Skip to content
Zod
Data Processing Agreement

Data Processing Agreement

Last updated: July 1, 2026

1. Parties and effective date

This Data Processing Agreement ("DPA") reflects the parties' agreement regarding the processing of personal data by Zod on behalf of its commercial customers. It forms part of the Terms of Service, Enterprise Agreement, or other written agreement (the "Agreement") between:

  • Zod, Inc. (the "Data Processor"), a Delaware corporation with offices at 548 Market Street, PMB 72296, San Francisco, CA 94104-5401, United States
  • You, the customer (the "Data Controller"), as identified in the Agreement

If you have an executed DPA with Zod, the terms of that executed agreement govern. This page is a summary of our standard commitments for informational purposes. To request an executed copy of our standard DPA, please contact contact@zodagent.com.

2. Scope and roles

This DPA applies to all personal data processed by Zod in the course of providing the Service to the customer. For the purposes of this DPA:

  • Data Controller is the customer who determines the purposes and means of processing personal data
  • Data Processor is Zod, which processes personal data on behalf of and under the instructions of the controller
  • Personal data means any information relating to an identified or identifiable natural person as defined under applicable data protection laws
  • Processing means any operation performed on personal data, including collection, storage, use, disclosure, and deletion

This DPA does not apply where Zod acts as an independent data controller of personal data, such as account information collected for Zod's own business purposes (governed by the Privacy Policy).

3. Processing details

The subject matter, duration, nature, and purpose of the processing, as well as the types of personal data and categories of data subjects, are as follows:

Subject matter

The provision of Zod's AI-powered coding assistant, IDE extension, API services, and related software and services.

Duration of processing

The term of the Agreement plus the period from the end of the Agreement until all personal data is deleted or returned as described in Section 11.

Nature and purpose of processing

Processing of personal data as necessary to provide the Service, including: account management, authentication, billing, support, API access, code indexing, AI model inference, usage analytics, and security monitoring.

Types of personal data

  • Account data: name, email address, billing information
  • Usage data: logs, IP addresses, feature interactions, performance metrics
  • User content: code, prompts, file contents, communications, and other data input or generated through the Service

Categories of data subjects

  • The customer's authorized users (employees, contractors, team members)
  • Individuals whose data is included in content processed through the Service

4. Obligations of Zod (processor)

Zod will:

  • Process personal data only on documented instructions from the controller, unless required to do otherwise by applicable law (in which case Zod will inform the controller of that legal requirement before processing, unless prohibited by law)
  • Ensure that persons authorized to process the personal data are subject to obligations of confidentiality (contractual or statutory)
  • Implement appropriate technical and organizational security measures as described in Section 8
  • Not engage another processor (subprocessor) without prior specific or general written authorization from the controller
  • Assist the controller by appropriate technical and organizational measures to respond to requests from data subjects exercising their rights under applicable data protection law
  • Assist the controller in ensuring compliance with obligations regarding security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
  • At the choice of the controller, delete or return all personal data after the end of the Service term
  • Make available to the controller all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 12

5. Obligations of the customer (controller)

The customer represents and warrants that:

  • The processing of personal data as described in the Agreement complies with all applicable data protection laws
  • The customer has provided (or will provide) all necessary notices and obtained all necessary consents and authorizations required under applicable law for Zod to process personal data as described in the Agreement
  • The customer's instructions to Zod for processing personal data will comply with applicable law
  • The customer has in place appropriate technical and organizational measures to protect personal data in its own environment

6. Data subject rights

Zod will assist the customer in fulfilling its obligations to respond to data subject requests under applicable data protection law. If Zod receives a request from a data subject directly, Zod will:

  • Promptly forward the request to the customer (the controller)
  • Not respond to the request without the customer's prior instruction, except to confirm that the request has been forwarded
  • Provide the customer with the ability to access, correct, delete, or export personal data through the Service's built-in functionality
  • Assist with additional requests that cannot be fulfilled through the Service's self-service features

The customer is responsible for responding to data subject requests within the timeframes required by applicable law.

