PINGDOM_CHECK

Data Processing Agreement

This Data Processing Agreement and its Annexes (“DPA”) form part of the Agreement entered into between Zyte customers (“Client”,“You”, “Your”) and Zyte Group Ltd. (“Zyte”) (collectively, the “Parties”) and sets forth the terms and conditions under which the Parties may process Personal Data. In the event of a conflict in relation to the processing of Personal Data between this DPA, Zyte Terms, and any other agreement, this DPA shall prevail. Unless otherwise specified, capitalized terms used but not defined in this DPA shall have the meaning set forth elsewhere in the Terms. This DPA is effective as the date the Agreement is entered into and will continue in force until the expiration or termination of the Agreement in accordance with its terms.

  1. Definitions

    The following definitions shall apply for the purposes of this DPA:

    1. “Agreement” means the Zyte Terms together with any document related to Your subscription to the Services together with any Zyte generated service invoices, statements of work, contracts and/or any other agreements executed or approved by You with respect to Your subscription to the Services.

    2. "Contact Data" means Personal Data provided by You to Zyte including names, usernames (Zyte login details, Slack and other communication software other user names), business email addresses, business phone numbers, job titles, and such other information as is specified in the Zyte Terms.

    3. “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meanings set out in the GDPR (and related terms such as “Process” have corresponding meanings). 

    4. “Data Protection Laws” is defined as all legislation and regulations relating to the protection of Personal Data, including (without limitation), the Data Protection Acts 1988-2018, the GDPR, and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by a relevant Supervisory Authority relating to the processing of Personal Data or privacy, each as amended, revised, modified or replaced from time to time.

    5. “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data.

    6. "Restricted Transfer" means an international transfer of Personal Data by Zyte to You where such transfer would be prohibited by applicable Data Protection Laws in the absence of a Transfer Solution.

    7. “Security Event” means an incident which results in (or may result in) the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Client’s Personal Data while in the custody or control of Zyte or a Sub-Processor.

    8. "Service Personal Data" means the Personal Data collected, processed, or transferred by and/or to Client using the Services.

    9. “Services” means the service(s) and/or product(s) provided by Zyte to You under the Zyte Terms and/or an applicable Agreement.

    10. “Standard Contractual Clauses” means (a) in respect of any Personal Data subject to the GDPR , the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 between (i) controllers and controllers (Module 1) ("Controller to Controller") and/or (ii) processors and controller (Module 4) ("Processor to Controller") as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at https://ec.europa.eu/info/sites/default/files/sccs_word.zip and the Addendum B.1.0 issued by the Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (incorporating the Mandatory Clauses of that Addendum) appended to the Standard Contractual Clauses.

    11. “Sub-Processor” means the third party sub-processors set out in Annex 3 to this DPA engaged by Zyte to process Personal Data as authorized by Client in accordance with this DPA. 

    12. “Third Country” means all countries that are not members of the European Economic Area (“EEA”) or which have not been recognised by the European Commission as providing an adequate level of protection for Personal Data.

    13.  "Transfer Solution" means the Standard Contractual Clauses or any other means or basis for permitting the transfer of Personal Data in accordance with applicable Data Protection Laws. 

    14. “TOMs” means technical and organizational measures.

    15. “Zyte Terms” means Zyte’s Terms of Service and Privacy Policy.

  1. Data Protection Roles

    1. The Parties acknowledge that:

      1. they each shall be independent controllers in respect of the Contact Data: and 

      2. Zyte shall be a Processor and Client shall be a Controller in respect of the Service Personal Data. 

  1. Client Obligations

    1. Client represents and warrants that it will only use the Service Personal Data to process Personal Data if such processing is in compliance with the applicable Data Protection Laws.

    2. Client, as the Controller, represents and warrants that any processing instructions given to Zyte shall be lawful and in compliance with the applicable Data Protection Laws.  Client further represents and warrants that it has and will continue at all times to have in place all fair Processing notices, (where applicable) consent mechanisms for Data Subjects and other measures required to ensure that all Processing of Service Personal Data on the Client's behalf contemplated pursuant to this DPA, shall be lawful and shall not contravene the applicable Data Protection Laws.

  1. Zyte Obligations

    1. Zyte, as the Controller, will process Contact Data for the purposes of providing the Services to Client under the Zyte Terms and any applicable Agreement.

    2. Zyte, as the Processor, will process the Service Personal Data only on documented instructions from Client.

    3. Without prejudice to the Client's obligations pursuant to Section 3, Zyte shall immediately inform Client if instructions given by Client, in Zyte' opinion, infringe the GDPR or applicable Union or Member State data protection provisions.

    4. Zyte warrants that all persons authorized by Zyte to Process Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality to ensure that the Service Personal Data is kept safe and secure.

