Data Processing Addendum

This data processing addendum (this “Addendum”) is entered into as of the Effective Date (as defined in the Agreement), constitutes a schedule to the Agreement (as defined below) and is between:

(1) UserZoom; and

(2) Customer (as defined in the Agreement).

1. Definitions and interpretation

In this Addendum, unless the context otherwise requires: 

Agreement means the master subscription and services agreement between UserZoom and the Customer;

Customer Data means any personal data generated, transferred, processed or otherwise reproduced under this Agreement or any Order Form;

Data Protection Laws means all laws and regulations in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including but not limited to EU Regulation 2016/679 (“GDPR”), the Data Protection Act 2018, and/or the GDPR as enacted by the United Kingdom and the California Consumer Privacy Act; in each case, to the extent in force, and as updated, amended or replaced from time to time;

controller, processor, data subject, personal data, personal information, processing, personal data breach and supervisory authority have the meanings set out in the Data Protection Laws; 

Data Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Data transmitted, stored or otherwise processed;

International Transfer means a transfer to a country outside the European Economic Area (as it is made up from time to time) of the Customer Data which is undergoing processing or which is intended to be processed after transfer;

Relevant Communication means, in relation to any personal data in respect of which Customer is a controller: (a) a request from a data subject to exercise any of its rights under the Data Protection Laws; or (b) any complaint, notice or other communication from a data subject or Supervisory Authority, government authority or judicial body which relates to the processing of personal data; 

Sub-Processor means any third party appointed by UserZoom to process the Customer Data; and

UserZoom shall mean either (i) the UserZoom entity which enters into the first Order Form with Customer; or (ii) in the event Customer is purchasing the Services via the website, the UserZoom entity shall be either (a) UserZoom, Inc., a California corporation with offices at 1801 Broadway, Suite 720, Denver, CO 80202 if Customer is located in North America, Mexico or a country in Central or South America or the Caribbean; (b) UserZoom Limited, a company incorporated and registered in England and Wales with company number 06984058 whose registered office is at Unit 11, Royal Mills, Redhill Street, Manchester M4 5BA if Customer is located in Europe (excluding Spain), the Middle East, Africa, Asia or the Pacific region; or (c) UserZoom Technologies Inc. Sucursal in España, a Spanish branch company if Customer is located in Spain.

Capitalised terms not defined within this Addendum shall have the meaning provided for within the Agreement. The terms of this Addendum shall be subject always to the terms of the Agreement.

2. Compliance with data protection laws

2.1 Each party is responsible for its own compliance with the Data Protection Laws in relation to the Customer Data whilst under its control and each party is responsible for the exercise of data subject rights in relation to such personal data. This Addendum is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Laws.

2.2 The Parties acknowledge that Customer acts as controller in respect of the Customer Data and shares the Customer Data with UserZoom to use as processor. In connection with the performance of its obligations under the Agreement:

a. Customer will comply with all obligations applicable to it under the Data Protection Laws as the controller; and 

b. UserZoom will comply with all obligations applicable to it under the Data Protection Laws as the processor.

2.3 Schedule 1 sets out the scope, nature and purpose of processing by UserZoom, the duration of the processing and the types of Personal Data and categories of Data Subject.

2.4 UserZoom will maintain accurate records to demonstrate its compliance with this Addendum and will make this information available to the Customer upon reasonable request.

2.5 Without prejudice to the generality of paragraph 2.1, the Customer warrants to UserZoom that it has all necessary appropriate consents and notices in place and all necessary rights to enable lawful transfer of the Personal Data to UserZoom and/or lawful collection of the Personal Data by UserZoom on behalf of the Customer for the duration and purposes of this Addendum.

3. Data processing requirements

3.1 In relation to Customer Data that UserZoom processes as a processor on behalf of Customer, UserZoom will:

a. process personal data only in accordance with Customer’s reasonable written instructions (including those set out in the Agreement) and in accordance with its privacy policy(ies) set out at https://www.userzoom.com/privacy-policy/ unless required to do so by European Union, member state or UK law to which UserZoom is subject; in which case UserZoom will inform Customer of that legal requirement before processing unless prohibited to do so by such law;

b. inform Customer immediately if in its reasonable opinion an instruction from the Customer infringes any Data Protection Laws. In such event, UserZoom will not be obliged to carry out that processing and will not be in breach of this Agreement or otherwise liable to the Customer as a result of its failure to carry out that processing;

c. take reasonable steps to ensure the reliability of persons having access to Customer Data and ensure that persons authorised to process Customer Data are:

i. aware of the confidential nature of such data;

ii. subject to legally binding obligations to maintain its confidentiality; and 

iii. only given access to such personal data as is necessary for the performance of their duties;

d. notify Customer promptly (and within not more than five business days of receipt) if it receives any Relevant Communication, and not respond to such communication (except to the extent required by applicable law) without Customer’s prior approval;

e. taking into account the nature of the processing being undertaken by UserZoom and the information available to it, within no more than 10 calendar days of the date of Customer’s request provide reasonable cooperation and assistance to Customer in order for Customer to:

i. comply with its obligations under the Data Protection Laws relating to the security of processing of the Customer Data;

ii. respond to or fulfil (as the case may be) a Relevant Communication;

iii. document any Data Security Incidents and report any Data Security Incidents to any Supervisory Authority and/or Data Subjects; and

iv. conduct privacy impact assessments of any processing operations and consult with Supervisory Authorities, Data Subjects and their representatives accordingly;

f. not permit any Sub-Processor to process personal data except in the following circumstances:

