This Data Processing Agreement (this “DPA”) constitutes a schedule to the Agreement (as defined below) and is between:
(1) UserZoom; and
(2) Customer
(each as defined in the Agreement)
DEFINITIONS AND INTERPRETATION
In this DPA, unless the context otherwise requires:
Agreement means the Master Services Agreement between UserZoom and the Customer;
Customer Data means any personal data or personal information generated, transferred, processed or otherwise reproduced under this Agreement or any SOW or Order Form. For the avoidance of doubt, Customer Data shall not include any data in respect of which UserZoom acts as controller;
Data Protection Laws means all relevant laws and regulations in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including but not limited to EU Regulation 2016/679 (“GDPR”) and its local implementation laws, such as the German Federal Data Protection Act (BDSG), the Data Protection Act 2018, and/or the GDPR as enacted by the United Kingdom and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”); in each case, to the extent in force, and as updated, amended or replaced from time to time;
controller, processor, data subject, personal data, personal information, processing, supervisory authority, business, service provider, sell, and share have the meanings set out in the relevant Data Protection Laws;
Data Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Data transmitted, stored or otherwise processed;
International Transfer means a transfer of the Customer Data from the UK or from the EEA, in each case to a person or entity in a third country (as defined by the relevant Data Protection Laws) or to an international organisation which does not ensure an adequate level of protection or is not governed by an existing appropriate safeguard (e.g. binding corporate rules) in accordance with the relevant Data Protection Laws;
Relevant Communication means, in relation to any Customer Data: (a) a request from a data subject to exercise any of its rights under the relevant Data Protection Laws; or (b) any complaint, notice or other communication from a data subject or Supervisory Authority, government authority or judicial body which relates to the processing of personal data;
Sub-Processor means any third party appointed by UserZoom to process the Customer Data.
Capitalised terms not defined within this DPA shall have the meaning provided for within the Agreement.
COMPLIANCE WITH DATA PROTECTION LAWS
2.1. Each party is responsible for its own compliance with the relevant Data Protection Laws in relation to the Customer Data whilst under its control and each party is responsible for the exercise of data subject rights in relation to such personal data. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the relevant Data Protection Laws.
2.2. The Parties acknowledge that Customer acts as controller and UserZoom acts as processor, each in respect of the Customer Data. To the extent that processing of the Customer Data is subject to the CCPA, the parties agree that UserZoom is a service provider and Customer is a business. In connection with the performance of its obligations under the Agreement:
a. Customer will comply with all obligations applicable to it under the relevant Data Protection Laws as the controller and/or a business (as applicable); and
b. UserZoom will comply with all obligations applicable to it under the relevant Data Protection Laws as the processor and/or a service provider (as applicable).
2.3. Schedule 1 sets out the scope, nature and purpose of processing by UserZoom, the duration of the processing and the types of Customer Data and categories of data subject.
2.4. UserZoom will maintain accurate records to demonstrate its compliance with this DPA and will make this information available to the Customer upon reasonable written request.
2.5. Without prejudice to the generality of paragraph 2.1, the Customer warrants to UserZoom that it has all necessary appropriate consents and notices in place and all necessary rights to enable lawful transfer of the Customer Data to UserZoom and/or lawful collection of the Customer Data by UserZoom on behalf of the Customer for the duration and purposes of this DPA.
