Legal — Cluster 2
Data Processing Addendum
- Effective: January 1, 2025
- Version 3.0
- English (US)
CONTENTS
1. Definitions
2. Roles & Relationship
3. Processing Instructions
4. Data Subject Rights
5. Sub-processors
6. International Transfers
7. Security Measures
9. Data Retention & Deletion
10. Audit Rights
11. Liability
12. Term & Termination
13. Governing Law
Schedule A — Processing Details
AT A GLANCE
- ZWS acts as a data processor; the Customer is the data controller.
- ZWS processes personal data only on documented Customer instructions.
- Sub-processor changes are notified 30 days in advance with a right to object.
- International transfers rely on EU SCCs and equivalent UK mechanisms.
- Personal data breaches are reported within 72 hours of ZWS becoming aware.
- Data is deleted or returned within 30 days of agreement termination.
Definitions
Unless separately defined herein, capitalized terms have the meanings assigned in the ZWS Terms of Service or in applicable data protection law. For this DPA:
- Controller means the natural or legal person who determines the purposes and means of processing of personal data (the Customer in most cases).
- Processor means the entity that processes personal data on behalf of the Controller (ZWS in most cases).
- Data Protection Law means GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable national or state data protection legislation.
- Personal Data has the meaning given in applicable Data Protection Law.
- Processing means any operation performed on personal data including collection, storage, use, disclosure, and deletion.
- Standard Contractual Clauses (SCCs) means the clauses adopted by the European Commission under Decision 2021/914/EU.
- Sub-processor means any third party engaged by ZWS to process Personal Data on the Customer's behalf.
Roles and Relationship
The Customer is the Controller of Personal Data it uploads to or processes through ZWS services. ZWS is a Processor acting on the Customer's documented instructions. In limited contexts where ZWS independently determines the purposes and means of processing (e.g., billing records, security logs), ZWS acts as an independent Controller; such processing is governed by the ZWS Privacy Policy.
This DPA supplements and is incorporated into the agreement between the parties. By accepting the ZWS Terms of Service or executing an Order Form, the Customer agrees to this DPA.
Processing Instructions
ZWS shall process Personal Data only:
- On the documented instructions of the Customer, including those in the ZWS Terms of Service, Order Forms, and applicable service configuration; and
- To the extent necessary to provide, maintain, and improve the contracted services; and
- As required by applicable law, in which case ZWS shall inform the Customer unless prohibited by law.
If ZWS determines that a Customer instruction violates applicable Data Protection Law, ZWS will promptly notify the Customer. ZWS is not required to follow an instruction that would result in a violation of law.
ZWS personnel authorized to process Personal Data are subject to binding confidentiality obligations.
Data Subject Rights
As the Controller, the Customer is responsible for responding to data subject rights requests (access, rectification, erasure, portability, objection, restriction). ZWS will:
- Promptly forward to the Customer any rights request received directly by ZWS from a data subject
- Provide technically feasible assistance to the Customer in fulfilling such requests within the ZWS platform (e.g., data export tools, deletion APIs)
- Not respond directly to a data subject rights request without Customer authorization, except as required by law
Reasonable assistance beyond standard platform capabilities may be subject to ZWS's professional-services rates.
Sub-processors
The Customer grants ZWS a general authorization to engage Sub-processors, subject to the following conditions:
- ZWS will maintain a current list of Sub-processors at zoikoweb.com/legal/subprocessors.
- ZWS will notify the Customer at least 30 days before adding or replacing a Sub-processor by email and by updating the Subprocessors page.
- The Customer may object to a new Sub-processor within 14 days of notice on reasonable grounds related to data protection. If the parties cannot resolve the objection, the Customer may terminate the affected services without penalty within 30 days of the original notice.
- ZWS will impose data protection obligations on Sub-processors that are substantially equivalent to those in this DPA and remain liable to the Customer for Sub-processor acts and omissions.
International Transfers
Where ZWS transfers Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country not recognized as providing adequate protection, the parties agree that such transfers are subject to the EU SCCs (Module 2: Controller to Processor) as incorporated herein by reference, or the equivalent UK International Data Transfer Addendum where UK law applies.
The Annexes to the SCCs are populated as follows: Annex I corresponds to Schedule A of this DPA; Annex II describes ZWS's technical and organizational measures as set out in Section 7; Annex III lists the Sub-processors at /legal/subprocessors.
