Data Processing Agreement (DPA)
Last updated: January 29, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Customer”, “Controller”) and ioZen (“Processor”) and governs the processing of personal data by ioZen on behalf of the Customer.
By using the Service, you agree to this DPA. If you require a signed copy, contact us at privacy@iozen.ai.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person
- “Processing” means any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.)
- “Controller” means the entity that determines the purposes and means of processing Personal Data (you, the Customer)
- “Processor” means the entity that processes Personal Data on behalf of the Controller (ioZen)
- “Sub-processor” means any third party engaged by the Processor to process Personal Data
- “Data Subject” means the individual to whom Personal Data relates
- “Applicable Data Protection Law” means GDPR, PIPEDA, CCPA, and any other applicable data protection legislation
2. Scope and Roles
2.1 Roles
- Customer is the Controller. You determine why and how Personal Data is processed through the Service.
- ioZen is the Processor. We process Personal Data solely on your instructions to provide the Service.
2.2 Processing Details
| Element | Details |
|---|---|
| Subject matter | Provision of the ioZen platform |
| Duration | For the term of your Agreement with ioZen |
| Nature and purpose | Processing Personal Data to provide FlowApp functionality including data collection, storage, workflow automation, and CRM features |
| Types of Personal Data | As determined by Customer: may include names, email addresses, phone numbers, addresses, form responses, and any other data collected through Customer’s FlowApps |
| Categories of Data Subjects | As determined by Customer: may include Customer’s end users, clients, employees, and prospects |
3. ioZen’s Obligations
We will:
3.1 Process Only on Instructions
Process Personal Data only on your documented instructions, unless required by law. If we are required by law to process Personal Data for another purpose, we will inform you before processing (unless prohibited by law).
3.2 Confidentiality
Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
3.3 Security Measures
Implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and role-based permissions
- Regular security assessments and monitoring
- Private field isolation (sensitive data stored separately)
- Encrypted vault storage for highest-sensitivity data
- Incident detection and response procedures
- Business continuity and disaster recovery measures
3.4 Sub-processor Management
- Maintain a list of current Sub-processors at /legal/subprocessors
- Notify you of any new Sub-processors at least 30 days before they begin processing
- You may object to a new Sub-processor within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected Service
- Ensure all Sub-processors are bound by data protection obligations no less protective than this DPA
3.5 Data Subject Requests
Assist you in responding to Data Subject requests (access, correction, deletion, portability, etc.) by:
- Providing tools within the Service for you to access and manage data
- Promptly notifying you if we receive a request directly from a Data Subject
- Providing reasonable assistance for requests we cannot fulfill through self-service tools
3.6 Data Protection Impact Assessments
Provide reasonable assistance for data protection impact assessments and prior consultations with supervisory authorities, as required under Applicable Data Protection Law.
3.7 Breach Notification
Notify you of any Personal Data breach without undue delay and within 48 hours of becoming aware of it. The notification will include:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Likely consequences
- Measures taken or proposed to address the breach
3.8 Data Deletion
Upon termination of the Agreement:
- Provide you with a 30-day window to export your data
- Delete all Personal Data within 30 days after the export window, unless retention is required by law
- Provide written confirmation of deletion upon request
3.9 Audit Rights
Upon reasonable request (no more than once per year), and with at least 30 days’ written notice:
- Provide information necessary to demonstrate compliance with this DPA
- Allow audits by you or an independent third-party auditor (bound by confidentiality), at your cost
- We may propose an alternative audit mechanism (such as providing a SOC 2 report) that reasonably addresses your audit requirements
4. Customer’s Obligations
You will:
- Ensure you have a lawful basis for processing Personal Data through the Service
- Provide appropriate privacy notices to your Data Subjects
- Comply with Applicable Data Protection Law in your use of the Service
- Not instruct us to process Personal Data in violation of any law
5. International Transfers
Where Personal Data is transferred outside the EEA/UK:
- We rely on adequacy decisions (Canada) and Standard Contractual Clauses (SCCs) for transfers to other countries
- The EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference
- We implement supplementary measures as needed to ensure adequate protection
6. Liability
Each party’s liability under this DPA is subject to the limitations of liability in the Agreement (Terms of Service).
7. Term
This DPA takes effect when you start using the Service and remains in effect for as long as we process Personal Data on your behalf. Obligations related to confidentiality, data deletion, and security survive termination.
8. Contact
For questions about this DPA or to request a signed copy:
- Email: privacy@iozen.ai
- Address: ioZen, Vancouver, BC, Canada