Data Processing Addendum
This Data Processing Addendum, including its Annexes, (“DPA”) is incorporated into and forms part of the agreement between ZINFI Technologies, Inc. (“ZINFI”) and Client (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data. To the extent there is a conflict between the terms of this addendum and the Agreement, the terms of the Agreement shall control.
By signing the Agreement, Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent ZINFI processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Client” shall include Client and Authorized Affiliates. The term of this DPA will follow the term of the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. ZINFI and Client may be individually referred to hereinafter as a “Party” and collectively as the “Parties”.
In the course of providing the Services to Client pursuant to the Agreement, ZINFI may Process Personal Data on behalf of Client and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. The Processor to Controller terms apply solely to the extent that ZINFI is a Processor of Personal Data in connection with providing its Services to Client.
DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Client and ZINFI, but has not signed its own Agreement with ZINFI and is not a “Client” as defined under this DPA.
“California Personal Information” means Client Personal Data that is subject to the protection of the CCPA.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Consumer”, “Business”, “Sell”, “Service Provider” and “Share” will have the meanings given to them in the CCPA.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Client” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Agreements.
“Client Data” means what is defined in the Agreement as “Client Data” or “Your Data”, provided that such data is electronic data and information submitted by or for Client to the Services.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
“European Data” means Client Personal Data that is subject to the protection of European Data Protection Laws.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"); in each case as may be amended, superseded, or replaced. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Instructions” means the written, documented instructions issued by Client to ZINFI and directing ZINFI to perform a specific or general action with regard to Client Personal Data (including, but not limited to, depersonalizing, blocking, deletion, and making available).
“Permitted Affiliates” means any of Client’s Affiliates that (i) are permitted to use ZINFI’s Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Client” as defined under the Agreement, (ii) qualify as a Controller of Client Personal Data or Controller Personal Data, and (iii) are subject to European Data Protection Laws.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Client Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and Council approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means any Processor engaged by ZINFI or its affiliates to assist in fulfilling its obligations with respect to the processing of Client Personal Data under this Agreement. Sub-Processors may include third parties or ZINFI’s Affiliates but will exclude any ZINFI employee or consultant.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as may be amended, superseded, or replaced.
“ZINFI” means ZINFI Technologies, Inc.
“ZINFI Group” means ZINFI and its Affiliates engaged in the Processing of Personal Data.
PROCESSING OF PERSONAL DATA
- Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller, ZINFI is the Processor and that ZINFI or members of the ZINFI Group will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
- Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of ZINFI as Processor. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
- ZINFI’s Processing of Personal Data. ZINFI shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement. ZINFI is not responsible for compliance with Data Protection Laws applicable to Client or its industry that are not generally applicable to ZINFI. Client acknowledges and agrees that ZINFI may access and Process Client Personal Data on a global basis as necessary to provide its Services in accordance with the Agreement, and in particular that Client Personal Data may be transferred to and Processed by ZINFI in the United States and to other jurisdictions where ZINFI Affiliates and Sub-Processors have operations. Wherever Client Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
- Details of the Processing. The subject-matter of Processing of Personal Data by ZINFI is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.
- Deletion or Return of Client Personal Data. ZINFI will delete or return all Client Personal Data including Client Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of Client’s Agreement in accordance with the procedures set out in our Terms and Conditions. This term will apply except where ZINFI is required by applicable law to retain some or all of the Client Data, or where ZINFI has archived Client Data on backup systems, which data ZINFI will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. If Client needs help retrieving its Client Data during the Subscription Term, ZINFI will provide reasonable assistance to Client, at Client’s cost, and in accordance with the ‘Confidentiality’ section of the Terms and Conditions. ZINFI will notify Client in advance of any applicable costs which will be commercially reasonable.
- Client Personal Data Breaches. ZINFI will notify Client without undue delay after ZINFI becomes aware of any Client Personal Data Breach and will provide timely information relating to the Client Personal Data Breach as it becomes known or reasonably requested by Client. At Client’s request, ZINFI will promptly provide Client with such reasonable assistance as necessary to enable Client to notify relevant Client Personal Data Breaches to competent authorities and/or affected Data Subjects, if Client is required to do so under Data Protection Laws.
