Data Processing Agreement
Last updated: June 2026 · Effective: June 2026
Summary: When you use SeySuite to manage employee records, payroll, and other personal data, you are the Data Controller. Zil Smart Solutions is the Data Processor. This agreement defines our obligations to protect that data.
1. Definitions
- Controller — You, the SeySuite customer, who determines the purposes and means of processing personal data through the platform
- Processor — Zil Smart Solutions, who processes personal data on behalf of the Controller through the SeySuite platform
- Personal Data — Any data relating to an identified or identifiable individual, including employee names, NIN, contact details, salary, bank details, and leave records
- Processing — Any operation performed on personal data, including collection, storage, retrieval, use, modification, transmission, and deletion
- Sub-processor — A third party engaged by the Processor to process personal data on behalf of the Controller
2. Scope and Purpose
This Data Processing Agreement ("DPA") applies to all personal data processed by Zil Smart Solutions through the SeySuite platform on behalf of the Controller. Processing is limited to what is necessary to provide the SeySuite service, including:
- Storing and displaying employee records
- Calculating payroll, PAYE, and SPF contributions
- Managing leave balances and requests
- Generating payslips, invoices, receipts, and reports
- Providing time recording and supplier management functionality
- Maintaining audit logs for compliance
3. Categories of Data Processed
| Category | Examples | Basis |
| Identity | Name, NIN, date of birth, gender, photo | Employment contract |
| Contact | Email, phone, physical address, district | Employment contract |
| Employment | Position, department, hire date, employment type | Employment contract |
| Financial | Salary, allowances, bank account details | Payroll processing |
| Tax | PAYE calculations, SPF contributions, tax residency | SRC compliance |
| Leave | Leave balances, requests, approvals | Employment contract |
| Immigration | Passport, GOP number, validity dates (expats) | Employment law compliance |
| Time | Hours worked, billable entries, task descriptions | Service delivery |
4. Processor Obligations
Zil Smart Solutions shall:
- Process personal data only on documented instructions from the Controller (i.e., through the SeySuite platform functionality)
- Not process personal data for any purpose other than providing the SeySuite service
- Implement appropriate technical and organisational security measures to protect personal data
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Assist the Controller in responding to data subject access requests within 30 days
- Notify the Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach
- Delete or return all personal data to the Controller upon termination of the service, subject to the 90-day retention period in the Terms of Service
- Make available information necessary to demonstrate compliance with this DPA upon reasonable request
5. Security Measures
We implement the following technical and organisational measures:
Technical
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Cryptographic password hashing (bcrypt) — we never store or see plaintext passwords
- Role-based access control within the platform
- Account lockout after repeated failed login attempts
- EU-hosted infrastructure (Supabase/AWS eu-west-1)
- Automated database backups with point-in-time recovery
Organisational
- Access to production systems restricted to authorised Zil Smart Solutions personnel
- Multi-factor authentication required for infrastructure access
- Tamper-evident audit logging within the platform
- Regular review of access permissions
- Staff confidentiality obligations
6. Sub-processors
The following sub-processors are currently engaged:
| Sub-processor | Purpose | Location |
| Supabase (AWS) | Database hosting and authentication | EU (eu-west-1) |
| Netlify | Frontend hosting and CDN | Global CDN, US origin |
| Railway | Backend API hosting | US |
| Resend | Transactional email delivery | US |
We will notify the Controller before engaging any new sub-processor. The Controller may object to a new sub-processor within 30 days of notification.
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Controller by email within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate
- Cooperate with the Controller in any required notifications to regulatory authorities or affected individuals
- Document the breach and remediation actions taken
8. Data Subject Rights
We will assist the Controller in fulfilling data subject rights requests, including:
- Access — Providing copies of personal data held in SeySuite
- Rectification — Correcting inaccurate personal data
- Erasure — Deleting personal data when requested and legally permissible
- Portability — Exporting data in standard machine-readable formats
- Restriction — Limiting processing of specific data upon request
The Controller can fulfil most requests directly through the SeySuite platform. For requests requiring our assistance, contact privacy@zilsmartsolutions.com.
9. International Transfers
Primary data storage is in the EU (eu-west-1). Some sub-processors operate in the United States. Where personal data is transferred outside the EU, we ensure appropriate safeguards are in place through the sub-processor's data protection commitments and standard contractual clauses where applicable.
10. Duration and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination:
- Processing of personal data ceases immediately except as necessary for data export
- The Controller has 90 days to export their data
- After 90 days, all personal data is permanently deleted
- Backup copies are purged within 30 days of the deletion date
11. Governing Law
This DPA is governed by the laws of the Republic of Seychelles and is subject to the exclusive jurisdiction of the courts of Seychelles.
12. Contact
Data Protection queries: privacy@zilsmartsolutions.com
Zil Smart Solutions, Republic of Seychelles