ZayZoon USA - Data Processing Agreement
ZAYZOON DATA PROCESSING ADDENDUM (US)
This Data Processing Addendum (“DPA”) supplements and is incorporated into the ZayZoon Client Standard Terms or other services agreement (in either case, the “Agreement”) between ZayZoon US Inc. (“ZayZoon”) and the Client or other counterparty identified in the Agreement (“Counterparty”). This DPA applies to ZayZoon’s Processing of Counterparty Personal Information in connection with the Service. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or, where applicable, in Applicable Privacy Laws.
- Definitions
“Applicable Privacy Laws” means all federal, state, and local laws and regulations applicable to ZayZoon’s Processing of Counterparty Personal Information under the Agreement, including, to the extent applicable to Counterparty’s use of the Service: the California Consumer Privacy Act and the implementing regulations of the California Privacy Protection Agency (collectively, the “CCPA”); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; the Utah Consumer Privacy Act; the Texas Data Privacy and Security Act; the Oregon Consumer Privacy Act; and any other comprehensive consumer privacy law in effect from time to time in any US state or territory, in each case as amended.
“Authorized Persons” means employees, contractors, and agents of ZayZoon and its Affiliates and Subprocessors who require access to Counterparty Personal Information to perform their roles in connection with the Service and who are bound by confidentiality obligations no less restrictive than those in the Agreement.
“Business Purposes” has the meaning given in Section 3.1.
“Controller” means the natural or legal person that, alone or jointly with others, determines the purposes and means of Processing Personal Information. References to “Business” under the CCPA and equivalent terms under other Applicable Privacy Laws have the same meaning.
“Counterparty Personal Information” means Personal Information that Counterparty discloses or otherwise makes available to ZayZoon in connection with Counterparty’s use of the Service.
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual or household, and includes “personal data” and analogous concepts as defined under any Applicable Privacy Law.
“Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, use, disclosure, transmission, retention, and deletion. “Process” and “Processed” have corresponding meanings.
“Processor” means the natural or legal person that Processes Personal Information on behalf of the Controller. References to “Service Provider” under the CCPA and equivalent terms under other Applicable Privacy Laws have the same meaning.
“Sale” and “Share” have the meanings given under the CCPA. “Sale” also includes any analogous concept under any other Applicable Privacy Law that prohibits or restricts the disclosure of Personal Information for monetary or other valuable consideration.
“Security Incident” means a confirmed unauthorized access to, or acquisition, disclosure, alteration, destruction, or loss of, Counterparty Personal Information in ZayZoon’s possession or control. Security Incident does not include unsuccessful attempts at unauthorized access, failed log-in attempts, port scans, denial-of-service attacks, or similar events that do not result in unauthorized access to, or compromise of, Counterparty Personal Information.
“Notifiable Security Incident” means a Security Incident that (a) is reasonably likely to require notification to one or more affected individuals or to any governmental authority under any Applicable Privacy Law or other applicable data breach notification law, or (b) is reasonably likely to result in a material risk of harm to one or more affected Users.
“Subprocessor” means any third party (other than an Authorized Person of ZayZoon or an Affiliate of ZayZoon) engaged by ZayZoon to Process Counterparty Personal Information.
“Targeted Advertising” means displaying advertisements to an individual where the advertisement is selected based on Personal Information obtained from that individual’s activities over time and across non-affiliated websites or online applications. Targeted Advertising does not include advertising based on activities within the Service or directly responsive to a User’s request.
Terms defined in the CCPA or other Applicable Privacy Laws that are used in this DPA without further definition have the meanings given in the applicable law. References to Sections of the CCPA are to those Sections as amended, including by the California Privacy Rights Act and implementing regulations.
- Roles and Compliance
2.1 Roles. For purposes of this DPA, Counterparty is the Controller and ZayZoon is the Processor with respect to Counterparty Personal Information. Each Party will comply with its respective obligations under Applicable Privacy Laws.
2.2 Counterparty Responsibilities. Counterparty is responsible for (a) establishing and maintaining a lawful basis for disclosing Counterparty Personal Information to ZayZoon and authorizing ZayZoon’s Processing under this DPA; (b) providing all required notices to, and obtaining all required consents from, Users and other affected individuals; (c) the accuracy, completeness, and quality of Counterparty Personal Information disclosed to ZayZoon; and (d) the lawfulness of Counterparty’s instructions to ZayZoon.
