Last updated: 14 March 2024
This Data Processing Addendum (“DPA”) supplements and forms part of:
the Zapworks User Agreement for Business and Education users;
the Zapworks Enterprise Agreement for Enterprise customers; and
each agreement for the use of the Zapvision CMS (a “Zapvision CMS Agreement”).
Capitalised terms used, but not defined, in this DPA are defined either in the Zapworks Terms of Use published at https://zap.works/terms/ (for Zapworks users) or in the Zapvision CMS Terms of Use published at https://www.zappar.com/zapvision-cms-terms/ (for users of the Zapvision CMS).
Part 1: Introduction
Purpose
This DPA sets out the terms that apply when Personal Data is processed by Zappar on behalf of an Account Holder or Subscriber as part of the Services, where the Account Holder or Subscriber is acting as a Controller or Processor for the purposes of UK or EU Data Protection law or regulation, including the Data Protection Act 2018 (“UK DPA”) and European General Data Protection Regulation (“GDPR”) (collectively, the “Data Protection Laws”). It applies solely to the extent required by the Data Protection Laws and takes effect as of the date set out above.
Effect of DPA
If a provision of this DPA conflicts with a provision of the User Agreement, a Zapworks Enterprise Agreement or a Zapvision CMS Agreement (an “Applicable Agreement”), then this DPA will control with respect to the processing of Personal Data (as defined below). The Applicable Agreement will remain in full force and effect and will be unchanged except as modified by this DPA. This DPA will terminate automatically upon the expiry or termination of the Applicable Agreement.
Acceptance
Provided that the User is a party to an effective Applicable Agreement, this DPA shall take effect automatically as between the parties. The parties may also, at the request of the Account Holder or the Subscriber, enter into a version of this DPA which is physically or electronically signed by or on behalf of both parties. The parties may also by agreement enter into an individually negotiated data processing agreement provided such agreement satisfies the minimum requirements laid down in the Data Protection Laws.
Defined Terms
For the purposes of this DPA:
“Customer” means:
in the case of Zapworks, the Account Holder; and
in the case of the Zapvision CMS, the Subscriber;
the expressions “Controller”, “Data Subject”, “Processor”, “Personal Data Breach” and “processing” have the same meaning as in Article 4 of the GDPR;
“EEA” means the European Economic Area, consisting of all EU Member states plus Iceland, Liechtenstein and Norway;
“EU Data” means Personal Data to whose processing the GDPR applies;
“Personal Data” means any User Content of the Account Holder or User Data of a Subscriber that is or contains information that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under the Data Protection Laws. This does not include any personal data in respect of which Zappar is the sole Controller under the Data Protection Laws;
“Third Country” means (as applicable) a country outside the United Kingdom or EEA not recognised by the United Kingdom or European Commission as providing an adequate level of protection for personal data (as described in the UK GDPR or GDPR);
“UK Data” means Personal Data to whose processing the UK GDPR applies; and
“UK GDPR” means the GDPR as applied by Chapter 3 of Part 2 of the Data Protection Act 2018.
Part 2: Details of the Data Processing
Details of Zappar’s role as a Processor of Personal Data are as follows:
Subject Matter of the Personal Data processing: The subject matter of the data processing under this DPA is User Content or User Data that is Personal Data.
Duration of the Personal Data processing: The term of the Applicable Agreement and any period after the term prior to Zappar’s deletion of all Personal Data included within the User Content or User Data.
Purpose of the Personal Data processing: The purpose of the processing is to enable the Customer and their Authorised Users to receive and Zappar to provide the Services initiated by the Customer or their Authorised Users from time to time.
Nature of the Personal Data processing: The nature of the processing includes publication, hosting and serving of User Content or User Data across Zappar’s technology platform and such other services described in the Zapworks or Zapvision CMS documentation and initiated by the Customer or their Authorised Users from time to time.
