Template — execution copy available from sales@zeainternational.com

Data Processing Agreement

Last Updated: June 10, 2026

This Data Processing Agreement ("DPA") describes how ZEA International processes personal data on behalf of customers of ZEA AssetOps. It supplements our Terms of Service and Privacy Policy. This page is a template for review; the execution copy is available from sales@zeainternational.com.

1. Parties & Roles

For personal data entered into your workspace, the customer is the data controller: you decide what data is collected and why. ZEA International is the data processor: we process that data only to provide ZEA AssetOps, on your documented instructions, and never for our own purposes. People with workspace access act under the customer's authority.

2. Scope & Nature of Processing

Processing covers hosting, storage, transmission, display, backup, and deletion of workspace data; sending notifications you configure (email, SMS, push); and generating reports and evidence packs you request. Processing lasts for the duration of your subscription plus the deletion window described in section 8.

3. Categories of Data

Workspace data typically includes:

  • User accounts: names, work email addresses, phone numbers, roles, and authentication records of the people you invite to your workspace.
  • Asset & operations records: assets, locations, tickets, work orders, inspections, maintenance, waste, and custody data you enter while operating the platform.
  • Supplier contacts: supplier company details, contact persons, questionnaire responses, and ESG assessment records.
  • Sensor telemetry: readings, alerts, and device metadata from sensors you connect to your workspace.

4. Subprocessors

We use a small set of vetted subprocessors to run the service. Each is bound by data protection terms at least as protective as this DPA. We will notify customers before adding or replacing a subprocessor, with an opportunity to object.

Subprocessor | Purpose | Location
Railway | Application hosting and managed PostgreSQL database | USA / EU regions
Cloudflare R2 | Object storage for uploads, attachments, and evidence files | Global (distributed)
Upstash | Redis cache and QStash background job delivery | USA / EU regions
Resend | Transactional email delivery | USA
Hubtel | SMS delivery and payment processing | Ghana
Sentry | Error and performance monitoring | USA

5. Security Measures

  • All traffic is encrypted in transit with TLS.
  • Account credentials are hashed with bcrypt; sessions are server-side and revocable.
  • Role-based access control (RBAC) scopes every record to your workspace and the member's role.
  • An append-only audit log records state changes, approvals, and access-relevant events.
  • Exported evidence packs are signed with Ed25519 so tampering is detectable.

6. Breach Notification

If we become aware of a personal data breach affecting your workspace, we will notify you without undue delay and within 72 hours, describing the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to contain and remediate it.

7. Data Subject Rights

Taking into account the nature of processing, we assist you in responding to data subject requests — access, rectification, erasure, restriction, and portability. Most records can be exported or deleted directly in the product; where they cannot, we act on your written instruction.

8. Retention & Deletion

Workspace data is retained while your subscription is active. On termination, you may export your data; we then delete personal data from production systems within 30 days and from encrypted backups within 90 days, unless retention is required by law.

9. International Transfers

Subprocessors may process data outside your country (see the table above). Where data is transferred internationally, we rely on appropriate safeguards such as standard contractual clauses and equivalent contractual commitments from each subprocessor.

10. Audit Rights

On reasonable written notice, we will make available the information necessary to demonstrate compliance with this DPA — including summaries of security measures, subprocessor terms, and audit log evidence — and will allow audits required by applicable law, subject to confidentiality and at most once per year unless a breach has occurred.

Need a signed copy?

This page is a reference template. To execute this DPA for your organization — or to request edits reviewed by counsel — contact sales@zeainternational.com and we will send the execution copy.