Pages referenced in this agreement:
EU and CCPA Data Processing Agreement Zealot Technology Corporation
DPA Background This EU and CCPA Data Processing Agreement ("DPA") supplements our Terms of Service, Privacy Policy, or any other online or paper contract (together and individually, the "Agreement") with clients ("Client" or "you") insofar as they relate to processing of data that is subject to the European Union's General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), and the California Consumer Privacy Act of 2018 California Civil Code ยง 1798.100 et seq., as supplemented or amended by the California Privacy Rights Act of 2020 ("CCPA") (collectively the "Data Privacy Laws"). To the extent this DPA conflicts with our Terms of Service, our Privacy Policy, or any other agreement you have with us, this DPA will control. Capitalized terms used in this DPA shall have the same meaning set forth for those terms or similar terms in the Data Privacy Laws, unless a different meaning is specified herein.
Zealot Technology Corporation ("Zealot," "we," or "us") is a software as a service provider. As such, we act as a "Processor" under the GDPR. As one of our clients, you control the means and purposes for the processing of the data you gather using our services (the "Services"), and thus, you are a Controller under the GDPR. Unless otherwise agreed between us in writing, those items the GDPR requires of Processors will be our responsibility, and those items required of Controllers will be your responsibility. Under the CCPA, we qualify as a service provider, and we agree to comply with the requirements of service providers as described in the CCPA and as specifically described in this DPA.
Specifically, the parties agree as follows:
How to Execute this DPA We have adopted this DPA and made it effective through the Agreement into which our Clients enter with us. Each provision of the DPA, including the provisions of the EU Standard Contractual Clauses as seen in Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs") details of which are included in Exhibit A, and the International Commissioner's Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022 ("UK Addendum"), details of which are included in Exhibit B, are enforceable against the parties as if each had been separately signed. Because both parties have assented to the Agreement, no further execution of the DPA is necessary by you or Zealot; provided, however, that both parties explicitly agree to cooperate and sign additional documents, if necessary, to effectuate the EU SCCs and UK Transfer Addendum.
Our GDPR and CCPA Obligations When you use the Services, you may ask us to process Personal Data about the individuals with whom you interact, including without limitation your ambassadors, applicants, prospects, employees, clients, marketplace partners, customers, vendors, suppliers, or other individuals with whom you interact, or about whom you gather Personal Data ("Your Personal Data") using the Services (collectively and individually, "Your Data Subjects"). That Personal Data may be subject to the protections of the Data Privacy Laws. For purposes of clarity, the parties agree that Your Personal Data does not include data that is anonymized, aggregated, or de-identified in a manner that eliminates the possibility that the data can be tracked or identified to any specific individual ("De-Identified Data").
Acknowledging that certain of your obligations as a Controller must be passed along to any company or individual that processes the Personal Data of Your Data Subjects, we agree to perform the following functions and to facilitate your compliance with the Data Privacy Laws in the following ways:
We agree that, in order to assist you in your obligations as a Controller, we will implement the appropriate technical and organizational measures to allow you to (1) respond to any request by any Data Subject to exercise his or her rights under the Data Privacy Laws, and (2) respond to correspondence, inquiries, or complaints from entitled third parties such as individuals, regulators, courts, and other authorities in connection with the processing of Personal Data. If any such requests or correspondence is received directly by us, we will forward you the request or correspondence and will wait for further direction from you before taking action. We will not communicate with authorities or Your Data Subjects without receiving your advance written permission, except as required by applicable law. Upon documented request from you, we will correct, supplement, modify, or delete any of Your Personal Data, except as required by applicable law.
We agree that we will not use or process any of Your Personal Data for any purpose other than the purpose set forth in the Agreement, except to respond to specifically document requests from you regarding Your Personal Data. In no event will we process, rent, sell, use, or transfer any of Your Personal Data for our own purposes or for the purposes of any third party. In addition, we will delete all Your Personal Data from our systems ninety (90) days after termination of the Agreement, except as may be required or allowed by applicable law. You also agree that you will not use or process any Personal data of any Data Subject for any purpose other than the purposes for which you have consent from the Data Subject.
International Transfers of DataTo the extent your transfer of Your Personal Data to us involves a transfer out of the EU or UK, we agree to comply, where applicable, with the EU SCCs, details of which are included as Exhibit A and the UK Transfer Addendum, details of which are included in Exhibit B (collectively the "Transfer Mechanisms").
In the event of any conflict between the Transfer Mechanisms and this DPA, the Transfer Mechanisms shall control and supersede. If the European Union, United Kingdom, or courts thereof decide that the Transfer Mechanisms are insufficient protection for citizens of the EU or UK, respectively, then the parties agree to work in good faith together to determine how a new valid method can be implemented to meet any new requirements.
We agree that we will not process or transfer any of Your Personal Data originating from the European Economic Area or United Kingdom in any country or territory that has been determined to offer an inadequate level of data protection unless it has first obtained your consent or ensured that a valid method similar to the Transfer Mechanisms is in place with respect to such country or territory.
Processing Confidentiality and Agreements by Agents