Data Processing Agreement
Controller / Processor Agreement
Explains how Zyntron Tech processes client data, the categories of data involved, retention rules, and processor obligations.
Effective Date: March 23, 2026 | Last Updated: March 23, 2026
This Data Processing Agreement ("Agreement") is entered into by and between Zyntron Tech, as processor and service provider (the "Company"), and the Client identified in the applicable order, proposal, invoice, statement of work, subscription, or other commercial record governing the Services, as controller and business customer (the "Client"). This Agreement governs the Company's Processing of Personal Data and other Client Data in connection with the Services.
This Agreement is intended for business-to-business SaaS, software-enabled service, data, analytics, automation, and infrastructure support relationships. It supplements the commercial terms governing the Services and will control solely with respect to the Processing terms stated herein to the extent of any direct conflict, while all non-processing commercial matters remain governed by the applicable service terms, order documentation, or other binding agreement between the parties.
I. Definitions
For purposes of this Agreement, the following capitalized terms have the meanings set forth below. Defined terms will be interpreted broadly in favor of operational enforceability, service continuity, and the protection of the Company's systems, business methods, and legal rights.
Company means Zyntron Tech, together with its affiliates, personnel, contractors, professional advisors, successors, permitted assigns, and approved service providers acting on its behalf in connection with the Services.
Client means the business customer, controller, legal entity, organization, or other commercial party that receives or requests the Services, including its affiliates, personnel, administrators, representatives, agents, and authorized users acting through or on behalf of such party.
Services means the software, data engineering, analytics, automation, reporting, workflow, operational support, professional services, infrastructure support, implementation services, maintenance services, and related managed services made available by the Company to the Client from time to time.
Personal Data means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person, household, or other protected individual under Applicable Law.
Client Data means all data, records, files, credentials, configurations, extracts, feeds, reports, and other information made available to the Company by or on behalf of the Client, whether sourced from Client systems, third-party systems authorized by the Client, or information otherwise submitted for Processing in connection with the Services.
Customer Data means Client Data relating to the Client's customers, consumers, purchasers, end users, account holders, visitors, or other customer-facing records, including information originating from point-of-sale systems, customer relationship systems, commerce systems, or comparable Client-authorized source systems.
Employee Data means Client Data relating to the Client's current, former, or prospective employees, contractors, officers, directors, temporary workers, or similar personnel records, including employment, payroll, tax, performance, and human resources information.
Business Data means Client Data relating to the Client's vendors, procurement, invoices, manifests, purchase records, expense records, operational records, financial administration, and other commercial or operational activities that do not solely consist of Customer Data or Employee Data.
Processing means any operation or set of operations performed on data or information, whether manual, automated, or semi-automated, including access, receipt, review, collection, recording, organization, structuring, storage, hosting, retrieval, consultation, use, analysis, transformation, aggregation, formatting, transmission, disclosure, export, restriction, deletion, destruction, or other handling of data.
Subprocessor means any third-party service provider, contractor, consultant, support provider, platform provider, hosting provider, infrastructure provider, payment processor, or similar external party engaged by the Company to assist in performing or supporting any portion of the Services or related Processing activities.
Data Subject means any identified or identifiable natural person to whom Personal Data relates, including a customer, employee, contractor, applicant, vendor representative, business contact, or other individual whose information is included within Client Data.
Applicable Law means all laws, regulations, governmental requirements, regulatory guidance, court orders, and legally binding obligations applicable to the parties, the Services, or the Processing of data under this Agreement, including privacy, data protection, employment, tax, records management, and commercial laws to the extent relevant to the Services.
Written Request means a written notice, instruction, or request delivered to support@zyntron.dev by an authorized representative of the Client or, where applicable, by a Data Subject, in each case containing sufficient detail to identify the requester, the relevant data, and the action sought.
II. Scope of Processing
The Company will Process Client Data solely as reasonably necessary to provide, administer, support, maintain, secure, document, and improve the Services engaged by the Client and to carry out related business operations that are integral to the delivery of those Services. The Company does not obtain or Process Client Data for unrelated consumer-facing purposes.
