This version has been superseded, please visit our most up to date DPA at www.ziflow.com/data-processing-addendum 

To review our previous Terms of Service Data Processing Addendum, you can find it here. 

The purpose of this Data Processing Addendum (“DPA”) is to set out Ziflow’s obligations relating to the Personal Data processed by it in the provision of the Service to the Customer pursuant to the Contract. 

1. DEFINITIONS

Defined terms used in the Terms of Service shall have the same meaning where used in this DPA unless otherwise defined herein.

Appropriate Safeguards	means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Applicable Law	means as applicable and binding on Customer, Ziflow and/or the Services: (a)            any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject; (b)            any court order, judgment or decree; or (c)            any direction, policy, rule or order that is made or given by any regulatory body having jurisdiction over a party;
Controller	means the entity which determines the purposes and means of the Processing of Personal Data;
Customer Content	means electronic files, logos, data and information uploaded under Customer’s account to the Service, whether directly or through the API (i.e. the programming interface to the Service);
Data Protection Laws	means (i) the General Data Protection Regulation (EU) 2016/679 and any applicable national implementing laws as amended from time to time and (ii) the Data Protection Act 2018 and (iii) all laws about the processing of personal data and privacy applicable to the processing of Protected Data pursuant to this DPA
Data Subject	means the identified or identifiable person to whom Personal Data relates;
Data Subject Request	means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
Personal Data Breach	means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
Processor	means the entity which Processes Personal Data on behalf of the Controller;
processing	means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings);
Processing Instructions	has the meaning given to that term in clause 3.2;
Protected Data	means Personal Data submitted to the Service (including as part of Customer Content) or otherwise provided to Ziflow by the Customer in pursuance of use of the Service by Customer;
Sub-Processor	means another Processor engaged by Ziflow for carrying out processing activities in respect of the Protected Data;
Supervisory Authority	means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
Working Day	means Monday to Friday inclusive excluding bank and public holidays in the UK.

2. ROLES AND OBLIGATIONS

2.1 The parties agree that, for the Protected Data, Customer shall be the Controller and Ziflow shall be the Processor.

2.2 Ziflow shall process the Protected Data in compliance with:

(a) the obligations of Processors under Data Protection Laws; and

(b) the terms of this DPA.

2.3 Customer, is required to ensure all Personal Data it provides to Ziflow for use in connection with the Service shall be collected and transferred to Ziflow or submitted to the Service in accordance with Data Protection Laws. For the avoidance of doubt, it shall be Customer’s responsibility to (i) ensure the terms of use it supplies to the Data Subjects of the Protected Data comply with Data Protection Laws including in particular any fair processing information requirements relating to the processing of the Protected Data by Ziflow and (ii) to ensure it has a legal basis for the processing of the Protected Data by Ziflow.

3. INSTRUCTIONS

3.1 Customer is required, in its use of the Service, to Process Protected Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Protected Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Protected Data and the means by which Customer acquired Personal Data.

3.2 Insofar as Ziflow processes Protected Data, Ziflow:

(a) shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with Customer’s documented instructions from time to time and in accordance with Appendix 1 (Data Processing Particulars), as updated from time to time (“Processing Instructions”); and

(b) shall inform Customer if Ziflow is aware of a Processing Instruction that, in its opinion, infringes Data Protection Laws.

4. TECHNICAL AND ORGANISATIONAL MEASURES

4.1 Ziflow shall implement and maintain

(a) appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed pursuant to this DPA, including where appropriate data protection by default and/or by design measures;

(b) taking into account the nature of the processing, the technical and organisational measures necessary to assist Customer insofar as is reasonably possible in the fulfilment of Customer’s obligations to respond to Data Subject Requests relating to Protected Data.

5. SUB PROCESSORS AND STAFF

5.1 Ziflow has appointed Sub-Processor(s) under a written contract containing materially equivalent obligations to those in this Data Processing Addendum. Full details of current Sub-Processors and can be found here: https://www.ziflow.com/sub-processors

5.2 Ziflow shall ensure that all of its personnel and contractors processing Protected Data are subject to a binding written contractual obligation with Ziflow or are under professional obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Ziflow shall, where practicable and not prohibited by Applicable Law, notify Customer of any such requirement before such disclosure) Ziflow is responsible for the acts, omissions, willful misconduct or negligence of sub-processors, staff and agents to include employees, contractors and temporary staff.

5.3 Ziflow may change Sub-Processor(s) form time to time. It is the responsibility Customer to regularly check the list of Sub-Processors published here: https://www.ziflow.com/sub-processors for changes. The Customer has twenty] days (from date of the change in Sub-Processor) to object to the change in Sub-Processor on reasonable and objectively justifiable grounds. If Customer objects to the change in Sub-Processor, Ziflow will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of the Protected Data by the objected to new Sub-Processor. If Ziflow is unable to make available such change within a reasonable period of time, Customer may, by written notice, terminate the Service which cannot be provided by Ziflow without the use of the objected to new Sub-Processor. Ziflow will provide a refund of any prepaid fees covering the remainder of the term of such Service following the effective date of termination with respect to such terminated Service.