- Client Instructions. Client is responsible for ensuring that its instructions to ZINFI regarding the Processing of Client Personal Data comply with applicable laws, including Data Protection Laws. The parties agree that the Agreement (including this DPA) constitutes Client’s complete Instructions to ZINFI in relation to ZINFI’s Processing of Client Personal Data, except that Client may provide additional instructions during the Term of the Agreement that are consistent with the Agreement and the nature and lawful use of the Services.
- Conflict of Laws. If ZINFI becomes aware that ZINFI cannot Process Client Personal Data in accordance with Client’s Instructions due to a legal requirement under any applicable law, ZINFI will (i) promptly notify Client of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Client Personal Data) until such time as Client issues new Instructions with which ZINFI is able to comply. If this provision is invoked, ZINFI will not be liable to Client under the Agreement for any failure to perform the applicable Subscription Services until such time as Client issues new lawful Instructions with regard to the Processing.
- Client Information. ZINFI shall inform Client immediately (i) if, in its opinion, an instruction from Client constitutes a breach of the GDPR and/or (ii) if ZINFI is unable to follow Client’s instructions for the Processing of Personal Data.
- Security. ZINFI will implement and maintain appropriate technical and organizational measures to protect Client Personal Data from Client Personal Data Breaches as described under Annex 2 to this DPA (“Security Measures”). Notwithstanding the foregoing, ZINFI may modify or update the Security Measures at its discretion provided that such modification does not result in a material degradation in the protection offered by the Security Measures.
RIGHTS OF DATA SUBJECTS
- Data Subject Request. ZINFI shall, to the extent legally permitted, promptly notify Client if ZINFI receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, ZINFI shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, ZINFI shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent ZINFI is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from ZINFI’s provision of such assistance.
- Required Assistance. Taking into account the nature of the Processing, ZINFI shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
- Additional Assistance. To the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, ZINFI shall upon Client’s written request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent ZINFI is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from ZINFI’s provision of such assistance.
ZINFI PERSONNEL & DATA PROTECTION OFFICER
- Confidentiality. ZINFI shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. ZINFI shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- Reliability. ZINFI shall take commercially reasonable steps to ensure the reliability of any ZINFI personnel engaged in the Processing of Personal Data.
- Limitation of Access. ZINFI shall ensure that ZINFI’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
- Data Protection Officer. Members of the ZINFI Group have appointed a data protection officer. The appointed person may be reached at [email protected]
SUB-PROCESSORS
- Appointment of Sub-processors. Client acknowledges and agrees that (a) ZINFI’s Affiliates may be retained as Sub-processors; and (b) ZINFI and ZINFI’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. ZINFI or a ZINFI Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Client Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- List of Current Sub-processors and Notification of New Sub-processors. The current list of Sub-processors for the Services being provided by ZINFI to Client is identified at https://www.zinfi.com/list-of-sub-processors/. By signing this DPA, Client elects to receive notifications via email at least 30 days prior to changes in the Sub-processors. If Client would like to opt out of receiving such updates, it can opt out of such notifications by sending an email to [email protected].
- Objection Right for New Sub-processors. Client may object to ZINFI’s use of a new Sub-processor by notifying ZINFI promptly in writing within thirty (30) days after receipt of ZINFI’s notice in accordance with the mechanism set out in Section 5.2. In the event Client objects to a new Sub-processor, as permitted in the preceding sentence, ZINFI will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Client. If ZINFI is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client may terminate the applicable Agreement with respect only to those Services which cannot be provided by ZINFI without the use of the objected-to new Sub-processor by providing written notice to ZINFI. ZINFI will refund Client any prepaid fees covering the remainder of the term of such Agreement following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Client.
- Liability. ZINFI shall be liable for the acts and omissions of its Sub-processors to the same extent ZINFI would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
SECURITY
- Controls for the Protection of Client Data. ZINFI shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client Data), confidentiality and integrity of Client Data. ZINFI regularly monitors compliance with these measures. ZINFI will not materially decrease the overall security of the Services during a subscription term.
- Client Obligations. Client is responsible for independently determining whether the data security provided for in the Services adequately meets its obligations under Data Protection Law. Client is also responsible for its secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service (including to securely back up or encrypt such data).