The Services may include software services, data engineering services, analytics services, automation services, reporting services, implementation services, and infrastructure support services. All Processing performed by the Company under this Agreement is undertaken on behalf of the Client in connection with the particular Services selected, purchased, requested, or otherwise used by the Client.
The scope, nature, frequency, duration, and volume of Processing will vary depending on the Services engaged, the systems made available by the Client, the instructions provided by the Client, the Client's operational requirements, and the Company's standard service delivery methods. The Client acknowledges that different service lines may require materially different forms of access, handling, retention, and Processing activity.
1. Client-Directed Service Relationship
The Client authorizes the Company to Process Client Data to the extent reasonably required for the Company to perform its contractual, support, administrative, analytical, automation, reporting, and operational obligations under the Services. Except as otherwise required by Applicable Law, the Company will not knowingly Process Client Data outside the bounds of the Services requested by the Client.
2. Operational Discretion
The Company retains discretion over the technical, administrative, and organizational methods used to deliver the Services, including the format, timing, workflow, sequencing, and service architecture through which Processing occurs, provided that such Processing remains tied to the provision of the Services and the Company's legitimate operational requirements.
III. Categories of Data Processed
The parties acknowledge that the Company may Process multiple categories of Client Data depending on the Services engaged. The categories below are illustrative of the data types contemplated by this Agreement and are intended to be interpreted broadly where necessary to support delivery of the Services.
1. Customer Data from Client Point-of-Sale and Related Customer Systems
Customer Data may be received from the Client's point-of-sale systems and other Client-authorized customer systems and may include the following categories of information:
(a) Names.
(b) Contact information.
(c) Date of birth.
(d) Driver's license numbers.
(e) Purchase and transaction history.
2. Employee Data
Employee Data may be Processed where the Services support workforce administration, reporting, analytics, document handling, or operational record management and may include the following categories of information:
(a) Names.
(b) Contact information.
(c) Social Security numbers.
(d) Tax documents, including W-2, W-9, and I-9 records.
(e) Banking and payroll information.
(f) Performance records and employment history.
3. Business and Operational Data
Business Data and operational records may be Processed where the Services support financial administration, procurement, reporting, reconciliation, workflow automation, or operational oversight and may include the following categories of information:
(a) Vendor data.
(b) Invoices.
(c) Manifests.
(d) Purchase records.
(e) Expense tracking data.
4. Payment Data Exclusion
For avoidance of doubt, the Company does not Process credit card data or banking transaction data for payment settlement or payment acceptance. Payment processing is handled by an independent third-party payment processor, and the Company is not the merchant processor of record for payment card transactions.
IV. Data Collection and Access
The Company accesses Client Data only through systems, accounts, exports, integrations, files, credentials, or other sources that the Client authorizes. The Client is solely responsible for determining whether it has the legal right and internal authority to grant such access and to instruct the Company to Process the relevant data.
1. Client-Authorized Systems Only
The Company does not independently source, scrape, purchase, or obtain Client Data outside Client-authorized systems or Client-authorized data flows for purposes of this Agreement. Any Processing performed by the Company is dependent on the Client's affirmative decision to provide access to a particular source or dataset.
2. Credentials and Access Materials
The Client must provide the access credentials, integration permissions, application programming interface keys, exports, tokens, user access, and other access materials reasonably necessary for the Company to perform the Services. The Company may rely on the apparent validity of such access materials without independent investigation into the Client's internal approval chain.
3. Client Control and Revocation
The Client controls whether access is granted, limited, modified, or revoked and may revoke access at any time through the applicable source system, credential rotation, permission change, written instruction, or other access-control method. The Client acknowledges that revocation or degradation of access may suspend, limit, delay, or prevent the Services.
4. No Independent Collection
Except for routine operational metadata generated through the Company's provision of the Services, the Company does not independently collect Client Data outside of Client-authorized sources. The Company has no duty to collect or maintain datasets that the Client has not affirmatively chosen to make available.
