This data processing Agreement (this “DPA”) constitutes a schedule to the Agreement (as defined below) and is between:
(1) UserZoom; and
(each as defined in the Agreement)
DEFINITIONS AND INTERPRETATION
In this DPA, unless the context otherwise requires:
Agreement means the master subscription and services agreement between UserZoom and the Customer;
Customer Data means any personal data generated, transferred, processed or otherwise reproduced under this Agreement or any Order Form. For the avoidance of doubt, Customer Data shall not include any data in respect of which UserZoom acts as controller;
Data Protection Laws means all laws and regulations in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including but not limited to EU Regulation 2016/679 (“GDPR”) and its local implementation laws, such as the German Federal Data Protection Act (BDSG), the Data Protection Act 2018, and/or the GDPR as enacted by the United Kingdom and the California Consumer Privacy Act; in each case, to the extent in force, and as updated, amended or replaced from time to time;
controller, processor, data subject, personal data, personal information, processing, personal data breach and supervisory authority have the meanings set out in the Data Protection Laws;
Data Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Data transmitted, stored or otherwise processed;
International Transfer means a transfer of the Customer Data from the UK or from the EEA, in each case to a person or entity in a third country (as defined by the Data Protection Laws) or to an international organisation which does not ensure an adequate level of protection or is not governed by an existing appropriate safeguard (e.g. binding corporate rules) in accordance with Data Protection Laws;
Relevant Communication means, in relation to any personal data in respect of which Customer is a controller: (a) a request from a data subject to exercise any of its rights under the Data Protection Laws; or (b) any complaint, notice or other communication from a data subject or Supervisory Authority, government authority or judicial body which relates to the processing of personal data;
Sub-Processor means any third party appointed by UserZoom to process the Customer Data.
Capitalised terms not defined within this DPA shall have the meaning provided for within the Agreement. The terms of this DPA shall be subject always to the terms of the Agreement.
COMPLIANCE WITH DATA PROTECTION LAWS
2.1. Each party is responsible for its own compliance with the Data Protection Laws in relation to the Customer Data whilst under its control and each party is responsible for the exercise of data subject rights in relation to such personal data. This DPA is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Laws.
2.2. The Parties acknowledge that Customer acts as controller in respect of the Customer Data and shares the Customer Data with UserZoom to use as processor. In connection with the performance of its obligations under the Agreement:
a. Customer will comply with all obligations applicable to it under the Data Protection Laws as the controller; and
b. UserZoom will comply with all obligations applicable to it under the Data Protection Laws as the processor.
2.3. Schedule 1 sets out the scope, nature and purpose of processing by UserZoom, the duration of the processing and the types of Personal Data and categories of Data Subject.
2.4. UserZoom will maintain accurate records to demonstrate its compliance with this DPA and will make this information available to the Customer upon reasonable request.
2.5. Without prejudice to the generality of paragraph 2.1, the Customer warrants to UserZoom that it has all necessary and appropriate consents and notices in place and all necessary rights to enable lawful transfer of the Personal Data to UserZoom and/or lawful collection of the Personal Data by UserZoom on behalf of the Customer for the duration and purposes of this DPA.
DATA PROCESSING REQUIREMENTS
3.1. In relation to Customer Data that UserZoom processes as a processor on behalf of Customer, UserZoom will:
b. inform Customer immediately if in its reasonable opinion an instruction from the Customer infringes any Data Protection Laws. In such event, UserZoom will not be obliged to carry out that processing and will not be in breach of this Agreement or otherwise liable to the Customer as a result of its failure to carry out that processing;
c. take reasonable steps to ensure the reliability of persons having access to Customer Data and ensure that persons authorised to process Customer Data are:
i. aware of the confidential nature of such data;
ii. subject to legally binding obligations to maintain its confidentiality; and
iii. only given access to such personal data as is necessary for the performance of their duties;
d. notify Customer promptly (and within not more than five business days of receipt) if it receives any Relevant Communication, and not respond to such communication (except to the extent required by applicable law) without Customer’s prior approval;
e. taking into account the nature of the processing being undertaken by UserZoom and the information available to it, within no more than 10 calendar days of the date of Customer’s request, provide reasonable cooperation and assistance to Customer in order for Customer to:
i. comply with its obligations under the Data Protection Laws relating to the security of processing of the Customer Data;
ii. respond to or fulfil (as the case may be) a Relevant Communication;
iii. document any Data Security Incidents and report any Data Security Incidents to any Supervisory Authority and/or Data Subjects; and
iv. conduct privacy impact assessments of any processing operations and consult with Supervisory Authorities, Data Subjects and their representatives accordingly;
f. not permit any Sub-Processor to process personal data except in the following circumstances:
i. UserZoom has complied with paragraph 4 of this DPA in respect of the processing of personal data by the Sub-Processor; and
ii. the processing of personal data by the Sub-Processor is solely for the purpose of performing UserZoom’s obligations under the Agreement;
g. ensure that appropriate technical, physical and organisational measures in accordance with Article 32 GDPR, as detailed at https://www.userzoom.com/technical-and-organisational-measures/ shall be taken to ensure the ongoing confidentiality, security, availability and integrity of the Customer Data and to prevent unauthorised or unlawful processing of Customer Data and accidental loss or destruction of, or damage to, Customer Data; and
h. if a personal data breach relating to Customer’s personal data occurs:
i. notify Customer in writing of such personal data breach promptly and without undue delay after discovering the personal data breach relating to Customer Data (and within not more than 48 hours of discovering the personal data breach if, in UserZoom’s reasonable opinion, either UserZoom or Customer will be required by any Data Protection Laws to notify the personal data breach to a Supervisory Authority);
ii. provide all cooperation, assistance and information reasonably requested by Customer in respect of such personal data breach;
iii. except to the extent required by Data Protection Laws, not make any notification to any third party (including any Supervisory Authority or data subject) regarding the personal data breach without Customer’s prior written consent;
iv. assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and
v. take such steps as are reasonably required to mitigate the impact of the personal data breach on Customer and any data subjects and to prevent its recurrence.