COUNSEL REVIEW REQUIRED
The SCCs must be executed as a standalone addendum or specifically referenced in a signed agreement. This document provides the contractual framework only; entities covered by GDPR or UK GDPR should consult qualified counsel.
Security Measures
ZWS implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at minimum:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Role-based access control with principle of least privilege and mandatory MFA for privileged access
- Vulnerability management, penetration testing, and security patching programs
- Physical security controls at ZWS data centers including locked cages, CCTV, and access logs
- Business continuity and disaster recovery plans with regular testing
- Binding confidentiality and security training requirements for personnel with access to Personal Data
- Logging and monitoring of access to Personal Data systems
Breach Notification
ZWS will notify the Customer without undue delay, and in any event within 72 hours of ZWS becoming aware of a Personal Data Breach that affects Customer data. The notification will include, to the extent known at the time:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected
- The name and contact details of the ZWS Data Protection Officer or equivalent contact point
- A description of likely consequences of the breach
- A description of measures taken or proposed to address the breach and mitigate its effects
ZWS may provide the above information in phases as it becomes available. The Customer is responsible for notifying relevant supervisory authorities and data subjects as required by applicable Data Protection Law. ZWS will provide reasonable cooperation to assist with such notifications.
Data Retention and Deletion
ZWS will retain Customer Personal Data for the duration of the applicable service agreement, plus any retention period required by law. Upon termination or expiration of the service agreement (or at Customer request, if sooner), ZWS will:
- Make Customer Personal Data available for export via the ZWS data-export tooling for a period of 30 days after the termination date; and
- Securely delete or anonymize all remaining Customer Personal Data within 60 days of the termination date, unless longer retention is required by applicable law; and
- On request, provide a written confirmation of deletion.
Backup copies of deleted data are overwritten in the ordinary course of ZWS's backup rotation cycle, typically within 90 days.
Audit Rights
ZWS will make available all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections by the Customer or a mutually agreed auditor, subject to the following conditions:
- At least 30 days' prior written notice is provided
- Audits are conducted no more than once per calendar year absent a specific security concern
- The audit scope is limited to ZWS systems relevant to the processing of Customer Personal Data
- The auditor executes a confidentiality agreement with ZWS before commencing the audit
- Costs of the audit are borne by the Customer unless the audit reveals material non-compliance
ZWS may satisfy audit obligations by providing up-to-date third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certification) in lieu of on-site inspection where the Customer agrees.
Liability
Each party's liability under this DPA is subject to the limitations set out in the applicable service agreement. To the extent Data Protection Law mandates unlimited or higher liability (e.g., GDPR Article 82), those mandatory provisions prevail over any contractual cap solely with respect to claims brought by data subjects or supervisory authorities, and not for claims between the parties.
Term and Termination
This DPA is effective from the date the Customer accepts the ZWS Terms of Service or enters into an applicable Order Form, and remains in force until the underlying service agreement terminates. Obligations regarding confidentiality, deletion, and audit survive termination.
Governing Law
This DPA is governed by and construed in accordance with the laws of the state of [State — Placeholder], United States, except that the SCCs and UK Addendum shall be governed by the applicable EU or UK law as required for their validity. Disputes are subject to the jurisdiction clause in the ZWS Terms of Service.
Processing Details
| Attribute | Details |
|---|---|
| Subject matter | Provision of cloud hosting, API, and managed services as described in the Order Form or ZWS Terms of Service |
| Duration | Term of the applicable service agreement |
| Nature of processing | Storage, transmission, computation, and backup on ZWS infrastructure as directed by the Customer |
| Purpose of processing | To provide the contracted services; to maintain service performance, security, and availability |
| Categories of data subjects | Customer's end-users, employees, contractors, and any other individuals whose data the Customer uploads to ZWS services |
| Categories of personal data | Determined by the Customer; may include contact details, account credentials, usage data, and any other data the Customer elects to process on ZWS infrastructure |
| Special categories | None anticipated; Customer must notify ZWS before processing special category data and obtain additional controls |
| Controller contact | As specified in the Customer's account registration or Order Form |
| Processor contact (DPO) | [email protected] |
Contact Channels
Data Protection Officer
[email protected]
Privacy Team
[email protected]