V. Data Retention
The retention rules in this Section are material to the parties' commercial arrangement, operational model, and service design. The Client acknowledges and agrees that the Company's retention practices are not subject to unilateral modification by the Client absent a separate signed writing expressly approved by the Company.
1. Customer Data Retention
Retention of Customer Data is governed by the Company's Privacy Policy and internal retention practices applicable to the Services. Unless the Company expressly agrees otherwise in a separate signed writing, purging of Customer Data begins at ninety (90) days after Client offboarding, and complete deletion or final removal from active and archival locations may take up to one (1) year following offboarding.
The Client acknowledges that staged deletion, archival cycling, system integrity controls, dispute preservation, backup rotation, and related operational factors may affect the timing of full deletion. The Customer Data retention rule stated in this subsection is non-negotiable unless the Company expressly agrees otherwise in writing.
2. Business Data and Employee Data Retention
Business Data and Employee Data may be retained indefinitely. Their retention period depends on service requirements, record-keeping requirements, operational continuity, legal considerations, reporting history, platform integrity, dispute preservation, and other business needs determined by the Company in its discretion.
The Client expressly acknowledges that indefinite retention of Business Data and Employee Data is part of the Company's standard operating model and is not conditioned on the continuation of active Services. The Company is not obligated to apply a fixed deletion schedule to such categories of data.
3. Retention After Termination
Termination, cancellation, expiration, suspension, or offboarding does not create an immediate deletion obligation. The Company may retain, archive, suppress, anonymize, restrict, or delete Client Data in accordance with this Agreement, its internal practices, and Applicable Law.
VI. Data Ownership
The parties agree that ownership and control rights in data are allocated as set forth in this Section. These allocations are fundamental to the Company's managed service model, pricing structure, and legal risk allocation and will be interpreted broadly in favor of preserving the Company's ownership of materials residing within its own systems and workflows.
1. Client Ownership of Original Source Data
As between the parties, the Client retains whatever ownership rights it possesses in the original source data maintained within the Client's own source systems and records. Nothing in this Agreement transfers ownership of the Client's original source-system records while such records remain within the Client-controlled environment.
2. Company Ownership of Processed and Derived Data
The Company owns all processed, structured, normalized, transformed, mapped, enriched, aggregated, analyzed, organized, reformatted, derived, output, and otherwise modified data residing within or generated through the Company's systems, workflows, reports, records, and service environments, together with all related metadata, logs, summaries, models, analytics, and operational records.
For purposes of this Agreement, any Client Data that has been imported into, handled within, or materially processed through the Company's systems may be maintained as part of the Company's service records, derived datasets, operational datasets, or analytical records, and the Company retains all rights, title, and interest in those processed and derived forms to the fullest extent permitted by Applicable Law.
3. No Return, Export, or Transfer Obligation
Upon termination or at any other time, the Company is not obligated to return, export, transfer, migrate, deliver, package, or make available any Client Data, processed data, derived data, or other records maintained within the Company's systems unless the Company separately agrees to do so in a signed writing. Any such work, if accepted by the Company, may be subject to additional fees, timing constraints, verification requirements, and scope limitations determined by the Company.
4. Company Discretion Over Retention and Deletion
The Company may retain or delete data within its systems at its discretion, subject to the express retention rules stated in this Agreement and any non-waivable requirements imposed by Applicable Law. Nothing in this Agreement obligates the Company to preserve data for the Client's convenience, future portability, or internal archival preferences.
VII. Data Subject Rights and Request Handling
The Company will reasonably support requests for data access and deletion relating to Client Data and Customer Data where applicable. The parties acknowledge that prompt handling of such requests depends on adequate request detail, lawful authority, and the Company's ability to authenticate the requester and identify the relevant records.
1. Submission Requirements
All data access requests, deletion requests, and related privacy rights requests must be submitted in writing to support@zyntron.dev. Requests must identify the requesting party, the Client relationship if any, the data or records at issue, and the action requested with sufficient detail to permit reasonable verification and response.