DATA PROCESSING REQUIREMENTS
3.1. In relation to Customer Data that UserZoom processes as a processor on behalf of Customer, UserZoom will:
a. keep Customer Data confidential;
b. process Customer Data only in accordance with Customer’s reasonable written instructions (including those set out in the Agreement) and in accordance with its privacy policy(ies) set out at https://www.userzoom.com/privacy-policy/ unless required otherwise by European Union, member state or applicable local laws to which UserZoom is subject; in which case UserZoom will inform Customer of that legal requirement before processing, unless prohibited from doing so by such law;
c. inform Customer immediately if in its reasonable opinion an instruction from the Customer infringes any relevant Data Protection Laws. In such event, UserZoom will not be obliged to carry out that processing and will not be in breach of this Agreement or otherwise liable to the Customer as a result of its failure to carry out that processing;
d. take reasonable steps to ensure the reliability of persons having access to Customer Data and ensure that persons authorised to process Customer Data are:
i. aware of the confidential nature of such data;
ii. subject to legally binding obligations to maintain its confidentiality; and
iii. only given access to such Customer Data as is necessary for the performance of their duties;
e. notify Customer promptly (and within not more than five working days of receipt) if it receives any Relevant Communication, and not respond to such communication (except to the extent required by applicable law) without Customer’s prior approval;
f. taking into account the nature of the processing being undertaken by UserZoom and the information available to it, within no more than 10 calendar days of the date of Customer’s request provide reasonable cooperation and assistance to Customer in order for Customer to:
i. comply with its obligations under the relevant Data Protection Laws relating to the security of processing of the Customer Data;
ii. respond to or fulfil (as the case may be) a Relevant Communication; and
iii. conduct privacy impact assessments of any processing operations and consult with supervisory authorities, data subjects and their representatives accordingly;
g. not permit any Sub-Processor to process Customer Data except in the following circumstances:
i. UserZoom has complied with paragraph 4 of this DPA in respect of the processing of personal data by the Sub-Processor; and
ii. the processing of Customer Data by the Sub-Processor is solely for the purpose of performing UserZoom’s obligations under the Agreement;
h. ensure that appropriate technical, physical and organisational measures in accordance with Article 32 GDPR, as detailed at https://www.userzoom.com/technical-and-organisational-measures/ shall be taken to ensure the ongoing confidentiality, security, availability and integrity of the Customer Data and to prevent unauthorised or unlawful processing of Customer Data and accidental loss or destruction of, or damage to, Customer Data; and
i. if a Data Security Incident relating to Customer Data occurs:
i. notify Customer in writing of such Data Security Incident without undue delay after discovering it (and within not more than 48 hours of discovering the Data Security Incident if, in UserZoom’s reasonable opinion, either UserZoom or Customer will be required by any relevant Data Protection Laws to notify a Supervisory Authority of such Data Security Incident);
ii. provide all cooperation, assistance and information reasonably requested by Customer in respect of such Data Security Incident;
iii. except to the extent required by relevant Data Protection Laws, not make any notification to any third party (including any Supervisory Authority or data subject) regarding the Data Security Incident without Customer’s prior written consent;
iv. assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the relevant Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
v. take such steps as are reasonably required to mitigate the impact of the Data Security Incident on Customer and/or any data subjects and to prevent its reoccurrence.
3.2. UserZoom shall have no liability for failure to comply with the terms of clause 3.1(h) to the extent that the Data Security Incident was caused by the Customer or on the basis of the Customer’s instructions.
3.3. Customer warrants to UserZoom that its instructions to UserZoom relating to processing of the Customer Data will not put UserZoom in breach of Data Protection Laws.
SUB-PROCESSORS
4.1. The parties expressly agree that UserZoom’s Affiliates may be retained as Sub-Processors. The Customer provides general authorisation to UserZoom to engage any person as a Sub-Processor for the processing of the Customer Data. UserZoom maintains an up-to-date list of Sub-Processors at https://www.userzoom.com/sub-processors/ and shall ensure that such list is updated in advance of appointing or replacing any Sub-Processor, thereby giving Customer the opportunity to object to such changes in accordance with clause 4.3 of this DPA. Customer shall provide an email address to receive notifications of intended changes concerning the addition of new Sub-Processors at https://www.userzoom.com/privacy-policy/. If Customer subscribes to receive such notifications, UserZoom shall notify Customer when the list is updated.
4.2. In respect of any Sub-Processor that UserZoom uses to process Customer Data on behalf of Customer, UserZoom must:
a. remain liable for any breach of this DPA that is caused by an act, error or omission of its Sub-Processor;
b. ensure that the Sub-Processor is subject to written terms no less onerous than the terms contained in this DPA;
c. ensure that the use of the Sub-Processor does not result in:
i. UserZoom breaching any of its obligations under the Agreement;
ii. a material risk to the confidentiality, security, availability, or integrity of any Customer Data; or
iii. an adverse effect on Customer’s ability to comply with any relevant Data Protection Laws,
each a “Data Protection Risk”.
4.3. Customer will be entitled to object to the use of a Sub-Processor if the use of that Sub-Processor objectively has caused, or is likely to cause, a Data Protection Risk, provided that Customer provides UserZoom with written notice of its objection within 30 days of the date on which UserZoom gives notice by updating its list of Sub-Processors at https://www.userzoom.com/sub-processors to reflect the use of that Sub-Processor.
4.4. If Customer objects to the use of a Sub-Processor in accordance with paragraph 4.3 above, then the parties will (acting reasonably and in good faith) promptly discuss Customer’s objections and UserZoom must either:
a. not use (or, in respect of an existing Sub-Processor, cease to use) that Sub-Processor to process Customer Data; or
b. permit Customer to terminate the Agreement immediately without additional liability.
