Last updated: [DRAFT — insert date of legal review]
This is a working draft prepared to reflect how Zeerus actually processes data today. It has not been reviewed by a lawyer and should not be relied on for real customers until it is. Bracketed items need a decision from you (or your lawyer) before this goes live.
This Data Processing Addendum ("DPA") supplements the Zeerus Terms of Service and applies whenever your agency ("Controller", "you") uses Zeerus to store or process personal information about your own clients. In that relationship, your agency is the controller of your clients' personal information, and [legal entity name]("Zeerus", "Processor") processes it solely on your behalf and your documented instructions. Where these terms conflict with the Terms of Service on this specific point, this DPA governs.
Zeerus processes personal information for the duration of your subscription, for the sole purpose of providing the Service — storing, displaying, and helping you act on your book of business (client records, policy records, reminders, and related workflow). Processing ends when your account is closed and data is deleted per Section 8.
Data subjects: the clients and prospective clients of your agency.
Categories of personal data processed:
Zeerus does not intentionally process special categories of personal information (health data, etc.) beyond what your agency chooses to enter in free-text notes. [If your product touches health/medical underwriting data, this needs specific attention — flag it for legal review rather than relying on this generic line.]
Zeerus agrees to:
You authorize Zeerus to engage the following sub-processors to provide the Service:
[Confirm and state each sub-processor's actual data-processing location — Stripe and Resend in particular may process data outside Canada as part of their global infrastructure, and Sentry is EU-hosted. A DPA needs to be accurate here, not aspirational.]Zeerus will notify you before adding a new sub-processor that will process your clients' personal information, giving you the opportunity to object.
Zeerus's primary database is hosted in Canada. Where a sub-processor listed in Section 5 processes data outside Canada — including Sentry, which is hosted in the EU — Zeerus relies on that sub-processor's own compliance safeguards. [If any customer requires data to never leave Canada under any circumstances, that needs to be evaluated against what Stripe/Resend/Sentry actually do — don't promise this without verifying it.]
On reasonable request, no more than once per 12-month period, Zeerus will provide you with information reasonably necessary to demonstrate compliance with this DPA. [Decide whether you're prepared to offer on-site/third-party audits, or only documentation review — audits are expensive to support and most SaaS DPAs limit this.]
On termination of your subscription, Zeerus retains your data for [e.g. 30 days] to allow export, then deletes it, except where retention is required by law (for example, billing records) or preserved in the account's audit log as described in the Privacy Policy.
Liability under this DPA is subject to the limitations set out in the Terms of Service. [Data-breach liability is often carved out or capped differently from general SaaS liability — get specific legal advice here rather than defaulting to the general cap.]
This DPA remains in effect for as long as Zeerus processes personal information on your behalf, and is governed by the same law as the Terms of Service.
Questions about this DPA can be sent to [privacy/legal contact email].