This Data Processing Agreement (“DPA”) supplements the Zeroe Customer Agreement or other agreement in place between the Customer and the contracting entity specified in the Master Services Agreement, which is a wholly-owned subsidiary of Zero Emit Solutions Holdings Ltd (“Zeroe” or “Parent Company”). All rights and obligations under this DPA pertain exclusively to the contracting entity identified in the Agreement. Unless otherwise defined in this DPA or the Agreement, all capitalized terms will have the meanings given in Section 9 of this DPA.
1. Scope and Term
1.1 Roles of the Parties
(a) Customer Personal Data. Zeroe will Process Customer Personal Data as the Customer’s Processor in accordance with the Customer’s instructions as outlined in Section 2.1 (Customer Instructions).
(b) Zeroe Account Data. Zeroe will Process Zeroe Account Data as a Controller for the following purposes: (i) to provide and improve the Products; (ii) to manage the Customer relationship (communicating with Customers and Users in accordance with their account preferences, responding to Customer inquiries and providing technical support, etc.); (iii) to facilitate security, fraud prevention, performance monitoring, business continuity, and disaster recovery; and (iv) to carry out core business functions such as accounting, billing, and filing taxes.
(c) Zeroe Usage Data. Zeroe will Process Zeroe Usage Data as a Controller for the following purposes: (i) to provide, optimize, secure, and maintain the Products; (ii) to optimize user experience; and (iii) to inform Zeroe’s business strategy.
(d) Description of the Processing. Details regarding the Processing of Personal Data by Zeroe are stated in Schedule 1 (Description of Processing).
1.2 Term of the DPA.
The term of this DPA coincides with the Agreement term and terminates upon expiration or earlier termination of the Agreement (or, if later, when Zeroe ceases all Processing of Customer Personal Data).
1.3 Order of Precedence
If there is any conflict or inconsistency among the following documents, the order of precedence is: (1) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions); (2) the main body of this DPA; and (3) the Agreement.
2. Processing of Personal Data
2.1 Customer Instructions
Zeroe must Process Customer Personal Data in accordance with the documented lawful instructions of Customer as stated in the Agreement (including this DPA) and respective Orders, as necessary to (i) provide the Products and related Support and Advisory Services to Customer and enable the use of various features and functionalities, (ii) investigate Security Incidents and enforce the Acceptable Use Policy, or (iii) comply with its legal obligations. Zeroe will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Applicable Data Protection Law.
2.2 Confidentiality
Zeroe must treat Customer Personal Data as Customer’s Confidential Information under the Agreement. Zeroe must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
3. Security
3.1 Security Measures
Zeroe has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. The Customer is responsible for configuring the Products and using features and functionalities made available by Zeroe to maintain appropriate security in light of the nature of Customer Data. The Customer acknowledges that the Security Measures are subject to technical progress and development and that Zeroe may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security during a Subscription Term.
3.2 Security Incidents
Zeroe will notify the Customer within 72 hours of becoming aware of a Security Incident, providing updates and assistance as necessary for compliance with data protection laws.
Zeroe must notify the Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Zeroe must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within Zeroe’s reasonable control. Upon the Customer’s request and taking into account the nature of the Processing and the information available to Zeroe, Zeroe must assist the Customer by providing information reasonably necessary for the Customer to meet its Security Incident notification obligations under the Applicable Data Protection Law. Notification of a Security Incident is not an acknowledgment by Zeroe of its fault or liability.
4. Sub-processing
4.1 General Authorization
By entering into this DPA, the Customer provides general authorization for Zeroe to engage Sub-processors to Process Customer Personal Data. Zeroe must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.
4.2 Notification of New Sub-processors
Zeroe maintains an up-to-date list of its Sub-processors here, which contains a mechanism for the Customer to subscribe to notifications of new Sub-processors. Zeroe will provide such notice to the subscribed email addresses.
4.3 Objection to New Sub-processors.
The Customer may object to Zeroe’s appointment of a new Sub-processor during the Sub-processor Notice Period. If Customer objects, Customer, as its sole and exclusive remedy, may terminate the applicable Order for the affected Product.
5. Assistance and Cooperation Obligations
5.1 Data Subject Rights
Taking into account the nature of the Processing, Zeroe must provide reasonable and timely assistance to the Customer to enable the Customer to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Customer Personal Data.
5.2 Cooperation Obligations
Upon Customer’s reasonable request, and taking into account the nature of the Processing, Zeroe will provide reasonable assistance to the Customer in fulfilling the Customer’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Customer cannot reasonably fulfill such obligations independently with the help of available documentation.
5.3 Third-Party Requests
Unless prohibited by Law, Zeroe will promptly notify the Customer of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling Zeroe to disclose Customer Personal Data. Zeroe will follow its law enforcement guidelines in responding to such requests. In the event that Zeroe receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Zeroe will redirect such inquiries to the Customer and will not provide any information unless required to do so under applicable Law.
6. Deletion and Return of Customer Personal Data
6.1 During Subscription Term
During the Subscription Term, the Customer and its Users may, through the features of the product, access, retrieve, or delete Customer Personal Data.
6.2 Post-Termination
Following the expiration or termination of the Agreement, Zeroe must, in accordance with the Agreement, delete all Customer Personal Data. Notwithstanding the foregoing, Zeroe may retain Customer Personal Data (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Zeroe will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Personal Data and not further process it except as required by Applicable Data Protection Law.
7. Audit
7.1 Audit Reports
Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Zeroe, Zeroe will supply a summary copy of relevant audit report(s) (“Report”) to the Customer so the Customer can verify compliance with the audit standards against which it has been assessed, and this DPA.
