Data Processing Addendum

US data processing, on request.

Our DPA covers Zippy's role as processor for any personal data you bring to a study. Aligned with CCPA/CPRA and the major US state privacy laws. Signed alongside the order form for paid plans.

Active · Last updated May 2026 · legal@zippypays.com
The signed DPA template is available on request. Email legal@zippypays.com and we'll send the latest version, pre-signed and ready for your countersignature.

Scope

Applies whenever you bring personal data into Zippy: for example, an uploaded customer list used to condition a synthetic population, or a CRM export used to seed an ICP.

Synthetic personas generated by Zippy are not personal data under CCPA/CPRA. They don't identify or relate to a particular real person. The DPA still governs any real-world data you upload as input.

Roles

You are the business (controller) of any personal data you upload. Zippy is the service provider (processor) and acts solely on your documented instructions.

Our subprocessors (hosting, model inference, monitoring, etc.) are listed in the Privacy summary and bound by terms at least as protective as the ones in this DPA. All subprocessors process data within the United States.

Security

Encryption at rest (AES-256) and in transit (TLS 1.3), role-based access, audit logging on Enterprise, MFA for all staff, principle-of-least-privilege provisioning, quarterly access reviews. Audited security controls in place; security posture summary available on request.

Data subject rights

We support access, correction, deletion, restriction, and portability requests through the workspace UI or via email to privacy@zippypays.com. Acknowledged within one business day; completed within 30. California, Colorado, Connecticut, Virginia, and Utah resident requests are honored under their respective state privacy laws.

Data residency

Zippy is US-only by design. All customer data is processed and stored in the United States. Customer content does not leave US soil. Specific region details available on request.

We do not currently support international (EU, UK, APAC) customers or data subjects. International expansion will ship with separate, region-specific DPAs.

Incident response

Confirmed personal-data incidents affecting your workspace are notified to your primary contact within 72 hours, with scope, impact, and remediation steps. Post-incident reports are shared on request. State-mandated notification timelines are tracked and honored separately.

Audit

You may request our current security posture summary annually. On Enterprise plans we accommodate customer-driven audits subject to reasonable scope and scheduling.

Termination & deletion

On contract termination, customer personal data is exported on request and hard-deleted within 30 days, including from backups. Deletion certificates available on request.

Need the formal document?

We'll send the latest signed PDF on request.

Procurement, security, or legal review? Email the team and we'll respond within one business day.