Data Processing Agreement Addendum
Last Updated: July 1, 2023
This Data Processing Agreement Addendum, including the annexes attached herein (collectively, the “Addendum”), is incorporated into and forms a legally binding part of the Data Processing Agreement available here (“DPA”) and of the other agreements entered into (“Agreement”) by and between Zesty Tech Ltd. (“Zesty”) and the entity using the Zesty Services (“Customer”). The Customer and Zesty shall be referred to in this Addendum each as a “party” and collectively as the “parties”. This Addendum is effective as of the Effective Date (as defined below).
The terms of this Addendum will not apply where and to the extent the applicable Personal Data transferred is covered by an alternative, suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection or appropriate safeguards for Personal Data (“Adequacy Mechanism”). Notwithstanding the above, the terms of this Addendum shall apply even where an Adequacy Mechanism is in place, in the following events: (I) Annex III, the list of Sub-Processors, shall replace the list set forth in the applicable Adequacy Mechanism; and (II) to the extent applicable and required, the US Data Protection Laws Addendum attached herein as Annex VII shall apply.
In consideration of the mutual promises set out in this Addendum, the parties hereby agree as follows:
- 1.1 Capitalized terms used but not defined in this Addendum shall have the meanings given to them by the Agreement or, if not defined by the Agreement, the same meaning as defined under the EU Data Protection Laws, by the EU Standard Contractual Clauses, or by the US Data Protection Laws.
- 1.2 “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
- 1.3 “CPA” means the Colorado Privacy Act, C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto.
- 1.4 “CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
- 1.5 The “Effective Date” means July 1, 2023.
- 1.6 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- 1.7 “EU Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN
- 1.8 “Swiss Data Protection Laws” or “FADP” means (i) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) the Ordinance on the Federal Act on Data Protection (“FODP”); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding the foregoing, and any legislation replacing or updating any of the foregoing. “Swiss SCC” means the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
- 1.9 “US Data Protection Laws” means any U.S. federal and state privacy laws in effect as of the Effective Date of this DPA that apply to Zesty’s Processing of Customer Data, and any implementing regulations and amendments thereto, including without limitation the CCPA, the CPA, the CTDPA, and the VCDPA.
- 1.10 “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, regulatory Codes of Conduct or other guidance that may be issued from time to time.
- 1.11 “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
- 1.12 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
2. The parties agree that, from and including the Effective Date, the EU SCC, UK SCC and the Swiss SCC (collectively, the “SCCs”) shall be deemed incorporated by reference into and form an integral part of this Addendum and shall be deemed incorporated into and form an integral part of the DPA.
3. Annex I, Annex II and Annex III of the EU SCCs shall be deemed completed with the information set out in Annex I, Annex II and Annex III of this Addendum respectively; Annex III shall list the updated Sub-Processors.
4. Annex IV shall include EU SCC specifications.
5. Annex V shall include UK SCC specifications.
6. Annex VI shall include Swiss SCC specifications.
7. If and to the extent any provision of this Addendum, the DPA or the Agreement conflicts, directly or indirectly, with the SCCs, the SCCs shall prevail with respect to provisions concerning international Personal Data transfers.
8. Zesty shall promptly notify the Customer in writing of any changes to the information set out in the annexes to this Addendum.
Annex I
A. LIST OF PARTIES
Data exporter: Customer.
Contact details: as set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: providing the Zesty Services.
Date: July 1, 2023.
Role (controller/processor): Controller/Processor.
Data importer: Zesty.
Contact details: as set forth in the Agreement.
Activities relevant to the data transferred under these Clauses: providing the Zesty Services.
Date: July 1, 2023.
Role (controller/processor): Processor/Sub-Processor.
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: employees, agents and advisors who use the Services and Platform, and any data subject whose data is included in the Customer Content.
Categories of Personal Data transferred
Credentials, contact information (email and name), cloud provider metadata (such as names, types, locations and IP addresses, to the extent that it is considered personal data), and any Personal Data uploaded to the Platform by Customer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None, unless otherwise determined by the parties.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Nature of the processing
Collection, storage, organization, communication, transfer, hosting and other types of processing for the purpose of providing the Services as set out in the Agreement.
Purpose(s) of the data transfer and further processing
To provide the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For as long as necessary for Zesty to provide the Services, provided there is no legal obligation to retain the Personal Data after termination, or unless otherwise requested by the Customer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Sub-Processor list, Annex III.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Republic of Ireland.
Annex II
TECHNICAL AND ORGANIZATIONAL MEASURES
The following description reviews the technical and organizational measures implemented by Zesty as the Data Importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Zesty’s Platform is built on Amazon Web Services (AWS) and based on a serverless architecture.
This allows Zesty to operate without managing traditional servers and databases. Zesty does not host or run its own routers, load balancers, DNS servers, or physical servers.
The security objectives of Zesty are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):
- Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. Zesty will detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
- Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.
- Integrity – safeguarding the accuracy and completeness of information and processing methods, which requires preventing the deliberate or accidental, partial or complete, destruction or unauthorized modification of electronic data.
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Access to Zesty’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. Zesty has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are required to choose unique and complex passwords; access to or use of Personal Data is strictly limited in accordance with each employee’s position, and solely to the extent such access or use is required. Access to the Personal Data, and the passwords used to gain access, are monitored constantly. Zesty uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute-force attack; in addition, multi-factor authentication is enforced.
Data Access Control
User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it, and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions. Any access to Personal Data, as well as any action performed involving the use of Personal Data, requires a password and a second authentication factor, and is blocked where applicable. Each employee is able to perform actions solely in accordance with the permissions granted to them by Zesty. Furthermore, Zesty conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. Zesty revokes access to Personal Data immediately upon termination of employment.
Physical Access Control
Zesty recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures and controls have been implemented to help prevent unauthorized access to data, assets and restricted areas. Processes are in place to remove access to physical resources when an individual no longer requires access. Physical access to Zesty’s offices does not provide any privileges to the production environment.
Zesty’s physical infrastructure is hosted on Amazon’s data centers and utilizes the AWS technologies. Amazon’s data center operations have been accredited under ISO 27001; SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II); PCI Level 1; FedRAMP; and Sarbanes-Oxley (SOX).
For more information on Amazon’s certifications, please see the link here.
Organizational and Operational Security
Zesty invests significant effort and resources in ensuring that Zesty’s security policies and practices are complied with, including by continuously providing employees with training on such security policies and practices. Zesty strives to raise awareness of the risks involved in the processing of Personal Data. In addition, Zesty has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Zesty hardware and software, in order to protect against malicious software.
Zesty maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, Zesty’s cloud deployment includes an automated backup procedure. Zesty ensures that regular checks are carried out to determine whether it is possible to recover from the backup, as required and applicable.
An external penetration test is performed on an annual basis. The penetration tests include, among other things, verification of the procedures that prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, Zesty conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
Zesty implements encryption at rest of customer data as well as encryption in transit of all communication between Customer and the service, and of communication between and to the services. Zesty uses TLS encryption on its web assets to ensure the highest security and data protection standards. Zesty regularly verifies its security certificates and encryption algorithms to keep customer data safe.
At-rest user data is encrypted; see Amazon’s documentation on Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
Zesty does not store any private keys, passwords, or authentication tokens. Authentication is based on an AWS Identity and Access Management (IAM) cross-account role together with Google Workspace identity, which provides two-factor authentication.
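To illustrate what the cross-account role model described above means for a Customer reviewing this annex, the following is an added example of a CloudFormation template that a Customer could deploy in its own AWS account to grant a processor access without sharing any long-lived keys. It is an illustration, not Zesty’s own template or policy; the processor account ID, role names, external ID and the permitted actions are placeholders assumed here. The trust policy allows only one named principal in the processor’s account to assume the role, and the sts:ExternalId condition prevents a third party that merely knows the role ARN from assuming it through the processor (the confused-deputy problem). The permissions policy grants only read-only describe calls, matching the cloud-provider metadata category in Annex I.B, so the Customer can see and limit exactly what the processor is able to do.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative cross-account role for a SaaS processor.
  Added example for this annex; not Zesty's own template.

Parameters:
  ProcessorAccountId:
    Type: String
    Default: "111122223333"        # placeholder account ID (assumed)
    Description: AWS account ID of the processor (assumed value)
  ExternalId:
    Type: String
    NoEcho: true
    Description: Secret agreed out-of-band with the processor (assumed)

Resources:
  ProcessorAccessRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: processor-readonly-access      # placeholder name
      MaxSessionDuration: 3600                 # short-lived credentials only
      # Trust policy: who may assume this role, and under what condition
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              # Only one named role in the processor's account, not the whole account
              AWS: !Sub "arn:aws:iam::${ProcessorAccountId}:role/processor-runtime"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # Confused-deputy mitigation: the caller must present the agreed ID
                sts:ExternalId: !Ref ExternalId
      # Permissions policy: least privilege, read-only metadata calls only
      Policies:
        - PolicyName: describe-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeVolumes
                  - cloudwatch:GetMetricData
                Resource: "*"

Outputs:
  RoleArn:
    Description: ARN to hand to the processor (no keys are exchanged)
    Value: !GetAtt ProcessorAccessRole.Arn
```

Because the processor obtains temporary credentials through sts:AssumeRole, every assumption of the role is recorded as an AssumeRole event in the Customer’s own CloudTrail, so the Customer can audit when the processor accessed the account and which API calls were made under the role, and can revoke access at any time by deleting the role or rotating the external ID.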
Compliance and Certification
Zesty’s operations, policies and procedures are audited regularly to ensure that Zesty meets all the Service Organization Control (SOC2) standards expected of a SaaS platform. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. Zesty’s systems and Services have been audited and verified under such SOC2 compliance certification; Zesty is SOC2 certified.
Such certifications and audits are intended to verify that an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, is maintained in accordance with the System and Organization Controls 2 (SOC2) industry standard. Upon Customer request and subject to Customer’s confidentiality undertaking, Zesty shall provide the Customer with its SOC2 reports.
For more information regarding SOC2, please see the SOC2 page on our blog here.
Additional Safeguards implemented by Zesty for Customer Data Transfers to the US:
Zesty has implemented measures and assurances regarding U.S. government surveillance, and Zesty agrees and hereby represents that it maintains the following additional safeguards:
- Zesty maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to Zesty and between different systems and services). This includes maintaining encryption in transit and at rest.
- As of the Effective Date stated above, Zesty has not received any national security orders.
- No court has found Zesty to be the type of entity eligible to receive directives issued under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”) as (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- In the event that FISA applies to Zesty, Zesty will make reasonable efforts, subject to applicable laws, to resist any request for bulk surveillance relating to the Personal Data.
- If Zesty becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempting or demanding to gain access to or receive a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Zesty shall: (i) inform the relevant Authority that Zesty is a Processor of the Personal Data and that Customer, as the Controller, has not authorized Zesty to disclose the Personal Data to the Authority; (ii) inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and (iii) use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Zesty’s control.
- Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Zesty has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Zesty shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
- Zesty will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Customer Data Zesty has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
Annex III
List of Sub-Processors

| Sub-Processor | Location | Description of the processing |
|---|---|---|
| Amazon Web Services (AWS), Inc. | Ireland; however, the headquarters are located in Seattle, Washington, United States | |
| Google Cloud Platform LLC | | Currently not active |
| Microsoft Azure | | Currently not active |
| Salesforce (SFDC Ireland Limited) | Processing region in the EU; however, the headquarters are located in San Francisco, US | Authentication & authorization solution |
| Slack Technologies, LLC | | Internal communication tool for Support |
| Oracle Binding Corporate Rules | | |
Annex IV: EU SCC Specifications
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfers of Personal Data from the EEA to other countries that are not deemed Adequate Countries.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effected by Customer as the data controller of the Personal Data and Zesty is the data processor of the Personal Data. Module Three (Processor to Sub-Processor) shall apply where the transfer is effected by Customer as the data processor of the Personal Data on behalf of a third-party data controller and Zesty is the data sub-processor of the Personal Data.
3. The parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Zesty (as Data Importer), the following shall apply:
- a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
- b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of sub-processor changes shall be as set forth in the applicable section of the DPA.
- c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
- e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
4. Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II.
Annex V: UK SCC Specifications
1. The parties agree that the terms of the Standard Contractual Clauses, as amended by the UK Standard Contractual Clauses and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfers of Personal Data from the UK to other countries that are not deemed Adequate Countries.
2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
5. Amendments to the UK Standard Contractual Clauses:
- 5.1. Part 1: Tables
- 5.1.1. Table 1 Parties: shall be completed as set forth in Annex I.A above.
- 5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 Annex IV above, as well as Annex I.A above.
- 5.1.3. Table 3 Appendix Information:
- Annex 1A: List of Parties: shall be completed as set forth in Annex I.A above.
- Annex 1B: Description of Transfer: shall be completed as set forth in Annex I.B above.
- Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
- Annex III: List of Sub-Processors: shall be completed as set forth in Annex III above.
- 5.1.4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
Annex VI: Swiss SCC Specifications
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
- The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the upcoming revised FDPA.
- All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
- References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as the Swiss Federal Data Protection and Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland respectively (for Restricted Transfers from Switzerland).
- In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
Annex VII
US Data Protection Laws Addendum
This US Data Protection Laws Addendum (“US Addendum”) adds specifications applicable to the US Data Protection Laws. All terms used but not defined in this US Addendum shall have the meaning set forth in the DPA.
1. CCPA Specifications:
- a. Zesty shall Process Customer Data on behalf of the Customer as a Service Provider under the CCPA and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
- b. If, and to the extent applicable, Zesty shall assist Customer in respect of a Consumer request to limit the use of its Sensitive Personal Information (“SPI”) by
- c. Zesty certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling any Customer Data.
2. US Applicable States Specifications:
- a. For the purpose of this US Addendum, “Applicable States” shall mean Virginia, California, Colorado, and Connecticut.
- b. Zesty agrees to notify the Customer if Zesty makes a determination that it can no longer meet its obligations under this US Addendum or US Data Protection
- c. Zesty shall provide information necessary to enable Customer to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, Zesty is responsible for only the measures allocated to it.
- d. Zesty shall provide assistance, and shall procure that its subcontractors provide assistance, as Customer may reasonably request, where and to the extent applicable, in connection with any obligation of Customer to respond to Consumers’ requests to exercise their rights under the US Data Protection Laws, including without limitation by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s respective obligation. Zesty acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for processing the Customer Data.
- e. Each party shall, taking into account the context of processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties hereby establish a clear allocation of the responsibilities between them to implement these measures. Zesty’s technical measures are detailed in the DPA and the Annexes above.
- f. The transfer instructions, including the nature of the transfer, the purpose of the transfer, the duration of the transfer, the type of Personal Data and the categories of data subjects, are set forth in Annex I.
- g. In addition to the audit rights under Section 8 of the DPA and under US Data Protection Laws, and subject to Customer’s consent, Zesty may alternatively, in response to Customer’s on-premises audit request, engage a third-party auditor to verify Zesty’s compliance with its obligations under the US Data Protection Laws. During such audit, Zesty will make available to the third-party auditor all information necessary to demonstrate such compliance.
- h. Each party will comply with the requirements set forth under US Data Protection Laws with regard to the processing of de-identified data, as such term is defined under the applicable US Data Protection Law.
3. When processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws, Zesty shall ensure it complies with applicable laws and shall be liable for such processing activities.