Data Processing Addendum
This Data Processing Addendum ("DPA") applies where Zuyzo LLC ("Zuyzo," the "Processor") processes personal data on behalf of a customer (the "Controller") in connection with cloud-hosted Services. It does not apply to fully self-hosted or air-gapped deployments, where Zuyzo processes no Customer data.
01 Scope and roles
Customer is the controller (or a processor acting for its own controllers) of personal data contained in Customer Content and account data; Zuyzo is the processor. Details of processing — subject matter, duration, nature, purpose, data categories, and data subjects — are set out in Annex A.
02 Processor obligations
Zuyzo will:
- process personal data only on Customer's documented instructions, including these Terms, unless required otherwise by law (in which case Zuyzo will notify Customer unless legally prohibited);
- ensure persons authorized to process personal data are bound by confidentiality;
- implement the technical and organizational measures in Annex B;
- assist Customer, taking into account the nature of processing, with data subject requests and with Customer's obligations regarding security, breach notification, and data protection impact assessments;
- notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data;
- at Customer's choice, delete or return personal data at the end of the Services, and delete remaining copies unless retention is required by law;
- make available information reasonably necessary to demonstrate compliance and allow audits as described in Section 5.
03 Subprocessors
Customer authorizes the subprocessors listed in Annex C. Zuyzo will provide at least 30 days' notice of any new subprocessor (via the subprocessor page or email); Customer may object on reasonable data-protection grounds, and if the objection cannot be resolved, Customer may terminate the affected Services with a pro-rata refund. Zuyzo remains responsible for its subprocessors' performance.
04 International transfers
Where personal data subject to GDPR or UK GDPR is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 or 3, as applicable) and the UK Addendum, with Zuyzo as data importer. Annexes A–C serve as the SCC appendices.
05 Audits
No more than once annually (or following a breach), Customer may audit Zuyzo's compliance with this DPA via written questionnaire, review of Zuyzo's then-current security documentation and third-party reports, or — where those are insufficient — a remote or on-site audit on 30 days' notice, at Customer's expense, subject to confidentiality.
06 Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service or applicable Order.
Annex A — Details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the PLCcode application and Fableloom model services |
| Duration | Term of the agreement plus deletion period |
| Nature & purpose | Hosting, processing of code and prompts to generate output, account management, support |
| Data categories | Account identifiers (name, business email, company); usage logs (IP, timestamps); any personal data incidentally contained in Customer Content |
| Data subjects | Customer's authorized users; individuals referenced in Customer Content |
| Special categories | None intended; Customer agrees not to submit special-category data |
Annex B — Technical & organizational measures
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access control with SSO/OIDC and least-privilege administration
- Logical tenant separation; audit logging of administrative access
- Vulnerability management and patching processes
- Backup and recovery procedures; documented incident response plan
- Personnel confidentiality obligations and security training
- Vendor (subprocessor) security review
Annex C — Subprocessor list
| Subprocessor | Purpose | Location |
|---|---|---|
| [Cloud / colocation provider] | Hosting of cloud-tier Services | United States |
| [Stripe, Inc.] | Payment processing | United States |
| [Email provider] | Transactional and support email | United States |
| [Analytics provider] | Aggregate product analytics | United States |
Note: self-hosted and air-gapped deployments use no subprocessors — Customer data never reaches Zuyzo or any third party. [Fill in actual vendors before publishing.]
07 Contact
Zuyzo LLC · Bethlehem, Pennsylvania, USA · info@plccode.ai