Data Processing Agreement
Last Updated: December 22, 2022
This Data Processing Agreement (“DPA”) is governed and hereby attached to the Master Service Agreement, Zesty Customer Terms and Conditions, or any other agreement (“Agreement”) executed by and between Zesty Tech Ltd. (“Zesty” or “Company”), and the Customer using the Zesty Platform. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
WHEREAS, Zesty is the developer and operator of a cloud-based software-as-a-service platform (“Platform”) which offers cloud management and optimizations services (“Services”); and
WHEREAS, during the use of the Services Zesty will Process Personal Data (as such terms are defined below) on the Customer’s behalf subject to the terms and conditions of this DPA;
WHEREAS, the Parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:
- 1.1. “Adequate Country” is a country that received an adequacy decision from the European Commission.
- 1.2. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect as well as all regulations promulgated thereunder from time to time.
- 1.3. “Customer Data” means the Personal Data made available through the Data Customer Content, uploaded to Zesty Platform and processed through the Customer use of the Platform and Services, all as detailed in Annex I attached herein.
- 1.4. The terms “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Contractor”, “Third Party Business”, “Sale”, “Sell” and “Share” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term defined in the CCPA, “Personal Data” shall include “Personal Information” under this DPA.
- 1.5. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the CCPA) as may be amended or superseded from time to time.
- 1.6. “EEA” means the European Economic Area.
- 1.7. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- 1.8. “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
- 1.9. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (including Customer Data). Any Personal Data Breach will comprise a Security Incident.
- 1.10. “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses.
- 1.11. “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) The Ordinance on the Federal Act on Data Protection (“FODP“); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
- 1.12. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
- 1.13. ”UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
- 1.14. ”UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
- 1.15. “UK Standard Contractual Clauses” or “UK SCC” means the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as adopted, amended or updated by the UK Information Commissioner Office (“ICO”), Parliament or Secretary of State.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of CCPA, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR or UK GDPR depending on the applicable Law.
2. ROLES AND DETAILS OF PROCESSING
- 2.1. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, Zesty is acting as a Data Processor and Customer is acting as a Data Controller. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law.
- 2.2. The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
- 2.3. CCPA specification are further detailed in Annex VII.
3. REPRESENTATIONS AND WARRANTIES
- 3.1. Zesty represents and warrants that it shall Process Customer Data, on behalf of the Customer, all in accordance with Customer’s written instructions under the Agreement and this DPA. Notwithstanding the above, in the event Zesty is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Customer Data other than as instructed by Customer, Zesty shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
- 3.2. Zesty shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of its Customer Data and to consult with the Supervisory Authority (as applicable).
- 3.3. Where applicable, Zesty shall assist the Customer in ensuring that Personal Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Personal Data it is Processing is inaccurate or has become outdated.
- 3.4. Zesty shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; (ii) that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
- 3.5. Notwithstanding the above, in the event the Customer is an Israeli establishment or Customer Data includes Processing of Israeli Data Subjects, or in any event that the Israeli Law shall apply, the parties hereby undertake that they comply with the aforesaid regulations as well as comply with the DPA.
4. DATA SUBJECTS RIGHTS AND REQUEST
- 4.1. It is agreed that where Zesty receives a request from a Data Subject or authority in respect of Customer Data, Zesty will direct the Data Subject or the authority to the Customer in order to enable the Customer to respond directly to the applicable request, unless otherwise required under applicable laws. Parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject or authority request, to the extent permitted under Data Protection Law.
