Data Processing Agreement (DPA) - Zirvo

Last updated: June 12, 2026 • Headquarters: Nova Alvorada do Sul - MS • Version: 1.0

Table of Contents

  1. Introduction and Scope
  2. Roles and Responsibilities
  3. Categories of Processed Data
  4. Processing Activities
  5. Customer Instructions
  6. Security Measures
  7. Authorized Subprocessors
  8. International Data Transfers
  9. Security Incident Management
  10. Audit Rights
  11. Data Retention and Deletion
  12. Business Confidentiality
  13. Limitation of Liability
  14. Term and Termination

This Data Processing Agreement (“DPA” or “Agreement”) establishes the technical and legal contractual conditions applicable to the processing of personal data conducted by the Zirvo platform, a global critical monitoring and observability solution, in connection with the services contracted by its corporate Customers.

This Agreement ensures that all personal data processing operations within the Zirvo framework are in strict compliance with the Brazilian General Data Protection Law (LGPD), the European Union General Data Protection Regulation (GDPR), and other applicable international digital compliance regulations, and shall be interpreted in an integrated manner with the Zirvo Terms of Use.

1. Introduction and Scope

1.1. Subject Matter

This DPA exclusively governs operations where Zirvo processes data under instructions and for the benefit of the Customer within the scope of providing SaaS digital observability services, connection monitoring, SSL certificate integrity, and DNS validity.

1.2. Agreement Applicability

This Agreement becomes binding on the parties from the moment data relating to identified or identifiable natural persons (personal data) begins to transit or reside in logical servers, messaging buses, or logical database instances managed by Zirvo as a result of configurations activated by the Customer.

2. Roles and Responsibilities

For all legal purposes and within the scope of LGPD and GDPR compliance, the parties explicitly assume the following regulatory positions:

A. The Customer as Data Controller: The Customer acts as the primary owner of the purpose of processing personal data of their corporate users, visitors, or technical data they configure for monitoring. The Customer is solely responsible for ensuring they have collected the appropriate legal basis - consent or legitimate interest - to submit such technical-operational information to the Zirvo analytics framework.

B. Zirvo as Data Processor: Zirvo acts in a restricted and exclusive capacity as the technical operator and processor of telemetry personal data, processing and structuring information exclusively to enable automated verification routines, maintain corporate dashboard operability, and dispatch reliable alerts as defined by the Customer's instructions.

3. Categories of Processed Data

Zirvo will limit processing to the strictly necessary data categories described below:

  • Corporate Account Data: Full name, business email address, administrative role, and login credentials linked to authentication.
  • User (Seat) Identification Data: Attributes of members and guests added to the Tenant Account and Workspace (destination corporate email addresses).
  • Monitoring Configuration Data: Read API endpoints (REST/GraphQL/WebSocket), parameterized URLs, connection ports, response times, and domain names.
  • Technical Records and Session Metadata: Access IP addresses, logical server log records, logical identifiers of type “sub” contained in JWT authentication tokens, and basic operational telemetry for limits control.
  • Output Integrations: Logical identifiers for notification channels such as destination emails, private chat IDs (Slack, Discord, or Telegram), PagerDuty cryptographic keys, or configured webhooks.

4. Processing Activities

Electronic data processing by Zirvo will occur solely and exclusively within the technical scope necessary to:

  • Operation and Verification: Continuous technical reading of the operational status of URLs, SSL encryption certificates, and statistical resolution of name servers (DNS).
  • Routing and Alerts: Detection of uptime operational deviations and corresponding dispatch of alerts from the Zirvo outbox to the Customer's configured output channels.
  • Technical Support: Resolution of dashboard bottlenecks, database corrections, and investigation of slow requests upon direct request from team members.
  • Performance Improvement: Aggregated analysis of anonymous statistical telemetry from the Zirvo cluster for dynamic anomaly prediction and optimization of metrics time-series databases.

5. Customer Instructions

5.1. Operational Binding

Zirvo will act in strict processing compliance according to the express definitions outlined by the Customer through their choices in logical monitor panels or commands executed via APIs, refraining from using, mining, or processing such technical-operational data for any other secondary or commercial purposes not provided for.

5.2. Legality of Input Data

The Customer assumes full responsibility under civil and regulatory law (LGPD/GDPR) for the provenance, validity, and legal right associated with the submission or routing of monitored URLs, databases, or endpoints read by Zirvo probes, declaring that they do not irregularly capture or infringe third-party data without the respective documented legal authority.

6. Security Measures

We implement technical, administrative, and physical safeguards based on rigorous infrastructure security and compliance to ensure maximum protection of processed data:

  • Base Encryption Architecture: Mandatory use of secure TLS 1.3 connections in transit and AES-256 cryptographic storage for data persisted in PostgreSQL and cold backup disks.
  • Logical Multi-Tenant Isolation: Strongly logically isolated database architecture with parameterized reads filtered by primary partition keys including Tenant ID and site identifier hash (siteId).
  • Least Privilege Control: Internal access to billing environments, logical credentials, and production servers is personal, audited with logs, and strictly reserved only for essential authorized professionals.
  • SSRF Protection: Active and immediate blocking of any configured monitoring pointing to local, loopback, corporate private, or link-local addresses to prevent access to restricted networks.
  • Credential Hash Algorithms: Implementation of the Argon2 standard for irreversible cryptographic hashes of user and organization passwords and API Keys.

