Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Z Marketing Service Agreement (the "Agreement") between Client (as defined in the Agreement) and Z Marketing Digital Inc. (“Zazmic”) when the GDPR applies to Client’s use of Zazmic’s Services to process Client Data.
This DPA is effective from the date Client agrees with the terms and conditions of the Agreement. If there is any conflict between this DPA and the Agreement, the relevant terms of this DPA take precedence.
Capitalized terms not defined in the DPA shall have the meanings assigned in the Agreement.
- "Account Data" means information about Client that Client provides to Zazmic in connection with the Services. Client shall ensure that all Account Data is current and accurate at all times during the term of the Agreement.
- "Client Credentials" means access passwords, keys or other credentials used by Client in connection with the Services.
- "Data Controller" means an entity that determines the purposes and means of the Processing of Personal Data.
- "Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.
- "Data Protection Laws" means all data protection and privacy laws and regulations of the EU, EEA and their member states, applicable to the Processing of Personal Data.
- "Data Subject" means the identified or identifiable person to whom Personal Data relates.
- "EEA" means the European Economic Area, the United Kingdom, and Switzerland.
- "EU" means the European Union.
- "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR.
- "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. "Process", "Processes" and "Processed" shall be interpreted accordingly.
- "Processor" means a natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of the Data Controller.
- “SCC” means the standard contractual clauses as approved by the European Commission.
- "Sub-Processor" means any third-party Processor engaged by Zazmic.
Scope and Roles
- Zazmic has agreed to enter into this DPA based on Client’s belief that Client Data may include Personal Data that originates from EU/EEA and/or that is otherwise subject to the GDPR. Accordingly, this DPA supplements the Agreement and applies exclusively to Zazmic’s Processing of Client Data in providing Services under the Agreement to Client.
- Zazmic agrees to comply with the following provisions with respect to any Personal Data Processed for Client in connection with the provision of the Services.
- The Parties agree that with regard to the Processing of Personal Data, Client is the Data Controller and Zazmic is a Data Processor, acting on behalf of Client, as further described in Annex 1 (“Details of Data Processing”) of this DPA. Each Party will comply with its respective obligations under EU Data Protection Law.
Client’s Processing of Personal Data
- Client is responsible for the control of Personal Data and must comply with its obligations as a Data Controller under Data Protection Laws, in particular for justification of any transfer of Client Data to Zazmic and its decisions and actions regarding the Processing and use of Personal Data.
- Client agrees that it has provided notice and received all consents and rights necessary under Data Protection Laws for Zazmic to Process Client Data and provide the Services.
Zazmic’s Processing of Client Data
- By entering into this DPA, Client instructs Zazmic to Process Client Data to provide the Services in accordance with the features and functionality of the Services.
- In connection with Zazmic’s delivery of the Services to Client, Zazmic shall Process certain categories and types of Client Data, only for the purposes described in this DPA and only in accordance with Client’s documented lawful instructions, including with regard to transfers of Client data to a third country or an international organization, unless required to do so by EU or Member State of the EU law to which Zazmic is subject. In such a case, Zazmic shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- The Parties agree that this DPA sets out Client’s complete and final instructions to Zazmic in relation to the Processing of Client Data. The Processing outside the scope of these instructions shall require a prior written agreement between Client and Zazmic. Notwithstanding the foregoing, Zazmic will inform Client promptly if it becomes aware that Client’s instructions may violate applicable EU Data Protection Law.
Client Responsibilities and Restrictions
- Without limiting its responsibilities under the Agreement, Client is solely responsible for: (a) Account Data, Client Data and Client Credentials (including activities conducted with Client Credentials), subject to Zazmic’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by EU Data Protection Law to, and receiving any required consents and authorizations required by EU Data Protection Law from, persons whose Personal Data may be included in Account Data, Client Data or Client Credentials; and (c) ensuring no Personal Data relating to criminal convictions and offenses (GDPR Article 10) are submitted for Processing by the Services.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Zazmic shall in relation to Client Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex 2, "Security Measures"). In assessing the appropriate level of security, Zazmic shall take into account the risks that are presented by Processing Client Data including, in particular, the risks presented by a Client Data Breach (as defined in Section 10). Zazmic may make such changes to the Security Measures as Zazmic deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will reduce the overall level of protection for Client Data. Zazmic will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Client Data have agreed to appropriate obligations of confidentiality.
