Data Processing Agreement

Version 1.0 · Effective 7 July 2026 · Last updated 7 July 2026

This Data Processing Agreement ("DPA") governs Supera's processing of personal information on behalf of business customers under US state privacy laws. It forms part of, and is incorporated by reference into, the Terms of Service between the customer ("Customer") and Zolopreneur LLC – Supera PS ("Supera"). By accepting the Terms of Service, Customer agrees to this DPA.

In plain terms: when your company uses Supera, you decide what employee information goes in and why — you are the business / controller. Supera is your service provider / processor: we handle that information only to run the Service for you, we don't sell it and don't use it for our own purposes, and we hold it under the protections described here and in our Security and Privacy pages.

1. Scope & applicable law

This DPA applies to Supera's processing of "personal information" that is subject to US state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and comparable comprehensive state privacy laws (including, as applicable, those of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states with such laws) (together, "US State Privacy Laws"). Supera currently offers the Service to US-based businesses only; this DPA does not cover the EU/EEA, UK, or Switzerland (a separate agreement applies if and when Supera offers the Service there).

2. Roles of the parties

For personal information processed under the Service, Customer is the "business" / "controller," and Supera is the "service provider" / "processor," as those terms are defined under US State Privacy Laws. Terms such as "personal information," "process," "consumer," "sell," and "share" have the meanings given in the applicable law.

3. Supera's processing of personal information

Supera shall process personal information only on Customer's documented instructions — the Terms of Service, this DPA, and Customer's configured use of the Service — and solely to provide the Service (the "business purpose"). Supera will inform Customer if it believes an instruction violates applicable law.

4. Service provider / processor obligations

With respect to personal information subject to US State Privacy Laws, Supera shall:

  1. Not sell or share the personal information (as "sell" and "share" are defined under the CCPA/CPRA).
  2. Not retain, use, or disclose the personal information for any purpose other than the business purpose specified above, or as otherwise permitted by US State Privacy Laws — including not for Supera's own commercial purposes, and not to train artificial-intelligence models.
  3. Not retain, use, or disclose the personal information outside the direct business relationship with Customer.
  4. Not combine the personal information with personal information from any other source, except as permitted by US State Privacy Laws and their regulations.
  5. Provide the same level of privacy protection as is required of the Customer under US State Privacy Laws.
  6. Ensure persons authorized to process the personal information are bound by an obligation of confidentiality.
  7. Implement and maintain reasonable security measures appropriate to the personal information (described in Annex C).
  8. Engage sub-processors only in accordance with Section 5.
  9. Assist Customer, taking into account the nature of the processing, in responding to verifiable consumer requests (to know/access, delete, correct, and opt-out) and in meeting Customer's security and, where applicable, data-protection-assessment obligations.
  10. Notify Customer promptly if Supera determines it can no longer meet its obligations under US State Privacy Laws.
  11. Grant Customer the right to take reasonable and appropriate steps to help ensure Supera uses the personal information consistently with Customer's obligations, and to stop and remediate any unauthorized use.
  12. Make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and, on reasonable request, cooperate with reasonable assessments as described in Section 8.

Supera certifies that it understands and will comply with the restrictions in this Section 4.

5. Sub-processors

Customer provides general authorization for Supera to engage the sub-processors listed in Annex B to help provide the Service. Supera will: (a) enter into a written contract with each sub-processor imposing data-protection and confidentiality obligations substantially equivalent to those in this DPA; (b) remain responsible for its sub-processors' performance of those obligations; and (c) provide Customer advance notice of any intended addition or replacement of a sub-processor, during which Customer may object on reasonable grounds relating to data protection; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service.

6. Deletion & return of personal information

Customer may export its data at any time, including before deletion. On termination of the Service, or on Customer's request, Supera will delete Customer's personal information, unless retention is required by law. Deleting an individual record is a permanent removal from the live database; deleting or closing the entire account triggers crypto-shredding (destruction of the account's encryption key), rendering all of that Customer's data — including in backups — permanently unreadable. Personal information contained in immutable backups is rendered unreadable through crypto-shredding at whole-account deletion and otherwise expires on Supera's backup-retention cycle.

7. Consumer requests

Where Supera receives a request directly from a consumer relating to Customer's personal information, Supera will (unless legally required to act) direct the consumer to Customer and, where appropriate, notify Customer. Supera will provide reasonable assistance to Customer in fulfilling verifiable consumer requests.

8. Demonstrating compliance

Supera will make available information reasonably necessary to demonstrate its compliance with this DPA. Where a reasonable assessment is required, Supera may satisfy such a request by providing a current summary of its security controls or a relevant third-party report, or by cooperating with a reasonable, mutually agreed assessment on reasonable prior notice, no more than once per twelve (12) months (absent a documented security incident or a legal requirement), subject to confidentiality and Supera's reasonable security and operational requirements.

9. General

This DPA is subject to, and its liability is limited by, the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal information, this DPA controls. This DPA is governed by the law stated in the Terms of Service, except where US State Privacy Laws require otherwise. Supera may update this DPA to reflect changes in law or its Service; the "Version" and "Effective" dates above indicate the current version, and material changes will be communicated as required.


Annex A — Description of the processing

Annex B — Sub-processors

Sub-processorPurpose
CloudflareHosting, storage, network (SOC 2 / ISO 27001 certified)
Google Cloud (Cloud KMS)Encryption-key management
WorkOSSign-in & multi-factor authentication
AnthropicAI drafting & translation (not used to train models)
StripeSubscription billing
Twilio & Meta (WhatsApp)SMS / WhatsApp message delivery
ResendEmail delivery
Slack / Microsoft (Teams)Only if Customer enables that optional integration

The current sub-processor list is also available at [email protected].

Annex C — Security measures

Full detail: see our Security page.