CCPA
5.1. Solely to the extent the Customer Data is subject to the CCPA, the provisions of this section 5 will apply.
5.2. UserZoom shall not:
a. “sell” or “share” the Customer Data (as those terms are defined in the CCPA);
b. retain, use, disclose, or otherwise process Customer Data for any purpose other than the business purposes of providing the Services set out in the Agreement, or as otherwise permitted by the CCPA;
c. retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between UserZoom and Customer; and/or
d. combine Customer Data with any personal data that UserZoom collects itself or receives from another source, except to perform any business purpose permitted by the CCPA.
5.3. UserZoom certifies that it understands the contractual restrictions set out in this section 5 and it will comply with them.
5.4. If UserZoom determines that it can no longer meet its obligations under this DPA, UserZoom shall notify the Customer no later than the time period prescribed by the CCPA.
5.5. If UserZoom is engaged in unauthorised use of Customer Data, Customer may (upon reasonable notice to UserZoom) take reasonable and appropriate steps to stop and remediate the unauthorised use of such Customer Data.
5.6. The parties hereby acknowledge and agree that the transfer of Customer Data from the Customer shall not constitute a sale of personal information to UserZoom. UserZoom receives such Customer Data pursuant to the business purpose of providing the Services in accordance with the Agreement.
AUDIT
6.1. The Customer (or another auditor mandated by the Customer, bound by appropriate confidentiality obligations) may monitor UserZoom’s compliance with the terms of this DPA by:
a. requiring UserZoom to complete the Customer’s Security Assessment Questionnaire on an annual basis;
b. requiring UserZoom to provide appropriate information, records, and certifications and audit reports issued by reputable independent third parties (provided that there have been no material changes to the controls used by UserZoom since the certification or audit report was issued) to the Customer; and/or
c. allowing the Customer, at its own cost, to conduct penetration testing and vulnerability assessments.
TRANSFERS OF PERSONAL DATA
7.1. In the event that an International Transfer occurs between the parties, such transfer shall be on the basis of standard contractual clauses approved under the Data Protection Laws (“SCCs”). The parties hereby enter into and execute the SCCs by deeming that the SCCs are attached to and incorporated into this DPA, and by subsequently executing this DPA. Where the SCCs require the parties to supplement the SCCs with additional information, all required information is set forth exclusively at https://www.userzoom.com/sccs/. If any SCCs the parties rely on are superseded or otherwise invalidated, the parties agree to enter into a new or modified adequate transfer mechanism, if appropriate, within a commercially reasonable time period and in accordance with the Data Protection Laws.
RETURN AND DESTRUCTION OF PERSONAL DATA
8.1. Upon termination of the Agreement (or as otherwise instructed by Customer in writing), UserZoom will cease processing the Customer Data and return (by way of making available for download) or delete all of Customer’s data in UserZoom’s possession or control and, in the event of a return, subsequently irretrievably delete all copies of such data, subject to section 8.2 below.
8.2. UserZoom may retain one copy of Customer Data solely to the extent that it is required to do so by law or which it is required to retain for insurance, accounting, taxation or record keeping purposes, provided that it informs Customer of such requirement and continues to comply with the requirements of this DPA with regard to such personal data. For the purposes of this paragraph 8.2, Customer accepts that UserZoom may retain a secure backup of Customer’s data for a period of up to 90 days (or up to 2 months for the EnjoyHQ platform and/or up to 30 days in relation to the UserZoom Go platform) post-termination.
TERM
9.1. The provisions in this DPA shall apply for as long as UserZoom processes Customer Data in accordance with the Agreement.
GENERAL
10.1. Any notice or other communication to be provided by one party to the other party under this DPA, shall be provided in accordance with the notices provision of the Agreement.
10.2. This DPA and the documents referred to in it including the Agreement constitute the entire understanding and agreement of the parties in relation to the processing of the Customer Data and supersede all prior agreements, discussions, negotiations, arrangements and understandings of the parties and/or their representatives in relation to such processing. The terms of this DPA shall be subject always to the terms of the Agreement. Notwithstanding the foregoing, in the event of any conflict or inconsistency between any documents, the following order of precedence shall apply: (i) the SCCs (where applicable); (ii) the relevant Order Form; (iii) this DPA; and (iv) the Agreement.