1. Key Terms (Plain English)

  • We’re the Processor.
    You (the customer) control the data. ZipKit only processes it so the service works.

  • You stay in control.
    We only ever process data based on your instructions (e.g., API requests).

  • We don’t store your zipped content.
    The actual files you ask us to fetch and zip are never stored persistently.
    They exist only in memory long enough to build the archive, then they are discarded.

  • We store limited metadata.
    We keep job metadata (like job IDs, timestamps, file sizes, input URLs) for your logs, billing, and debugging.

  • Your data is not used for anything else.
    No training, no profiling, no analytics based on contents, no selling.

  • We use subprocessors.
    Mainly cloud infrastructure providers required to deliver the service securely.

  • You can request deletion of metadata at any time.
    And at termination, we delete everything we hold.

2. Definitions

These terms follow the meanings in the GDPR:

  • “Personal Data”

  • “Processing”, “Processor”, “Controller”, “Data Subject”

  • “Data Protection Laws”

  • “Supervisory Authority”

  • “Subprocessor”

“Customer Data” means all data (including Personal Data) you submit or process through the ZipKit service.

3. Roles and Responsibilities

  • You are the Controller of Customer Data.

  • ZipKit is the Processor.

  • ZipKit will only process Customer Data:

    • to provide the ZipKit service,

    • based on your instructions,

    • and in compliance with Data Protection Laws.

If required by law to process data in another way, we’ll tell you (unless legally prevented).

4. Scope of Processing

ZipKit processes Customer Data solely to:

  1. Fetch files from URLs you provide.

  2. Compress them into a zip archive.

  3. Upload the archive to your configured storage bucket or return it through the API.

ZipKit does not persist the contents of the files being zipped. The underlying file bytes exist only transiently in memory during processing.

ZipKit does retain necessary metadata:

  • job identifiers

  • timestamps

  • file sizes

  • input URL references

  • processing logs

  • billing-related metadata

ZipKit does not inspect, analyse, or repurpose the contents of any files involved in a zip job.

ZipKit does not process Customer Data for advertising, profiling, AI model training, or any unrelated purpose.

5. Data Retention

  • Zip content: Not stored. Not logged. Not backed up. Not cached.

  • Metadata: Retained only as long as needed for billing, support, system integrity, or legal requirements.

  • At termination of your account, all metadata is deleted.

  • You may request metadata deletion at any time.

6. Subprocessors

We currently use the following trusted vendors to process data: AWS, Cloudflare, PlanetScale.

We may add or replace subprocessors, and will update this page when we do.

7. International Data Transfers

ZipKit may process metadata or job information in regions outside the EEA.
Transfers are safeguarded through mechanisms such as:

  • Standard Contractual Clauses (SCCs)

  • adequacy decisions

  • supplemental technical and organisational measures

Customers may choose storage regions for their buckets, and ZipKit can process jobs in the closest available region to minimise data transfer.

8. Security Measures

ZipKit maintains administrative, physical, and technical security measures including:

  • encryption in transit (HTTPS/TLS)

  • strict access controls and audit logging

  • region-specific workers to minimise cross-border data flow

  • infrastructure segmentation

  • secrets management and key rotation

  • monitoring for unauthorised access

  • no persistent storage of zip contents

These measures are designed to ensure confidentiality, integrity, and availability of Customer Data.

9. Data Subject Rights

ZipKit will help you meet your GDPR obligations by:

  • notifying you of any requests from Data Subjects

  • providing reasonable assistance in responding to requests for access, correction, deletion, or portability

  • implementing appropriate tools to help you address such requests efficiently

ZipKit does not respond directly to Data Subjects unless legally required.

10. Personal Data Breach

If ZipKit becomes aware of a Personal Data breach involving Customer Data, we will:

  1. Notify you without undue delay.

  2. Provide information about the breach as it becomes available.

  3. Cooperate to support your legal obligations and mitigation efforts.

11. Audit and Compliance

Upon reasonable request, ZipKit will:

  • provide information required to demonstrate compliance with this DPA, and

  • allow for audits or assessments (subject to confidentiality and operational limitations).

12. Termination

When the Agreement ends:

  • all Customer Data and metadata are deleted, unless law requires retention

  • no content files exist to return, as we do not store them

You may request earlier deletion of metadata at any time.

13. Governing Law

This DPA is governed by the laws of Australia. Any disputes will be resolved exclusively in the courts of Australia.