Data Processing Agreement
This DPA sets out how ZORC AB processes personal data on your behalf when you use sSystm. It reflects the BYOC architecture: for your business data, you are the controller and it stays in your own cloud.
Last updated:
01Roles & the BYOC model
This Data Processing Agreement ("DPA") forms part of theTerms of Service between you (the "Controller") andZORC AB, Org.nr 559481-8857, Sweden (the "Processor"), and applies to the extent the Processor processes personal data on the Controller's behalf under Article 28 GDPR.
Unlike a typical SaaS DPA, sSystm does not hold your business data in a central database. Your workspace data lives in a dedicated database on your own Cloudflare account. You are the controllerand the infrastructure holder; sSystm processes that data only throughlimited, revocable, OAuth-scoped access. Cloudflare is the sub-processor / infrastructure provider.
02Scope, nature & purpose
- Subject-matter: provision of the sSystm platform and the modules you enable.
- Duration: for as long as sSystm has access to your Cloudflare account, ending when you revoke the OAuth grant or terminate.
- Nature & purpose: hosting, structuring, retrieving and operating on workspace data on your instructions, including AI-assisted actions you initiate or approve.
- Types of personal data: whatever you choose to store — typically business-contact details, project and document data, and calendar information.
- Data subjects: your clients, contacts, staff and others whose data you enter.
03Processing on instructions
The Processor processes personal data only on the Controller's documented instructions — including the instructions embodied in the platform's features and the actions you take within it — unless required to do otherwise by law, in which case it will inform you unless legally prohibited. Personnel authorised to process the data are bound by confidentiality.
04BYOC as a data-minimisation measure
The BYOC architecture is itself a data-protection control. Because your business data physically resides in your own Cloudflare account and not in a central sSystm store, the Processor's exposure to your data is minimised by design, and you retain direct, independent control of the underlying infrastructure and the ability to cut off access at any moment.
05Security measures
The Processor implements appropriate technical and organisational measures, including:
- Least-privilege access — access is granted through fine-grained Cloudflare OAuth scopes, each risk-labelled, rather than a broad master key.
- Encrypted credentials — Cloudflare access tokens are encrypted at rest with AES-256-GCM using a per-token random IV, under a key held only as a server secret.
- Tenant isolation — each organisation's data lives in its own database on its own account; queries, vector-search namespaces and real-time instances are scoped per organisation, and access fails closed if it cannot be resolved.
- Passwordless authentication — sign-in is via Cloudflare OAuth only; no passwords are stored.
- EU jurisdiction option — you can pin your database to an EU jurisdiction, enforced by Cloudflare's D1 jurisdiction guarantee.
- Human-in-control — AI-proposed infrastructure operations that are not provably read-only are staged as pending until a human approves, with actions logged.
06Sub-processors
The Controller authorises the Processor to engage the sub-processors listed on oursub-processors page — currently Cloudflare (infrastructure/hosting/AI), Resend (email) and Anthropic (the Claude models behind the built-in AI, via Cloudflare's AI Gateway). The Processor imposes data-protection obligations on each sub-processor no less protective than this DPA, and will give reasonable notice of any intended addition or replacement so the Controller may object on reasonable grounds.
07International transfers
Where personal data is transferred outside the EEA, the parties rely on appropriate safeguards under Chapter V GDPR, including the European Commission's Standard Contractual Clauses (SCCs) and any supplementary measures required. Choosing the EU jurisdiction at sign-in keeps your database within EU infrastructure.
08Breach notification
The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting data it processes on the Controller's behalf, and will provide the information reasonably needed for the Controller to meet its own notification duties under Articles 33–34 GDPR. Because of tenant isolation, an incident is contained to a single tenant by construction.
09Assistance & audit
Taking account of the nature of processing, the Processor will assist the Controller with data-subject requests and with obligations under Articles 32–36 GDPR. The Processor will make available information reasonably necessary to demonstrate compliance with Article 28 and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice and subject to confidentiality.
10Return & deletion on termination
Because your business data lives in your own Cloudflare account, ending the relationship does not require the Processor to "hand back" your data — it never left your account. Revoking the OAuth grant locks the Processor out; your database and its contents remain with you. You control retention and deletion of that data directly.
On termination the Processor will delete or return the limited central data it holds (identity, membership, metadata) in line with the Privacy Policy, except where retention is required by law.
11Term & precedence
This DPA is effective while the Terms are in force and the Processor has access to your account. In the event of conflict on data-protection matters, this DPA prevails over the Terms. Where you require a counter-signed DPA or the SCCs executed as a separate instrument, contactsupport@zorc.se.