Categories of Personal Data: In general, this may consist of identifying information and organisation data of the Customer’s customers and end users and Personal Data of Data Subjects contained in User Content or User Data such as names, contact information, images, videos, voices; together with such other categories as are agreed by the parties and recorded in writing. It is acknowledged that Zappar does not allow the Services to be used for the purposes of processing any of the “sensitive categories” of Personal Data specified in Article 9(1) of the GDPR and UK GDPR.
Categories of Data Subjects: To the extent User Content or User Data contains Personal Data, it may concern the Account Holder’s or the Subscriber’s end users, clients, customers, suppliers, employees, business contacts, members of the public and other individuals who have consented to their Personal Data being included within the Account Holder’s User Content or Subscriber’s User Data.
Part 3: Data Processing Terms
1. The Roles of the Parties
Independent Controllers:
Each party (“Controller Party”) acknowledges that it is an independent Controller with respect to Business Contact Data. “Business Contact Data” is personal data of the other party’s personnel processed by the Controller Party for the purpose of facilitating the Services and maintaining the business relationship.
Zappar as Processor:
To the extent that Zappar processes Personal Data in the course of providing the Services, it will do so only as a Processor acting on behalf of the Customer (as the Controller or a Processor for the Customer’s Controller(s)) and in accordance with the requirements of this DPA.
Compliance with laws:
Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the Data Protection Laws.
2. Scope of Processing
Zappar undertakes that it will only process the Personal Data on documented instructions from the Customer, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless Zappar is required to do so by either (a) in the case of EU Personal Data, European Union or national law to which Zappar is subject or (b) in the case of UK Data, domestic law; in such a case, Zappar shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
For the purposes of this Clause 2, the following shall be deemed to be documented instructions to Zappar:
Zappar may process UK Personal Data within the United Kingdom and/or the EEA. Zappar may process EU Personal Data within the United Kingdom (for so long as it is recognised by the European Commission as providing an adequate level of protection for the Personal Data) and/or the EEA. Any other processing of the Personal Data shall be subject to Clause 12 below.
Zappar shall immediately inform the Customer if, in Zappar’s opinion, an instruction given by or on behalf of the Customer would breach the GDPR or other European Union or Member State data protection provisions or the UK GDPR or other United Kingdom data protection provisions.
3. Obligations of the Customer
The Customer, as the Controller or Processor for the Controller, shall be responsible for ensuring that: (a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including the Data Protection Laws; and (b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Zappar for processing in accordance with the terms of the Applicable Agreement and this DPA.
The Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the Customer acquired the Personal Data.
4. Confidentiality
Zappar shall ensure that persons authorised by Zappar to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security
Zappar shall have in place and maintain throughout the term of this DPA appropriate technical and organisational measures to protect the Personal Data in accordance with the requirements of Article 32 of the GDPR and Article 32 of the UK GDPR. Zappar shall provide details of these measures to the Customer upon request.
6. Rights of Data Subjects
Zappar shall, taking into account the nature of the processing, provide the Customer with reasonable assistance by appropriate technical and organisational measures, insofar as this is possible and at the Customer’s cost, with fulfilling the Customer’s obligations to respond to requests by Data Subjects to exercise their rights laid down in Chapter III of the GDPR and Chapter III of the UK GDPR. If a request is made directly to Zappar, Zappar shall promptly inform the Customer.
7. Personal Data Breaches
Zappar shall (a) notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Personal Data which is the subject of this DPA; and (b) take appropriate measures to address the Personal Data Breach, including measures to mitigate any adverse effects resulting from the Personal Data Breach.
It is the Customer’s sole responsibility to ensure that its contact information is up to date at all times, so as to enable Zappar to notify Personal Data Breaches to the Customer.
8. Other Assistance
Zappar shall also provide the Customer with reasonable assistance, at the Customer’s cost, in ensuring compliance with the Customer’s obligations pursuant to Articles 32 to 36 of the GDPR and Articles 32 to 36 of the UK GDPR taking into account the nature of the processing and the information available to Zappar.
