To review our previous Terms of Service Data Processing Addendum, you can find it here.
The purpose of this Data Processing Addendum (“DPA”) is to set out Ziflow’s obligations relating to the Personal Data processed by it in the provision of the Service to the Customer pursuant to the Contract.
Defined terms used in the Master Subscription Agreement shall have the same meaning where used in this DPA unless otherwise defined herein.
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.
Applicable Law means as applicable and binding on Customer, Ziflow and/or the Services:
- any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject;
- any court order, judgment or decree;
- or any direction, policy, rule, or order that is made or given by any regulatory body having jurisdiction over a party.
Controller means the entity which determines the purposes and means of the Processing of Personal Data.
Customer Content means electronic files, logos, data and information uploaded under Customer’s account to the Service, whether directly or through the API (i.e. the programming interface to the Service).
Data Protection Laws means
- the General Data Protection Regulation (EU) 2016/679 and any applicable national implementing laws as amended from time to time;
- the Data Protection Act 2018 and
- all laws about the processing of personal data and privacy applicable to the processing of Protected Data pursuant to this DPA.
Data Subject means the identified or identifiable person to whom Personal Data relates.
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws.
Personal Data means any information relating to
- an identified or identifiable natural person and,
- an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.
Processor means the entity which Processes Personal Data on behalf of the Controller.
Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings).
Processing Instructions has the meaning given to that term in clause 3.b.
Protected Data means Personal Data submitted to the Service (excluding any in Customer Content) or otherwise provided to Ziflow by the Customer in pursuance of use of the Service by Customer.
Sub-Processor means another Processor engaged by Ziflow for carrying out processing activities in respect of the Protected Data.
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Working Day means Monday to Friday inclusive excluding bank and public holidays in the UK.
2. Roles and obligations
The parties agree that, for the Protected Data, Customer shall be the Controller and Ziflow shall be the Processor.
Ziflow shall process the Protected Data in compliance with:
- the obligations of Processors under Data Protection Laws; and
- the terms of this DPA.
Customer, is required to ensure all Personal Data it provides to Ziflow for use in connection with the Service shall be collected and transferred to Ziflow or submitted to the Service in accordance with Data Protection Laws. For the avoidance of doubt, it shall be Customer’s responsibility to
- to ensure it has a legal basis for the processing of the Protected Data by Ziflow.
Customer as Controller is required, in its use of the Service, to Process Protected Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Protected Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Protected Data and the means by which Customer acquired Personal Data.
Insofar as Ziflow processes Protected Data, Ziflow:
- shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with Customer’s documented instructions from time to time and in accordance with Appendix 1 (Data Processing Particulars), as updated from time to time (“Processing Instructions”); and
- shall inform Customer if Ziflow is aware of a Processing Instruction that, in its opinion, infringes Data Protection Laws.
4. Technical and organisational measures
Security Measures. Ziflow:
- implements and maintains reasonable security measures appropriate to the nature of the Protected Data including, without limitation, technical, physical, administrative, and organizational controls, designed to maintain the confidentiality, security, and integrity of the Protected Data;
- implements and maintains industry-standard systems and procedures for detecting, preventing, and responding to attacks, intrusions, or other systems failures and regularly tests, or otherwise monitors the effectiveness of the safeguards’ key controls, systems, and procedures;
- designates an employee or employees to coordinate implementation and maintenance of its Security Measures (as defined below); and
- identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Protected Data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of safeguards in place to control these risks (collectively, Security Measures). Ziflow’s security policy is located here and will not be materially degraded during the term of all orders under the Agreement: https://www.ziflow.com/security.
5. Sub processors and staff
Ziflow has appointed Sub-Processor(s) under a written contract containing materially equivalent obligations to those in this Data Processing Addendum. Full details of current Sub-Processors and can be found here: https://www.ziflow.com/sub-processors.
Ziflow shall ensure that all of its personnel and contractors processing Protected Data are subject to a binding written contractual obligation with Ziflow or are under professional obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Ziflow shall, where practicable and not prohibited by Applicable Law, notify Customer of any such requirement before such disclosure) Ziflow is responsible for the acts, omissions, willful misconduct or negligence of sub-processors, staff and agents to include employees, contractors and temporary staff.
Ziflow may change Sub-Processor(s) form time to time. It is the responsibility Customer to regularly check the list of Sub-Processors published here: https://www.ziflow.com/sub-processors for changes. The Customer has twenty days (from date of the change in Sub-Processor) to object to the change in Sub-Processor on reasonable and objectively justifiable grounds. If Customer objects to the change in Sub-Processor, Ziflow will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of the Protected Data by the objected to new Sub-Processor. If Ziflow is unable to make available such change within a reasonable period of time, Customer may, by written notice, terminate the Service which cannot be provided by Ziflow without the use of the objected to new Sub-Processor. Ziflow will provide a refund of any prepaid fees covering the remainder of the term of such Service following the effective date of termination with respect to such terminated Service.
6. Data subject request and assistance
Ziflow shall promptly refer all Data Subject Requests it receives to Customer as appropriate (wherever practicable within two Working Days of receipt of the request).
Ziflow shall provide such assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to Ziflow) to ensure compliance with each party’s obligations under Data Protection Laws with respect to:
- Data Subject Requests;
- security of processing;
- data protection impact assessments (as such term is defined in Data Protection Laws);
- prior consultation with a Supervisory Authority regarding high risk processing; and
- notifications to the Supervisory Authority and/or communications to Data Subjects by Customer in response to any Personal Data Breach and for the avoidance of doubt Ziflow must promptly notify Customer in writing of any communications received by it from Data Subjects or Supervisory Authorities relating to the Protected Data without responding to either of the same unless it has been expressly authorised to do so by Customer.
