Z
Zeerus

Data Processing Addendum

Last updated: [DRAFT — insert date of legal review]

This is a working draft prepared to reflect how Zeerus actually processes data today. It has not been reviewed by a lawyer and should not be relied on for real customers until it is. Bracketed items need a decision from you (or your lawyer) before this goes live.

1. Purpose of this addendum

This Data Processing Addendum ("DPA") supplements the Zeerus Terms of Service and applies whenever your agency ("Controller", "you") uses Zeerus to store or process personal information about your own clients. In that relationship, your agency is the controller of your clients' personal information, and [legal entity name]("Zeerus", "Processor") processes it solely on your behalf and your documented instructions. Where these terms conflict with the Terms of Service on this specific point, this DPA governs.

2. Subject matter, duration, and nature of processing

Zeerus processes personal information for the duration of your subscription, for the sole purpose of providing the Service — storing, displaying, and helping you act on your book of business (client records, policy records, reminders, and related workflow). Processing ends when your account is closed and data is deleted per Section 8.

3. Categories of data subjects and personal data

Data subjects: the clients and prospective clients of your agency.

Categories of personal data processed:

  • Contact information — name, email, phone, mailing address;
  • Dates — birthday, anniversary;
  • Insurance policy information — carrier, policy number, type, premium, renewal/review dates;
  • Commission information tied to a client's policies;
  • Notes and activity history your agency records about the client;
  • CASL consent status for automated email communication.

Zeerus does not intentionally process special categories of personal information (health data, etc.) beyond what your agency chooses to enter in free-text notes. [If your product touches health/medical underwriting data, this needs specific attention — flag it for legal review rather than relying on this generic line.]

4. Processor obligations

Zeerus agrees to:

  • Process personal information only on your documented instructions (as reflected in how the Service operates), unless required otherwise by law;
  • Ensure personnel with access to personal information are subject to confidentiality obligations;
  • Implement appropriate technical and organizational security measures, including tenant-isolated database access controls (row-level security), encryption in transit, and hashed credential storage;
  • Assist you in responding to data subject access, correction, and deletion requests concerning your clients, to the extent the Service's existing tools don't already let you handle these directly;
  • Notify you without undue delay after becoming aware of a personal data breach affecting your clients' information;
  • Make available the information reasonably necessary to demonstrate compliance with this DPA.

5. Sub-processors

You authorize Zeerus to engage the following sub-processors to provide the Service:

  • Supabase — database, authentication, file storage (primary data store, hosted in the ca-central-1 / Canada region);
  • Vercel — application hosting;
  • Stripe — subscription billing (processes your agency's payment details, not your clients' personal information);
  • Resend — delivery of transactional and reminder emails to your clients;
  • Sentry — error monitoring, hosted in the EU. Sentry may incidentally capture your clients' personal information if it appears in application error reports (for example, in a stack trace or request payload at the moment of a crash).

[Confirm and state each sub-processor's actual data-processing location — Stripe and Resend in particular may process data outside Canada as part of their global infrastructure, and Sentry is EU-hosted. A DPA needs to be accurate here, not aspirational.]Zeerus will notify you before adding a new sub-processor that will process your clients' personal information, giving you the opportunity to object.

6. International data transfers

Zeerus's primary database is hosted in Canada. Where a sub-processor listed in Section 5 processes data outside Canada — including Sentry, which is hosted in the EU — Zeerus relies on that sub-processor's own compliance safeguards. [If any customer requires data to never leave Canada under any circumstances, that needs to be evaluated against what Stripe/Resend/Sentry actually do — don't promise this without verifying it.]

7. Audit rights

On reasonable request, no more than once per 12-month period, Zeerus will provide you with information reasonably necessary to demonstrate compliance with this DPA. [Decide whether you're prepared to offer on-site/third-party audits, or only documentation review — audits are expensive to support and most SaaS DPAs limit this.]

8. Return and deletion of data

On termination of your subscription, Zeerus retains your data for [e.g. 30 days] to allow export, then deletes it, except where retention is required by law (for example, billing records) or preserved in the account's audit log as described in the Privacy Policy.

9. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service. [Data-breach liability is often carved out or capped differently from general SaaS liability — get specific legal advice here rather than defaulting to the general cap.]

10. Term and governing law

This DPA remains in effect for as long as Zeerus processes personal information on your behalf, and is governed by the same law as the Terms of Service.

11. Contact

Questions about this DPA can be sent to [privacy/legal contact email].