This Data Privacy Agreement (“DPA”) applies to any services agreement (“Agreement”) between ZayZoon US Inc. and Client or Partner (each, “Counterparty”) and is incorporated by reference when the CCPA covers Counterparty’s use of the Services and the processing of Personal Information. This DPA ensures that ZayZoon’s processing of Personal Information complies with the CCPA. This DPA does not apply if ZayZoon and Counterparty executed a separate data processing agreement compliant with the CCPA.

 

Definitions

 Capitalized terms used in this DPA have the meanings given below or, where not set out below, the meanings given in the Agreement or the CCPA.

• "Agreement" means the services agreement entered into between the Counterparty and ZayZoon.
• "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100, et seq., as may be amended from time to time, including but not limited to those amendments enacted by the California Privacy Rights Act of 2020, and any implementing regulations.
• "Counterparty Personal Information" means the Personal Information provided by Counterparty that ZayZoon processes on behalf of Counterparty in the course of performing the Services.
• "User" has the meaning set forth in the Agreement.
• "Participating Employees" means a User that has signed up for the Service.
• "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household in so far as such information relates to a Consumer within the scope of the CCPA.
• "Personal Information Security Breach" means an unauthorized access and exfiltration, theft, or disclosure as a result of ZayZoon’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the Personal Information, as described in subdivision (a)(1) of Cal. Civ. Code §1798.150.
• "Service" has the meaning set forth in the Agreement.

Terms that are defined within the CCPA that appear in this DPA, including but not limited to “Business,” “Commercial Purpose,” “Consumer,” “Service Provider,” “process,” “collect,” “sell,” and “share,” have the meanings defined in the CCPA.

In this DPA, references to Sections of the CCPA are to those Sections as amended by the CPRA.

 

Application

This DPA only applies to the extent that Counterparty or Eligible Employees are subject to the CCPA. ZayZoon shall not have any liability to Counterparty or Eligible Employees to the extent the basis of liability arises from a violation of CCPA or any other applicable law by Counterparty or Eligible Employees, failure by Counterparty to obtain necessary consents to use Personal Information or provide necessary opt-outs, or failure by Counterparty to fully comply with the Agreement or this DPA (collectively, “Failures”). Counterparty shall indemnify, defend, and hold ZayZoon harmless from any claims, demands, allegations, damages, losses, liabilities, fines, penalties, costs and expenses (including reasonable attorneys’ fees and costs) arising from such Failures.

Except as set out in this DPA or the Agreement, Counterparty is fully responsible for compliance with all applicable laws.  With regard to Counterparty Personal Information processed in accordance with the Agreement, Counterparty is the Business and ZayZoon is a Service Provider.

 

Data Processing Terms

3.1     Compliance with CCPA. ZayZoon will comply with all sections of the CCPA that apply to it as a Service Provider during the course, scope, and performance of its obligations as a Service Provider.

3.2     Business Purposes. ZayZoon will process Counterparty Personal Information only for purposes of (a) delivering the Services; (b) ensuring the security and integrity of the Counterparty Personal Information is reasonably necessary and proportionate for these purposes; (c) undertaking internal research for technological development and demonstration; and (d) for related purposes or as otherwise permitted by the CCPA (the “Business Purposes”).

3.3    Retention. ZayZoon shall only retain Counterparty Personal Information to deliver the Services and comply with its legal obligations. The Services may provide Counterparty and Participating Employees with controls that may be used to retrieve, block access to, correct, or delete content, and some content may be subject to user-defined retention or access periods.

3.4     Use Restriction. ZayZoon shall only process Counterparty Personal Information for limited and specified purposes (a) set forth in Section 3.2; (b) in accordance with Counterparty’s documented instructions, including those provided in the Agreement; (c) as necessary to comply with legal obligations; (d) as permitted by the CCPA; or (e) as otherwise agreed to in writing with Counterparty. ZayZoon shall not: (a) retain, use or disclose Counterparty Personal Information for any purpose other than for the Business Purposes or as otherwise permitted by the CCPA; (b) retain, use, or disclose Counterparty Personal Information for a Commercial Purpose other than providing the Services or as otherwise permitted by the CCPA; (c) Sell or Share Counterparty Personal Information; (d) retain, use or disclose Counterparty Personal Information outside of the direct business relationship between ZayZoon and the Counterparty, Participating Employees, or Eligible Employees; or (e) combine Counterparty Personal Information with Personal Information received from or on behalf of any other person or collected from ZayZoon’s own interaction with a consumer, except as specifically allowed under the CCPA. The foregoing does not apply to any information that is no longer Personal Information, including by application of Deidentification or aggregation techniques that meet the requirements of applicable law.

