Data Processing Agreement (DPA)
For: ZyCloud Educator-tier institutional customers. Operator: Zyqual Ltd, a company incorporated in Jamaica. Effective: on signature by both parties.
This is the template DPA we offer to schools and institutions. Individual teacher accounts (Free / Starter / Plus / Pro) are governed by the standard TERMS_OF_SERVICE.md and PRIVACY_POLICY.md, which together provide equivalent processor terms.
For the underlying privacy posture, see docs/07-PRIVACY_AND_DPA.md. For subprocessors, see SUBPROCESSORS.md.
1. Parties
- Controller: the institution signing this agreement (the "Customer").
- Processor: Zyqual Ltd ("Zyqual"), of [registered address — <!-- TODO: confirm with Leon -->].
The Customer determines the purposes and means of processing personal data through ZyCloud. Zyqual processes that data on the Customer's instructions.
2. Subject matter and duration
The subject matter is the personal data processed by ZyCloud as part of providing the cloud-storage service to the Customer. The processing continues for the duration of the Customer's subscription, plus the 30-day grace period for account deletion.
3. Categories of personal data
- Identity: name, email, display name, role.
- Authentication: password hashes, tokens.
- Account state: plan, quota, subscription status.
- Content: files uploaded by the Customer's users.
- File metadata: name, size, mime type, sha256.
- Usage telemetry: IP, user-agent, action timestamps.
- AI embeddings (if Pro tier features are used): vectors derived from content.
4. Categories of data subjects
- Customer's authorised users (teachers, administrators).
- Recipients of shared content.
5. Nature and purpose of processing
- Storage and retrieval of Customer files.
- Sharing with recipients the Customer authorises.
- Search across the Customer's content.
- Audit logging for security and dispute resolution.
- Backup, disaster recovery, abuse defence.
- AI semantic search (Pro+) where the Customer has enabled it.
Zyqual does not process personal data for any purpose other than those listed, and does not combine Customer data with data from other customers.
6. Zyqual's obligations
Zyqual will:
- Process personal data only on documented instructions from the Customer (these terms + the Customer's product configuration).
- Ensure that personnel authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see docs/06-SECURITY.md).
- Engage subprocessors only as listed in SUBPROCESSORS.md, with prior notice of changes (§9).
- Assist the Customer in responding to data subject rights requests.
- Notify the Customer of any personal data breach without undue delay and within 72 hours.
- Delete or return personal data at the end of the engagement.
- Make available all information necessary to demonstrate compliance and contribute to audits (within reason — one audit per year, with 30 days' notice).
7. Customer's obligations
The Customer will:
- Provide instructions to Zyqual that are lawful and consistent with this agreement.
- Configure the product (sharing, retention, member access) to reflect its own data-protection obligations to its data subjects.
- Notify its own data subjects of the processing carried out by Zyqual where required by law.
- Pay subscription fees promptly.
8. Security
Zyqual will implement and maintain the technical and organisational measures described in docs/06-SECURITY.md, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3 only).
- Argon2id password hashing.
- Role-based access control with audit logging of administrative actions.
- ClamAV malware scanning on every upload.
- Quarterly key rotation; immediate rotation on suspected compromise.
- Backup and disaster recovery testing quarterly.
9. Subprocessors
Zyqual may engage subprocessors. The current list is published at SUBPROCESSORS.md. Zyqual will:
- Notify the Customer at least 30 days before adding or replacing a subprocessor.
- Impose data-protection obligations on each subprocessor that are at least as strict as those in this agreement.
- Remain liable to the Customer for the acts and omissions of its subprocessors.
The Customer may object to a new subprocessor within the 30-day notice window. If the parties cannot agree, the Customer may terminate the affected service with a prorated refund.
10. International transfers
Personal data may be transferred to subprocessors outside Jamaica as listed in SUBPROCESSORS.md. Each transfer is governed by the subprocessor's standard contractual clauses or equivalent safeguards.
11. Data subject rights
Zyqual will assist the Customer in responding to data subject rights requests within the SLAs of the underlying law (typically 30 days under the Jamaica DPA). Self-service flows in the product handle most requests; complex requests are handled within 5 business days of the Customer escalating to privacy@zyqual.com.
12. Personal data breaches
Zyqual will notify the Customer of any personal data breach affecting the Customer's data within 72 hours of becoming aware. The notification will include:
- The nature of the breach, categories and approximate number of data subjects and records affected.
- The likely consequences.
- The measures taken or proposed to address the breach.
- A contact point for further information.
The detailed runbook is at docs/06-SECURITY.md §Incident response.
13. Audits
The Customer may audit Zyqual's compliance with this DPA once per calendar year, with 30 days' written notice and during business hours. Audits will be limited to information necessary to demonstrate compliance, will respect the confidentiality of other customers' data, and will be at the Customer's cost unless they identify a material breach.
In place of an audit, Zyqual may provide a SOC 2 Type II report (V3 onward) or equivalent attestation.
14. End of engagement
On termination, the Customer can:
- Export all data using the in-product export tool.
- Request deletion via privacy@zyqual.com.
Within 30 days of termination, Zyqual will hard-delete all personal data, with provider-side verification, except where retention is required by law (audit logs per docs/06-SECURITY.md §3).
15. Liability
Liability for breaches of this DPA is governed by the Customer's main subscription agreement (see TERMS_OF_SERVICE.md §10).
16. Order of precedence
If there is a conflict between this DPA and other agreements between the parties, this DPA prevails on data-protection matters.
17. Signatures
For Zyqual Ltd:
Name: ________________________________ Title: ________________________________ Date: ________________________________ Signature: ____________________________
For the Customer:
Name: ________________________________ Title: ________________________________ Date: ________________________________ Signature: ____________________________
Template owner: Leon Pennicooke Last updated: 2026-05-08
<!-- TODO: confirm with Leon — registered company address; whether to require both wet signature and DocuSign, or DocuSign only. -->