    5. Zyte shall implement and maintain appropriate TOMs designed to meet the requirements of Article 32 of the GDPR to protect the the Personal Data against any misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

    6. Zyte shall without undue delay, and in any event no later than seventy-two (72) hours, notify Client of a Security Event. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification of a Security Event shall contain the information then available and further information shall be provided as it becomes available without undue further delay.

    7. Zyte will provide Client with information about:

      1. the details of a contact point where more information concerning the Security Event can be obtained;

      2. the nature of the Security Event including the categories and approximate number of Data Subjects and Personal Data records concerned;

      3. the likely consequences of the Security Event; and

      4. the steps Zyte has taken to address the Security Event.

    8. Zyte shall:

      1. take all necessary steps to mitigate the effects and to minimize any damage resulting from the Security Event and to prevent a recurrence of such Security Event; and

      2. provide such assistance and cooperation as Client requires in responding to the Security Event including in relation to notifying any relevant regulatory authority and/or affected Data Subject(s) of the Security Event. 

  1. Sub-Processors

    1. Client agrees that Zyte may share Personal Data with the Sub-Processors listed in Annex III.  Zyte may remove or replace the current Sub-Processors from time to time as necessary to provide the Services and will notify You of any such changes. 

    2.  Zyte must ensure that a written contract is entered into with each Sub-Processor that is compliant with the Data Protection Laws. Zyte shall be responsible and liable for any acts or omissions of the Sub-Processor.

    3.  Instructions given by Zyte to any Sub-Processor shall be within the scope of this DPA.

  1. Third Country Transfer of Personal Data

    1. The Parties acknowledge and agree Zyte may from time to time transfer Contact Data and Service Personal Data outside of the EEA.

    2. In the event of a Restricted Transfer, the Parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of this DPA as follows:

      1. Client shall be the “data importer” and Zyte shall be the “data exporter”.

      2. In relation to Client’s contact information, Module One shall apply as the Parties are independent Controllers. In relation to data extracted using Zyte Services, Module Four shall apply as Client is the Controller and Zyte is the Processor.

      3. In Clause 7, the optional docking clause shall not apply

      4. In Clause 9, Option 2 shall apply with at least 7 days prior notice (including email).

      5. In Clause 11, the optional language shall not apply.

      6. In Clause 17, the law of Ireland shall apply.

      7. In Clause 18, the courts of Ireland shall apply.

      8. the Annex I and II to the Standard Contractual Clauses are set out in the Annex I and II to this DPA

    3. In the event of a change in any applicable Data Protection Laws relating to the country/countries where an adequate level of data protection exists requiring an alternative Transfer Solution to be implemented to permit the continued transfers of Personal Data anticipated in the Agreement, the Parties each agree to act reasonably to seek to agree an alternative Transfer Solution permitting the relevant Party to continue Processing the Personal Data in the relevant country/countries and the relevant international transfer(s) to continue.

    4.  In the event the European Commission issues any replacement or substitution of the Standard Contractual Clauses, upon receipt of written notice from a Party requiring the same, the Standard Contractual Clauses incorporated into this DPA pursuant to this clause 6.4 shall be deemed to be deleted and replaced with such replacement or substitution which each Party agrees shall be deemed to be incorporated into this Agreement in place of the Standard Contractual Clauses (and all references in this DPA shall be deemed to refer to such replacement or substitutions clauses accordingly).  To the extent necessary, each Party agrees to co-operate taking such other measures as may be necessary to give effect to such replacement or substitution of the Standard Contractual Clauses in order to comply with applicable Data Protection Laws and/or otherwise satisfy any administrative or documentary requirements relating to the same.

  1. General

    1. Nothing in this DPA reduces the Client's obligations under the Agreement in relation to the protection of Personal Data. 

    2. This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed, in accordance with, the laws of Ireland.

    3. The Parties irrevocably agree that in relation to any dispute or claim that arises out of or in connection with the DPA or its subject matter or formation (including non-contractual disputes or claims) the courts of Ireland shall have jurisdiction.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name:Zyte Group Ltd.
Address:Cuil Greine House, Ballincollig Commercial Park, Link Road, Ballincollig, Co. Cork, Ireland.
Contact person’s name, position and contact details:Sanaea Daruwalla, sanaea@zyte.com
Activities relevant to the data transferred under these Clauses:Providing Services to Client
Role (controller/processor):Module 1 Controller in relation to Contact Data.
Module 4 Processor in relation to Service Personal Data.

