Data Processing Agreement
Last updated: April 23, 2026 · Version v1.0
About this document. This Data Processing Agreement (“DPA”) governs the processing of Personal Data by Zentrosoft LLC (“Processor”) on behalf of the Customer (“Controller”) in connection with CeliaConnect. It is incorporated by reference into the Terms of Service and any order form between the parties. Signing is required before Customer can be invoiced on a paid plan.
1. Parties
This DPA is between:
- Zentrosoft LLC, a New York limited liability company, acting as Data Processor; and
- Customer, the institution identified on the order form, acting as Data Controller.
2. Definitions
Terms used but not defined have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). For convenience:
- Personal Data means information that identifies or relates to an identifiable natural person and that Customer makes available to Zentrosoft through the service.
- Data Controller means the entity that determines the purposes and means of processing Personal Data.
- Data Processor means the entity that processes Personal Data on behalf of the Controller.
- Sub-processor means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Subject means the individual to whom Personal Data relates.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Subject matter and duration
Subject matter. Zentrosoft processes Personal Data to provide CeliaConnect to Customer as described in the Terms of Service and the order form.
Duration. This DPA applies for the term of the subscription and survives termination to the extent Zentrosoft continues to hold Personal Data under the deletion-grace or compliance-archive provisions.
4. Nature and purpose of processing
Zentrosoft processes Personal Data for the purpose of providing, securing, operating, monitoring, billing, and supporting CeliaConnect; for analytical outputs requested by Customer through the service; and for complying with legal obligations. Processing operations include: collection from Customer inputs and (where configured) from Customer’s Slate instance, storage in per-tenant databases, structuring into analytical signals, transmission to approved Sub-processors, and deletion in accordance with Section 10.
5. Types of Personal Data
Zentrosoft processes the following limited categories of Personal Data on behalf of Customer:
- Institutional staff contact information (names, work email addresses, job titles, roles) for users of the CeliaConnect application.
- Billing contact information for the Customer’s authorized signatory.
- Application usage data (pages visited, features used, timing, errors) attributable to named staff users for support and billing.
Explicitly not processed. By architectural design, Zentrosoft does not receive student Personal Data from Customer’s Slate instance. This includes names, email addresses, phone numbers, physical addresses, SSNs, dates of birth, health or disability information, financial account numbers, essay content, recommendation letters, photos, and biometric data. Signals drawn from the Slate instance are anonymous IDs and behavioral codes mapped through Customer’s data dictionary before reaching Zentrosoft’s systems.
6. Categories of Data Subjects
- Customer’s institutional staff who use CeliaConnect.
- Customer’s billing and administrative contacts.
Students, applicants, and other individuals represented in Customer’s Slate instance are not Data Subjects in the processing Zentrosoft performs, because their Personal Data is not transferred to Zentrosoft.
7. Processor obligations
Zentrosoft will:
- Instructions. Process Personal Data only on documented instructions from Customer, including as set out in this DPA, the Terms, and Customer’s in-product configuration. Zentrosoft will notify Customer if an instruction, in Zentrosoft’s reasonable opinion, infringes GDPR or other applicable law.
- Confidentiality. Ensure that personnel authorized to access Personal Data are bound by appropriate confidentiality obligations.
- Security. Implement the technical and organizational measures described in Section 8.
- Sub-processors. Engage Sub-processors only under Section 9.
- Data-subject requests. Assist Customer, by appropriate technical and organizational measures, in fulfilling obligations to respond to Data-Subject requests. Because Customer controls the application, most requests are fulfilled directly by Customer through the product.
- Assistance with DPIAs and consultations. Provide Customer with reasonable assistance for Data Protection Impact Assessments and prior consultations under GDPR Articles 35–36, limited to information available to Zentrosoft.
- Breach notification. Notify Customer without undue delay and in any event within twenty-four (24) hours of confirming a Personal Data Breach, describe what is known, and cooperate in mitigation and regulator notification.
- Audit rights. Make available to Customer the information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g., SOC 2 when available) for infrastructure providers. Enterprise customers may request a customer-led audit on reasonable notice, no more than once per twelve (12) months, at Customer’s cost, subject to confidentiality.
- Deletion. Delete or return Personal Data at the end of the service as described in Section 10.
8. Technical and organizational measures
Zentrosoft maintains the following measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Per-tenant database isolation, enforced by Organization ID scoping on every query, cache lookup, and AI call.
- Envelope encryption of Slate service credentials with per-tenant Data Encryption Keys.
