Data Processing Agreement

How Zypflow processes personal data on your behalf.

This Data Processing Agreement forms part of the Zypflow subscription agreement and sets out the terms on which we process personal data as your processor under UK GDPR.

Last updated 14 April 2026

1. Definitions

  • Controller means the client business that subscribes to Zypflow and determines the purposes and means of processing personal data.
  • Processor means Zypflow, which processes personal data on behalf of the Controller.
  • Data Protection Laws means the UK GDPR, the Data Protection Act 2018, and any successor legislation.
  • Personal Data means any information relating to an identified or identifiable natural person processed under this agreement.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Subject matter and scope

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Zypflow platform, including lead management, review response handling, social media automation, and communication automation services. Processing continues for the duration of the subscription agreement.

3. Types of personal data

  • Names and contact details (email addresses, phone numbers)
  • Booking and appointment information
  • Review content and ratings
  • Communication history (messages, emails, chat transcripts)
  • Lead and enquiry data
  • Service preferences and interaction history

4. Categories of data subjects

Data subjects include the Controller's customers, patients, clients, leads, prospects, and any individuals whose personal data is processed through the Zypflow platform on behalf of the Controller.

5. Processor obligations

  • Process Personal Data only on documented instructions from the Controller, unless required by law.
  • Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures, including encryption at rest and in transit, access controls, and regular security reviews.
  • Assist the Controller with data subject access requests (DSARs), including requests for access, rectification, erasure, restriction, portability, and objection.
  • Assist the Controller in meeting obligations related to data protection impact assessments and prior consultation with supervisory authorities.
  • Delete or return all Personal Data upon termination of the subscription agreement, unless retention is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this agreement.

6. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. A current list of Sub-processors is available at /sub-processors.

The Processor will provide at least 30 days' written notice before adding or replacing a Sub-processor. If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties will work together to find a resolution. If no resolution is possible, the Controller may terminate the affected services.

The Processor will impose equivalent data protection obligations on all Sub-processors by way of a written contract.

7. Data breach notification

The Processor will notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a personal data breach. The notification will include, where possible:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address and mitigate the breach.
  • Contact details for further information.

8. Audit rights

The Processor will make available to the Controller all information necessary to demonstrate compliance with this agreement and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

Audits will be carried out with reasonable prior notice, during normal business hours, and in a manner that minimises disruption to the Processor's operations.

9. International transfers

Personal Data is processed within the United Kingdom and European Economic Area where possible. Where transfers to countries outside the UK and EEA are necessary (for example, to Sub-processors in the United States), the Processor will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement or equivalent mechanisms approved under UK Data Protection Laws.

10. Duration

This Data Processing Agreement applies for the term of the subscription agreement between the Controller and the Processor. The obligations in this agreement survive termination to the extent necessary to complete the deletion or return of Personal Data.

11. Termination and data deletion

Upon termination of the subscription agreement, the Processor will delete all Personal Data within 30 days, unless applicable law requires retention for a longer period. The Processor will confirm deletion in writing upon request.

12. Contact

For questions about this Data Processing Agreement or to exercise any rights, contact us at hello@zypflow.com.