Third parties — ZevID
Every external service ZevID talks to. NDPA §29 requires a written DPA with every data processor; DPAs are held by the DPO.
Categorisation
- Processor — vendor handles personal data on our behalf.
- Joint controller — vendor and Zev jointly determine purposes + means.
- Independent controller — vendor processes for their own purposes after we hand off.
- No personal data — vendor doesn't see personal data.
Active vendors
| Vendor | Category | What they process for ZevID | Fields shared | Location |
|---|---|---|---|---|
| Neon-on-AWS (database) | Processor | Stores every ZevID row | All of ZevID's tables | AWS us-east-1 (N. Virginia) |
| Hetzner (VPS — NestJS app + cleanup cron) | Processor (host of the runtime; no data access on disk) | Hosts the NestJS process; all ZevID request data passes through at runtime | Application memory + disk | Ashburn, VA, US |
| Cloudflare R2 | Processor | Stores image / file uploads. Profile-picture uploads use a dedicated directory inside the shared ecosystem R2 bucket | Image bytes; object key includes <accountId> | Cloudflare R2 |
| ZeptoMail | Processor | Delivers every email notification (signup OTP, sign-in OTP, password change, new-login alerts, welcome email) | Recipient email, recipient first name, event-specific template variables | — |
| Termii | Processor | Delivers every SMS (ZevID's phone verification + SMS MFA + product-driven re-verification on user's behalf) | E.164 phone number, 6-digit code, sender id | Nigeria |
| Better Stack | Processor | Application exceptions (Sentry-compatible ingest at SENTRY_DSN) + structured logs (LOGTAIL_*). Both endpoints belong to the same Better Stack vendor | Stack traces, scrubbed request context, structured log lines (may include accountId / IP / UA in security events) | — |
| ip-api.com | Processor (transient) | Resolves IP to city, country for sessions.location | IP address | Public free API; cached in Redis |
| Cloudflare (CDN / edge / Pages / Access) | Processor | Edge caching + TLS termination + DDoS protection; hosts this compliance-docs site and gates it via Cloudflare Access | Request IPs, headers (transient); staff emails for compliance-docs access | Global edge |
Shared-services vendors (ZeptoMail, Termii, Cloudflare R2, Better Stack, AWS, Hetzner) are used ecosystem-wide; the canonical record is at Cross-product / Shared services.
Cross-border transfers
ZevID's primary database (Neon-on-AWS) and the NestJS application (Hetzner) operate in the US. Cross-border transfer to the US is covered by Standard Contractual Clauses signed with the relevant vendors (held by the DPO). Termii is in Nigeria — no cross-border transfer for SMS. Better Stack and Cloudflare operate under their published DPAs and SCCs.