- Third-Party Certifications and Audits. ZINFI has obtained third-party certifications and audits. Upon Client’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, ZINFI shall make available to Client that is not a competitor of ZINFI (or Client’s independent, third-party auditor that is not a competitor of ZINFI) a copy of ZINFI’s then most recent third-party audits or certifications, as applicable.
CLIENT DATA INCIDENT MANAGEMENT AND NOTIFICATION
ZINFI maintains security incident management policies and procedures and shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data, including Personal Data, transmitted, stored or otherwise Processed by ZINFI or its Sub-processors of which ZINFI becomes aware (a “Client Data Incident”). ZINFI shall make reasonable efforts to identify the cause of such Client Data Incident and take those steps as ZINFI deems necessary and reasonable in order to remediate the cause of such a Client Data Incident to the extent the remediation is within ZINFI’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s Users.
ADDITIONAL PROVISIONS FOR CALIFORNIA PERSONAL INFORMATION
- Scope. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information that ZINFI Processes on Client’s behalf under the Agreement.
- Role of Parties. When processing California Personal Information in accordance with Client’s Instructions, the parties acknowledge and agree that Client is a Business and ZINFI is a Service Provider for the purposes of the CCPA.
- Responsibilities. ZINFI certifies that it will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA, including as described in the ‘Usage Data’ section of our Privacy Policy. Further, ZINFI certifies that it will not (i) Sell or Share California Personal Information; (ii) Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; or (iii) combine California Personal Information included in Client Data with Personal Data that it collects or receives from another source (other than information ZINFI receives from another source in connection with its obligations as a Service Provider under the Agreement).
- Compliance. ZINFI will (i) comply with the obligations applicable to us as a Service Provider under the CCPA; (ii) provide the same level of protection for California Personal Information as is required by the CCPA; and (iii) notify Client if it makes a determination that ZINFI can no longer meet our obligations as a Service Provider under the CCPA.
- CCPA Audits. Client will have the right to take reasonable and appropriate steps to help ensure that ZINFI uses California Personal Information in a manner consistent with Client’s obligations under the CCPA. Upon notice, Client will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
- Not a Sale. The parties acknowledge and agree that the disclosure of California Personal Information by Client to ZINFI does not form part of any monetary or other valuable consideration exchanged between the parties.
RETURN AND DELETION OF CLIENT DATA
ZINFI shall return Client Data to Client and, to the extent allowed by applicable law, delete Client Data in accordance with the procedures and timeframes specified in the Agreement.
AUTHORIZED AFFILIATES
- Contractual Relationship. The Parties acknowledge and agree that, by executing the Agreement, Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between ZINFI and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Client.
- Communication. The Client that is the contracting party to the Agreement shall remain responsible for coordinating all communication with ZINFI under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with ZINFI, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
- Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against ZINFI directly by itself, the Parties agree that (i) solely the Client that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Client that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 10.3.2, below).
- The Parties agree that the Client that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on ZINFI and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
EUROPEAN SPECIFIC PROVISIONS
- Scope. This ‘Additional Provisions for European Data’ section will apply only with respect to European Data that ZINFI Processes on Client’s behalf under the Agreement.
- Role of Parties. When Processing European Data in accordance with Client’s Instructions, the parties acknowledge and agree that Client is acting either as the Controller, or as a Processor on behalf of another Controller, and ZINFI is the Processor under the Agreement.
- Instructions. If ZINFI believes that Client’s Instruction infringes European Data Protection Laws (where applicable), ZINFI will inform Client without delay.
- Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and Client does not otherwise have access to the required information, ZINFI will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner’s Office (ICO)) or other competent data privacy authorities to the extent required by European Data Protection Laws.
- Data Transfers. ZINFI will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Client Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Client Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
ADDITIONAL PROVISIONS FOR CALIFORNIA PERSONAL INFORMATION
- Scope. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information that ZINFI Processes on Client’s behalf under the Agreement.
- Role of Parties. When processing California Personal Information in accordance with Client Instructions, the parties acknowledge and agree that Client is a Business, and ZINFI is a Service Provider for the purposes of the CCPA.