i. UserZoom has complied with paragraph 4 of this Addendum in respect of the processing of personal data by the Sub-Processor; and

ii. the processing of personal data by the Sub-Processor is solely for the purpose of performing UserZoom’s obligations under the Agreement;

g. ensure that appropriate technical, physical and organisational measures, as detailed at https://www.userzoom.com/technical-and-organisational-measures/ shall be taken to ensure the ongoing confidentiality, security, availability and integrity of the Customer Data and to prevent unauthorised or unlawful processing of Customer Data and accidental loss or destruction of, or damage to, Customer Data; and

h. if a personal data breach relating to Customer’s personal data occurs:

i. notify Customer in writing of such personal data breach promptly and without undue delay after discovering the personal data breach relating to Customer Data (and within not more than 48 hours of discovering the personal data breach if, in UserZoom’s reasonable opinion, either UserZoom or Customer will be required by any Data Protection Laws to notify the personal data breach to a Supervisory Authority);

ii. provide all cooperation, assistance and information reasonably requested by Customer in respect of such personal data breach; 

iii. except to the extent required by Data Protection Laws, not make any notification to any third party (including any Supervisory Authority or data subject) regarding the personal data breach without Customer’s prior written consent;

iv. assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and

v. take such steps as are reasonably required to mitigate the impact of the personal data breach on Customer and any data subjects and to prevent its reoccurrence.

3.2. Customer warrants to UserZoom that its instructions to UserZoom relating to processing of the Customer Data will not put UserZoom in breach of Data Protection Laws.

4. Sub-processors

4.1. The Customer consents to UserZoom engaging any person as a Sub-Processor for the processing of the Customer Data. UserZoom maintains an up-to-date list of Sub-Processors at https://www.userzoom.com/sub-processors/ and shall ensure that such list is updated in advance of appointing or replacing any Sub-Processor thereby giving Customer the opportunity to object to such changes in accordance with clause 4.3 of this Addendum. 

4.2. In respect of any Sub-Processor that UserZoom uses to process personal data on behalf of Customer, UserZoom must:

a. remain liable for any breach of this Addendum that is caused by an act, error or omission of its Sub-Processor;

b. ensure that the Sub-Processor is subject to written terms no less onerous than the terms contained in this Addendum;

c. ensure that the use of the Sub-Processor does not result in:

i. UserZoom breaching any of its obligations under the Agreement; 

ii. a material risk to the confidentiality, security, availability, or integrity of any personal data processed on behalf of Customer; or

iii. an adverse effect on Customer’s ability to comply with Data Protection Laws,

each a “Data Protection Risk”.

4.3. Customer will be entitled to object to the use of a Sub-Processor if it has reasonable grounds to believe that the use of that Sub-Processor has caused, or is likely to cause, a Data Protection Risk provided that Customer issues UserZoom with written notice of its objection within 30 days of the later of:

a. the date on which it becomes aware of the grounds for objecting; and 

b. the date on which it receives notice by way of Sub-processor list update of the use of the Sub-Processor from UserZoom. 

4.4. If Customer objects to the use of a Sub-Processor in accordance with paragraph 4.3 above, then the parties will (acting reasonably and in good faith) promptly discuss Customer’s objections and UserZoom must either:

a. not use (or, in respect of an existing Sub-Processor, cease to use) that Sub-Processor to process personal data on behalf of Customer; or 

b. permit Customer to terminate the Agreement immediately without additional liability.

5. Audit

5.1. The Customer (or another auditor mandated by the Customer) may monitor UserZoom's compliance with the terms of this Addendum by requiring UserZoom to complete the Customer’s Security Assessment Questionnaire on an annual basis. Alternatively, this may also be satisfied by the provision to the Customer of appropriate information; records; and certifications and audit reports issued by reputable independent third parties (provided that there have been no material changes to the controls used by UserZoom since the certification or audit report was issued). The Customer shall also have the option to conduct penetration testing and vulnerability assessments at the Customer’s own cost.

6. Transfers of personal data

6.1. In the event that an International Transfer occurs to a location without an adequacy decision, the parties agree that it shall be governed by the terms of the Standard Contractual Clauses, outlined at https://www.userzoom.com/sccs/.

7. Return and destruction of personal data

7.1. Upon termination of the Agreement (or as otherwise instructed by Customer in writing), UserZoom will cease processing the personal data and return (by way of making available for download) or delete all of Customer’s data in UserZoom’s possession or control and, in the event of a return, subsequently irretrievably delete all copies of such data, subject to paragraph 7.2 below.

7.2. UserZoom may retain one copy of Customer’s personal data solely to the extent that it is required to do so by law or which it is required to retain for insurance, accounting, taxation or record keeping purposes, provided that it informs Customer of such requirement and continues to comply with the requirements of this Addendum with regard to such personal data. For the purposes of this paragraph 7.2, Customer accepts that UserZoom may retain a secure backup of Customer’s data for a period of up to 90 days (or up to 2 months for the EnjoyHQ platform and/or up to 30 days in relation to the UserZoom Go platform) post-termination.

8. Term

8.1. The provisions in this Addendum shall apply as long as UserZoom processes personal data for which the Customer is the data controller.

9. General

9.1. Any notice or other communication to be provided by one party to the other party under this Addendum shall be provided in accordance with the notices provision of the Agreement.

9.2. This Addendum and the documents referred to in it including the Agreement constitute the entire understanding and agreement of the parties in relation to the processing of the Customer Personal Data and supersede all prior agreements, discussions, negotiations, arrangements and understandings of the parties and/or their representatives in relation to such processing.