligations under Data Protection Laws
- Take reasonable steps to contain and remediate the breach
- Cooperate with Customer's reasonable requests regarding breach investigation and response
Notification shall include: (i) the nature of the breach; (ii) categories and approximate number of affected Data Subjects and records; (iii) likely consequences; and (iv) measures taken or proposed to address the breach.
5. Data Subject Rights
5.1 Assistance
Zoey OS shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to Data Subject requests exercising their rights under Data Protection Laws.
5.2 Direct Requests
If Zoey OS receives a Data Subject request directly, Zoey OS shall:
- Promptly notify Customer within five (5) business days
- Advise the Data Subject to submit their request to Customer
- Not respond to the request without Customer's authorization (unless required by law)
6. Data Protection Impact Assessments
Where required by Data Protection Laws, Zoey OS shall provide Customer with reasonable cooperation and assistance for Customer's performance of data protection impact assessments and prior consultations with supervisory authorities, at Customer's reasonable expense.
7. Audits
7.1 Compliance Demonstration
Zoey OS shall maintain records sufficient to demonstrate compliance with this DPA and retain such records for three (3) years after termination of the Agreement.
7.2 Audit Rights
Upon Customer's written request (no more than once per calendar year), Zoey OS shall:
- Make available certifications, reports, or audit summaries demonstrating compliance; or
- If the above is not reasonably sufficient, permit Customer's independent third-party representative to conduct an audit, subject to: reasonable prior written notice (minimum 30 days); audit conducted during business hours; scope limited to Customer's data and relevant controls; Customer bears the cost; auditor bound by confidentiality obligations
8. Cross-Border Transfers
8.1 Transfer Mechanisms
Customer acknowledges that Zoey OS's primary processing operations are in the United States. Where Customer Personal Data originates from the EEA, UK, or Switzerland, Zoey OS shall ensure appropriate safeguards through:
- The EU SCCs (Module Two: Controller to Processor, or Module Three: Processor to Sub-Processor, as applicable)
- The UK International Data Transfer Addendum for UK transfers
- Any successor mechanisms approved by relevant authorities
8.2 Supplementary Measures
Zoey OS represents that, as of the effective date of this DPA:
- It has not received any government requests for access to Customer Personal Data
- If it receives such a request, it will attempt to redirect the requesting authority to Customer
- It will notify Customer of any such request (to the extent legally permitted)
- It will not voluntarily disclose Customer Personal Data to any government authority
9. CCPA Compliance
For purposes of the CCPA/CPRA:
- Zoey OS is a "Service Provider" processing Customer Personal Data on behalf of Customer
- Zoey OS will not sell or share Customer Personal Data
- Zoey OS will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement
- Zoey OS will not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer
- Zoey OS certifies that it understands these restrictions and will comply with them
10. Conflict and Precedence
In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.
11. Term
This DPA shall remain in effect for the duration of the Agreement and shall survive until all Customer Personal Data has been returned or deleted in accordance with Section 2.4.
Exhibit A — Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of AI productivity platform services |
| Duration | For the term of the Agreement |
| Nature and purpose | Hosting, processing, and displaying Customer data to provide AI agent services, workflow automation, and integrations |
| Categories of Data Subjects | Customer's employees, contractors, and end users of the Services |
| Categories of Personal Data | Names, email addresses, conversation content, voice transcripts (if enabled), usage data, IP addresses, device identifiers, and any other personal data Customer submits to the Services |
| Sensitive data | None required. Customer shall not submit special category data unless Customer has obtained appropriate consent and legal basis. |
Exhibit B — Authorized Sub-Processors
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Anthropic, PBC | AI model inference | United States | Conversation inputs/outputs |
| Deepgram, Inc. | Speech-to-text transcription | United States | Audio data (real-time, not retained) |
| Cartesia, Inc. | Text-to-speech synthesis | United States | Text for voice synthesis |
| Stripe, Inc. | Payment processing | United States | Billing information |
| Cloudflare, Inc. | DDoS protection, WAF, CDN | Global | Network traffic metadata |
| DigitalOcean, LLC | Cloud infrastructure and database | United States | All Customer data (encrypted) |
| Resend, Inc. | Transactional email | United States | Email addresses, email content |
| Functional Software, Inc. (Sentry) | Error monitoring | United States | Error data, session metadata |
| Better Stack, Inc. | Uptime monitoring | United States | Endpoint availability only |
| Composio Technologies | Third-party API integration | United States | Integration credentials, API call data |
| LiveKit, Inc. | Real-time voice streaming | United States | Audio stream data |
| Twilio, Inc. | SMS and voice communications | United States | Phone numbers, message content |
Exhibit C — Technical and Organizational Security Measures
| Category | Measures |
|---|---|
| Encryption | Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Database-level encryption via managed provider. |
| Access control | Tenant-level data isolation on all user-scoped tables. Multi-factor authentication on all administrative accounts. Role-based access control for any team members. No shared credentials. |
| Network security | Cloudflare WAF and DDoS protection on all public endpoints. Network segmentation between production and development. No publicly accessible storage buckets. |
| Data isolation | Multi-tenant architecture with logical separation. Per-tenant data scoping enforced at database level. Cross-tenant queries architecturally prevented. |
| Backup and recovery | Daily automated backups with tested restore capability. Backup restoration tested at least once per 90-day period. |
| Monitoring and logging | Audit logging of all administrative data access. Error monitoring and uptime monitoring via third-party providers. Automated alerting on security-relevant events. |
| Vulnerability management | Regular dependency updates (automated scanning). Penetration testing scheduled 2-3 months post-launch, annually thereafter. |
| Incident response | Documented incident response plan. Breach notification within 72 hours. Post-incident review process. |
| Personnel security | Background checks for employees with data access. Confidentiality obligations in employment agreements. Security awareness training. |
| Physical security | No self-hosted physical servers. All infrastructure managed by cloud provider (DigitalOcean) with SOC 2 Type II certification. Endpoint protection on all development machines. |
| Data minimization | Only data necessary for service provision is collected. Retention periods defined per data type. Automated deletion of expired data. |
| Certifications | None at this time |
By using the Services and accepting the Terms of Service, you agree to the terms of this Data Processing Addendum.