Data Processing Agreement

Last updated: February 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zalt.io and Customer for the provision of authentication services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Controller" means the Customer who determines the purposes and means of processing.
  • "Data Processor" means Zalt.io, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Zalt.io to process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.

2. Data Processing

Scope of Processing

Zalt.io processes Personal Data solely for the purpose of providing authentication services as described in the Terms of Service.

Categories of Data

  • Email addresses
  • Hashed passwords
  • Authentication tokens
  • Device identifiers
  • IP addresses
  • Session data

Processing Instructions

Zalt.io will only process Personal Data in accordance with documented instructions from the Customer, unless required by applicable law.

3. Security Measures

Zalt.io implements appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments and penetration testing
  • Employee security training
  • Incident response procedures
  • Business continuity and disaster recovery

4. Sub-processors

Customer authorizes Zalt.io to engage the following sub-processors:

  • Amazon Web Services (AWS) - Cloud infrastructure (US, EU, Asia)
  • AWS SES - Email delivery

Zalt.io will notify Customer of any intended changes to sub-processors, allowing Customer to object within 30 days.

5. International Transfers

Zalt.io offers data residency options in:

  • European Union (eu-west-1)
  • United States (us-east-1)
  • Asia Pacific (ap-southeast-1)

For transfers outside the EEA, Zalt.io relies on Standard Contractual Clauses approved by the European Commission.

6. Data Subject Rights

Zalt.io will assist Customer in responding to Data Subject requests including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Data portability
  • Restriction of processing
  • Objection to processing

7. Data Breach Notification

In the event of a Personal Data breach, Zalt.io will:

  • Notify Customer without undue delay (within 72 hours)
  • Provide details of the breach and affected data
  • Describe measures taken to address the breach
  • Assist Customer in meeting notification obligations

For questions about this DPA, contact dpa@zalt.io.