Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") supplements the Zepai Terms of Service and describes the obligations of Zepai (Altiora SpA) ("the Processor") regarding personal data processing on behalf of the User ("the Controller") in the context of using the Zepai platform. This DPA applies when the User, in their use of the Service, enters or generates personal data of third parties (e.g., customer, employee, or other individual data) that is processed by Zepai.

Definitions

• Personal Data: any information that identifies or allows identification of a natural person.
• Processing: any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).
• Controller: the User who determines the purposes and means of personal data processing.
• Processor: Zepai, which processes personal data on behalf of the Controller.
• Sub-processor: a third party authorized by Zepai to process personal data on its behalf.
• GDPR: General Data Protection Regulation of the European Union (Regulation 2016/679).

Scope of processing

Zepai processes personal data solely for the purpose of providing the Service described in the Terms of Service, in accordance with the Controller's documented instructions. Zepai will not process data for its own purposes, except where legally required.

Types of data processed: identification data (name, email), platform usage data, and content entered by the User in the context of missions and simulations. Data subjects: registered users and third parties whose data is entered by the User in the Service.

Obligations of Zepai as Processor

• Process personal data only according to the Controller's documented instructions.
• Ensure personnel with data access are subject to confidentiality obligations.
• Implement appropriate technical and organizational measures to protect data per GDPR Article 32.
• Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach.
• Assist the Controller in fulfilling obligations regarding data subject rights (access, rectification, deletion, portability).
• Delete or return personal data at the end of Service provision, per the Controller's choice.
• Make available information necessary to demonstrate compliance with this DPA.

Sub-processors

Zepai uses the following sub-processors to provide the Service:

Zepai will notify the Controller at least 15 days in advance of any changes to the sub-processor list, allowing the opportunity to object.

International transfers

When personal data is transferred outside the European Economic Area (EEA) or Chile, Zepai will ensure such transfers are covered by adequate legal mechanisms, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other recognized mechanisms.

Audit rights

The Controller has the right to request reasonable information to verify compliance with this DPA. Zepai will cooperate with such requests, and may require execution of a confidentiality agreement and limit access to sensitive third-party information.

Controller responsibilities

The Controller declares and warrants that: it has a valid legal basis for processing the personal data it enters in the Service; it has informed data subjects about their data processing per applicable regulations; and its instructions to Zepai comply with current data protection legislation.

Governing law

This DPA is governed by the laws of the Republic of Chile and, with respect to EU citizen data, by the GDPR. Any dispute will be submitted to the jurisdiction of Santiago, Chile courts, without prejudice to rights that European regulations may recognize to data subjects.

Term

This DPA enters into force on the same date as the Terms of Service and remains in effect while the User uses the Service. Confidentiality and security obligations survive termination of this agreement.

Contact

For DPA inquiries or data protection rights: contact@zepai.io