Ziflow shall be entitled to reimbursement of its reasonable costs for providing such notifications and assistance pursuant to sub-clause 6.a. above.
7. Overseas transfers
To the extent required under Data Protection Laws, Ziflow shall ensure that any transfers (and any onward transfers) of Protected Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories (Third Countries), are effected by way of Appropriate Safeguards and in accordance with such Data Protection Laws which may include European Union approved Standard Contractual Clauses (“SCCs”).
In the event that Customer is situated in a Third Country and is processing Protected Data on behalf of users, customers or Affiliates situated in the European Economic Area or in the United Kingdom, in the absence of any other Appropriate Safeguards, to the extent applicable, Customer and Ziflow agree to the terms of the SCCs found here: https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF for the purposes of onward transfer as if the Customer is exporter from the EEA and Ziflow is the importer in a Third Country. Ziflow agrees to comply with the terms of such SCCs for onward transfer to its Sub-processors situated in Third Countries. For the purposes of Appendix 1 of the SCCs the relevant information is set out in Appendix 1 to this DPA and Ziflow Limited is the importer and Customer named in the Agreement is the exporter. For the purposes of Appendix 2 of the SCCs the relevant security information is set out here: https://www.ziflow.com/security.
7.3 Details of onward transfers by Ziflow to, and of the Appropriate Safeguards in place with, Sub- processors can be found here: https://www.ziflow.com/sub-processors.
8. Records and audits
Ziflow shall maintain written records of all categories of processing activities carried out on behalf of Customer.
Ziflow shall make available to Customer such information as is reasonably necessary to demonstrate its compliance with the obligations of Processors under Data Protection Laws, and shall allow for and contribute to audits, including inspections, by Customers (or another auditor mandated by Customer) for this purpose, subject to Customer:
- giving Ziflow at least 30 days’ advance notice of such information request, audit and/or inspection being required;
- the parties mutually agreeing the scope, timing, and duration of the audit in addition to a reimbursement rate Ziflow’s time and effort in co-operating with such audit, for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Ziflow; and
- ensuring that all information obtained or generated by Customer or its or its mandated auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law). Customer shall, and shall where appropriate procure that Customer, provide a copy of such information and audit reports to Ziflow following an inspection or audit pursuant to this clause 8.
9. Breach notification
In respect of any Personal Data Breach involving Protected Data, Ziflow shall without undue delay and in any event within 48 hours of becoming aware of the Personal Data Breach:
- notify Customer of the Personal Data Breach; and
- so far a possible without prejudicing the continued security of the Protected Data or any investigation into the Personal Data Breach, provide Customer with details of the Personal Data Breach.
10. Deletion or return of protected data
Customer may extract the Protected Data prior to or on termination in accordance with the Ziflow transition assistance policy located at http://www.ziflow.com/transition-assistance-policy.
Upon termination Ziflow will destroy any Protected Data remaining on the Service.
If after termination continued storage by Ziflow of any Protected Data is required by Applicable Law, Ziflow shall inform Customer of any such requirement and the period during which it is required to be stored. Ziflow shall not process such Protected Data except to the extent required by Applicable Law. Such Protected Data shall remain subject to the terms of this DPA.
If a party receives a compensation claim from a person (including but not limited to a Data Subject) relating to processing of Protected Data processed by Ziflow under the Contract, it shall promptly provide the other party with notice and full details of such claim. Customer shall make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of Ziflow.
This clause 11 does not affect the liability of Ziflow to any Data Subject or Supervisory Authority pursuant to a claim made directly against Ziflow by either of them.
As between Ziflow and Customer liability for all loss, damage, claims, fines or penalties (“Losses”) arising out of any breach of this DPA including for any Losses arising out of a Personal Data Breach, shall be governed by the limitations of liability and remedies for loss of data as set out in the Contract.
Customer acknowledges that it is not permitted to include Personal Data in Customer Content and Ziflow excludes all liability for any claims, penalties, fines, damages or costs arising in respect of Personal Data in Customer Content including from any Personal Data Breach involving Personal Data in Customer Content.
APPENDIX DATA PROCESSING PARTICULARS
1. Subject-matter of processing:
Identification and contact data of users of the Service; customer relationship management and payment management
2. Duration of the processing:
Subject to Clause 10 of this DPA, Ziflow will Process Protected Data for the duration of the Customer’s subscription to the Service, unless otherwise agreed upon in writing.
3. Nature and purpose of the processing:
To use the Protected Data for the purpose of providing the Services and as otherwise detailed in the Contract, and as further instructed by Customer in its use of the Services.
4. Type of Personal Data:
The use of the Service requires no Personal Data to be submitted by the Customer in Customer Content and Customer must not include Personal Data in Customer Content which is input into the Services. Customer may only submit Personal Data to the Services in relation to administration of users of the Service which includes, the following categories of Personal Data:
First and last name
Contact information (company, email, phone, physical business address)
Special Category Data: None
5. Categories of Data Subjects:
The Personal Data processed by Ziflow in relation to the Service relates only to the following categories of data subjects: Employees, agents, advisors, freelancers of Customer (who are natural persons) and who are authorized by Customer to use the Service
6. Processing Instructions
To use the Protected Data for the purpose of administering and managing authorised users of the Service and for payment and customer relationship management purposes and as otherwise instructed in writing from time to time.