- Responsibilities. ZINFI certifies that it will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA, including as described in the ‘Usage Data’ section of our Privacy Policy. Further, ZINFI certifies that it will not (i) Sell or Share California Personal Information; (ii) Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; or (iii) combine California Personal Information included in Client Data with Personal Data that ZINFI collects or receives from another source (other than information ZINFI receives from another source in connection with its obligations as a Service Provider under the Agreement).
- Compliance. ZINFI will (i) comply with the obligations applicable to us as a Service Provider under the CCPA; (ii) provide the same level of protection for California Personal Information as is required by the CCPA; and (iii) notify Client if ZINFI makes a determination that it can no longer meet our obligations as a Service Provider under the CCPA.
- CCPA Audits. Client will have the right to take reasonable and appropriate steps to help ensure that ZINFI uses California Personal Information in a manner consistent with its obligations under the CCPA. Upon written notice, Client will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
- Not a Sale. The parties acknowledge and agree that the disclosure of California Personal Information by Client to ZINFI does not form part of any monetary or other valuable consideration exchanged between the parties.
IMPACT OF LOCAL LAWS
As of the Effective Date, ZINFI has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data as set forth in the Infrastructure and Sub-processors documentation, including any requirements to disclose Personal Data or measures authorizing access by a Public Authority, prevent ZINFI from fulfilling its obligations under this DPA. If ZINFI reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Client. In such a case, ZINFI shall use reasonable efforts to make available to the affected Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening Client. If ZINFI is unable to make available such change promptly, Client may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by ZINFI in accordance with the Local Laws by providing written notice in accordance with the “Notices” section of the Agreement.
TRANSFER MECHANISMS
Where the transfer of Client Personal Data or Controller Personal Data between the parties involves a Restricted Transfer and European Data Protection Laws require putting in place appropriate safeguards, ZINFI and Client will comply with the following:
- Data Privacy Framework. ZINFI participates in and certifies compliance with the Data Privacy Framework. Where and to the extent the Data Privacy Framework applies, ZINFI will use the Data Privacy Framework to lawfully receive Client Personal Data and Controller Personal Data in the United States and will provide at least the same level of protection to such data as is required by the Data Privacy Framework Principles. ZINFI will inform Client if ZINFI is unable to comply with this requirement.
- Standard Contractual Clauses. If European Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer and/or the Data Privacy Framework is invalidated), the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:
(A) In relation to Client Personal Data that ZINFI Processes as a Processor (i) the Module Two terms apply to the extent Client is a Controller and the Module Three terms apply to the extent Client is a Processor of Client Personal Data; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 9, Option 2 applies and changes to Sub Processors will be notified in accordance with the ‘Sub Processors’ section of this DPA; (iv) in Clause 11, the optional language is deleted; (v) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles); (vi) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (vii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.
(B) In relation to Controller Personal Data for which ZINFI and Client are each a Controller (i) the Module One terms apply; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 11, the optional language is deleted; (iv) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles); (v) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (vi) the supervisory authority that will act as competent supervisory authority will be the Irish Data Protection Commission.
(C) In relation to Client Personal Data and Controller Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with subsection (A) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(D) In relation to Client Personal Data and Controller Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with subsection (A) and the following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU," "Union," and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland."
(E) In relation to Client Personal Data that ZINFI Processes as a Processor, Client agrees that by complying with our obligations under the ‘Sub-Processors’ section of this DPA, ZINFI fulfills its obligations under Section 9 of the Standard Contractual Clauses. For the purposes of Clause 9(c) of the Standard Contractual Clauses, Client acknowledges that ZINFI may be restricted from disclosing Sub-Processor agreements, but ZINFI will use reasonable efforts to require any Sub-Processor ZINFI appoints to permit it to disclose the Sub-Processor agreement to Client and will provide (on a confidential basis) all information ZINFI reasonably can. Client also acknowledges and agrees that it will exercise its audit rights under Clause 8.9 of the Standard Contractual Clauses by instructing ZINFI to comply with the measures described in the ‘Demonstration of Compliance’ section of this DPA.
