Data Processing Addendum
The contract that governs how Zegami handles personal data your team uploads.
Last updated April 2026
Scope
This Data Processing Addendum (the “DPA”) forms part of the agreement between Videntai Ltd trading as Zegami (the “Processor”) and the customer (“Controller”) that subscribes to the Zegami service. It applies whenever the Processor processes Personal Data on behalf of the Controller.
Capitalised terms not defined here have the meaning given in the UK GDPR / EU GDPR.
Definitions
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4 of the UK GDPR / EU GDPR.
- Processing — the operations described in Article 4(2) of the UK GDPR / EU GDPR.
- Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Standard Contractual Clauses (SCCs) — the European Commission’s standard contractual clauses (Decision (EU) 2021/914) and the UK International Data Transfer Addendum.
Subject matter and duration
The Processor processes Personal Data only as necessary to provide the Zegami service to the Controller. The Processing continues for the duration of the subscription plus the post-termination retention window described under Return and deletion below.
Nature and purpose
The Processor processes Personal Data to:
- Operate the visual data-exploration features of the service (rendering collections, similarity search, filtering, etc.).
- Authenticate users and enforce access controls within the Controller’s workspace.
- Send transactional service emails (account confirmation, billing notifications, lifecycle reminders).
- Provide customer support when the Controller requests it.
Processing for any purpose outside the above requires the Controller’s prior written consent.
Categories of data + data subjects
| Category | Data subjects |
|---|---|
| Account data: name, email, sign-in identifiers | Controller’s authorised users |
| Workspace metadata: workspace + collection names, descriptions, tags | Controller’s authorised users |
| Content uploaded to collections | As determined by the Controller |
| Audit + access logs | Controller’s authorised users |
The Controller decides which data is uploaded to a collection and is responsible for ensuring it has a lawful basis to do so.
Sub-processors
The Processor uses the following sub-processors to deliver the service. The Controller authorises engagement of these sub-processors on signing this DPA.
| Sub-processor | Service | Region |
|---|---|---|
| Microsoft Azure (Container Apps, Blob Storage) | Application hosting + storage | UK / EU per environment |
| Stripe Inc. | Payment processing | US (under SCCs) |
| Resend Inc. | Transactional email | US (under SCCs) |
Material changes to this list (adding a new sub-processor or substituting one) will be announced at least 30 days before the change takes effect, by email to the address on the Controller’s account. The Controller may object in writing within 14 days of notice; if the Processor cannot accommodate the objection, either party may terminate the affected portions of the agreement.
International transfers
Where Personal Data is transferred outside the UK or EEA, the Processor relies on:
- The European Commission’s adequacy decisions where applicable.
- The Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum for transfers to sub-processors not covered by an adequacy decision.
Security
The Processor implements appropriate technical and organisational measures including:
- Transport encryption (TLS 1.2+) for all customer-facing endpoints.
- At-rest encryption of customer data and database backups.
- Role-based access control internally; access to production data is granted on a need-to-know basis with audit logging.
- Vulnerability scanning of dependencies and container images on every deployment.
- Annual penetration testing by an external firm.
A more detailed Information Security Schedule is available to Enterprise customers on request.
Data subject rights
The Processor will assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR / EU GDPR Articles 15–22 (access, rectification, erasure, portability, etc.).
The Zegami application surfaces self-service export and account deletion at app.zegami.com/account for individual users. For bulk requests covering multiple workspace members, contact hello@zegami.com.
Personal data breaches
The Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting the Controller’s data. The notification will include the information required by Article 33(3) UK GDPR / EU GDPR to the extent reasonably available.
Audits
The Controller may, on reasonable written notice and no more than once per twelve-month period, audit the Processor’s compliance with this DPA. Audits must be carried out during business hours, must not unreasonably interfere with the Processor’s operations, and must respect the confidentiality of other customers’ data. The Processor may satisfy this obligation by providing relevant third-party audit reports (e.g. SOC 2, ISO 27001) where available.
Return and deletion
On termination of the agreement, the Processor will, at the Controller’s option, return or delete all Personal Data processed under this DPA. Deletion is completed within 90 days of termination unless retention is required by law.
Liability
The liability of each party under this DPA is governed by the liability provisions of the underlying agreement.
Governing law
This DPA is governed by the laws of England and Wales, and any disputes are subject to the exclusive jurisdiction of the courts of England and Wales.
Contact
For DPA-related queries, including requesting a counter-signed copy of this DPA: hello@zegami.com.