1. Background And Scope
This Data Processing Addendum ("DPA") is entered into between Zevvlo ("Processor") and the business customer that has accepted the Zevvlo Terms of Service ("Controller" or "Customer"), and forms part of the Terms. It applies where Zevvlo Processes Personal Data on behalf of the Customer in connection with the Service and where such Processing is subject to Data Protection Laws, including the EU GDPR, the UK GDPR, India's Digital Personal Data Protection Act, the CCPA/CPRA, and other applicable laws. Where this DPA conflicts with the Terms with respect to data protection, this DPA prevails.
2. Definitions
Capitalised terms not defined here have the meaning given in the Terms or in applicable Data Protection Laws. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given under the GDPR. "Customer Personal Data" means Personal Data contained in Customer Data that Zevvlo Processes on the Customer's behalf.
3. Roles Of The Parties
With respect to Customer Personal Data, the Customer is the Controller (or processor acting on behalf of a third-party controller) and Zevvlo is the Processor (or sub-processor). For CCPA purposes, Zevvlo acts as a Service Provider and does not sell or share Personal Data, and will not retain, use, or disclose it except to provide the Service.
4. Processing Instructions
Zevvlo will Process Customer Personal Data only: (a) to provide the Service in accordance with the Terms; (b) on the Customer's documented instructions, including configurations made through the Service; and (c) as required by applicable law, in which case Zevvlo will inform the Customer unless legally prohibited. The Customer warrants that its instructions and the Processing comply with Data Protection Laws and that it has a lawful basis and any required consents.
5. Subject Matter And Details Of Processing
- Subject matter: provision of the Zevvlo customer engagement and recovery platform.
- Duration: the term of the subscription, plus the retention/deletion periods in Section 11.
- Nature and purpose: collecting feedback, sending review and recovery messages, analytics, and related processing.
- Categories of Data Subjects: the Customer's end customers and contacts.
- Types of Personal Data: names, email addresses, phone numbers, order and transaction details, feedback, review content, and communication records.
- Special categories: not intended; the Customer must not submit special-category data unless separately agreed.
6. Confidentiality
Zevvlo will ensure that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations and are trained on their data-protection responsibilities, and that access is limited on a need-to-know basis.
7. Security Measures
Zevvlo will implement appropriate technical and organisational measures to protect Customer Personal Data, taking into account the state of the art and the risks of Processing. These include encryption in transit and at rest, access controls and Row-Level Security, secure credential storage, logging and monitoring, regular patching, and least-privilege access. The Customer is responsible for the security of its own credentials and connected integrations.
8. Sub-processors
The Customer authorises Zevvlo to engage Sub-processors to Process Customer Personal Data. Zevvlo will impose data-protection obligations on Sub-processors that are materially consistent with this DPA and remains responsible for their performance. Current categories of Sub-processors include:
- Cloud hosting and database providers;
- Email and messaging (SMS/WhatsApp) delivery providers;
- AI/model providers used for assisted features;
- Payment processors (e.g. Stripe, Razorpay);
- Analytics, logging, and customer-support providers.
Zevvlo will make available a current list of Sub-processors on request and will provide a mechanism to notify the Customer of changes, giving the Customer the opportunity to object on reasonable data-protection grounds.
9. Data Subject Rights
Taking into account the nature of the Processing, Zevvlo will provide reasonable assistance, through appropriate technical and organisational measures, to help the Customer respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, and objection). If Zevvlo receives such a request directly, it will, where lawful, direct the Data Subject to the Customer.
10. Personal Data Breach Notification
Zevvlo will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to assist the Customer in meeting its breach-notification obligations. Zevvlo's notification is not an acknowledgement of fault or liability.
11. Return And Deletion Of Data
Upon termination or expiry of the Service, and on the Customer's request, Zevvlo will delete or return Customer Personal Data. Unless legal retention obligations apply, Zevvlo will delete or anonymise Customer Personal Data within 90 days of termination, subject to routine backup cycles after which residual copies are overwritten.
12. Audits And Compliance
Zevvlo will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer — subject to reasonable notice, confidentiality, frequency limits, and not unreasonably disrupting Zevvlo's operations. Where available, Zevvlo may satisfy audit requests by providing relevant third-party certifications or reports.
13. International Data Transfers
Where Processing involves transferring Customer Personal Data outside the EEA, the UK, or other regulated regions, the parties agree that such transfers will be governed by an appropriate transfer mechanism, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed with the details set out in Section 5 and the Sub-processor list. Where the SCCs apply, the Customer is the data exporter and Zevvlo is the data importer.
14. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, including the aggregate liability cap.
15. General
This DPA is governed by the same law as the Terms, except where mandatory Data Protection Laws require otherwise. If any provision is held invalid, the remainder continues in effect. In the event of conflict between this DPA and the SCCs, the SCCs prevail with respect to the transfers they govern.
16. Contact
To execute a countersigned copy of this DPA or to raise data-protection questions, contact legal@zevvlo.com.