Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cristin Griu trading as ZentraSnap ("Processor", "we", "us", or "our") and the user of the ZentraSnap application ("Controller", "you", or "your").
This DPA sets out the terms that apply when Personal Data is processed by ZentraSnap on your behalf, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Acts 1988-2018.
1. Definitions
"Client Data" means any Personal Data contained within financial documents (such as bank statements, invoices, and receipts) or images that the Controller loads into the ZentraSnap application.
"Cloud AI Processing Architecture" refers to the mechanism by which the ZentraSnap application executes document data extraction: utilizing secure API transmission to authorized Sub-processors for all document types, with strict minimal retention policies applied solely for security and abuse monitoring.
The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in the GDPR.
2. Roles of the Parties
2.1. For the purposes of processing Client Data via the application, you are the Data Controller and ZentraSnap is the Data Processor.
2.2. The Privacy Policy governing how ZentraSnap handles your own account and billing information (where ZentraSnap acts as a Controller) is separate from this DPA.
3. Nature and Scope of Processing (Minimal Retention)
3.1. Cloud AI Execution: The parties acknowledge that ZentraSnap utilizes a Cloud AI Processing Architecture. All financial documents (Bank Statements, Invoices, and Receipts) are securely transmitted to a certified Sub-processor (Google) via encrypted API for data extraction.
3.2. Security Logging & Minimal Retention: The Processor does not store Client Data on its own proprietary databases. However, to ensure platform security and prevent abuse, logs of AI inputs are temporarily retained directly by our Sub-processor (Google AI Studio). These logs are strictly access-controlled and automatically deleted in accordance with the Sub-processor's retention policies.
3.3. No AI Training: The Processor ensures that Client Data is never used by the Processor or its Sub-processors to train, fine-tune, or develop centralized artificial intelligence or machine learning models.
3.4. Instructions: The Processor shall process Client Data only on the documented instructions of the Controller. The Controller’s use of the application to execute API-based data extraction constitutes its complete and final instructions.
4. Obligations of the Controller
4.1. The Controller warrants that it has all necessary rights, consents, and lawful bases under the GDPR to process the Client Data using the ZentraSnap application.
4.2. The Controller is solely responsible for ensuring the physical, technical, and network security of the device, browser, and environment used to access the application and transmit documents.
5. Obligations of the Processor
The Processor shall ensure that any personnel authorized to maintain the ZentraSnap software application have committed themselves to confidentiality. The Processor's personnel do not have routine access to Client Data.
The Processor shall implement appropriate technical and organizational measures to ensure the ZentraSnap web application and its API connections are served securely (e.g., via HTTPS/TLS encryption in transit and at rest).
Upon termination of this agreement, the Processor holds no persistent Client Data in its own databases to return or delete. Any Client Data temporarily retained in security logs by our Sub-processor (Google AI Studio) is automatically purged at the end of its strict retention cycle. Therefore, the obligation to delete data is fulfilled automatically by the architecture of the service.
6. Sub-processing
6.1. Use of Sub-processors: The Processor uses Sub-processors to facilitate specific features of the application. The Processor ensures that all Sub-processors are bound by contractual obligations that mirror the strict security and minimal-retention standards outlined in this DPA.
For AI-based document extraction of all financial documents (Bank Statements, Invoices, Receipts) and secure retention of input logs via Google AI Studio for abuse monitoring.
For API rate-limiting and security to protect infrastructure integrity.
6.3. Application Delivery: The Controller acknowledges that the Processor also uses third-party infrastructure providers (such as Vercel and Clerk) solely to deliver the software application to the Controller's browser and manage the Controller's account credentials, not to process Client Data.
6.4. Changes to Sub-processors: The Processor shall notify the Controller (e.g., via email or in-app notification) of any intended changes concerning the addition or replacement of Sub-processors at least 15 days before the new Sub-processor processes any Client Data, giving the Controller the opportunity to object to such changes.
6.5. International Transfers: If the Processor or its Sub-processors transfer Client Data outside the European Economic Area (EEA), the Processor shall ensure such transfers are governed by a valid legal mechanism under the GDPR, such as the EU-U.S. Data Privacy Framework or the European Commission’s Standard Contractual Clauses (SCCs).
7. Data Subject Rights
7.1. The Controller shall be solely responsible for responding to any requests from Data Subjects (e.g., clients asking for a copy of their data or requesting deletion).
7.2. Because Client Data is only retained temporarily in Sub-processor security logs (which are not indexed for individual data retrieval), the Processor has no technical ability to search for, retrieve, or manually delete specific Client Data. The Processor’s obligation to assist the Controller with Data Subject requests is fulfilled by providing this statement of architectural limitation and confirming the automatic deletion of logs.
8. Personal Data Breaches
8.1. If the Processor becomes aware of a security breach affecting the ZentraSnap application delivery infrastructure or APIs that could potentially compromise the integrity of the processing environment, the Processor shall notify the Controller without undue delay.
8.2. The Controller is responsible for managing and reporting any Personal Data Breaches that occur as a result of a compromise of the Controller’s own device, network, or localized browser environment.
9. Audits and Compliance
9.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
9.2. Given that the Processor does not host or store Client Data in its own databases, any audit rights exercised by the Controller shall be reasonably limited to verifying the Minimal Retention Architecture of the ZentraSnap software (e.g., reviewing technical documentation or architectural declarations provided by the Processor).
10. Liability
The Processor’s liability arising out of or related to this DPA is subject to the "Limitation of Liability" provisions set forth in the ZentraSnap Terms of Service.
ANNEX 1: DETAILS OF PROCESSING
A. Nature and Purpose of Processing
The Processor provides a web-based software application that allows the Controller to extract text and financial transaction data from PDF documents and images, and convert them into spreadsheet formats (e.g., Excel). The processing is fully automated and is completed via secure transmission to third-party AI APIs for all document types (Bank Statements, Invoices, and Receipts).
B. Duration of the Processing
Processing for data extraction lasts only for the duration of the task. However, input logs containing Client Data are retained temporarily by our Sub-processor (Google AI Studio) strictly for security and abuse monitoring purposes. These logs are automatically and permanently deleted in accordance with Google's standard data retention policies.
C. Categories of Data Subjects
The personal data transferred concerns the clients, customers, employees, or associates of the Controller whose financial data is contained within the uploaded bank statements, invoices, or images.
D. Types of Personal Data
Financial data contained in bank statements, invoices, receipts, or transaction logs, which may include:
- Names of individuals or businesses
- Supplier names and contacts
- Account numbers, IBANs, or sort codes
- Tax ID / VAT numbers
- Physical addresses, email addresses, and phone numbers
- Transaction dates, descriptions, and monetary amounts
- Account balances