- Processing Terms
3.1 Purposes. ZayZoon will Process Counterparty Personal Information solely (a) to provide and improve the Service in accordance with the Agreement; (b) to comply with its legal obligations; (c) to maintain the security and integrity of the Service; (d) to perform internal research and development relating to the Service and ZayZoon’s other offerings; (e) on Counterparty’s documented written instructions, including those set forth in the Agreement; and (f) as otherwise permitted by Applicable Privacy Laws (collectively, the “Business Purposes”).
3.2 Use Restrictions. ZayZoon will not: (a) Sell or Share Counterparty Personal Information; (b) Process Counterparty Personal Information for Targeted Advertising or cross-context behavioral advertising; (c) retain, use, or disclose Counterparty Personal Information outside the direct business relationship between ZayZoon and Counterparty, except as permitted by Applicable Privacy Laws; (d) combine Counterparty Personal Information with Personal Information that ZayZoon receives from or on behalf of other persons, or that ZayZoon collects from its own interaction with a consumer, except (i) as necessary to provide the Service to Counterparty, (ii) to detect or prevent fraud, security incidents, or other illegal activity, or (iii) as otherwise permitted by Applicable Privacy Laws; or (e) Process Counterparty Personal Information for a Commercial Purpose other than the Business Purposes.
3.3 De-Identified and Aggregated Information. Notwithstanding anything to the contrary, ZayZoon may collect, generate, use, retain, and disclose de-identified, aggregated, or anonymized information derived from Counterparty Personal Information, provided that ZayZoon (a) takes reasonable measures to ensure such information cannot be associated with an identified or identifiable individual or household, (b) maintains and uses the information only in de-identified, aggregated, or anonymized form, and (c) does not attempt to re-identify the information. ZayZoon’s rights under this Section 3.3 survive the expiration or termination of the Agreement.
3.4 Retention. ZayZoon will retain Counterparty Personal Information only for as long as necessary to fulfill the Business Purposes or to comply with its legal obligations.
3.5 Location of Processing. Counterparty Personal Information is Processed by ZayZoon primarily in the United States. ZayZoon may engage Affiliates and Subprocessors (including in Canada) to assist with the Service, in each case subject to obligations consistent with this DPA.
- Subprocessors
4.1 General Authorization. Counterparty grants ZayZoon a general authorization to engage Subprocessors to Process Counterparty Personal Information in connection with the Service, subject to this Section 4.
4.2 Categories; List on Request. ZayZoon engages Subprocessors in categories including cloud infrastructure and hosting, payment processing and money movement, identity verification and fraud prevention, electronic communications (email, SMS, and push notification), analytics, logging and monitoring, customer support, and software development tools. A list of ZayZoon’s then-current Subprocessors is available to Counterparty upon written request, subject to obligations of confidentiality consistent with the Agreement.
4.3 Flow-Down. ZayZoon will require each Subprocessor to be bound by data protection obligations no less restrictive than those imposed on ZayZoon under this DPA. ZayZoon remains liable for the acts and omissions of its Subprocessors with respect to Counterparty Personal Information to the same extent ZayZoon would be liable for its own acts and omissions.
4.4 Notice of New Subprocessors; Objection. ZayZoon will notify Counterparty (which notice may be by email to Counterparty’s designated contact, or by updating a list made available to Counterparty) of any new Subprocessor that will Process Counterparty Personal Information. If Counterparty has a reasonable objection to a new Subprocessor on data protection grounds, Counterparty may notify ZayZoon in writing within fifteen (15) days of receipt of notice, in which case the Parties will work in good faith to identify a commercially reasonable resolution. If no resolution can be reached within a reasonable period, Counterparty may terminate the affected portion of the Service or the Agreement on written notice to ZayZoon as Counterparty’s sole and exclusive remedy.
- Security
5.1 Technical and Organizational Measures. ZayZoon will implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Counterparty Personal Information, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the Processing. ZayZoon maintains an information security program that may include, as applicable and as ZayZoon determines appropriate from time to time, measures such as: (a) a recognized third-party security certification or attestation, such as SOC 2 Type 2; (b) written information security policies; (c) encryption of Counterparty Personal Information using industry-standard methods; (d) access controls, including role-based access and multi-factor authentication for Authorized Persons; (e) logging and monitoring of access to Counterparty Personal Information; (f) vulnerability management and testing; and (g) business continuity and disaster recovery capabilities. ZayZoon may modify the specific measures comprising its information security program from time to time, provided that ZayZoon will not materially diminish the overall level of protection afforded to Counterparty Personal Information.