7. Authorized Subprocessors

7.1. General Authorization

The Customer provides their general and valid authorization to Zirvo to engage infrastructure subprocessors and processing services that operate in compliance with the integrity directives described in this agreement.

7.2. List of Essential Subprocessors

Currently, Zirvo uses only the following third-party technical infrastructure entities for the correct provision of essential logical routines:

| Entity | Activity | Processing Location |
|---|---|---|
| Cloud Infrastructure and Hosting Providers | Cloud servers, logical probe virtualization, and primary database persistence | South America (Sao Paulo - BR) and USA (North Virginia) |
| Encrypted Billing Gateways (e.g., Stripe) | Recurring payment processing in a secure PCI-DSS billing environment | United States and European Union |
| Google (Gemini APIs) | Corporate infrastructure and models for incident intelligence and RCA | United States and European Union |

7.3. Update and Notification Right

Zirvo will notify the Customer with at least 15 business days' advance notice before changing, adding, or replacing any partner or subprocessor on its official critical list. If the Customer presents a reasonable and well-founded objection based on objective privacy risks, the parties will initiate internal amicable mitigation to resolve the contractual impasse.

8. International Data Transfers

Given the distributed and redundant integrity of Zirvo's active-active probe operational mesh, monitored reading loads from your Workspace may undergo geographic security replication under confidentiality across redundant data centers operated in the USA and European Union. Zirvo ensures that such operations are based on valid and documentable transfer mechanisms in compliance with GDPR and LGPD guidelines (such as Standard Contractual Clauses - SCCs - signed by the operating parties).

9. Security Incident Management

9.1. Timely Notification

In the event of confirmed internal network security incidents that result in logical integrity breach, involuntary loss, destruction, or leakage of personal data processed by Zirvo, we commit to formally notifying the affected Customer within 48 consecutive business hours of firm confirmation of the event.

9.2. Technical Cooperation and Mitigation

The notification will include details on the scope of affected records, volume, and urgent risk mitigation measures taken by our response team. Zirvo will provide legitimate and proportional cooperation to support the Customer in their regulatory obligations for timely communication to the Brazilian National Data Protection Authority (ANPD) or European regulatory institutions where applicable.

10. Audit Rights

10.1. Reasonable Limits

The Customer, upon formal written notice with at least 30 business days' advance notice and under strict confidentiality limits, is entitled to conduct one annual virtual security technical audit to confirm the adherence of Zirvo's technical practices to the provisions of this agreement.

10.2. Multi-Tenant Security and Integrity Protection

To preserve the integrity, resilience, and privacy of other Customers sharing Zirvo's distributed multi-tenant logical environment, the audit will be strictly limited to vulnerability report queries, documented firewall architectures, internal policies, and code audits conducted by independent technical auditors. Active invasive penetration testing (pentests) or aggressive scans on real production servers are strictly prohibited without the knowledge and written authorization of Zirvo's security teams.

11. Data Retention and Deletion

11.1. Active Retention Cycle Period

Fine-grained operational telemetry data is subject to aggressive, automated discard cycles: raw metrics expire after 30 days; hourly aggregated metrics are persisted for 1 year; incident logs remain active according to the commercial contract term.

11.2. Post-Termination Deletion Protocol

Upon discontinuation of their respective administrative account, Zirvo will execute irrecoverable and definitive technical removal (or rigorous, mathematically strict anonymization processes that prevent ownership reconstruction) of the entire relational history of logical corporate tables and parameterizations within the final regulatory period of 30 business days from the executed post-contractual request.

12. Business Confidentiality

We consider all parameterizations, Customer server topologies, logical architectures, technical monitoring read paths, and alert integrations to be Confidential Information of utmost importance. Zirvo commits to maintaining irrevocable protection against deviations or leakage of such commercial intellectual assets, and extends this same fiduciary compliance obligation to its entire team through Confidentiality Agreements with proper civil force.

13. Limitation of Liability

Civil indemnifications, technically computed data losses in service provision, and breaches inherent to the data processing contingencies covered under this DPA are limited in accordance with the general specifications provided in the Limitation of Liability clause set forth in Section 30 of Zirvo's central Terms of Use, acting to maintain proportional integrity and resilience between the corresponding net billing versus the SaaS service provided.

14. Term and Termination

This Agreement is effective for the period directly associated with and supported by the contracted term and licensing of your company's Zirvo Services Account. Operational obligations that, by express legal nature, survive contract termination (such as confidentiality safeguards, remaining confidential guidelines, and legal obligations to preserve digital logs under applicable regulatory framework) will remain active until the complete legal expiration of applicable limitation periods.