Data Processing Agreement

Version 1.0 — 14 March 2026

This Data Processing Agreement (“DPA”) applies between Zolo (the “Processor”) and the user of the Zolo service (the “Controller”). By creating an account you accept this DPA as part of the Terms of Service.

1. Parties

Processor: Zolo, a sole proprietorship based in the Netherlands, reachable at admin@getzolo.app.

Controller: the user (freelancer or self-employed professional) who creates an account with Zolo.

2. Subject and duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Zolo service. Processing takes place for as long as the Controller holds an active account. Upon termination, article 9 of this DPA applies.

3. Categories of personal data and data subjects

The Processor processes on behalf of the Controller:

  • Client contact details — name, address, city, email address and phone number of the Controller's clients.
  • Financial data — VAT numbers, invoice amounts, bank account details of clients.
  • Client email addresses — used to send invoices and quotes on behalf of the Controller.
  • Controller's own account data — name, email, company details, logo.

4. Purposes of processing

The Processor processes personal data exclusively for the purpose of delivering the Zolo service: storing and displaying client data, generating invoices and quotes, sending emails on behalf of the Controller, and providing financial administration insights. Processing for other purposes is not permitted.

5. Sub-processors

The Processor engages the following sub-processors. The Controller provides general authorisation for these sub-processors:

Sub-processor   Service                                              Location
Supabase        Database, authentication & file storage              Frankfurt, EU
Vercel          Hosting & serverless compute                         EU region (fra1)
Anthropic       AI models for quote generation and document scanning US (no training on data, no data retention)
Resend          Transactional email delivery                         EU-compatible (AWS eu-west-1)
Stripe          Payment processing & subscription management         Ireland, EU (PCI DSS Level 1)

The Processor will inform the Controller prior to engaging any new sub-processors that process personal data. Changes to this list are published on this page.

6. Security

  • Encryption at rest (AES-256 via Supabase).
  • Encryption in transit (TLS 1.2+).
  • Row Level Security (RLS): users can only access their own data.
  • Access restrictions: only authorised staff have access.
  • Regular backups by Supabase.

7. Data breaches

The Processor will notify the Controller as soon as possible, and no later than 48 hours after discovering a data breach affecting the Controller's personal data. The notification will include at minimum: the nature of the breach, the categories and approximate number of affected persons, the measures taken, and a contact person at the Processor.

The Controller is responsible for reporting the breach to the supervisory authority where required by law.

8. Data subject rights

The Processor will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability). Requests can be submitted via admin@getzolo.app. The Processor responds within 72 hours.

9. Deletion upon termination

Upon termination of the agreement the Processor deletes all personal data of the Controller within 30 days, unless a legal retention obligation applies. The Processor will provide confirmation of deletion upon request.

10. Contact

For questions about this DPA: admin@getzolo.app

© 2026 Zolo · admin@getzolo.app
