Meet Zhoo, Zopto's new AI companion for fully automated campaign creation! LEARN MORE!

Last updated: November 16, 2023

This Data Processing Agreement (“DPA”) is issued by Zopto LTD (“Zopto,” “we,” “us,” or “our”) and forms part of our Terms of Service (“Agreement”), available at with our Customers (“Customer,” “you,” or “your”). It defines the responsibilities, obligations, and rights of Zopto and its Customers for ensuring the protection of all data pursuant to the applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any implementing, derivative or similar legislation.


“All Personal Data” means any personal information/data relating to an individual that can be used to directly or indirectly identify the individual.

“Data Protection Laws” refer to any law, regulation, legislative decree, or subsidiary legislation relating to data protection, privacy, and the use of information relating to individuals.

“Signup Form” means the Zopto approved form or online subscription process by which you agree to subscribe to the Subscription Service.

“Subscription Service” means all of our web-based applications, tools and platforms that you have subscribed to under an Signup Form or that we otherwise make available to you, and are developed, operated, and maintained by us, accessible via or another designated URL, and any ancillary products and services that we provide to you.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Zopto employee or consultant.

“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.


2.1. The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Data Controller, and Zopto is the Data Processor.

2.2. Zopto shall process the Personal Data only on the documented instructions from the Customer unless required to do so by Data Protection Laws, in which case,

2.3. Zopto shall inform the Customer of that legal requirement before processing unless that law prohibits this on important grounds of public interest.

2.4. Zopto shall ensure that its personnel involved in processing Personal Data on behalf of the Customer are subject to a duty of confidentiality.

2.5. Zopto shall take appropriate technical and organizational measures to secure the Personal Data and to protect it against unauthorized or unlawful processing and accidental loss, destruction or damage.


3.1. Zopto shall not subcontract any of its processing operations performed on behalf of the Customer under this Agreement without the prior written consent of the Customer.

3.2. Where Zopto engages a sub-processor for carrying out specific processing activities on behalf of the Customer, Zopto shall ensure that the same data protection obligations set out in this Agreement are imposed on the sub-processor.

3.3. To help Zopto deliver the Subscription Service, we engage Sub-Processors to support our infrastructure. By agreeing to the DPA, you agree all of these Sub-Processors may have access to Customer Data.

  • 3.3.1. Infrastructure Sub-Processors
  • To help Zopto deliver the Subscription Service, we engage Sub-Processors to support our infrastructure. By agreeing to the DPA, you agree all of these Sub-Processors may have access to Customer Data.
    • Amazon Web Services, Inc. – Purpose: Hosting & Infrastructure
    • Google, LLC – Purpose: Calendar, Data hosting provider
    • GitHub, Inc. – Purpose: Source code management system
  • 3.3.2. Feature Specific Sub-Processors
    • Google, LLC – Purpose: Form submission spam prevention (Google reCAPTCHA)
    • HubSpot, Inc. – Purpose: Customer Relationship Management (CRM) system
    • Stripe, Inc. – Purpose: Credit card payment processing
    • Slack Technologies LLC – Purpose: Internal operational messaging
    •, Inc. – Purpose: Internal ticketing system
    • OpenAI, LLC – Purpose: AI Products



4.1. Zopto shall assist the Customer, insofar as possible, in fulfilling its obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Laws.

4.2. Zopto shall not respond to any request from a Data Subject without prior consultation from the Customer.


Zopto acknowledges and agrees that it will not transfer the Personal Data to any third country or international organization unless required by the Data Protection Laws or authorized by the Customer or unless the transfer is made to ensure an appropriate level of protection as per the Data Protection Laws.

5.1. Additional Provisions for European Data

5.1.1. Scope. This ‘Additional Provisions for European Data’ section will apply only with respect to European Data.

5.1.2. Roles of the Parties. When Processing European Data in accordance with your Instructions, the parties acknowledge and agree that you are the Controller of European Data and we are the Processor.

5.1.3. Transfer Mechanisms for Data Transfers. If we believe that your Instruction infringes European Data Protection Laws (where applicable), we will inform you without delay.

  • Zopto will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
  • You acknowledge that in connection with the performance of the Subscription Services, Zopto is a recipient of European Data in the United States. To the extent that Zopto receives European Data in the United States, Zopto will comply with the following:
    • (1) Data Privacy Framework. Zopto will use the Data Privacy Framework to lawfully receive European Data in the United States and ensure that it provides at least the same level of protection to such European Data as is required by the Data Privacy Framework Principles and will let you know if it is unable to comply with this requirement.
    • (2) Standard Contractual Clauses. If European Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer to Zopto and/or the Data Privacy Framework is invalidated), the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows: In relation to European Data that is subject to the GDPR Customer is the “data exporter” and Zopto is the “data importer”;
  • Alternative Transfer Mechanism. In the event that Zopto is required to adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described in sub-section ( above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect such alternative transfer mechanism.



In case of a Personal Data breach, Zopto will without undue delay notify the Customer after becoming aware of the breach. The notification will contain details of the breach, its potential consequences, and the measures taken or proposed to be taken to address the breach.


  1. 7.1. Zopto shall make available to the Customer all necessary information to demonstrate compliance with the obligations laid down in this Agreement.
  2. 7.2. Zopto shall allow for, and contribute to, audits conducted by the Customer or the Customer’s designated auditor and cooperate fully with such audits.



Upon termination or expiry of this Agreement, Zopto shall cease all processing of the Personal Data and shall erase all Personal Data unless retention of the Personal Data is required by applicable law.

This DPA is dated and effective from: October 27, 2023