2. Company Assistance
The Company may coordinate with the Client before acting on a request where the Company reasonably determines that the request concerns Client-directed Processing, requires validation of the Client's instructions, or implicates records that are maintained as part of broader service, legal, security, payroll, employment, or operational files.
3. Deletion Timing
The Company will process validated deletion requests within thirty (30) business days after receipt of the applicable Written Request. For purposes of this subsection, processing a deletion request may include deletion, anonymization, suppression, restriction, or a written determination that all or part of the requested data will be retained pursuant to this Agreement or Applicable Law.
This Section applies to Client Data and Customer Data where applicable. Nothing in this Section requires the Company to disregard the retention rights, ownership rights, confidentiality obligations, or lawful preservation rights expressly stated elsewhere in this Agreement.
VIII. Security Measures
The Company implements industry-standard administrative, technical, and organizational safeguards designed to protect Client Data against unauthorized access, disclosure, alteration, misuse, or destruction. Such safeguards are intended to reduce risk and to support a professional enterprise service environment, but they do not constitute an absolute guarantee against every security event or operational failure.
1. Access Control and Encryption
Client Data is protected through access-control measures, role-based limitations, and encryption practices appropriate to the nature of the Services and the sensitivity of the data involved. Access is limited to authorized personnel and authorized service providers with a legitimate operational need to know.
2. Ongoing Review
The Company continuously reviews and improves its security practices in light of evolving operational requirements, risk conditions, service changes, and recognized security standards. Security governance is designed to be practical, risk-based, and appropriate for an enterprise SaaS and managed services environment.
3. Framework Alignment
Without committing to any particular certification unless expressly stated in a signed writing, the Company aligns its security posture with recognized security frameworks and control principles, including ISO 27001-aligned concepts relating to access management, confidentiality, integrity, availability, change control, and operational discipline.
IX. Subprocessors
The Company may use Subprocessors and other third-party service providers to support the performance of the Services and related Processing activities. The Company's ability to engage and replace such providers is part of its standard operating model and remains within the Company's reasonable discretion.
1. Permitted Categories of Subprocessors
Subprocessors may include providers of infrastructure, hosting, communications, support tooling, security tooling, observability tooling, professional services, consulting support, and payment processing or payment administration services, as applicable to the Services.
2. Protection Standards
The Company will take commercially reasonable steps to ensure that Subprocessors engaged for Processing activities are bound by contractual, professional, or legal obligations requiring appropriate confidentiality and data protection standards suitable for the nature of the work performed.
3. No Vendor Disclosure Obligation
Unless otherwise required by Applicable Law or expressly agreed in a signed writing, the Company is not obligated to disclose the identity, architecture, internal operating methods, or commercial terms of its Subprocessors as a condition of performing the Services.
X. Audit and Transparency
The Client acknowledges that the Company operates proprietary systems, workflows, security controls, and operational methods that constitute valuable confidential and trade secret information. The audit and transparency rights available under this Agreement are therefore limited as set forth below.
1. No Direct Audit Access
The Company does not provide the Client, the Client's auditors, or any third party with direct audit access to the Company's internal systems, facilities, tooling, logs, personnel, environments, repositories, or operational records. No on-site inspection, live penetration activity, intrusive testing, or unrestricted system review is permitted absent the Company's separate written consent.
2. No Disclosure of Proprietary Architecture
The Company does not disclose proprietary infrastructure details, internal security architecture, confidential operating procedures, source materials, or internal design documentation except to the limited extent the Company independently determines necessary and appropriate. Requests that would expose trade secrets, sensitive security information, or competitively sensitive information may be declined in full.
3. General Information Upon Request
Upon a reasonable Written Request, the Company may provide general information regarding its data protection practices, administrative controls, and general security posture. Any such response may be provided in summary form and may be conditioned on confidentiality, scope limitations, identity verification, and reimbursement of extraordinary response costs where appropriate.
XI. Confidentiality
Each party will protect the other party's confidential information using at least reasonable care and no less than the degree of care it uses to protect its own confidential information of a similar nature. Confidential information includes Client Data, Personal Data, business records, technical information, non-public commercial terms, and all non-public materials disclosed or made accessible in connection with the Services.