7. Subprocessors

The customer provides general authorization for Zod to engage subprocessors. Zod currently uses the following subprocessors:

  • Amazon Web Services (AWS) — Cloud infrastructure, hosting, storage (US regions)
  • Stripe, Inc. — Payment processing (US)
  • Anthropic, OpenAI, Google (Gemini), xAI — AI model providers (subject to zero data retention agreements)
  • Baseten, Together AI, Fireworks — AI inference providers
  • Datadog, Inc. — Application monitoring and observability (US)

Zod will notify the customer at least 30 days before adding or replacing any subprocessor. The customer may object to a new subprocessor by providing a written objection within 14 days of notice. If the objection cannot be resolved, either party may terminate the affected Service without penalty. A current list of subprocessors is available upon request.

8. Security measures

Zod maintains appropriate technical and organizational security measures to protect personal data, including:

  • Encryption: AES-256 encryption at rest for all data stores; TLS 1.2+ encryption in transit for all network communications
  • Access controls: Least-privilege access principles with multi-factor authentication enforced for all production access
  • Infrastructure security: SOC 2 Type II certified; annual penetration testing by independent third parties; vulnerability scanning; intrusion detection
  • Personnel security: Background checks where permitted; confidentiality agreements; security awareness training; role-based access controls
  • Incident response: Documented incident response plan with defined escalation procedures; 24/7 security monitoring
  • Data segregation: Customer data segregated by account with strict access controls between tenants
  • Physical security: Data hosted in AWS data centers with industry-standard physical security controls (access cards, biometrics, surveillance, 24/7 guards)

Zod's SOC 2 Type II report is available under NDA upon request. See our Security page for additional details.

9. International data transfers

Personal data may be transferred to and processed in the United States and other jurisdictions where Zod, its affiliates, and its subprocessors operate. For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed adequate by the European Commission, Zod ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — The European Commission's Standard Contractual Clauses (Module Two: controller-to-processor and Module Three: processor-to-processor) as adopted by Commission Implementing Decision 2021/914
  • UK International Data Transfer Agreement (IDTA) — For transfers from the UK
  • Supplementary measures — Technical and organizational measures to ensure an equivalent level of protection as required under applicable law

Zod does not host any infrastructure in China and maintains zero data retention (ZDR) agreements with all AI model providers.

10. Data breach notification

Zod will notify the customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the customer's data. The notification will include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of Zod's data protection officer or security contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its adverse effects

Zod will cooperate fully with the customer in investigating and remediating the breach. Zod's obligations under this section do not apply to breaches that are unlikely to result in a risk to the rights and freedoms of natural persons.

11. Data deletion and return

Upon termination or expiration of the Agreement, Zod will, at the customer's option, delete or return all personal data processed on behalf of the customer. Zod will:

  • Provide the customer with the ability to export personal data through the Service's built-in functionality prior to termination
  • Upon request, provide a copy of personal data in a commonly used, machine-readable format
  • Securely delete all personal data within 90 days of the termination date, unless retention is required by applicable law
  • Provide written certification that deletion has been completed

This obligation does not apply to personal data that Zod is required to retain under applicable law, in which case Zod will maintain the data in accordance with confidentiality and security obligations for the duration of the retention period.

12. Audits and compliance

Zod will make available to the customer all information necessary to demonstrate compliance with this DPA. This includes:

  • SOC 2 Type II audit reports (available under NDA)
  • Penetration testing summaries
  • Information security policies and procedures overview

The customer may request an audit of Zod's processing activities not more than once per 12-month period, at the customer's expense. Audits will be conducted during normal business hours with reasonable notice and will not unreasonably interfere with Zod's operations. If Zod's SOC 2 Type II report or equivalent certification demonstrates compliance, no additional audit rights are triggered.

13. Contact us

To request a copy of our standard DPA or for questions about data processing:

Email: contact@zodagent.com

Subject for DPA request: "DPA Request — [Your Company Name]"

Response time: Within 3 business days

Need a signed DPA?

Contact us to execute our standard Data Processing Agreement for your organization.