Data Processing Agreement (DPA)
Zation acts as a data processor on your behalf when the Platform analyzes your usage and consumption data. The terms are set out in our Personal Data Processor Agreement (PDPA-G), in force since March 2025 and compliant with both the GDPR and the revised Swiss Data Protection Act (revDSG).
The complete PDPA-G is published at zation.io/en/pdpa. A signable PDF is available to all Platform customers — contact platform@zation.io and we'll send the current template within one business day.
What the DPA covers
- Role as data processor (Art. 28 GDPR / Art. 9 revDSG)
- Categories of personal data processed (see below)
- Categories of data subjects (see below)
- Purpose and scope of processing
- Sub-processor engagement (see Sub-Processors)
- Technical and organizational measures (see Security)
- Data residency and cross-border transfer rules
- Data breach notification obligations
- Return and deletion at end of contract
Data we process
The Platform processes the following categories of personal data on your instructions:
| Category | Examples |
|---|---|
| User credentials | Usernames, user principal names (UPNs), Microsoft Entra ID directory data |
| Application usage data | Sign-in activity, feature and license usage |
| Consumption owner data | Attribution of cloud and software consumption to individuals |
Data subjects
Processing concerns technical Microsoft Entra ID users in your tenant — both members and guests.
Purpose of processing
We process the data solely to analyze usage and consumption of your software and cloud products so you can optimize, modernize, reduce costs, and increase utilization. We process data only on your documented instructions and for no other purpose.
Data residency and transfers
- Customer content and personal data is hosted in Switzerland North (see Security).
- Processing by Microsoft identity sub-processors may occur within the EEA, which Switzerland recognizes as providing adequate protection (Annex 1 of the Swiss Data Protection Ordinance, DSV).
- Any transfer to a third country relies on Standard Contractual Clauses or another mechanism recognized under Art. 16–17 revDSG (see Sub-Processors).
Term, return, and deletion
- Either party may terminate with 90 days' written notice.
- On termination, you choose whether we return or delete all personal data we hold on your behalf.
- Deletion includes backups — residual backup copies are overwritten within the normal backup rotation cycle.
This page summarizes the PDPA-G for orientation. The signed agreement is the legally binding version.