Effective Date: April 11, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Zentriscan (“Processor”) and Customer (“Controller”) for processing of Personal Data under Texas and U.S. federal law.
1. Definitions
- Personal Data: Information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data (collect, store, use, disclose)
- Texas Data Privacy Act (TDPSA): Texas Business & Commerce Code Chapter 541
- Controller: Customer determining processing purposes
- Processor: Zentriscan processing on Controller’s instructions
2. Processing Scope
Zentriscan processes Personal Data only as instructed by Controller for:
- Order fulfillment and service delivery
- Billing and payment processing
- Customer support and communication
- Technical service execution (scanning, repair diagnostics)
Processing locations: United States only (Texas servers)
3. Processor Obligations (Texas/U.S. Law)
Zentriscan shall:
- Process Personal Data only on documented Controller instructions
- Ensure personnel are bound by confidentiality obligations
- Implement technical/organizational security measures
- Assist Controller with data subject requests (access, deletion)
- Notify Controller of Personal Data Breach within 48 hours
- Return/delete Personal Data at termination (Controller election)
4. Security Measures
Zentriscan maintains industry-standard security:
| Control | Implementation |
|---|---|
| Encryption | TLS 1.3 (transmission), AES-256 (storage) |
| Access | Role-based access, MFA, least privilege |
| Network | Firewalls, DDoS protection, WAF |
| Monitoring | SIEM, intrusion detection, audit logs |
| Backup | Encrypted, geo-redundant, 30-day retention |
5. Subprocessors
Zentriscan uses only these approved subprocessors:
| Subprocessor | Service | Location | Purpose |
|---|---|---|---|
| Namecheap | Hosting | US | Website infrastructure |
| Stripe/PayPal | Payments | US | Transaction processing |
| Google Workspace | US | Communication | |
| Cloudflare | CDN/Security | US | Performance/security |
Controller may object to subprocessors with 30 days written notice.
6. Data Subject Rights Assistance
Zentriscan will assist Controller with:
- Right to access (7 days)
- Right to rectification (7 days)
- Right to deletion (30 days, subject to legal retention)
- Right to restrict processing
- Data portability requests
Contact: privacy@zentriscan.com
7. Data Breach Notification
Notification within 48 hours of confirmed breach containing:
- Nature of Personal Data involved
- Likely consequences
- Measures taken or proposed
- Controller’s recommended response
8. Data Transfer
All processing occurs within United States. No international transfers.
9. Audits and Inspections
Upon 30 days written notice, Controller may audit Zentriscan’s compliance:
- Frequency: Once per year
- Scope: Security controls, processing logs
- Duration: 2 business days maximum
- Expense: Controller bears costs
10. Termination and Data Return
Upon termination/expiration:
- 30-day period to return or delete all Personal Data
- Secure deletion per NIST 800-88 standards
- Certification of destruction available upon request
- Backups deleted within 90 days
11. Liability and Indemnification
Each party’s liability capped at 12 months fees paid under this DPA.
Processor indemnifies Controller for claims arising from Processor’s breach of this DPA.
12. Governing Law & Dispute Resolution
Governed by laws of State of Texas, Galveston County jurisdiction.
Mandatory binding arbitration per Zentriscan Terms of Service.
Class action waiver applies.
13. Miscellaneous
No waiver: Failure to enforce = no waiver of rights
Entire Agreement: This DPA + main services agreement
Severability: Invalid provisions don’t affect remainder
All cancellations/adjustments:
📧 info@zentriscan.com