Data Processing Addendum (B2B)

This Data Processing Addendum ("DPA") applies where you ("Customer") use ZovGen as a business and act as a controller (or equivalent) of personal data processed by BFAT SASU ("Processor") in the course of providing the Service. It supplements the Terms of Use and the Privacy Policy for that relationship.

Consumer-only use without a business contract may not require a separate DPA; the Privacy Policy still applies.

1. Subject matter

Processor processes personal data on behalf of Customer to deliver ZovGen (URL-based content generation, storage of jobs for the retention period, optional OAuth/publish flows, and related support).

2. Duration

Processing lasts for the term of the Service agreement and until Processor deletes data in accordance with the Privacy Policy (including the job retention window) unless longer retention is required by law.

3. Nature and purpose

• Hosting and execution of generation jobs initiated by Customer;
• Storage of outputs/metadata for the defined retention period;
• Security, logging, and abuse prevention;
• Optional integrations requested by Customer (payments, OAuth, AI vendors).

4. Types of personal data

May include: identifiers (IP, device/browser metadata), optional contact email, OAuth tokens for connected accounts, URLs and derived text/media relating to Customer's campaigns, and billing-related references held by our merchant of record.

5. Categories of data subjects

Customer's end users, Customer's staff who use the Service, and individuals identified in content Customer submits.

6. Customer instructions

Customer instructs Processor to process data as described in the Terms, Privacy Policy, and Product documentation. Additional instructions must be documented and reasonably feasible.

7. Subprocessors

Customer authorizes Processor to engage subprocessors (hosting, Lemon Squeezy, AI/media vendors, OAuth providers) listed or described in the Privacy Policy. Processor remains responsible for their performance and will impose appropriate data protection terms.

8. Security

Processor implements appropriate technical and organizational measures, summarized in the Privacy Policy and maintained in line with industry practice.

9. International transfers

Where data is transferred outside the EEA, Processor will use appropriate safeguards (e.g. SCCs or adequacy) where legally required.

10. Assistance

Processor will assist Customer, considering the nature of processing, with responding to data subject requests and with DPIAs or breach notifications where GDPR-style duties apply and Customer cannot reasonably do so alone.

11. Deletion / return

At the end of the retention period or on request where technically feasible and legally permitted, Processor deletes or returns personal data as described in the Privacy Policy.

12. Audit

Processor will make available reasonable information necessary to demonstrate compliance and allow audits required by Article 28 GDPR, subject to confidentiality and security, and limited to once per year unless mandated by authority.

13. Contact

Contact BFAT SASU for countersigned DPA requests or EU representative questions.