9. Deletion/Return of Personal Data
Upon the expiry or termination of the Applicable Agreement, Zappar shall, at the choice of the Customer, delete or return to the Customer all relevant Personal Data and delete all existing copies, save to the extent that Zappar is required by any applicable law to retain some or all of the Personal Data.
10. Audit Rights
Zappar will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and Article 28 of the UK GDPR. Whilst it is the parties' intention ordinarily to rely on the provision of the documentation to verify Zappar’s compliance with this DPA, Zappar shall permit the Customer (or their appointed third party auditor who must not be a competitor of Zappar) to carry out an audit of Zappar’s processing of Personal Data under the Applicable Agreement following a Personal Data Breach suffered by Zappar, or upon the instruction of a data protection authority. The Customer must give Zappar reasonable prior notice of such intention to audit, conduct its audit during Zappar’s normal business hours, and take all reasonable measures to prevent unnecessary disruption to Zappar's operations. Any such audit shall be subject to Zappar's reasonable security and confidentiality terms and guidelines. The Customer will reimburse Zappar for any such on-site audit at Zappar’s then-current rates, which shall be made available to the Customer upon request. The charges for the audit shall be reasonable taking into account the resources expended (or to be expended) by Zappar and where possible shall be agreed by the parties prior to commencement of the audit. If Zappar declines to follow any instruction requested by the Customer regarding audits, the Account Holder is entitled to terminate this DPA and the Applicable Agreement.
11. Use of Sub-Processors
The Customer agrees that Zappar may engage third party sub-processors (collectively, “Sub-Processors”) to process the Personal Data on the Customer’s behalf. Zappar shall impose on each Sub-Processor obligations that protect the Personal Data to the same or substantially similar standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-Processor. Zappar may by giving reasonable notice add or make changes to the Sub-Processors. If the Customer objects on reasonable grounds to any proposed change (e.g. if making Personal Data available to the Sub-Processor may violate applicable Data Protection Laws, or weaken the protections for such Personal Data) it must notify Zappar within 14 calendar days of the date of Zappar’s notification. Such notice shall contain the reasonable grounds for the objection. Following receipt of the Customer’s notice, the parties will work together in good faith to find an alternative solution. If the parties are unable to find an alternative solution acceptable to both of them within a reasonable period of time, which shall not exceed 30 calendar days, and Zappar is unable to continue to provide the Services to the Customer without use of the objected-to Sub-Processor, either party may at any time thereafter terminate the Applicable Agreement by written notice to the other, without imposing a penalty for such termination on the Customer.
The Sub-Processors used by Zappar to process Personal Data as at the effective date of this DPA are listed in the Schedule.
12. Transfers of Personal Data
Zappar will not transfer any Personal Data to a Third Country (a “Data Transfer”), except where (a) the Customer has agreed in writing to such transfer; (b) such transfer is necessary to provide the Services initiated by the Customer or their Authorised User, which may include caching User Content or User Data locally to improve content delivery performance; or (c) as necessary to comply with the law or binding order of a government body.
Data Transfers within (a) and (b) shall only be conducted on the basis of:
Zappar shall ensure that its Sub-Processors comply with this Section 12.
13. Amendment
Zappar may update and change any part or all of this DPA at any time by posting a new version on zap.works or zappar.com provided that the updated DPA continues to meet the minimum requirements laid down in the Data Protection Laws. When Zappar makes changes the “Last Updated” date will be updated to reflect the date of the most recent version.
14. Governing Law
This DPA shall be governed by and construed in all respects in accordance with the laws of England.
THE SCHEDULE
SUB-PROCESSORS
| Company name and address | Type of processing activities performed | Data storage location |
| --- | --- | --- |
| Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg | Content hosting and serving, including transmission of content through the cloud. | Primary storage location is in Ireland, but content may be cached locally to improve content delivery performance |