6. DATA SUBJECT REQUEST AND ASSISTANCE

6.1 Ziflow shall promptly refer all Data Subject Requests it receives to Customer as appropriate (wherever practicable within two Working Days of receipt of the request).

6.2 Ziflow shall provide such assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to Ziflow) to ensure compliance with each party’s obligations under Data Protection Laws with respect to:

(a) Data Subject Requests;

(b) security of processing;

(c) data protection impact assessments (as such term is defined in Data Protection Laws);

(d) prior consultation with a Supervisory Authority regarding high risk processing; and

(e) notifications to the Supervisory Authority and/or communications to Data Subjects by Customer in response to any Personal Data Breach and for the avoidance of doubt Ziflow must promptly notify Customer in writing of any communications received by it from Data Subjects or Supervisory Authorities relating to the Protected Data without responding to either of the same unless it has been expressly authorised to do so by Customer.

6.3 Ziflow shall be entitled to reimbursement of its reasonable costs for providing such notifications and assistance pursuant to sub-clause 6.2 above.

7. OVERSEAS TRANSFERS

7.1  To the extent required under Data Protection Laws, Ziflow shall ensure that any transfers (and any onward transfers) of Protected Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories, are effected by way of Appropriate Safeguards and in accordance with such Data Protection Laws.

8. RECORDS AND AUDITS

8.1 Ziflow shall maintain written records of all categories of processing activities carried out on behalf of Customer.

8.2 Ziflow shall make available to Customer such information as is reasonably necessary to demonstrate its compliance with the obligations of Processors under Data Protection Laws, and shall allow for and contribute to audits, including inspections, by Customers (or another auditor mandated by Customer) for this purpose, subject to Customer:

(a) giving Ziflow at least 30 days’ advance notice of such information request, audit and/or inspection being required; and

(b) the parties mutually agreeing the scope, timing, and duration of the audit in addition to a reimbursement rate Ziflow’s time and effort in co-operating with such audit, for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Ziflow; and

(c) ensuring that all information obtained or generated by Customer or its or its mandated auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law). Customer shall, and shall where appropriate procure that Customer, provide a copy of such information and audit reports to Ziflow following an inspection or audit pursuant to this clause 8.

9. BREACH NOTIFICATION

9.1  In respect of any Personal Data Breach involving Protected Data, Ziflow shall without undue delay and within 48 hours of becoming aware of the Personal Data Breach:

(a) notify Customer of the Personal Data Breach; and

(b) so far a possible without prejudicing the continued security of the Protected Data or any investigation into the Personal Data Breach, provide Customer with details of the Personal Data Breach.

10. DELETION OR RETURN OF PROTECTED DATA

10.1 Customer may extract the Protected Data prior to or on termination in accordance with the Ziflow transition assistance policy located at http://www.ziflow.com/transition-assistance-policy.

10.2 Upon termination Ziflow will destroy any Protected Data remaining on the Service.

10.3 If after termination continued storage by Ziflow of any Protected Data is required by Applicable Law, Ziflow shall inform Customer of any such requirement and the period during which it is required to be stored. Ziflow shall not process such Protected Data except to the extent required by Applicable Law. Such Protected Data shall remain subject to the terms of this DPA.

11. LIABILITY

11.1 If a party receives a compensation claim from a person (including but not limited to a Data Subject) relating to processing of Protected Data processed by Ziflow under the Contract, it shall promptly provide the other party with notice and full details of such claim. Customer shall make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of Ziflow.

11.2 This clause 11 does not affect the liability of Ziflow to any Data Subject or Supervisory Authority pursuant to a claim made directly against Ziflow by either of them.

11.3 As between Ziflow and Customer liability for all loss, damage, claims, fines or penalties (“Losses”) arising out of any breach of this DPA including for any Losses arising out of a Personal Data Breach, shall be governed by the limitations of liability and remedies for loss of data as set out in the Contract.

 

APPENDIX 1 
DATA PROCESSING PARTICULARS

1. Subject-matter of processing:
   
   Identification and contact data of users of the Service
   
   
2. Duration of the processing:
   
   Subject to Clause 10 of this DPA, Ziflow will Process Protected Data for the duration of the Customer’s subscription to the Service, unless otherwise agreed upon in writing.

3. Nature and purpose of the processing:
   
   To use the Protected Data for the purpose of providing the Services and as otherwise detailed in the Contract, and as further instructed by Customer in its use of the Services.

4. Type of Personal Data:
   
   The use of the Service requires little to no Personal Data to be submitted by the Customer but the Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.  Customer may submit Personal Data in relation to administration of users of the Service which may include, but is not limited to the following categories of Personal Data:

Special Category Data:

None

5. Categories of Data Subjects:
   
   The use of the Service requires little to no Personal Data to be submitted by the Customer but the Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and which may include the following categories of Personal Data:

The Personal Data typically processed by Ziflow in relation to the Service relates only to the following categories of data subjects:

- Employees, agents, advisors, freelancers of Customer (who are natural persons) and who are authorized by Customer to use the Service

6. Processing Instructions
   
   To use the Protected Data for the purpose of providing the Service and as otherwise instructed in writing from time to time.