3.2. UserZoom shall have no liability for failure to comply with the terms of clause 3.1(h) to the extent that the personal data breach was caused by the Customer or on the basis of the Customer’s instructions.
3.3. Customer warrants to UserZoom that its instructions to UserZoom relating to processing of the Customer Data will not put UserZoom in breach of Data Protection Laws.
4.1. The parties expressly agree that UserZoom’s Affiliates may be retained as Sub-Processors. The Customer provides general authorisation to UserZoom to engage any person as a Sub-Processor for the processing of the Customer Data. UserZoom maintains an up-to-date list of Sub-Processors at https://www.userzoom.com/sub-processors/ and shall ensure that such list is updated in advance of appointing or replacing any Sub-Processor, thereby giving Customer the opportunity to object to such changes in accordance with clause 4.3 of this DPA. Customer shall provide an email address to receive notifications of intended changes concerning the addition of new Sub-Processors at https://www.userzoom.com/privacy-policy/. If Customer subscribes to receive such notifications, UserZoom shall notify Customer when the list is updated.
4.2. In respect of any Sub-Processor that UserZoom uses to process personal data on behalf of Customer, UserZoom must:
a. remain liable for any breach of this DPA that is caused by an act, error or omission of its Sub-Processor;
b. ensure that the Sub-Processor is subject to written terms no less onerous than the terms contained in this DPA;
c. ensure that the use of the Sub-Processor does not result in:
i. UserZoom breaching any of its obligations under the Agreement;
ii. a material risk to the confidentiality, security, availability, or integrity of any personal data processed on behalf of Customer; or
iii. an adverse effect on Customer’s ability to comply with Data Protection Laws,
each a “Data Protection Risk”.
4.3. Customer will be entitled to object to the use of a Sub-Processor if the use of that Sub-Processor objectively has caused, or is likely to cause, a Data Protection Risk, provided that Customer issues UserZoom with written notice of its objection within 30 days of the date on which it receives notice from UserZoom of the use of the Sub-Processor, given by way of UserZoom updating its list of Sub-Processors at https://www.userzoom.com/sub-processors.
4.4. If Customer objects to the use of a Sub-Processor in accordance with paragraph 4.3 above, then the parties will (acting reasonably and in good faith) promptly discuss Customer’s objections and UserZoom must either:
a. not use (or, in respect of an existing Sub-Processor, cease to use) that Sub-Processor to process personal data on behalf of Customer; or
b. permit Customer to terminate the Agreement immediately without additional liability.
5.1. The Customer (or another auditor mandated by the Customer, bound by appropriate confidentiality obligations) may monitor UserZoom’s compliance with the terms of this DPA by requiring UserZoom to complete the Customer’s Security Assessment Questionnaire on an annual basis. Alternatively, this may be satisfied by the provision to the Customer of appropriate information, records, and certifications and audit reports issued by reputable independent third parties (provided that there have been no material changes to the controls used by UserZoom since the certification or audit report was issued). The Customer shall also have the option to conduct penetration testing and vulnerability assessments at the Customer’s own cost.
TRANSFERS OF PERSONAL DATA
6.1. In the event that an International Transfer occurs between the parties, such transfer shall be on the basis of standard contractual clauses approved under the Data Protection Laws (“SCCs”). The parties hereby enter into and execute the SCCs by deeming that the SCCs are attached to and incorporated into this DPA, and by subsequently executing this DPA. Where the SCCs require the parties to supplement the SCCs with additional information, all required information is set forth exclusively at https://www.userzoom.com/sccs/ (“SCCs”). If any SCCs the parties rely on are superseded or otherwise invalidated, the parties agree to enter into a new or modified adequate transfer mechanism, if appropriate, within a commercially reasonable time period and in accordance with the Data Protection Laws.
RETURN AND DESTRUCTION OF PERSONAL DATA
7.1. Upon termination of the Agreement (or as otherwise instructed by Customer in writing), UserZoom will cease processing the personal data and return (by way of making available for download) or delete all of Customer’s data in UserZoom’s possession or control and, in the event of a return, subsequently irretrievably delete all copies of such data, subject to paragraph 7.2 below.
7.2. UserZoom may retain one copy of Customer’s personal data solely to the extent that it is required to do so by law or which it is required to retain for insurance, accounting, taxation or record keeping purposes, provided that it informs Customer of such requirement and continues to comply with the requirements of this DPA with regard to such personal data. For the purposes of this paragraph 7.2, Customer accepts that UserZoom may retain a secure backup of Customer’s data for a period of up to 90 days (or up to 2 months for the EnjoyHQ platform and/or up to 30 days in relation to the UserZoom Go platform) post-termination.
The provisions in this DPA shall apply as long as UserZoom processes personal data for which the Customer is the data controller, in accordance with the Agreement.
9.1. Any notice or other communication to be provided by one party to the other party under this DPA, shall be provided in accordance with the notices provision of the Agreement.
9.2. This DPA and the documents referred to in it, including the Agreement, constitute the entire understanding and agreement of the parties in relation to the processing of the Customer Data and supersede all prior agreements, discussions, negotiations, arrangements and understandings of the parties and/or their representatives in relation to such processing.