- 5.1. The Customer acknowledges that Zesty may transfer Customer Data to and otherwise interact with third party data Processors (“Sub-Processor”). The Customer hereby authorizes Zesty to engage and appoint such Sub-Processors as listed in Annex III, to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Zesty may continue to use those Sub-Processors already engaged by Zesty, as listed in Annex III, or to engage an additional or replace an existing Sub-Processors to Process Customer Data, subject to the provision of a thirty (30) day prior notice of its intention to do so to the Customer. In case the Customer has not objected to the adding or replacing of a Sub-Processor within five (5) days of Zesty’ notice, such Sub-Processor shall be considered approved by the Customer. In the event the Customer objects, and such objection may solely be related to data protection and security, to the adding or replacing of a Sub-Processor, Zesty may, under Zesty’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
- 5.2. Zesty shall, where it engages any Sub-Processor, impose, through a legally binding contract between Zesty and the Sub-Processor, data protection obligations similar to those set out in this DPA. Zesty shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
- 5.3. Zesty shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA. Zesty shall notify the Customer of any failure by the Sub-Processor to fulfill its contractual obligations.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
- 6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Zesty hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful Processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental Processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
- 6.2. Zesty is SOC2 certified. The security measures are further detailed in Annex II.
7. SECURITY INCIDENT
- 7.1. Zesty will notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer Data. The notification regarding or response to a Security Incident under this Section 7 shall not be construed as an acknowledgment by Zesty of any fault or liability with respect to the Security Incident.
- 7.2. Zesty will: (i) take necessary steps to remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a Supervisory Authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Customer and assist Customer with its obligation to notify the affected individuals in the case of a Security Incident.
8. AUDIT RIGHTS
- 8.1. Zesty shall maintain accurate written records of any and all the Processing activities of any Personal Data carried out under this DPA and shall make such records available to the Customer and applicable supervisory authorities upon written request. Such records provided shall be considered Confidential Information and shall be subject to confidentiality obligations.
- 8.2. In the event the records and documentation provided subject to Section 8.1 above are not sufficient, Zesty shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Zesty may object to an auditor appointed by the Customer in the event Zesty reasonably believes the auditor is not suitably qualified or independent, is a competitor of Zesty or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Zesty. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Zesty’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Zesty immediately.
9. CROSS BORDER PERSONAL DATA TRANSFERS SUBJECT TO GDPR AND FADP
- 9.1. If the Processing of Customer Data includes a transfer (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland, that is not an Adequate Country, such transfer shall be subject to an appropriate safeguard approved by Data Protection Law: the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable).
- 9.2. The Customer acknowledges that Zesty has a California establishment Zesty Tech Inc., and an Israeli establishment Zesty Tech Ltd., as between Zesty Tech Inc. and Zesty Tech Ltd., Zesty Tech Ltd. is the data controller, the headquarters and the management are under Zesty Tech Ltd.
- 9.3. When the parties rely on the Standard Contractual Clauses to facilitate a transfer then:
- 9.3.1. transfer of Personal Data from the EEA the terms set forth in Annex IV shall apply.
- 9.3.2. transfer of Personal Data from the UK, the terms set forth in Annex V shall apply; and
- 9.3.3. transfer of Personal Data from Switzerland, the terms set forth in Annex VI shall apply.
10. LIMITATION OF LIABILITY
- 10.1. The Limitation of Liability provided under the Agreement shall also apply to this DPA.
11. TERM, TERMINATION AND CONFLICT
- 11.1. This DPA shall be effective as of the Effective Date (as defined in the agreement) and shall remain in force until the Agreement terminates.
- 11.2. Zesty shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s instructions or this DPA infringe applicable legal requirements.
- 11.3. Following the termination of this DPA, Zesty shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or, return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements requires that Zesty continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA.
- 11.4. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Terms shall remain in full force and effect.
DETAILS OF PROCESSING
This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Categories of Data Subjects:
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: employees, agents, advisors, who use the Service and Platform, and any data subject which is included in the Customer Content.
Categories of Personal Data Processed:
Credentials, contact information (email and name), cloud provider meta data (such as: names, types, locations and IP address, to the extent that it is considered personal data), any Personal Data uploaded to the Platform by Customer.
Special Categories of Personal Data:
None. Unless notified by Customer and approved by Zesty, the Customer shall not share, upload or in any way enable Zesty to Process Special Categories of Personal Data.
Nature of the Processing:
Collection, storage, organization, communication, transfer, host and other uses in performance of the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Services.
