data processing agreement
last updated: december 2025
1. overview
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and Zanode ("Processor") for the use of our hosting platform services. This DPA governs how we process your data and the data of your end users.
2. definitions
- Customer data: code, assets, environment variables, databases, logs, and any other data you deploy or store on the platform.
- Personal data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on customer data, including storage, access, transmission, and deletion.
3. data we process
As your hosting provider, we process the following categories of data:
- Application code and assets: your source code, build artifacts, and static files.
- Environment variables: configuration and secrets you define for your applications (encrypted at rest).
- Database contents: data stored in managed PostgreSQL instances.
- Logs: build logs, deployment logs, and application runtime logs.
- Account information: your name, email, and authentication credentials.
4. how we access your data
Zanode staff may access your data only in the following circumstances:
- Platform operations: to run builds, deployments, and serve your applications.
- Customer support: when you request assistance and grant us permission.
- Security incidents: to investigate and resolve security issues.
- Legal compliance: when required by law or court order.
Access is exception-based, logged, and governed by least-privilege principles. We do not access your data for marketing or advertising purposes.
5. security measures
- Encryption at rest: environment variables and secrets are encrypted using AES-256-GCM.
- Encryption in transit: all data is transmitted over TLS/HTTPS.
- Data residency: all data is stored on servers located in South Africa.
- Access controls: role-based access, two-factor authentication available.
- Daily backups: automated backups with point-in-time recovery.
6. subprocessors
We use the following subprocessors to deliver our services. All subprocessors are bound by data processing agreements:
| subprocessor | purpose | location |
|---|---|---|
| Cloud.co.za | Compute infrastructure | South Africa |
| PostgreSQL (self-hosted) | Database services | South Africa |
| Resend | Transactional email | USA/EU |
| GitHub | Source code integration | USA |
7. data retention and deletion
We retain your data for as long as your account is active. Upon account deletion, we will delete all your customer data within 30 days, except where retention is required by law. You may request data export or deletion at any time by contacting us.
8. popia compliance
We comply with the Protection of Personal Information Act (POPIA) of South Africa. Your data never leaves South African borders except where explicitly required for subprocessor integrations (e.g., email delivery). You have the right to access, correct, or delete your personal information at any time.
9. your responsibilities
- Ensure you have lawful grounds to process any personal data you deploy on our platform.
- Do not store highly sensitive data (e.g., payment card numbers, health records) without appropriate safeguards.
- Use strong passwords and enable two-factor authentication.
- Rotate secrets and API keys regularly.
10. contact us
For any questions about this DPA or to exercise your data rights, please contact us at:
support@zanode.co.za