Aller au contenu
Ztract

Data Processing Agreement

Last updated:

This Data Processing Agreement (DPA) forms part of the Terms of Service between Interval Limited (operating as Ztract) and the Customer using the Service. Where Customer Content includes personal data of third parties, this DPA sets out how Ztract processes that personal data on Customer's behalf.

1. Definitions

Capitalized terms used but not defined here have the meaning given in the Terms of Service. In addition:

  • "Applicable Data Protection Law" means: (a) the EU General Data Protection Regulation 2016/679 (GDPR); (b) the UK Data Protection Act 2018 and the UK GDPR; (c) the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA); (d) the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (PDPO); and (e) any other applicable privacy or data-protection law.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor", "Personal Data Breach" have the meanings given in the GDPR.
  • "Customer" means the entity or individual that has agreed to the Terms of Service and uses the Service.
  • "Customer Personal Data" means Personal Data within Customer Content that Ztract processes on Customer's behalf.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), as amended.

2. Scope and roles

This DPA applies where Ztract processes Customer Personal Data on Customer's behalf in the course of providing the Service. For that processing, Customer is the Controller (or, where Customer is itself a processor for another entity, a Processor acting on behalf of its own controller) and Ztract is the Processor (or sub-processor, as applicable).

Ztract acts as a Controller for: account registration data, billing data, operational logs, and other Personal Data described in our Privacy Policy. That processing is not governed by this DPA.

3. Subject matter, duration, nature, and purpose

  • Subject matter. Processing of Customer Personal Data contained in documents and schemas Customer submits to the Service for the purpose of document understanding and structured-data extraction.
  • Duration. The term of the Terms of Service plus any post-termination period during which Ztract is required to return or delete data.
  • Nature and purpose. Ingesting Customer Content; performing layout-aware OCR and field extraction using the AI providers listed in Annex II; returning structured results to Customer; and retaining both the original Customer Content and the extracted results in object storage until Customer deletes them.
  • Categories of Data Subjects. The individuals whose personal data appears in Customer Content. Depending on Customer's use case this may include Customer's customers, suppliers, employees, contractors, patients, applicants, end users, or other counterparties.
  • Categories of Personal Data. Whatever appears in documents Customer chooses to upload — for example: names, addresses, telephone numbers, email addresses, dates of birth, government-issued identifier numbers, financial-account numbers, transaction information, employment information, and signatures.

4. Special categories of personal data

Customer may use the Service to process documents that contain special categories of personal data as defined in Article 9 GDPR — including health and medical records, identification documents (which may reveal racial or ethnic origin), and similar sensitive information. Where that is the case:

  • Customer warrants that it has a lawful basis for the processing under both Article 6 and Article 9 GDPR (or the equivalent under other Applicable Data Protection Law).
  • Customer is responsible for obtaining any required explicit consent or other legal authorization from Data Subjects.
  • Ztract will apply the security measures described in Annex I to all Customer Personal Data, with no additional contractual restriction on special categories beyond those measures unless specifically agreed in writing.

5. Ztract's obligations as Processor

Ztract will:

  • Process Customer Personal Data only on Customer's documented instructions, including those set out in the Terms of Service and this DPA. Where Ztract is required by law to process Customer Personal Data for other purposes, Ztract will inform Customer before doing so unless that law prohibits informing Customer on important grounds of public interest.
  • Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
  • Implement and maintain the technical and organizational measures described in Annex I.
  • Engage only the sub-processors listed in Annex II, and any additional sub-processor approved under section 6.
  • Assist Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • Assist Customer with data-protection impact assessments and prior consultations with supervisory authorities, where applicable.
  • Notify Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of becoming aware, with such information as Customer reasonably requires to meet its own notification obligations.
  • At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, subject to backup retention described in section 8.

6. Sub-processors

Customer authorizes Ztract to engage the sub-processors listed in Annex II to process Customer Personal Data. Ztract will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.

Ztract will give Customer at least 30 days' notice before engaging any new sub-processor that processes Customer Personal Data. Notice will be given by updating the Annex II list at this URL and emailing the Customer's billing-contact address. Customer may object to a new sub-processor on reasonable data-protection grounds by notifying support@ztract.com within the notice period. If Customer's objection cannot be resolved, Customer may terminate the affected portion of the Service on written notice to Ztract; pre-paid unused pages will be refunded on a pro-rata basis.