- Hash-chained audit log capturing every write to Slate and every privileged operation, exportable on demand.
- Runtime PII guardrails that fail closed before any outbound AI call, preventing transmission of PII-shaped values to the AI sub-processor.
- Least-privilege access for Zentrosoft personnel with multi-factor authentication and quarterly access reviews.
- Documented incident-response plan with 24-hour notification SLA.
- Code review, dependency scanning, and secret scanning in the development pipeline.
- Infrastructure hosted on Cloudflare’s global network, which maintains ISO 27001, ISO 27018, SOC 2 Type II, and PCI DSS certifications.
9. Sub-processors
Customer authorizes Zentrosoft to engage the Sub-processors listed at /legal/subprocessors/. Current Sub-processors:
- Cloudflare, Inc. (United States) — cloud infrastructure.
- Anthropic, PBC (United States) — AI reasoning (anonymized inputs only).
- Stripe, Inc. (United States) — payment processing.
- Mailgun Technologies (Pathwire) (United States) — transactional email.
Zentrosoft will (a) enter into a written agreement with each Sub-processor containing data-protection obligations substantially equivalent to those in this DPA, (b) remain liable to Customer for Sub-processor performance, and (c) give Customer at least thirty (30) days’ advance notice by email and on the Sub-processors page before engaging a new Sub-processor. Customer may object to a new Sub-processor within that notice period on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected subscription with a pro-rated refund for the unused portion of the current billing period.
10. Deletion and return of data
During the term. Customer may export Personal Data at any time in CSV or JSON.
On termination. Zentrosoft applies a thirty (30) day grace period during which the tenant can be reactivated. After the grace period, Zentrosoft permanently deletes the tenant database and operational caches.
Compliance archive. Zentrosoft retains an envelope-encrypted compliance archive in Cloudflare R2 for seven (7) years after deletion, aligned with higher-education retention norms (FERPA baseline). The archive is not accessible in the normal course of operations; access requires dual-control and is logged. The parties may agree in writing to a shorter or longer archive period.
Certification. On Customer’s written request, Zentrosoft will certify in writing that deletion has occurred.
11. International data transfers
Zentrosoft and its current Sub-processors are based in the United States. Customer data is primarily hosted on United States regions of Cloudflare’s global network, with edge caching at global Cloudflare locations for performance. Where Personal Data of EU/UK/EEA Data Subjects is transferred outside the EEA or UK, the parties rely on the European Commission’s Standard Contractual Clauses (Module 2, Controller-to-Processor) and, for UK data, the UK International Data Transfer Addendum, both incorporated by reference into this DPA. Where additional measures are required under Schrems II case law, the technical measures in Section 8 apply.
12. GDPR Article 28 compliance
The parties agree that this DPA satisfies the requirements of GDPR Article 28(3) and the equivalent provisions of the UK GDPR. Zentrosoft processes Personal Data only on Customer’s documented instructions, applies confidentiality to personnel, implements appropriate security, observes the Sub-processor rules in Section 9, assists Customer with Data-Subject rights, supports Customer with DPIAs, deletes Personal Data at end of service, and makes information available to demonstrate compliance.
13. Liability and indemnification
Each party’s liability arising out of or related to this DPA is subject to the limitations of liability in the Terms of Service, with the exception that breach of data-protection obligations under this DPA is not subject to the general liability cap, and is instead subject to the liability rules of applicable data-protection law. The parties will indemnify each other as provided in the Terms.
14. Governing law
This DPA is governed by the laws of the State of New York, USA, except that obligations specific to GDPR or UK GDPR are interpreted in accordance with those regulations. Venue and dispute-resolution mechanics follow the Terms of Service.
15. Order of precedence
In case of conflict between documents, the following order applies: (1) the Standard Contractual Clauses or UK Addendum where they apply, (2) this DPA, (3) the order form, (4) the Terms of Service.
16. Signatures
This DPA is signed as part of the order-form execution. The order-form signature constitutes signature of this DPA.
For Zentrosoft LLC
Signature: ______________________
Name: ______________________
Title: ______________________
Date: ______________________
For Customer
Signature: ______________________
Name: ______________________
Title: ______________________
Institution: ______________________
Date: ______________________
17. Contact
Data-protection questions: solutions@zentrosoft.com
Zentrosoft LLC — New York, USA.
Self-drafted on 2026-04-23 and subject to final legal counsel review before any customer signs. Not legal advice; for information only.