Refer Zentriq and earn 30% recurring, for life on every customer you bring.Become an affiliate →
PunchOutAgentDocument CaptureDocsPricingBlogHow-to GuidesUse CasesGlossaryFAQAbout
Sign inGet started free

Data Processing Agreement

Last updated: June 3, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of, and is governed by, the Zentriq Terms of Service. It applies whenever Zentriq Software processes personal data on behalf of a customer (the “Customer”) in connection with the Services, and sets out the obligations of the parties under Article 28 of the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP).

Processor: Zentriq Software
Sole proprietorship of Guillaume Fernandes
UID: CHE-228.383.878
Switzerland
Email: privacy@zentriqsoftware.com

2. Roles of the Parties

For personal data processed through the Services, the Customer acts as the data controller and Zentriq acts as the data processor. Where Zentriq engages subprocessors (Section 6), they act as subprocessors of the Customer's personal data.

3. Subject Matter and Details of Processing

  • Subject matter: Provision of the Zentriq Agent, Document Capture, and PunchOut Services for Microsoft Dynamics 365 Business Central.
  • Nature and purpose: Hosting, processing, and AI-assisted analysis of the data the Customer submits to the Services in order to deliver the contracted functionality.
  • Duration: For the term of the Customer's subscription, plus any deletion period described in Section 9.
  • Types of personal data: Account and identity data (name, email, Microsoft account identifier, tenant information), conversation content and uploaded documents, Business Central record data fetched on the user's behalf, and billing data.
  • Categories of data subjects: The Customer's authorized users (employees, contractors, and administrators), and individuals referenced in the Business Central data or documents the Customer processes.

4. Processor Obligations

  • Process personal data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by applicable law.
  • Ensure that persons authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational measures pursuant to Article 32 GDPR. Our current measures are described on our Security page (TLS 1.2+ in transit, AES-256 at rest, OAuth 2.0 delegated access, EU data residency).
  • Assist the Customer, taking into account the nature of the processing, in responding to data-subject requests (access, rectification, erasure, portability, objection).
  • Notify the Customer without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach affecting Customer personal data (Articles 33 and 34 GDPR).
  • Make available the information necessary to demonstrate compliance with these obligations.

5. International Transfers

Personal data processed through the Services is hosted in the European Union (Frankfurt, Germany). Where a subprocessor processes personal data outside the EU or Switzerland, such transfers rely on the European Commission's Standard Contractual Clauses (SCCs) together with the Swiss addendum issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC), and on appropriate supplementary safeguards.

6. Subprocessors

The Customer authorizes Zentriq to engage the subprocessors listed below. Each subprocessor is bound by a data processing agreement imposing protection obligations no less protective than those in this DPA.

SubprocessorPurposeUsed byRegion
Microsoft (Entra ID)Sign-in & identityAgent & PunchOutEU / global (per Microsoft tenant)
Microsoft (Dynamics 365 Business Central)ERP data source via delegated OAuth (never relocated)Agent & PunchOutYour BC tenant region
Anthropic (Claude)AI inference, zero retentionAgent & PunchOutEU (Frankfurt, via AWS Bedrock)
StripePayments & subscriptionsAgent & PunchOutEU / US
VercelApplication hostingAgent & PunchOutEU (Frankfurt + Paris)
Vercel BlobDocument / file storage (Document Capture)AgentEU
NeonPostgreSQL database (accounts, billing, conversation history)Agent & PunchOutEU (Frankfurt)
ResendTransactional emailAgent & PunchOutEU / US
SentryError & performance monitoringAgent & PunchOutEU (Frankfurt)
FirstPromoterAffiliate / referral tracking (marketing website only)Website visitorsEU / US

Where a region is shown as “EU / US”, the precise location depends on the provider's infrastructure; please refer to the relevant provider's own DPA for details. FirstPromoter operates only on our public marketing website to attribute referrals; it is not a subprocessor of Customer personal data processed through the authenticated Services.

We give the Customer prior notice of any intended addition or replacement of a subprocessor and a reasonable opportunity to object on legitimate grounds. To subscribe to subprocessor-change notifications, email privacy@zentriqsoftware.com.

7. Audit and Security Documentation

On reasonable request, Zentriq will make available the security documentation needed to demonstrate compliance with this DPA. A SOC 2 Type II readiness assessment is in progress; Zentriq is not yet SOC 2 or ISO 27001 certified and does not claim such certifications.

8. Return and Deletion of Data

Upon termination of the Services, and at the Customer's choice, Zentriq will delete or return all Customer personal data and delete existing copies, unless retention is required by applicable law (for example, Stripe billing records retained for statutory accounting periods). Customers may also delete their data, or close their account, at any time from the dashboard.

9. Executing this DPA

To countersign this DPA for your organization, email privacy@zentriqsoftware.com. We will return a signed copy.

10. Contact

For data-protection inquiries, contact us at privacy@zentriqsoftware.com.