Skip to content

Processing purposes + lawful basis — ZevCloud

The purposes ZevCloud processes personal data for. Lawful bases under NDPA §25.

Account access + authentication

What. Customers sign in to console.zevcloud.net via ZevID OAuth. ZevCloud receives the identity token + accountId and creates the corresponding team-membership rows if not yet present.

Lawful basis. Contract (necessary to provide the deployment service the customer signed up for).

Automated decisions / profiling. None.

Team + collaboration management

What. Adding/removing team members, role assignment, API-key issuance + revocation.

Lawful basis. Contract.

Automated decisions. None.

Application deployment + hosting

What. Building and running the customer's source code on the shared Coolify hosts. Storing service metadata, environment variables (encrypted), deployment events.

Lawful basis. Contract.

Note. For the data the customer's app processes about its OWN end-users, ZevCloud is a processor — the customer is the controller and decides the purpose. Our processor obligations sit in our terms of service and (where requested) a DPA between ZevCloud and the customer.

Domain registration + DNS management

What. Registering, renewing, transferring, and managing DNS for customer-purchased domains. Submitting required registrant contact PII to NIRA (.ng) and NameSilo (non-.ng).

Lawful basis. Contract + legal obligation (ICANN policy + NIRA registry rules require the registrant contact to be submitted to the registry).

Automated decisions. None. WHOIS visibility is governed by the customer's ID-Protection setting (see security controls).

Billing + invoicing

What. Generating invoices, taking payments via ZevPay, recording subscription state, applying Zev Credit.

Lawful basis. Contract + legal obligation (financial-record retention).

Automated decisions. None that affect data-subject rights. Auto-renew of subscriptions is contract-driven; the customer can disable it from the dashboard.

Email forwarding for customer domains

What. When a customer enables email forwarding on a domain they have DNS for, ZevCloud provisions the domain on Forward Email and writes the required MX + SPF + verification TXT records to the Cloudflare zone. The customer then explicitly creates each forward alias (e.g. sales@theirdomain.com → their existing inbox) through the dashboard. ZevCloud never auto-creates an alias on the customer's behalf — every forward is a customer action.

Lawful basis. Contract (the feature the customer enabled).

Automated decisions. None.

Audit + abuse response

What. Logging admin actions against customer resources, capturing source IP + user-agent on auth flows and admin actions, recording every cross-product (ZPIP) token issued or consumed.

Lawful basis. Legitimate interest — operational forensics + fraud / abuse response, balanced against the data subject's privacy interest.

Automated decisions. Per-domain abuse signals can lead to a customer's domain being suspended (admin-permission-gated). Decisions are taken by a human admin reading the audit trail; no automated suspension is in place today.

Transactional notifications

What. Account / billing / domain-lifecycle emails (deploy succeeded, invoice issued, domain expiring soon, transfer-in completed). Delivered via ZeptoMail.

Lawful basis. Contract (operational notifications necessary to deliver the service).

Automated decisions. None. The user can opt out of non-essential notifications from the dashboard once that toggle ships; today only essential transactional notifications are sent.


Notes

  • We do not run marketing email, behavioural analytics, profiling, or fraud-scoring on ZevCloud data subjects. If we ever do, that's a new purpose requiring its own row here + a fresh consent UI before any data is processed for it.
  • No special-category (NDPA Sensitive) data is processed. See data-inventory.md.