5.2 Authorized Persons. ZayZoon will limit access to Counterparty Personal Information to Authorized Persons who require access to perform their roles in connection with the Service and who are bound by obligations of confidentiality.
5.3 Notifiable Security Incident. ZayZoon will notify Counterparty without unreasonable delay after ZayZoon determines that a Notifiable Security Incident has occurred. ZayZoon’s notice will include, to the extent then known and to the extent ZayZoon may lawfully disclose: (a) a description of the nature of the Notifiable Security Incident; (b) the categories and approximate number of affected individuals; (c) the categories and approximate volume of Counterparty Personal Information affected; (d) the measures ZayZoon has taken or proposes to take to address the Notifiable Security Incident and mitigate its effects; and (e) a designated point of contact for further information. ZayZoon will update Counterparty as additional information reasonably becomes available. ZayZoon’s notification of, or response to, a Notifiable Security Incident under this Section will not be construed as an acknowledgment by ZayZoon of any fault or liability.
5.4 Cooperation. ZayZoon will provide commercially reasonable cooperation to Counterparty in connection with Counterparty’s investigation of, and response to, a Notifiable Security Incident, including with respect to Counterparty’s notification obligations to affected individuals, regulators, or other third parties under Applicable Privacy Laws.
- Individual Rights Assistance
6.1 Counterparty Responsibility. Counterparty is responsible for receiving, verifying, and responding to requests from Users or other individuals to exercise their rights under Applicable Privacy Laws, including rights of access, deletion, correction, portability, and opt-out from Sale, Share, Targeted Advertising, or profiling (each, a “Consumer Request”).
6.2 Direct Requests Received by ZayZoon. If ZayZoon receives a Consumer Request relating to Counterparty Personal Information directly from an individual, ZayZoon will (a) confirm that the request relates to Counterparty and (b) where appropriate, attempt to redirect the individual to exercise the request through Counterparty, and may provide Counterparty’s basic contact information to enable the individual to do so.
6.3 Assistance. Taking into account the nature of the Service and the information reasonably available to ZayZoon, ZayZoon will provide commercially reasonable assistance to Counterparty in responding to verified Consumer Requests relating to Counterparty Personal Information, to the extent Counterparty is unable to address such requests through Counterparty’s own use of the Service. Counterparty is responsible for verifying the identity of the requesting individual. Counterparty is responsible for ZayZoon’s reasonable costs incurred in providing assistance with Consumer Requests in excess of the assistance required of a Processor under Applicable Privacy Laws.
- Compliance Assistance
7.1 Data Protection Impact Assessments. Taking into account the nature of the Service and the information reasonably available to ZayZoon, ZayZoon will provide commercially reasonable assistance to Counterparty in connection with Counterparty’s data protection impact assessments or risk assessments required under Applicable Privacy Laws relating to ZayZoon’s Processing of Counterparty Personal Information.
7.2 Demonstration of Compliance. Upon Counterparty’s reasonable written request, and no more than once per calendar year (except in connection with a Notifiable Security Incident or to the extent and frequency actually required by Applicable Privacy Laws or by a regulator of competent jurisdiction), ZayZoon will make available to Counterparty information reasonably necessary to demonstrate ZayZoon’s compliance with its obligations under this DPA. ZayZoon may satisfy this obligation by providing (a) ZayZoon’s then-current security certification or attestation report (such as a SOC 2 Type 2 report), if any, (b) summaries of relevant security and privacy policies and procedures, and (c) written responses to reasonable due diligence questionnaires. Any information provided under this Section is ZayZoon’s Confidential Information.
7.3 Audits. If Applicable Privacy Laws or a specific legal obligation require audit rights beyond Section 7.2, the Parties will negotiate in good faith mutually acceptable audit terms. Any audit will be (a) conducted by an independent third-party auditor approved by ZayZoon (such approval not to be unreasonably withheld), (b) subject to confidentiality obligations consistent with the Agreement, (c) at Counterparty’s sole expense, (d) conducted during normal business hours upon at least thirty (30) days’ prior written notice, and (e) conducted in a manner that does not unreasonably disrupt ZayZoon’s operations or compromise the security or confidentiality of other customers’ data.