- The Parties shall take steps to ensure that any natural person acting under the authority of Client or Zazmic who has access to Personal Data does not Process them except on instructions from Client, unless he or she is required to do so by EU or EU Member State law.
- Client is responsible for reviewing the information made available by Zazmic relating to its data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Laws. Client acknowledges that Zazmic may update or modify Zazmic’s security standards from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Client.
- Client agrees it is responsible for its secure use of the Services, including securing its Client Credentials, protecting the security of Client Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Client Data uploaded to the Services.
- Client acknowledges and agrees that Zazmic may engage third-party Sub-Processors in connection with the provision of Services, and hereby consents to Zazmic’s use of Sub-Processors. As a condition to permitting a third-party Sub-Processor to Process Client Data, Zazmic will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Client Data. Zazmic will restrict its Sub-Processors’ access to only what is necessary to maintain the Services or to provide the Services to Clients. Subject to this Section 7, Zazmic reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall: (a) remain responsible to Client for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Zazmic’s performance of this DPA to the same extent Zazmic would be liable if performing the Services directly.
Upon Client’s request by email to email@example.com, Zazmic will provide Client with a list of then-current third-party Sub-Processors and the nature of the services they provide. Client can find an up-to-date list of Sub-Processors in Annex 3 of this DPA. Client may object to any new Sub-Processor on reasonable legal grounds (the "Objection Notice") relating to the protection of Client Data, in which case Zazmic shall have the right to satisfy the objection through one of the following:
- Zazmic will cancel its plans to use the Sub-Processor with regard to Client Data or will offer an alternative to provide the Services without such Sub-Processor;
- Zazmic will take the corrective steps requested by Client in its Objection Notice (which removes Client’s objection) and proceed to use the Sub-Processor with regard to Client Data; or
- Zazmic may cease to provide, or Client may agree not to use (temporarily or permanently), the particular aspect of the Services that would involve the use of such Sub-Processor with regard to Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Services considering their reduced scope.
- All Objection Notices under Section 7.2 must be submitted by email to Zazmic at firstname.lastname@example.org. If none of the options outlined in Clause (a), (b) or (c) of Section 7.2 are reasonably available and Client’s objection has not been resolved to the Parties’ mutual satisfaction within 30 days of Zazmic’s receipt of the Objection Notice, either Party may terminate the affected Services and Zazmic will refund to Client a pro rata share of any unused amounts prepaid by Client. The refund will be calculated in proportion to what Services have been provided until the time Client has informed Zazmic on terminating the Services. Zazmic will not provide any refunds if the Objection Notice does not have reasonable legal grounds.
Data Subject Rights
- If Zazmic receives a request from a Data Subject in relation to Client Data then, to the extent legally permissible, Zazmic will advise the Data Subject to submit their request to Client and Client will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Client hereby agrees that Zazmic may confirm to a Data Subject that his or her requests relate to Client. To the extent Client is unable through its use of the Services to address a particular Data Subject request, Zazmic will, upon Client’s request and taking into account the nature of Client Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Zazmic is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by applicable law, Client shall be responsible for any costs arising from Zazmic’s provision of such assistance.
Deletion Upon Expiration
- Upon termination of the Agreement and/or DPA, Zazmic will initiate a process upon Client’s written request that deletes Client Data in its possession or control. This requirement shall not apply to the extent Zazmic is required by the applicable law to retain some or all of Client Data, or to Client Data it has archived on back-up systems, which Client Data Zazmic shall securely isolate and protect from any further processing, except to the extent required by applicable law.
