ZayZoon Canada- Data Processing Agreement
This Data Privacy Agreement (“DPA”) applies to any services agreement (“Agreement”) between ZayZoon and Client and is incorporated by reference when the Applicable Laws (defined below) cover Counterparty’s use of the Services and the processing of Personal Data. This DPA ensures that ZayZoon’s processing of Personal Data complies with Applicable Laws. This DPA does not apply if ZayZoon and Counterparty executed a separate data processing agreement compliant with the Applicable Laws.
Capitalized Terms not defined herein shall have the definitions set forth in the Agreement.
1. Definitions
“Applicable Laws” means all laws, regulations, and regulatory guidance applicable to the Processing of Personal Data under this DPA, including PIPEDA and applicable provincial privacy laws.
“Controller” means Client.
“Personal Data” means any information relating to an identified or identifiable individual, as defined under the applicable data protection laws in Canada, including the Personal Data Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy laws.
“Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
“Processor” means ZayZoon.
2. Scope and Purpose
The Processor agrees to Process Personal Data only on behalf of and under the documented instructions of the Controller, except where required by Applicable Laws.
The Processor shall not Process Personal Data for any purpose other than to perform the Services described in the Agreement, or as otherwise expressly authorized by the Controller.
3. Obligations of the Processor
The Processor shall comply with all Applicable Laws concerning the Processing of Personal Data. The Processor shall ensure that all personnel authorized to Process Personal Data are bound by confidentiality obligations and have received appropriate training on data protection.
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration.
If sub-processors are engaged, Processor shall contract with such sub-processors to ensure they comply with Applicable Laws.
Processor shall not transfer Personal Data outside Canada and the United States without Controller's prior written consent, except where required by law or where adequate protections are in place.
- Security
ZayZoon has implemented and will maintain commercially reasonable and appropriate technical and organizational measures in relation to the Services, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. This includes measures relating to the physical security of facilities used to deliver Services, measures to control access rights to assets and relevant networks, and processes for testing these measures.
- Compliance
Demonstration of Compliance. Upon request by Counterparty, ZayZoon will make available to Counterparty information demonstrating that ZayZoon uses Counterparty Personal Data in a manner consistent with its obligations under Applicable Laws.
Certificate of Compliance. ZayZoon will notify Counterparty if it determines that it can no longer meet its obligations under Applicable Laws. Upon such notice, Counterparty will have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Counterparty Personal Data by ZayZoon.
Legal Requests. The obligations set out in this DPA shall not restrict ZayZoon’s ability to comply with (a) federal, provincial, or local laws; (b) a court order or subpoena to provide information; or (c) a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. ZayZoon shall not be in breach of this DPA or the Agreement if ZayZoon responds to such a request in compliance with Applicable Laws.
Disclosure of Requests to Counterparty. If ZayZoon receives a valid and binding request or order of a governmental body (e.g., a court order, law enforcement demand or other local equivalent) relating to Counterparty Personal Data, ZayZoon will attempt to redirect the requestor to seek disclosure directly from Counterparty (and may provide Counterparty’s basic contact information to enable them to do this this).
- General
This DPA shall remain in force until the earlier of: (i) the termination or expiry of the Agreement or (ii) ZayZoon ceasing to process Personal Data.
If any part of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other terms shall remain in force. Any invalid, unenforceable, or illegal term will be interpreted to give effect to the Parties’ commercial intention. If that is not possible, it will be severed but the rest shall remain in full force.
Except where this DPA conflicts with the Agreement, all other provisions of the Agreement remain unchanged. In the event of conflict between this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Counterparty Personal Data. This DPA together with the Agreement is the final, complete, and exclusive agreement of the Parties with respect to the subject matter of it and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. No other representations or terms shall apply or form part of this DPA.
ZayZoon’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Agreement.
This DPA and the Agreement shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of Applicable Laws. The Parties agree that this DPA shall be interpreted in favor of their intent to comply with Applicable Laws and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with Applicable Laws.
This DPA shall be governed by the governing law of the Province of Alberta.