Data Processing Agreement
Last updated: 18 May 2026
This Data Processing Agreement ("DPA") governs the processing of personal data carried out by Zentria on your behalf as part of providing the Service. It implements Article 28 of the GDPR and forms an integral part of our Terms of Service.
1. Parties
- Processor: Happy Cloud Studio Sp. z o.o., Ul. Grzybowska 87, 00-844 Warszawa, Poland, NIP 5272786566 ("we", "us", or "Zentria").
- Controller: the customer that has agreed to the Zentria Terms of Service ("you" or "Controller").
2. Definitions
Capitalized terms have the meanings given in the GDPR (Regulation (EU) 2016/679). "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Personal Data Breach" are used as defined there. "Service" has the meaning given in the Terms of Service.
3. Subject matter and duration
This DPA covers the Processing of Personal Data that Zentria carries out on your behalf solely to provide the Service. The Processing continues for as long as you have an active workspace, and ends on the closure of your workspace, subject to the deletion and return obligations in section 12.
4. Nature, purpose, and types of data
Details are set out in Annex 1 (Description of Processing).
5. Your instructions
We process Personal Data only on your documented instructions. Your use of the Service in its standard configuration constitutes a documented instruction. The Terms of Service, this DPA, and any features you activate within the Service together describe the scope of those instructions. You may issue additional instructions in writing; we will tell you if we believe an instruction infringes applicable data protection law before acting on it.
6. Confidentiality
We ensure that personnel authorized to process Personal Data are subject to written confidentiality obligations or appropriate statutory duties of confidentiality, and that access is limited to staff who need it to perform their role.
7. Security of processing
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the data we process. A description of current measures is set out in Annex 3 (Technical and Organizational Measures).
8. Sub-processors
You give a general authorization for us to engage Sub-processors to provide the Service. Each Sub-processor is bound by a written agreement that imposes data protection obligations no less protective than those in this DPA.
The current list of Sub-processors is set out in Annex 2. We will give you at least 30 days' notice before adding or replacing a Sub-processor, either by email to the Owner of the workspace or through a notice in the Service. If you object to the change on reasonable data protection grounds, you may terminate your subscription with respect to the affected Service before the new Sub-processor begins processing. Termination for this reason during a paid plan entitles you to a prorated refund of any prepaid fees.
We remain liable for the acts and omissions of our Sub-processors to the same extent as we are liable under this DPA.
9. International transfers
Personal Data is primarily processed within the European Economic Area. Where Personal Data is transferred to a country outside the EEA that has not been recognised by the European Commission as providing an adequate level of protection, the transfer is governed by the European Commission's Standard Contractual Clauses (Module 3 for Processor-to-Processor transfers, Module 2 for Controller-to-Processor transfers as relevant), with supplementary technical and organizational measures where appropriate. You authorize us to enter into Standard Contractual Clauses with Sub-processors on your behalf for this purpose.
10. Assistance with data subject rights
The Service includes features that allow you, as Controller, to fulfil Data Subject requests directly (access, rectification, erasure, restriction, and data export from your workspace settings). Where we receive a request from a Data Subject relating to your workspace, we will, without undue delay:
- Forward the request to you.
- Not respond to the request ourselves except to confirm receipt and direct the Data Subject to you.
We will assist you, at your cost where the assistance is substantial, in responding to such requests through appropriate technical and organizational measures.
11. Personal data breaches
We will notify you without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting your Personal Data. The notification will include, to the extent known:
- The nature of the breach, including categories and approximate numbers of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- The name and contact details of the person to contact for more information.
You remain responsible for notifying the competent supervisory authority and, where required, the affected Data Subjects under Articles 33 and 34 GDPR.
12. Deletion and return of data
On termination or expiry of your subscription, and at your choice:
- You may export your workspace contents in a machine-readable format from the Service before termination.
- After workspace deletion, Customer Data is soft-deleted immediately and hard-purged within 30 days, except where retention is required by law (for example, invoices required by Polish tax law).