Data importer(s):

Name:Client’s name as set out in an Agreement
Address:Client’s address as set out in an Agreement
Contact person’s name, position and contact details:As set out in an Agreement or as otherwise agreed with Zyte
Activities relevant to the data transferred under these Clauses:Using Zyte’s Services
Role (controller/processor):Module 1 Controller in relation to Contact Data.
Module 4 Controller in relation to Service Personal Data.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred:
Client staff information; other information as determined by Client
Categories of personal data transferred:
Names, usernames (Zyte login details, Slack and other communication software other user names), business email addresses, postal addresses, business phone numbers, job titles,and other information as specified in the Agreement
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
As specified in the Agreement
Purpose(s) of the data transfer and further processing
Zyte will process the Personal Data as necessary to provide the Services
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As specified in the Agreement
For transfers to (sub) processors, also specify subject matter, nature and duration of the processing
As described in in Annex III

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13
Irish Data Protection Commission

ANNEX II


TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Security MeasureDescription of Zyte Process
Ensuring physical security of locations at which Personal Data is processedZyte services are hosted on data servers hosted by highly secure cloud providers. All of Zyte’s hosting providers are ISO 27001 certified.
Ensuring system event loggingZyte uses centralized log management, which logs system events. Zyte shall monitor these logs for success rates, availability, and response time.
Protection of data during transmissionAll data in transit is encrypted using Transport Layer Security (TLSv1.2) using RSA256 bit key signed using the algorithm SHA256withRSA.
Managing vulnerabilities on production environmentZyte has a vulnerability management program and performs advanced vulnerability scans using leading technology scanners on a daily basis.
Ensuring password securityStrong passwords are implemented on all applicable systems. Zyte has a password management policy following ISO 27001 security requirements.
Ensuring system configurationSetup on servers is automated using a configuration management and orchestration tool to provide the same configurations per role on all servers.
User identification and authorisationAdministrative privileges are restricted based on the concept of least privilege and defined roles-level access. Only very limited staff at Zyte have administrator access to Zyte systems.
Governance and risk managementZyte has a risk management program in accordance with the ISO 27001 Framework
Managing incidents that affect confidentiality, integrity, and availabilityAn Information Technology Infrastructure Library is used to manage the lifecycle of an incident. Zyte has an incident response progress and guide for escalation based on the severity of an incident.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors (including a clear delimitation of responsibilities in case several sub-processors are authorized) :

NameAddressDescription of processing
6sense450 Mission Street, Suite 201 San Francisco, CA, 94105 USACustomer relationship management tool
Amazon Web Services410 Terry Avenue North, Seattle, WA USAHosting provider
Atlassian350 Bush Street Floor 13 San Francisco, CA 94104 USAProject management tool
Braintree222 W Merchandise Mart Plaza, Suite 800, Chicago, IL 60654 USAOnline payment processing provider
Breadwinner 8 The Green, Suite #5978, Dover, DE 19901 USAFinancial reporting management system
Chargebee340 S. Lemon Avenue, Suite #1537, Walnut, CA 91789 USAPayment and subscription management tool
ChiliPiper228 Park Avenue South, Suite 78136, New York, NY 10003 USA Scheduling platform tool
Confluent899 West Evelyn Ave. Mountain View, CA 94041 USACode development and maintenance system
Docusign5 Hanover Quay, Grand Canal Dock, Dublin, Ireland Contract signature platform
Freshworks2950 S. Delaware Street, Suite 201, San Mateo, CA 94403 USAIssue reporting and tracking tool
Gainsight655 Montgomery St 7th Floor, San Francisco, CA 94111 USA Customer relationship management tool
Gong201 Spear St. 13th Floor San Francisco, CA 94105 USA Call recording and customer relationship management tool
Google Analytics1600 Amphitheatre Parkway Mountain View, CA 94043 USA Analytics service
Google Cloud1600 Amphitheatre Parkway Mountain View, CA 94043 USA Infrastructure provider
HetznerIndrustriestr. 25, 91710 Gunzenhausen, GermanyHosting provider
Hubspot25 First Street, 2nd Floor Cambridge, MA 02141 USA Customer relationship management tool
Mail Gun112 E Pecan St #1135, San Antonio, TX 78205 USAEmail and communication tool
MixMax548 Market Street, PMB 60764 San Francisco, CA, 94104 USA Email and communication tool
MicrosoftOne Microsoft Way, Redmond WA 98052 USA Analytics and documentation tool
Salesforce415 Mission Street Third Floor San Francisco, CA 94105 USA Customer relationship management tool
Servers.com 2777 N Stemmons Fwy. Dallas, TX 75207 USA Hosting provider
Slack500 Howard Street San Francisco, CA 94105 USA Communication and integration tool
Stripe 354 Oyster Point Blvd South San Francisco, CA 94080 USA Online payment processing provider
Userpilot 2035 Sunset Lake Road Newark, Delaware 19702 USA Customer onboarding and analytics tool
Xero 1615 Platte Street, Suite 400, Denver, CO 80202 USA Invoicing tool
Zapier 548 Market St. #62411. San Francisco, CA 94104 USA Integration and automation tool