Data Processing Addendum
GDPR Article 28 — Processor Agreement
Last updated: May 16, 2026
1. Parties and Definitions
This Data Processing Addendum ("DPA") is entered into between:
- Data Controller ("Customer"): The legal entity that has accepted the Convertzap Terms of Service and that determines the purposes and means of processing personal data through the Service.
- Data Processor ("Provider"): UPMAX INC., a California corporation registered at 44 Bennett Avenue, Long Beach, CA 90803, USA, which processes personal data on behalf of the Customer.
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in Regulation (EU) 2016/679 ("GDPR") and applicable national implementations.
2. Subject Matter and Duration
The Provider processes personal data on behalf of the Customer solely to provide the Convertzap Service as described in the Terms of Service. Processing begins on the date the Customer first uses the Service and continues until the Customer's account is deleted or this DPA is terminated.
3. Nature and Purpose of Processing
The Provider processes personal data for the following purposes:
- Storing and serving funnel pages and lead capture forms created by the Customer.
- Receiving and persisting lead submissions from the Customer's end-users.
- Generating AI-assisted copy, briefs, and qualification flows on the Customer's behalf.
- Firing server-side attribution events (Conversions API, GA4 Measurement Protocol) as configured by the Customer.
- Storing voice session transcripts where the Customer enables the voice concierge feature.
4. Categories of Personal Data
- Name, email address, phone number submitted by the Customer's end-users via funnels.
- Ad click IDs (gclid, fbclid, ttclid, li_fat_id, msclkid) and UTM parameters.
- IP address and browser fingerprint (for fraud prevention and deduplication).
- Voice recordings and transcripts (where the voice feature is enabled).
- Any additional fields the Customer configures in their funnel forms.
5. Categories of Data Subjects
End-users of the Customer's funnels (prospective customers, website visitors, leads).
6. Obligations of the Processor (Provider)
The Provider shall:
- Process personal data only on the documented instructions of the Customer (which include this DPA, the Terms of Service, and the configuration chosen by the Customer in the dashboard).
- Ensure that authorised personnel are subject to appropriate confidentiality obligations.
- Implement technical and organisational security measures in accordance with GDPR Art. 32 (see §8 below).
- Assist the Customer in fulfilling its obligations to respond to data subject rights requests under GDPR Arts. 15–22.
- At the Customer's choice, delete or return all personal data within 30 days of termination of this DPA.
- Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for audits.
- Notify the Customer without undue delay (within 48 hours) upon becoming aware of a personal data breach.
7. Sub-processors
The Customer provides general authorisation for the Provider to engage sub-processors. The Provider will notify the Customer of changes to this list at least 14 days in advance.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic | AI generation (Claude) | USA | SCCs |
| OpenAI | AI generation (supporting models, moderation) | USA | SCCs |
| Stripe | Payment processing | USA | SCCs |
| Resend | Transactional email | USA | SCCs |
| Supabase | Database hosting (PostgreSQL) | AWS us-east-1 | SCCs |
| LiveKit | WebRTC voice sessions | USA | SCCs |
| Deepgram | Speech-to-text transcription | USA | SCCs |
| Cartesia | Text-to-speech synthesis | USA | SCCs |
| Replicate | AI image generation (FLUX) | USA | SCCs |
| Cloudflare | CDN, WAF, rate limiting | Global | SCCs |
| Railway | Application hosting (site, API, dashboard) | USA | SCCs |
| Trigger.dev | Background job orchestration | USA | SCCs |
"SCCs" = EU Standard Contractual Clauses (Commission Decision 2021/914 — Module 2: Controller to Processor).
8. Technical and Organisational Security Measures (Art. 32)
- TLS 1.2+ encryption for all data in transit.
- AES-256 encryption for data at rest (managed by Supabase/AWS).
- Row-Level Security (RLS) enforced on all `cz_*` tables, so that rows belonging to one workspace are never readable from another workspace.
- Access control with least-privilege principles; service accounts use scoped API keys.
- Regular automated backups with point-in-time recovery.
- Vulnerability scanning and dependency auditing in CI/CD pipeline.
- Incident response plan with 48-hour breach notification SLA.
- Penetration testing performed annually.
9. International Transfers
Where personal data is transferred to a country not covered by an EU adequacy decision, the Provider relies on Standard Contractual Clauses (Module 2: Controller to Processor, Commission Implementing Decision (EU) 2021/914 of 4 June 2021) with each sub-processor. Copies are available on request at [email protected].
10. Governing Law
This DPA shall be governed by the laws of the State of California, USA, unless the Customer's main establishment is in the EEA, in which case GDPR applies directly.
11. Contact
DPA enquiries and data subject rights requests:
UPMAX INC.
[email protected] · See our contact page for mailing address.