Data Processing Agreement

Effective: March 26, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between zyberspace ("Processor") and the entity agreeing to these terms ("Controller") for the provision of static site hosting, deployment, AI builder, and MCP/sandbox editing services.

This DPA establishes the terms under which zyberspace will process personal data on behalf of the Controller in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) 2016/679, the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA).

1. Interpretation

In this DPA, the following terms have the meanings set out below:

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Processor" means zyberspace, which processes Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including but not limited to the EU General Data Protection Regulation (GDPR) 2016/679, the UK Data Protection Act 2018, UK GDPR, and the California Consumer Privacy Act (CCPA), as amended from time to time.
  • "Subprocessor" means any third party engaged by zyberspace to process Personal Data on behalf of the Controller.

2. Relationship of the Parties

With respect to Personal Data processed under this DPA:

  • The Controller determines the purposes and means of processing Personal Data.
  • zyberspace acts as a Processor and shall process Personal Data only in accordance with the Controller's documented instructions.
  • The Controller warrants that its instructions comply with all applicable Data Protection Laws.
  • zyberspace shall inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

3. Processing of Personal Data

3.1 Purposes of Processing

zyberspace processes Personal Data for the following purposes:

  • Providing static site hosting and deployment services
  • Processing and publishing site files and deployments
  • AI-powered site building via MCP and sandbox editing
  • Custom domain configuration and TLS provisioning
  • ChatGPT, OAuth, and third-party agent integrations
  • Analytics and performance monitoring
  • Billing and account management

3.2 Categories of Personal Data

The following categories of Personal Data may be processed:

  • Contact information (name, email address)
  • Account credentials and authentication data
  • Uploaded site files and deployment metadata
  • Deployment counts, bandwidth usage, and error logs
  • OAuth tokens and API keys (stored encrypted)
  • Device and browser information
  • IP addresses and location data
  • Billing information (processed via secure payment providers)

3.3 Categories of Data Subjects

Personal Data may be processed relating to:

  • Controller's employees and authorized users
  • Controller's customers and end-users
  • Visitors to sites hosted on the Controller's account (where analytics are enabled)

4. Technical and Organizational Measures

zyberspace implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Access Controls: Role-based access controls limiting access to Personal Data to authorized personnel only.
  • Encryption: Encryption of Personal Data in transit (TLS 1.2+) and at rest.
  • Infrastructure Security: Hosting on secure cloud infrastructure with industry-standard security certifications.
  • Regular Updates: Regular security updates and vulnerability assessments.
  • Backups: Regular secure backups with appropriate retention and recovery procedures.
  • Personnel Training: Data protection and security awareness training for all personnel.
  • Incident Response: Documented incident response procedures for security events.

5. Subprocessors

The Controller authorizes zyberspace to engage the following Subprocessors to assist in providing the services:

SubprocessorPurposeLocation
CloudflareR2 object storage, CDN, custom domain TLSUnited States / global edge
Vercel Inc.Ephemeral sandbox build environments for AI editingUnited States
NeonAccount, site, and deployment metadata storageUnited States / EU (region-dependent)
PostHogProduct analytics (cookieless by default)United States / EU (project-dependent)
StripeSubscription billing and payment processingUnited States
OpenAIAI inference for site builder and agent editingUnited States

zyberspace ensures that all Subprocessors are bound by data protection obligations equivalent to those in this DPA. The Controller may object to the appointment of a new Subprocessor by providing written notice within 14 days of being informed.

6. Data Subject Rights

zyberspace shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of Access: The right to obtain confirmation of processing and access to Personal Data.
  • Right to Rectification: The right to correct inaccurate or incomplete Personal Data.
  • Right to Erasure: The right to request deletion of Personal Data under certain circumstances.
  • Right to Restrict Processing: The right to limit how Personal Data is used.
  • Right to Data Portability: The right to receive Personal Data in a structured, commonly used format.
  • Right to Object: The right to object to processing in certain circumstances.

zyberspace shall notify the Controller without undue delay upon receiving any request from a Data Subject.

7. Personal Data Breach

In the event of a Personal Data breach, zyberspace shall:

  • Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach.
  • Provide the Controller with sufficient information to enable compliance with breach notification obligations.
  • Cooperate with the Controller in investigating and mitigating the effects of the breach.
  • Take reasonable steps to prevent recurrence of such breaches.

8. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, zyberspace ensures appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) for transfers to third countries.
  • Adequacy decisions by the European Commission where applicable.
  • Supplementary technical and organizational measures to ensure data protection.

9. Data Retention and Deletion

zyberspace shall:

  • Process Personal Data only for the duration necessary to fulfill the purposes outlined in this DPA.
  • Upon termination of services or upon the Controller's written request, delete or return all Personal Data unless retention is required by applicable law.
  • Certify deletion of Personal Data upon the Controller's request.

10. Audits and Compliance

zyberspace shall:

  • Maintain records of processing activities as required by Data Protection Laws.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.
  • Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

11. Contact Information

For questions or concerns regarding this DPA or data protection matters, please contact:

W3 Dev LLC (operating as zyberspace)
1309 Coffeen Avenue
Sheridan, WY 82801
United States

Email: privacy@zyberspace.com

12. Changes to this DPA

zyberspace may update this DPA from time to time to reflect changes in our practices or applicable laws. We will notify Controllers of any material changes in accordance with applicable legal requirements. Continued use of our services after such notification constitutes acceptance of the updated DPA.

13. Effective Date

This Data Processing Agreement is effective as of March 26, 2026.