7. International transfers

Customer acknowledges that Interval Limited is established in Hong Kong and that the technical infrastructure that delivers the Service is located in the United States (see Annex II for region detail). Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to Ztract or any sub-processor in a third country not subject to an adequacy decision, the parties incorporate by reference and agree to the Standard Contractual Clauses on the following terms:

  • Module Two applies where Customer is a Controller and Ztract acts as Processor.
  • Module Three applies where Customer acts as a Processor on behalf of its own controller and Ztract acts as Sub-processor.
  • In Clause 7, the optional docking clause applies.
  • In Clause 9(a), Option 2 (general written authorization) applies, with a notice period of 30 days as set out in section 6 above.
  • In Clause 11, the optional language enabling Data Subjects to lodge complaints with an independent dispute-resolution body is omitted.
  • In Clause 17, Option 1 applies and the SCCs are governed by the law of Ireland.
  • In Clause 18, disputes are resolved by the courts of Ireland; this is without prejudice to the dispute-resolution provisions of the Terms of Service for other matters.
  • Annex I.A (List of Parties) is populated by: (i) Customer's information as recorded in Customer's Ztract account; (ii) Interval Limited at the address in section 12 of this DPA.
  • Annex I.B (Description of Transfer) is populated by sections 3 and 4 of this DPA.
  • Annex I.C (Competent Supervisory Authority) is the supervisory authority of the EEA Member State in which Customer is established or, if Customer is not established in the EEA, the supervisory authority of the EEA Member State in which Customer's EU representative is established.
  • Annex II (Technical and Organisational Measures) is populated by Annex I of this DPA.
  • Annex III (List of Sub-processors) is populated by Annex II of this DPA.

For transfers from the United Kingdom, the parties additionally incorporate the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner, with the same modular and clause selections set out above.

8. Return and deletion

Customer may delete Customer Content at any time through the Service. On deletion, Ztract removes the affected Customer Personal Data from active systems immediately and from routine backups within 14 days.

On termination or expiry of the Terms of Service, Ztract will, at Customer's choice, return or delete all Customer Personal Data within 30 days, except where retention is required by law or for legal claims.

9. Audit

Ztract will make available to Customer, on request and no more than once per calendar year (or more frequently if required by a supervisory authority or following a Personal Data Breach), information reasonably necessary to demonstrate compliance with this DPA. Where a Customer reasonably requires an on-site audit, the parties will agree on scope, timing, and confidentiality arrangements in advance, and Customer will bear its own costs and reasonable costs incurred by Ztract.

10. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Where Customer is established in the EEA or the UK, nothing in the Terms of Service limits or excludes either party's liability under Article 82 GDPR (or the UK GDPR equivalent) for damages caused by an infringement of those laws to a level lower than is permitted under those laws.

11. Order of precedence

In the event of any conflict, the following order of precedence applies, from highest to lowest: (i) the Standard Contractual Clauses; (ii) this DPA; (iii) the Terms of Service; (iv) any other agreement between the parties relating to the Service.

12. Contact

For matters arising under this DPA, contact support@ztract.com, addressed to:

Interval Limited
Unit 2A, 17/F, Glenealy Tower
No.1 Glenealy
Central, Hong Kong S.A.R


Annex I — Technical and Organisational Measures

Ztract implements and maintains the following technical and organisational measures to protect Customer Personal Data:

Encryption

  • Data in transit between Customer's browser, Ztract's servers, and all sub-processors is encrypted using TLS 1.2 or higher.
  • Data at rest in object storage (Cloudflare R2), the application database (Supabase / AWS), and backup snapshots is encrypted using AES-256.

Access controls

  • Production system access is restricted to authorized Ztract personnel and granted on a least-privilege basis.
  • All production access requires multi-factor authentication.
  • Production credentials are rotated regularly and on personnel changes.
  • Customer-facing authentication is performed by Supabase Auth using salted hashes for password storage.

Isolation

  • Each Customer's data is logically isolated by tenant identifier and access is enforced at the database and object-storage layer.
  • Customer Content is not used to train AI models — Ztract's own or any sub-processor's.

Operational security

  • Application and infrastructure dependencies are scanned for known vulnerabilities and patched on a defined cadence.
  • Production systems generate audit and security logs that are retained for at least 90 days.
  • Backups of the application database are taken on a defined cadence and tested for restorability.
  • Ztract maintains an incident-response procedure, including the breach-notification timelines set out in section 5.

Annex II — Authorized Sub-processors

The following sub-processors are authorized to process Customer Personal Data:

Sub-processor Service provided Processing location
Fly.io, Inc. Application hosting and compute United States (LAX — Los Angeles)
Supabase, Inc. Database and authentication (built on AWS) United States (AWS us-east-2, Ohio)
Cloudflare, Inc. Object storage (Cloudflare R2) for uploaded documents and extracted results Western North America (R2 WNAM)
Stripe, Inc. Payment processing, invoicing, and tax Global; primarily United States
Resend, Inc. Transactional email delivery United States
OpenAI, L.L.C. Large language model API used for document extraction United States
Anthropic, PBC Large language model API used for document extraction United States
Google LLC Large language model API (Gemini) used for document extraction United States