Client Data Breach Management
- Zazmic will notify Client without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach with respect to Client Data transmitted, stored or otherwise Processed by Zazmic or its Sub-Processors (a “Client Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address from which the account of Authorized User was created; and/or (3) pursuant to the notice provisions of the Agreement. Client shall ensure that its contact information is current and accurate at all times during the term of this DPA. Zazmic will promptly take all actions relating to its Security Measures (and those of its Sub-Processors) that it deems necessary and advisable to identify and remediate the cause of a Client Data Breach. In addition, Zazmic will promptly provide Client with: (i) reasonable cooperation and assistance with regard to Client Data Breach, (ii) reasonable information in Zazmic’s possession concerning Client Data Breach insofar as it affects Client, including remediation efforts and any notification to Supervisory Authorities and, (iii) to the extent known: (a) the possible cause of Client Data Breach; (b) the categories of Client Data involved; and (c) the possible consequences to Data Subjects. Zazmic’s notification of or response to a Client Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to Client Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by Client, Authorized Users or providers of Client components (such as systems, platforms, services, software, devices, etc.).
If Client decides to notify a Supervisory Authority, Data Subjects or the public of a Client Data Breach, Client will provide Zazmic with advance copies of the proposed notices and, subject to applicable law (including any mandated deadlines under EU Data Protection Law), allow Zazmic an opportunity to provide any clarifications or corrections to those notices. Subject to applicable law, Zazmic will not reference Client in any public filings, notices or press releases associated with Client Data Breach without Client’s prior consent.
Compliance and Reviews
- Upon request, Zazmic shall supply, on a confidential basis, a copy of its audit reports (if any) to Client, so that Client can verify Zazmic's compliance with the audit standards and this DPA.
- Zazmic shall also provide written responses, on a confidential basis, to all Client’s reasonable requests for information to confirm Zazmic's compliance with this DPA.
Where required by EU Data Protection Law, Zazmic will allow Client (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of Zazmic’s procedures relevant to the protection of Client Data to verify Zazmic’s compliance with its obligations under this DPA. In such case:
- Client shall: (i) provide Zazmic at least 30 days’ prior written notice of any proposed audit; (ii) undertake an audit no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Client Data Breach; and (iii) conduct any audit in a manner designed to minimize disruption of Zazmic’s normal business operations. To that end and before the commencement of any such audit, Client and Zazmic shall mutually agree upon any reimbursement of expenses for which Client shall be responsible as well as the audit’s participants, schedule and scope, which shall in no event permit Client or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure.
- Representatives of Client performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement and shall abide by Zazmic’s security policies while on Zazmic’s premises. Upon completion of an audit, Client agrees to promptly furnish to Zazmic any written audit report or, if no written report is prepared, to promptly notify Zazmic of any non-compliance discovered during the course of the audit.
Impact Assessment and Additional Information
- Zazmic will provide Client with reasonable cooperation, information and assistance as needed to fulfill Client’s obligation under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Client’s use of the Services (in each case to the extent Client does not otherwise have access to the relevant information, and such information is in Zazmic’s control). Without limiting the foregoing, Zazmic shall provide reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section to the extent required by EU Data Protection Law.
- Zazmic shall at all times provide an adequate level of protection (within the meaning of Data Protection Laws) for Client Data Processed, in accordance with the requirements of Data Protection Laws. In the case of a transfer of Client Personal data to a country not providing an adequate level of protection pursuant to the Data Protection Laws, the parties shall cooperate to ensure compliance with the applicable Data Protection Laws.
- Sub-Processors used by Zazmic to Process any Client Data protected by Data Protection Laws and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) will provide an adequate level of protection for Personal Data and have SCC integrated in their Data Processing Agreements.