- Backups containing deleted data are rotated and overwritten within 30 days.
We will confirm completion of deletion in writing on your written request.
13. Audits and inspections
We will make available all information reasonably necessary to demonstrate compliance with Article 28 GDPR, including by providing summaries of relevant third-party audit reports from our Sub-processors (such as SOC 2 reports). You may, on reasonable prior written notice and no more than once per twelve-month period, carry out an audit limited to verifying our compliance with this DPA. Audits are conducted at your cost, during normal business hours, in a manner that does not unreasonably disrupt our operations, and subject to confidentiality obligations.
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this section limits a Data Subject's right to bring claims against either party under Article 82 GDPR.
15. Conflict
If any provision of the Terms of Service conflicts with this DPA in relation to the Processing of Personal Data, this DPA prevails.
16. Governing law
This DPA is governed by the laws of Poland, without prejudice to the protections afforded to Data Subjects under their local law.
17. Contact
Happy Cloud Studio Sp. z o.o., Ul. Grzybowska 87, 00-844 Warszawa, Poland
Privacy contact: Franco Toccu
Email: zentriacrm@happycloudstudio.com
Annex 1: Description of Processing
Subject matter
Provision of the Zentria CRM Service, including hosting, storage, and presentation of Customer Data on behalf of the Controller.
Duration
The duration of the Controller's subscription to the Service, plus any post-termination retention period as described in section 12.
Nature and purpose
Storing, organizing, retrieving, displaying, and exporting Customer Data so that the Controller and its authorized users can manage their commercial pipeline.
Categories of Data Subjects
- The Controller's authorized users (Owner, Sales Reps).
- The Controller's customers, prospects, and business contacts, as entered into the Service.
Types of Personal Data
- Identification and contact data: names, email addresses, phone numbers, company names, job titles.
- Commercial data: deal value, currency, pipeline stage, lead source, notes, tasks, attachments uploaded to the Service.
- Authentication data for authorized users: hashed passwords, session tokens.
- Any additional Personal Data the Controller chooses to enter into free-text fields.
The Controller agrees not to enter special categories of Personal Data (as defined in Article 9 GDPR) or data on criminal convictions (Article 10 GDPR) into the Service.
Annex 2: Sub-processors
Current list as of the "Last updated" date above. The most recent version is always published at zentriacrm.com/dpa.
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Managed Postgres database, authentication, object storage | Frankfurt, Germany (EU). Corporate entity in the United States. |
| Cloudflare, Inc. | Web hosting, CDN, application edge runtime, DDoS protection | Global edge network. United States corporate entity. |
| Formspree, Inc. | Delivery of messages sent through our website contact form | United States |
Planned additions, which will be added to this Annex with at least 30 days' notice before they begin processing Personal Data:
- Brevo (Sendinblue SAS): transactional email delivery, France (EU).
- Revolut Bank UAB: payment processing for paid subscriptions, Lithuania (EU).
Annex 3: Technical and Organizational Measures
Access control
- Role-based access inside the application (Owner, Sales Rep, Superuser).
- Row-level security policies at the database layer to enforce workspace isolation.
- Principle of least privilege for staff access to production systems.
- Multi-factor authentication available on user accounts.
Encryption
- TLS 1.2 or above for all data in transit.
- Encryption at rest for the database and object storage at the infrastructure layer.
- Passwords stored as salted hashes; no plaintext passwords on disk.
Integrity and availability
- Regular automated backups of the production database, retained for up to 30 days.
- Periodic restore tests.
- DDoS protection and Web Application Firewall at the edge.
- Application logs reviewed for anomalies.
Confidentiality and personnel
- Written confidentiality obligations on all staff with access to production data.
- Security awareness expectations communicated to staff.
Incident response
- Documented Personal Data Breach response procedure with a 72-hour controller-notification target.
- Defined responsibilities and an internal escalation path.
Continuous review
These measures are reviewed periodically and updated to reflect changes in technology, threats, and our processing activities.