This document is a draft pending attorney review. It is not yet the live published policy.
ZexRail Data Processing Addendum (DPA)
Last Updated: March 21, 2026
This DPA applies to Organization accounts only. Personal account data handling is covered by the Privacy Policy.
This Data Processing Addendum ("DPA") applies when ZexRail processes personal data on behalf of an Organization account holder as a processor under GDPR Article 28.
1. Definitions
"Controller" — the Organization, determining purposes of processing.
"Processor" — ZexRail LLC, processing on the Organization's behalf.
"Personal Data" and "Processing" — as defined in GDPR Article 4.
2. Processing Details
| Field | Detail |
|---|---|
| Subject matter | Agent settlement infrastructure |
| Duration | Duration of Terms of Service |
| Nature | Storage, retrieval, transmission of settlement data |
| Purpose | Providing the ZexRail Platform |
| Personal data types | Account credentials, agent configs, API logs |
| Data subjects | Organization's users who access the Platform |
3. ZexRail's Obligations as Processor
ZexRail will:
- Process personal data only on your documented instructions
- Ensure authorized persons are bound by confidentiality
- Implement appropriate security measures (see Privacy Policy Section 11)
- Assist you in responding to data subject rights requests
- Assist with GDPR Articles 32-36 obligations
- Delete or return personal data on termination
- Provide information to demonstrate GDPR Article 28 compliance
- Notify you without undue delay of any personal data breach
4. Sub-Processors
ZexRail uses these sub-processors (30 days notice of changes):
| Sub-Processor | Location | Purpose | Safeguard |
|---|---|---|---|
| Supabase | United States | Database | SCCs |
| Railway | United States | Backend compute | SCCs |
| Vercel | United States | Frontend | SCCs |
| Cloudflare | United States | CDN, storage | SCCs |
| Upstash | United States | Caching | SCCs |
| Stripe | United States | Payments | SCCs |
5. International Transfers
Personal data transferred outside the EEA/UK is done under Standard Contractual Clauses (SCCs) as approved by the European Commission.
6. Audit Rights
One audit per year with 30 days written notice, at your expense. ZexRail may provide third-party audit reports in lieu of direct access.
7. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service Section 11.
Draft. Attorney review required before use with enterprise customers.