GDPR Policy
Zap is committed to supporting the privacy rights of Zap Customers
We process personal data responsibly and in line with our obligations under the GDPR.
Last updated: 24 November, 2025.
GDPR means the European Union General Data Protection Regulation (EU Regulation 2016/679), or the United Kingdom General Data Protection Regulations created by the UK Data Protection Act 2018 on the UK’s exit from the European Union.
This includes:
- An update of our terms of service
- The introduction of a Data Protection Addendum (DPA), as required by the GDPR
- Various cookie protections and opt-out functionality on our website
- Further internal and third-party security audits of our processes, Azure-based platform, and application
Zap's role in GDPR compliance
Zap acts as a data processor under the GDPR. Zap is responsible for safeguarding personal data that flows through our Services on behalf of customers.
Zap processes personal data only on documented customer instructions, including as set out in the customer agreement and DPA, unless processing is required by applicable law, and only to provide, secure, maintain, and support the Services for the term of the customer agreement. The categories of data and data subjects depend on what customers choose to load into the platform. Zap does not require or intend to process special category data.
Customer's role in GDPR compliance
As a Zap customer (or partner), you are a data controller under the GDPR, and Zap is your data processor. This means that throughout the time of your subscription to our Services, you retain ownership and control of your customer or user data.
You will want to pay attention to the following non-exhaustive list of items:
- Perform your own research, audit, internal training and strategy steps within your company to ensure you understand GDPR and how it applies to your business
- Ensure your Terms and Privacy policies are up to date
- If you are an organisation located in the EU or UK, and need to be GDPR compliant, you may request to sign our Data Protection Addendum (DPA)
- Be mindful of the amount of personal data that may be processed in a Zap model and limit it as much as possible.
- Also ensure that users’ consent is handled appropriately.
What is a Data Processing Agreement (DPA)?
This is an agreement offered by Zap that governs the relationship between the customer (acting as a data controller) and Zap (acting as a data processor). The DPA facilitates Zap customers’ compliance with their obligations under the GDPR.
Our DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to Zap outside of the European Union or United Kingdom by relying on one of these mechanisms: Binding Corporate Rules or Standard Contractual Clauses.
The applicable SCC module or UK transfer addendum for a specific customer is set out in the DPA.
Zap's third-parties/sub-processors
A sub-processor is a third-party data processor engaged by Zap, including entities from within Zap, that has or potentially will have access to, or processes, Service Data (which may contain personal data). Zap uses different types of sub-processors to perform various functions in order to operate its service.
Zap requires its sub-processors to satisfy obligations equivalent to those required of Zap (as a data processor). Zap maintains an up-to-date list of the names and locations of all sub-processors used for hosting or other processing of Service Data.
Zap Group entities that may access or process Service Data are authorised in the DPA, with the current list and locations set out in the DPA or available on request. Zap may add or replace sub-processors under the DPA and will notify customers of material changes and allow reasonable time to object.
Infrastructure and service sub-processors
Zap uses and administers the infrastructure used to host the Services and customer data for Zap SaaS deployments, and controls access to Zap environments. For customer hosted deployments, hosting infrastructure is controlled by the customer.
| Sub-processor | Application | Location |
| --- | --- | --- |
| Microsoft Azure | Cloud provider hosting customer data, user authentication, logging, and reporting. Only used by Zap SaaS. Customer data is hosted at the customer’s elected location, as set forth in our terms and conditions. | Customer elected Azure region |
| Microsoft Dynamics 365 | Customer relationship management, service licence provider. | United States |
| Zendesk | Cloud based service provider, Zap customer help desk. | United States |
Other sub-processors
The following sub-processors may be used by Zap employees to store the minimum relevant set of data required to perform a specific function:
| Sub-processor | Application | Location |
| --- | --- | --- |
| Slack | User, customers, customer instance may be discussed here | United States |
| Microsoft Office 365 | User data may be discussed, referenced or stored in this hosted service, in the form of emails or files | United States |
| HubSpot | Prospect and customer information is stored here. This CRM tool and account management system is used by Zap to manage lead, opportunity, customer records and relationships. | United States |
| Intercom | In app customer messaging and support chat, may contain Service Data provided by customers. | United States |
| GitHub | Source code hosting and CI tooling. | United States |
Security
Zap maintains technical and organisational security measures appropriate to the risk of processing, including encryption in transit and at rest, role based access control, monitoring and logging, and secure development and change control.
Data subject rights and assistance
Individuals in the EU and UK have rights under the GDPR, including rights of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
Where Zap receives a request from a data subject relating to customer personal data, Zap will direct the requester to the relevant customer (controller) unless Zap is legally required to respond, and will assist the customer, where reasonably possible, to action that request under the DPA.
Privacy enquiries can be sent to: privacy@zapbi.com
Data retention and deletion
Zap retains customer personal data only for as long as required to provide the Services and meet legal or contractual obligations. On termination or expiry of the Services, Zap will delete or return customer personal data in accordance with the DPA and the customer agreement. Deletion occurs within the timeframes specified in the DPA unless a longer period is required by law.