1. Use Restriction
Confidential information may be used solely for the performance, receipt, administration, enforcement, or lawful protection of the Services and the parties' rights and obligations. Neither party may disclose the other party's confidential information except as permitted by this Agreement or as required by Applicable Law.
2. Permitted Recipients
The Company may disclose confidential information to its personnel, contractors, advisors, and Subprocessors with a legitimate need to know, provided such recipients are subject to confidentiality obligations or professional duties no less protective than those reflected in this Agreement.
3. Survival
The confidentiality obligations in this Section survive termination or expiration of the Services and continue for so long as the applicable information remains confidential or protected under Applicable Law.
XII. Liability and Limitation
This Agreement allocates risk between the parties and reflects the pricing, service model, and legal assumptions on which the Company agreed to perform the Services. The limitations in this Section are material and will apply to the fullest extent permitted by Applicable Law.
1. Exclusion of Indirect Damages
In no event will the Company be liable for any indirect, incidental, consequential, special, exemplary, punitive, or similar damages, or for any loss of profits, loss of goodwill, loss of anticipated savings, loss of business opportunity, business interruption, reputational harm, or loss or corruption of data, even if advised of the possibility of such damages.
2. No Service Guarantee
The Company does not warrant that the Services will be uninterrupted, error-free, immune from delay, or free from every defect, vulnerability, or incompatibility. The Client acknowledges that data Processing services necessarily depend on third-party systems, source-system quality, timely Client cooperation, and numerous factors outside the Company's direct control.
3. Aggregate Liability Cap
To the fullest extent permitted by Applicable Law, the aggregate liability of the Company arising out of or relating to this Agreement, the Processing of Client Data, or the parties' relationship will not exceed the greater of: (a) the total amounts actually paid by the Client to the Company for the Services during the three (3) months immediately preceding the event first giving rise to the claim; or (b) five hundred United States dollars (US$500).
The limitations stated in this Section apply regardless of the form of action, whether in contract, tort, statute, strict liability, or otherwise, and they will not be enlarged by any failure of essential purpose or by any heightened theory of damages asserted by the Client or a third party.
XIII. Term and Termination
This Agreement becomes effective on the Effective Date stated above or, if earlier, on the date the Company first begins Processing Client Data in connection with the Services. This Agreement remains in effect for so long as the Services are active or the Company continues to Process Client Data under the parties' service relationship.
1. Termination Upon Service Cancellation
Unless the parties execute a separate signed writing stating otherwise, this Agreement automatically terminates when the Services are fully cancelled or otherwise concluded and the Company no longer maintains an active service relationship with the Client, except to the extent that continuing Processing, retention, or preservation is permitted or required under this Agreement or Applicable Law.
2. Surviving Provisions
All provisions that by their nature should survive termination will survive, including those relating to retention, ownership, confidentiality, limitation of liability, notices, governing law, dispute venue, payment obligations, and the Company's rights to retain or delete data in accordance with this Agreement.
XIV. Governing Law
This Agreement and any dispute, claim, or controversy arising out of or relating to this Agreement, the Services, or the Processing of Client Data will be governed by and construed in accordance with the laws of the State of Washington, without regard to conflict of laws rules that would require the application of another jurisdiction's laws.
The parties agree that the state courts located in King County, Washington, and, where federal jurisdiction exists, the United States District Court for the Western District of Washington, will have exclusive jurisdiction and venue over any action or proceeding arising out of or relating to this Agreement. Each party irrevocably consents to such jurisdiction and venue.
XV. Notices
All notices, instructions, requests, complaints, privacy requests, and other communications under this Agreement must be sent to support@zyntron.dev. Notices from the Client must be transmitted from an address or representative reasonably associated with the Client and must contain sufficient detail to allow the Company to identify the matter at issue and respond appropriately.
The Company may provide notices, responses, and other communications under this Agreement through support@zyntron.dev or through another business contact channel that the Company has used with the Client in the ordinary course of the Services. The Client is responsible for maintaining accurate contact information and for monitoring its designated business communication channels.