Data Processing Agreement
Last update: 15/03/2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Zilla Technologies Ltd. ("Processor", "we", "us") and you, the nutrition or health professional ("Controller", "you"), and governs the processing of personal data that you submit to or collect through the Foodzilla platform ("Service") on behalf of your clients or patients.
By using the Service, you agree to this DPA. This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation ("GDPR") and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the individual to whom the Personal Data relates, typically a client or patient of the Controller.
2. Roles and Responsibilities
You, as the Controller, determine the purposes and means of processing Personal Data through the Service. We, as the Processor, process Personal Data only on your behalf and in accordance with your documented instructions, which are defined by your use of the Service and this DPA.
You are responsible for ensuring that you have a lawful basis for processing Personal Data and that you have obtained all necessary consents from your clients or patients before entering their data into the Service.
3. Scope of Processing
3.1 Subject Matter and Purpose
The Processor processes Personal Data to provide the Service to the Controller, including client management, meal planning, nutritional analysis, recipe management, health tracking, messaging, and related platform features.
3.2 Categories of Data Subjects
- Clients and patients of the Controller
- The Controller (nutrition or health professional) and their staff
3.3 Types of Personal Data
- Identity data: name, email address, date of birth, gender, profile photo
- Health data: nutrition information, dietary preferences, allergies, intolerances, exercise data, weight, body measurements, health metrics, progress photos, and practitioner notes
- Communication data: messages exchanged between Controller and their clients through the platform
- Usage data: food diary entries, meal plan data, recipe interactions
- Payment data: subscription and billing information (processed by Stripe; card details are not stored by Foodzilla)
3.4 Duration of Processing
Personal Data is processed for the duration of the Controller's use of the Service. Upon account cancellation or termination, data is retained in an inactive state and is not processed for any purpose other than storage, unless required by law or to resolve disputes. The Controller may request deletion of their data at any time by contacting the Processor. Upon receiving a deletion request, data will be permanently deleted within 30 days, except where retention is required by law.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such cases, the Processor will inform the Controller of the legal requirement before processing, unless prohibited by law.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 5.
- Assist the Controller in fulfilling its obligation to respond to Data Subject requests to exercise their rights under applicable data protection laws.
- Assist the Controller in ensuring compliance with breach notification obligations, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
5. Security Measures
The Processor implements and maintains the following technical and organisational security measures:
- Encryption in transit: All data transmitted between users and the Service is encrypted using TLS/SSL. Real-time connections use encrypted WebSocket (WSS) protocols.
- Encryption at rest: Personal Data stored in databases is encrypted at rest using industry-standard encryption.
- Access controls: Access to Personal Data is restricted to authorised personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
- Infrastructure security: The Service is hosted on secure infrastructure with DDoS protection, web application firewalls, and automated threat detection provided by Cloudflare and our hosting providers.
- Data backups: Regular automated backups are maintained to ensure data recovery in the event of a system failure.
- Payment security: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Card details are never stored on Foodzilla servers.
- Regular review: Security measures are reviewed and updated regularly to address emerging threats and vulnerabilities.
6. Sub-processors
The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.
The following Sub-processors are currently engaged:
| Sub-processor | Purpose | Location |
|---|---|---|
| MongoDB (hosted on AWS) | Database hosting and storage | Australia (Sydney region) |
| Cloudflare | Content delivery, DNS, and security | Global |
| Stripe | Payment processing and subscription management | USA |
| OpenAI | AI-powered assistive features (no model training on your data) | USA |
| Ory | Authentication and identity management | EU |
| Help Scout | Customer support and communication | USA |
| Google Analytics | Website usage analytics | USA |
| Meta Pixel | Advertising measurement | USA |
| Datafast | Privacy-focused website analytics | EU |
| Supastory | Product analytics and user experience insights | APAC |
The Processor ensures that Sub-processors are bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its Sub-processors.
7. International Data Transfers
Personal Data may be transferred to and processed in countries outside the Controller's country of residence, including New Zealand, the United States, the European Union, and Australia. Where Personal Data is transferred outside the European Economic Area or the United Kingdom, the Processor ensures that appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
- Data processing agreements with Sub-processors that include equivalent data protection obligations.
- Reliance on adequacy decisions where the destination country has been recognised as providing an adequate level of data protection.
8. Data Breach Notification
In the event of a personal data breach affecting Personal Data processed under this DPA, the Processor shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to enable the Controller to fulfil its own breach notification obligations under applicable data protection laws, including the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including the right to:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase their Personal Data ("right to be forgotten")
- Restrict processing of their Personal Data
- Data portability
- Object to processing
Where a Data Subject contacts the Processor directly with a request, the Processor shall promptly redirect the request to the Controller, unless the Processor is legally required to respond directly.
10. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable prior written notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA by the Processor.
11. Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Service. Upon termination of the Service, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
- Delete all Personal Data and existing copies, unless applicable law requires continued storage.
If no instruction is received, Personal Data will be retained in an inactive state following account cancellation or termination. Data is not used for any purpose while inactive. The Controller may request deletion at any time by contacting the Processor.
12. Limitation of Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of New Zealand, consistent with the governing law provisions of the Terms of Service. For Controllers located in the European Economic Area or the United Kingdom, this DPA shall also be interpreted in accordance with GDPR requirements.
14. Contact
For any questions or requests relating to this DPA, please contact us at support@foodzilla.io.
Zilla Technologies Ltd.
New Zealand
NZBN 942 904 691 0004