3.5     Subcontractors. ZayZoon acknowledges that the restrictions and obligations under the CCPA and this DPA apply even if ZayZoon engages subcontractors to perform services on its behalf. Service Provider will establish contracts with its subcontractors that comply with the CCPA.

 

Security

 4.1     Technical Measures.  +ZayZoon has implemented and will maintain commercially reasonable and appropriate technical and organizational measures in relation to the Services, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. This includes measures relating to the physical security of facilities used to deliver Services, measures to control access rights to assets and relevant networks, and processes for testing these measures.

 

Individual Rights

 5.1     If ZayZoon receives a request from an individual with respect to Counterparty Personal Information, ZayZoon will confirm that their request relates to Counterparty and attempt to redirect the individual to exercise that right through Counterparty (and may provide Counterparty’s basic contact information to enable them to do this).

5.2     When required by the CCPA, Counterparty will inform Service Provider of any Consumer request that requires Service Provider’s compliance, and will provide Service Provider with the information within Counterparty’s possession that is necessary for Service Provider to comply with the request. Taking into account the nature of the Services and Personal Information available to ZayZoon, where ZayZoon holds Counterparty Personal Information, ZayZoon will provide assistance in relation to individual rights requests in so far as this is technically possible and where Counterparty does not have the ability to address the request without ZayZoon’s assistance (including access, deletion, and correction requests). Counterparty is responsible for determining that the Consumer request has been verified and that the requestor is the individual whose Personal Information is being sought. Counterparty assumes sole responsibility for (and ZayZoon bears no responsibility for) Personal Information provided in good faith to Counterparty in reliance on this Section. Counterparty may be responsible for costs incurred by ZayZoon in connection with ZayZoon’s provision of such assistance.

 

Compliance

 6.1     Demonstration of Compliance.  Upon request by Counterparty, ZayZoon will make available to Counterparty information demonstrating that ZayZoon uses Counterparty Personal Information in a manner consistent with its obligations under the CCPA.

6.2     Certificate of Compliance.  ZayZoon will notify Counterparty if it determines that it can no longer meet its obligations under the CCPA. Upon such notice, Counterparty will have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Counterparty Personal Information by ZayZoon.

6.3     Legal Requests.  The obligations set out in this DPA shall not restrict ZayZoon’s ability to comply with (a) federal, state, or local laws; (b) a court order or subpoena to provide information; or (c) a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. ZayZoon shall not be in breach of this DPA or the Agreement if ZayZoon responds to such a request in compliance with applicable law.

6.4     Disclosure of Requests to Counterparty.  If ZayZoon receives a valid and binding request or order of a governmental body (e.g., a court order, law enforcement demand or other local equivalent) relating to Counterparty Personal Information, ZayZoon will attempt to redirect the requestor to seek disclosure directly from Counterparty (and may provide Counterparty’s basic contact information to enable them to do this this).

 

General

 7.1     This DPA shall remain in force until the earlier of: (i) the termination or expiry of the Agreement or (ii) ZayZoon ceasing to process Personal Information.

7.2     If any part of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable, or illegal, the other terms shall remain in force. Any invalid, unenforceable, or illegal term will be interpreted to give effect to the Parties’ commercial intention. If that is not possible, it will be severed but the rest shall remain in full force.

7.3     Except where this DPA conflicts with the Agreement, all other provisions of the Agreement remain unchanged. In the event of conflict between this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Counterparty Personal Information. This DPA together with the Agreement is the final, complete, and exclusive agreement of the Parties with respect to the subject matter of it and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. No other representations or terms shall apply or form part of this DPA. 

7.4     ZayZoon’s liability under or in connection with this DPA is subject to the limitations on liability contained in the Agreement.

7.5     This DPA and the Agreement shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of the CCPA. The Parties agree that this DPA shall be interpreted in favor of their intent to comply with the CCPA and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with the CCPA.

7.6     This DPA shall be governed by the governing law of the State of California.