- Automated Decisionmaking
ZayZoon will not engage in profiling of Users in connection with the Service that produces legal or similarly significant effects on Users without Counterparty’s prior written authorization. To the extent any feature of the Service involves automated decisionmaking that is subject to Applicable Privacy Laws, ZayZoon will provide Counterparty with information reasonably necessary for Counterparty to fulfill its disclosure, opt-out, and assessment obligations under Applicable Privacy Laws.
- Electronic Communications
9.1 User Communications by ZayZoon. In connection with the Service, ZayZoon may send communications to Users by email, SMS, push notification, automated telephone dialing systems, voice, and other electronic means. ZayZoon obtains the consents, authorizations, and contact preferences applicable to such communications directly from Users through ZayZoon’s User-facing terms and Privacy Policy and the User registration and account management mechanisms made available by ZayZoon. ZayZoon will honor User opt-outs received through standard channels (including “STOP” for SMS and “unsubscribe” links for email) and will maintain internal suppression lists consistent with applicable law.
9.2 Carrier and Platform Compliance. ZayZoon is responsible for its compliance with carrier and platform requirements applicable to the sending of communications to Users in connection with the Service, including A2P 10DLC brand and campaign registration applicable to SMS messaging.
9.3 Counterparty Obligations. Counterparty represents and warrants that (a) Counterparty has the right to disclose to ZayZoon the User contact information and other Personal Information disclosed under the Agreement, (b) the User contact information disclosed to ZayZoon may be used by ZayZoon to send communications contemplated by the Service, and (c) Counterparty will not direct or instruct ZayZoon to send any communications that would violate the Telephone Consumer Protection Act (47 U.S.C. § 227), the CAN-SPAM Act, any state telemarketing or unsolicited electronic communications law, or any other applicable law. Counterparty is responsible for any communications Counterparty sends to Users or other persons (whether through Counterparty’s own systems or through any Counterparty-controlled feature of the Service) and for compliance with applicable law in connection with such communications.
9.4 Allocation of Risk. The Parties’ respective indemnification, limitation of liability, and other risk allocation provisions in the Agreement apply to claims, liabilities, fines, penalties, and losses arising under or relating to this Section 9. This Section 9 does not create separate or additional indemnification obligations.
- Return and Deletion at Termination
Upon the expiration or termination of the Agreement, ZayZoon will, at Counterparty’s written election made within thirty (30) days after such expiration or termination, return or delete Counterparty Personal Information then in ZayZoon’s possession or control, except to the extent ZayZoon is required to retain Counterparty Personal Information by Applicable Privacy Laws or other applicable law, or as part of routine archival or backup processes (in each case subject to the continued application of this DPA to such retained information). If Counterparty does not make a timely election under this Section, ZayZoon may delete Counterparty Personal Information at its discretion. Section 3.3 (De-Identified and Aggregated Information) survives.
- Liability
ZayZoon’s liability under or in connection with this DPA is subject to the limitations of liability set forth in the Agreement, and the aggregate liability of each Party under the Agreement and this DPA combined will not exceed the aggregate cap set forth in the Agreement. Nothing in this DPA creates a separate or additional cap on liability or supercap exception.
- General
12.1 Term. This DPA takes effect on the effective date of the Agreement and continues until the later of (a) the expiration or termination of the Agreement and (b) ZayZoon’s deletion or return of all Counterparty Personal Information in accordance with Section 10.
12.2 Conflict. Except as expressly set forth in this DPA, the terms of the Agreement remain in effect. In the event of conflict between this DPA and the Agreement with respect to the Processing of Counterparty Personal Information, this DPA prevails.
12.3 Modification. ZayZoon may modify this DPA from time to time. ZayZoon will notify Counterparty of any material modification by updating the version of this DPA available at www.zayzoon.com/dpa or by such other reasonable means as ZayZoon may elect.
12.4 Governing Law. This DPA is governed by the governing law specified in the Agreement.
12.5 Severability. If any provision of this DPA is held invalid, unenforceable, or illegal by a court of competent jurisdiction, the remaining provisions remain in full force and effect, and the invalid provision will be interpreted (or, if necessary, replaced) so as to give effect, to the maximum extent possible, to the original intent of the Parties.
12.6 Interpretation. This DPA is to be interpreted as broadly as necessary to comply with Applicable Privacy Laws. Any ambiguity in this DPA is to be resolved in favor of an interpretation that complies with Applicable Privacy Laws.