For as long as is necessary to provide the Service by Zesty; provided there is no legal obligation to retain the Personal Data past termination or unless otherwise requested by the Customer.
TECHNICAL AND ORGANIZATIONAL MEASURES
The following description reviews the technical and organizational measures implemented by Zesty as the Data Importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
Zesty’s Platform is built on Amazon Web Services (AWS) and based on a serverless architecture.
This allows Zesty to operate without managing traditional servers and databases. Zesty does not host or run its own routers, load balancers, DNS servers, or physical servers.
The security objectives of Zesty are identified and managed to maintain a high level of security and consists of the following (concerning all data assets and systems):
Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. Zesty will detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.
Integrity – safeguarding the accuracy and completeness of information and Processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of electronic data.
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons:
Access to the Zesty’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. Zesty’s has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are required to choose unique and complex passwords that allow strict access or use to Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. Zesty is using automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack, in addition multi-factor authentication is enforced
Data Access Control
User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and a second authentication factor, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by Zesty. Furthermore, Zesty conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. Zesty revokes access to Personal Data immediately upon termination of employment.
Organizational and Operational Security
Zesty puts a lot of effort and invests a lot of resources into ensuring that Zesty’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. Zesty strives to raise awareness regarding the risks involved in the Processing of Personal Data. In addition, Zesty has implemented applicable safeguards for its hardware and software, including installing firewalls and anti-virus software on applicable Zesty hardware and software, in order to protect against malicious software.
Zesty maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, Zesty’s cloud deployment includes an automated backup procedure. Zesty ensures that regular checks are carried out to determine whether it is possible to recover from the backup, as required and applicable.
Physical Access Control
Zesty recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures and controls have been implemented to help prevent unauthorized access to data, assets and restricted areas. Processes are in place to remove access to physical resources when an individual no longer requires access. In addition, Zesty does not hold any Customer Data or Personal Information on site. Physical Access to Zesty office does not provide any privileges to the production environment.
Zesty’s physical infrastructure is hosted on Amazon’s data centers and utilizes the AWS technologies. Amazon’s data center operations have been accredited under ISO 27001; SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II); PCI Level 1; FedRAMP; and Sarbanes-Oxley (SOX).
For more information on Amazon certification, please see link Here.
External penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable Third-party vendor. In addition, Zesty conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches
Zesty Implements Encryption at rest of customer data as well as encryption in transit of all communication between C and service, as well as communication between elements in the services. We use TLS encryption on our web assets to ensure the highest security and data protection standards. We regularly verify our security certificates and encryption algorithms to keep your data safe.
At-rest user data is encrypted. Learn more about Server-Side Encryption with Amazon S3-Managed Encryption Keys.
Zesty does not store any private keys, passwords, or authentication tokens. The authentication is made based on the AWS Identity and Access Management (IAM) Cross Account role along with Google Workspace ID that provides a two-factor authentication.
Compliance and Certification
Zesty operations, policies and procedures are audited regularly to ensure Zesty meets all standards expected as a cloud service provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. Zesty’s systems and Services were audited and verified by such compliance certification. Zesty is SOC2 certified.
Such certifications and audits are meant to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons are according to the System and Organization Controls 2 (SOC2) industry standard. Upon Customer request and subject to Customer’s confidentiality undertaking Zesty shall provide with the Customer with the SOC2 reports.
For more information regarding the SOC2, please see our SOC2 webpage in our blog Here.
Measures and assurances regarding U.S. government surveillance have been implemented by Zesty, and Zesty agrees and hereby represents it maintains the following additional safeguards:
- Zesty maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to Zesty and between different systems and services). This includes maintaining encryption in transit and at rest.
- As of the Effective Date, Zesty has not received any national security orders.
- No court has found Zesty to be the type of entity eligible to receive directives issued under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”) as (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- In the event that FISA applies to Zesty, Zesty will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under Section 702 of the FISA.
- If Zesty becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Zesty shall: inform the relevant Authority that Zesty is a Processor of the Personal Data and that Customer, as the Controller has not authorized Zesty to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Zesty’s control.
- Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Zesty has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Zesty shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
List of Sub-Processors
Description of the processing
Amazon Web Services (AWS), Inc.
Processing region is in Ireland, however the headquarters are located in the State of Washington, United States
Google Cloud Platform LLC – currently not active
Microsoft Azure – currently not active
Salesforce (SFDC Ireland Limited.)
Processing region is in the EU, however the Headquarters are located in the state of San Francisco, United State
Authentication & authorization solution
Slack Technologies, LLC
Internal communication tool for Support
Twilio Inc. (SendGrid)
EU INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the data Controller of the Personal Data and Zesty is the data Processor of the Personal Data and the Module Three (Processor to Sub-Processor) shall apply where the transfer is effectuated by Customer as the data Processor of the Personal Data on behalf of a third party data Controller and Zesty is the Sub-Processor of the Personal Data.
3. The parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Zesty (as Data Importer), the following shall apply:
- a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
- b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processing Section of the DPA.
- c) In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
- e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- 4.a.1. “Data Exporter“: Customer
- 4.a.2. “Data Importer“: Zesty
- 4.a.3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data Controller and (ii) the Data Importer is a data Processor; and (B) with respect to Module Three: (i) Data Exporter is a data Processor and (ii) the Data Importer is a Sub-Processor.
- 4.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
- 4.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
- a) The purpose of the Processing, nature of the Processing, categories of Data Subjects, categories of personal data and the parties’ intention with respect to the transfer of Special Categories are as described in Annex I (Details of Processing) of this DPA.
- b) The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
- c) The Sub-Processors to which Personal Data is transferred are listed in Annex III.
6. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent Supervisory Authority in accordance with Clause 13 is the Supervisory Authority in the Member State stipulated in Section 3 above.
7. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
8. Annex III of this DPA (List of Sub-Processors) serves as Annex III of the Standard Contractual Clauses.
9. Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II.
UK INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
5. Amendments to the UK Standard Contractual Clauses:
- 5.1 Part 1: Tables
- 5.1.1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV
- 5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV
- 5.1.3. Table 3 Appendix Information:
- Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
- Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
- Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
- Annex III: List of Sub-Processors: shall be completed as set forth in Annex III above.
- 5.1.4. Table 4 ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
- The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.
- All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
- References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
- In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
- The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.
In addition to the requirements set forth under the DPA, which shall apply to the collection, processing, use, sharing, sale, and retention of California residents’ Personal Information, the obligations set forth under this addendum (“CCPA Addendum”) shall further apply. All terms used but not defined in this CCPA Addendum shall have the meaning set forth in the DPA.
- For the purpose of the CCPA, Customer is the Business and Zesty is the Service Provider.
- Zesty shall Process Personal Information on behalf of the Customer as a Service Provider under the CCPA and shall not: (1) Sell or Share the Personal Information; (2) retain, use or disclose the Personal Information for any purpose other than for a Business purpose specified in the Agreement; or (3) combine the Personal Information that Zesty receives from, or on behalf of, Customer with other Personal Information that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, expect as otherwise permitted by the CCPA.
- Zesty permits Customer to monitor its compliance with this CCPA Addendum subject to Section 8 in the DPA “Audit Rights”.
- Zesty agrees to notify the Customer if Zesty makes a determination that it can no longer meet its obligations under this Addendum or CCPA requirements.
- Zesty shall assist Customer in respect of consumer request to limit the use of Sensitive Personal Information (“SPI”), Zesty shall provide assistance and procures that its subcontractors will provide assistance as Customer may request, where applicable, in connection with any obligation by Customer to respond to requests for exercising the rights of a Consumer under the CCPA. Zesty shall (a) promptly notify Customer; (b) only act upon the consumer’s request with the prior written consent of the Customer; and (c) make available to Customer all needed information which is necessary to demonstrate compliance.
- Zesty acknowledges and confirms that it does not receive or Process any Personal Information as consideration for any Services or other items that Zesty provides to Customer under the Agreement.
- Zesty certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Personal Information.