7.2 On-site Audits
Only to the extent Customer cannot reasonably satisfy Zeroe’s compliance with this DPA through the exercise of its rights under section 7.1 above, or where required by Applicable Data Protection Law or regulatory authority, Customer, or its authorized representatives, may, at Customer’s expense, conduct audits (including inspections) during the term of the Agreement to assess Zeroe’s compliance with the terms of this DPA. Any audit must (i) be conducted during Zeroe’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or regulatory authority requires a shorter notice period); (ii) be subject to reasonable confidentiality controls obligating the Customer (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) occur no more than once every twelve (12) months; and (iv) restrict findings to only information relevant to Customer.
8. International Provisions
To the extent Zeroe Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant to international transfers of Personal Data (directly or via onward transfer).
9. Definitions
“Applicable Data Protection Law” means all Laws applicable to the Processing of Personal Data under the Agreement.
“Zeroe Account Data” means Personal Data relating to Customer’s relationship with Zeroe, including: (i) Users’ account information (e.g. name, email address, or Zeroe’s account ID); (ii) billing and contact information of individual(s) associated with Customer’s Zeroe account (e.g. billing address, email address, or name); (iii) Users’ device and connection information (e.g. IP address); and (iv) content/description of technical support requests (excluding attachments) along with the Support Number.
“Zeroe Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation, support, or use of the Products, including via their connection to Third-Party Products. Zeroe Usage Data may include event name (i.e. what actions Users performed), event timestamps, browser information, diagnostic data, data types, file sizes, and similar information associated with data from the Products and Third-Party Products that Customer connects to the Products. For clarity, Zeroe Usage Data does not include Customer Personal Data.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means Personal Data contained in Customer Data and/or Customer Materials that Zeroe Processes under the Agreement solely on behalf of Customer. For clarity, Customer Personal Data includes any Personal Data included in the attachments provided by Customer or its Users in any technical support requests.
“Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
“Processing” (and “Process”) means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity that Processes Personal Data on behalf of the Controller.
“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by Zeroe and/or its Sub-processors.
“Sub-processor” means any third party (including Zeroe Affiliates) engaged by Zeroe to Process Customer Personal Data.
Schedule 1
Description of Processing
1. The categories of data subjects whose Personal Data is Processed: The Customer and its Users.
2. The categories of Personal Data Processed are Zeroe Account Data, Zeroe Usage Data, and Customer Personal Data.
3. Sensitive Data Transferred: Zeroe Account Data and Zeroe Usage Data do not contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offenses (altogether “Sensitive Data”). Subject to section 6.3 of the Agreement, Customer or its Users may upload content which may include Sensitive Data, the extent of which is determined and controlled solely by Customer.
4. The frequency of the transfer: Continuous.
5. Nature of the Processing: Zeroe will Process Personal Data in order to provide the Products and related Support and Advisory Services in accordance with the Agreement, including this DPA. Additional information regarding the nature of the Processing (including transfer) is described in respective Orders for relevant Products and Documentation referring to technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means.
6. Purpose(s) of the Processing:
6.1. Customer Personal Data: Zeroe will Process Customer Personal Data as Processor in accordance with Customer Instructions as set out in Section 2.1 (Customer Instructions).
6.2. Zeroe Account Data and Zeroe Usage Data: Zeroe will Process Zeroe Account Data and Zeroe Usage Data for the limited and specified purposes outlined in Section 1.1 (Roles of the Parties).
7. Duration of Processing:
7.1. Customer Personal Data: Zeroe will Process Customer Personal Data for the term of the Agreement as outlined in Section (Deletion and Return of Customer Personal Data).
7.2. Zeroe Account Data and Zeroe Usage Data: Zeroe will Process Zeroe Account Data and Zeroe Usage Data only as long as required (a) to provide Products and related Support and Advisory Services to Customer in accordance with the Agreement; (b) for Zeroe’s legitimate business purposes outlined in Section 1.1 (Roles of the Parties); or (c) by applicable law(s).
8. Transfers to Sub-processors: Zeroe will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).
Schedule 2
Region-Specific Terms
Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this Schedule will have the meanings given to them in Section 4 of this Schedule.
1. Definitions.
1.1. Where Personal Data is subject to the laws of one of the following regions, the definition of “Applicable Data Protection Law” includes:
(a) Australia: the Australian Privacy Act;
(b) Brazil: the Brazilian Lei Geral de Proteção de Dados (General Personal Data Protection Act);
(c) Canada: the Canadian Personal Information Protection and Electronic Documents Act;
(d) Europe: (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time (“EU Data Protection Law”);
(e) Japan: the Japanese Act on the Protection of Personal Information;
(f) Singapore: the Singapore Personal Data Protection Act;
(g) South Korea: the South Korean Personal Information Protection Act (“PIPA”) and the Enforcement Decrees of PIPA;
(h) Switzerland: the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time (“Swiss FADP”);
(i) The United Kingdom: the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded, or replaced from time to time (“UK Data Protection Law”);
(j) The United States: all state laws related to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act (“US State Privacy Laws”);
(k) The United Arab Emirates: all state laws related to the protection and Processing of Personal Data in effect in the United Arab Emirates, which may include, without limitation, Data Protection Law DIFC Law No. 5 of 2020, Federal Decree Law No 45 of 2021, ADGM Data Protection Regulations;
(l) Indonesia: all state laws related to the protection and Processing of Personal Data in effect in Indonesia, which may include, without limitation, Law No. 27 of 2022 concerning Personal Data Protection;
1.2. “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
1.3. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.
1.4. “Europe” includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.
1.5. “Service Provider” has the same meaning as given in the CCPA.