The parties further agree that the SCC (if applicable) will apply to Client Data that is transferred via the Service from Europe to outside Europe, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Law). Zazmic agrees to abide by and process Personal Data that originates from the EU in compliance with the SCC, which are incorporated in full by reference and form an integral part of this DPA for the SCC purposes:
- Zazmic agrees that it is the "data importer" and Client is the "data exporter" under the SCC;
- Annexes 1 and 2 of this DPA shall replace Appendixes 1 and 2 of the SCC, respectively.
Processing as Controller
- The Parties believe Zazmic’s role is as a Processor with respect to Client Data. In relation to the Processing of Account Data, and to the extent (if any) that Zazmic may be considered a Controller in relation to certain Processing of Client Personal Data, each Party will comply with its obligations as a Controller and agrees to provide reasonable assistance as is necessary: (a) to each other to enable each Party to comply with any Data Subject access requests and to respond to any other queries or complaints from Data Subjects in accordance with the EU Data Protection Law; and (b) to each other to facilitate the handling of any Personal Data Breach as required under EU Data Protection Law.
Limitation of Liability and Applicable Law
- Each Party’s liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
- Any claims brought under or in connection with this DPA are subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
- No one other than a Party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
- Any claims against Zazmic under this DPA shall be brought solely against the entity that is a Party to the DPA. In no event shall any Party limit its liability with respect to any individual's data protection rights under this DPA or otherwise. Client further agrees that any regulatory penalties incurred by Zazmic in relation to Client Data that arise as a result of, or in connection with, Client's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Zazmic’s liability under the DPA.
- This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- Client ensures that the decision to agree with the terms and conditions of this DPA was made lawfully by Client, in case Client is a natural person, or, by Client’s director, authorized representative or other person having signatory powers, in case Client is a legal person.
- This DPA replaces any previous DPAs concluded between Zazmic and Client.
Details of Data Processing
- Subject matter: The subject matter of the data Processing under this DPA is Client Data.
- Duration of Processing: Zazmic will Process Client Data for the duration of the Services, as described in the Agreement.
- Nature of the Processing: Zazmic provides product development software as a service and other related services, as described in the Agreement.
- Purpose of the Processing: The purpose of the data Processing under this DPA is the provision of the Services.
Categories of Data subjects:
- "Users" - any individual accessing and/or using the Services through Client's account;
Types of Client Data:
- Users: identification and contact data (name, contact details, including email address, username); billing information (credit card details, account details, payment information); organization information (name, address, geographic location, area of responsibility, VAT code), IT information (IP address, usage data, cookies data, online navigation data, location data, browser data, access device information);
- Subscribers: identification and contact data (name, date of birth, gender, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences, and publicly available social media profile information); IT information (IP address, usage data, cookies data, online navigation data, location data, browser data, access device information) and/or any other information Client provides to Zazmic.
Certain of Zazmic’s Security Measures as of the date of this DPA:
Access Control and Employees Education
- Zazmic restricts access to Client Data to employees with a defined need-to-know or a role requiring such access.
- Zazmic’s employees are introduced to the best security practices, which allow them to identify a Client Data Breach and take any actions needed.
- Zazmic maintains business continuity and backup plans in order to minimize the loss of service and comply with applicable laws.
- The Backup plan addresses threats to the Services and any dependencies, and has an established procedure for resuming access to, and use of, the Services.
- The Backup plan is tested at regular intervals.
- Zazmic maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
- Zazmic undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with Zazmic’s procedures.
- Zazmic maintains technical safeguards and other security measures to ensure the security and confidentiality of Client Data.
- Zazmic’s data storage centers ensure safety of Client Data.
Encryption and Key Management
- Zazmic maintains policies and procedures for the management of encryption mechanisms and cryptographic keys in Zazmic’s cryptosystem.
- Zazmic uses encryption at rest and in transit between public networks, as applicable, according to industry-standard practice.
List of Zazmic Sub-Processors
Zazmic uses a range of third-party Sub-Processors to assist it in providing the Services (as described in the DPA).