(F) If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict. Where the ZINFI contracting entity under the Agreement is not ZINFI Technologies, Inc., such contracting entity (not ZINFI Technologies, Inc.) will remain fully and solely responsible and liable to ZINFI for the performance of the Standard Contractual Clauses by ZINFI, Inc., and Client will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity. If ZINFI cannot comply with its obligations under the Standard Contractual Clauses for any reason, and Client intends to suspend or terminate the transfer of Personal Data to ZINFI, Client agrees to provide ZINFI with reasonable written notice to enable ZINFI to cure such noncompliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such noncompliance. If ZINFI has not or cannot cure the noncompliance, Client may suspend or terminate the affected part of the Subscription Service in accordance with the Agreement. In the event of such termination under this Section, Client will remain obligated to pay for any and all invoices issued by ZINFI prior to termination, and any and all professional services provided by ZINFI through termination. Client, however, will have no obligation to pay for any future invoices issued after termination other than future invoices for professional services previously rendered prior to termination.
14.3 Alternative Transfer Mechanism. In the event that ZINFI is required to adopt an alternative transfer mechanism under European Data Protection Laws, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and Client agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
PARTIES TO THIS DPA.
Permitted Affiliates. By signing the Agreement, Client enters into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of itself and in the name and on behalf of its Permitted Affiliates. For the purposes of this DPA only and except where indicated otherwise, the terms “Client,” “you,” and “your” will include Client and such Permitted Affiliates.
Authorization. The legal entity agreeing to this DPA as Client represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
Remedies. The parties agree that (i) solely the Client entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Client entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Client entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
Other Rights. The parties agree that Client will, when reviewing ZINFI’s compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Client entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.
GENERAL PROVISIONS
- Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, ZINFI reserves the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment; No Waiver’ section of ZINFI’s Terms and Conditions will apply.
- Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
- Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and ZINFI, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, ZINFI’s and its Affiliates’ total liability for all claims from Client and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Client and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Client and/or to any Authorized Affiliate that is a contractual party to any such DPA.
- Governing Law. This DPA will be governed by and construed in accordance with the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.
ZINFI Technologies, Inc., by and on behalf of its affiliates, as applicable. | Controller: _______________________
Signature: ________________________ | Signature: ________________________
Name: ___________________________ | Name: ___________________________
Title: | Title:
List of Annexes
Annex 1: Details of the Processing
Annex 2: Security
Annex 3: Sub-Processors
ANNEX 1
DETAILS OF THE PROCESSING
- LIST OF PARTIES
Data Exporter(s):
Name: Client as defined in the Agreement between ZINFI and Client, and its Permitted Affiliates
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement and as further described in the Documentation.
Role (controller/processor): Controller (either as the Controller or acting in capacity of a Controller, as Processor, on behalf of another Controller)
Data Importer(s):
Name: ZINFI Technologies, Inc.
Address: 6200 Stoneridge Mall Road Suite 300, Pleasanton, California 94588
Contact person’s name, position and contact details: Sudip Kr. Chaudhuri, Head of Engineering, [email protected]
Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement.
Role (controller/processor): Processor
- FREQUENCY OF TRANSFER & DURATION OF PROCESSING:
Unless otherwise agreed in writing, continuous basis during the Term of the Agreement depending on the use of the Services by Client.
- DESCRIPTION OF TRANSFER
Categories of Data Subjects Whose Data Is Transferred
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, Clients, business partners and vendors of Client (who are natural persons)
- Employees or contact persons of Client’s prospects, Clients, business partners and vendors
- Employees, agents, advisors, freelancers of Client (who are natural persons)
- Client’s Users authorized by Client to use the Services
Types of Personal Data Transferred
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Localization data
Special Categories of Data
Client may submit special categories of Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Nature of Processing.
Customer Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities: (1) Storage and other Processing necessary to provide, maintain and improve the Services, and (2) Services provided to Client; and/or Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of Processing and Further Processing
ZINFI will process Personal Data as necessary to perform Services pursuant to the Agreement, as further specified in the Agreement and as further instructed by Client in its use of the Services.
Period for which Personal Data will be retained
Subject to the ‘Deletion or Return of Client Personal Data’ section of this DPA, ZINFI will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
ANNEX 2
SECURITY MEASURES
ZINFI will maintain administrative, physical and technical safeguards for protection of security, confidentiality and integrity of Personal Data uploaded to the Services, as described in Security, Privacy, and Architecture Documentation applicable to the specific Services purchased by Client, which may include the following:
- Physical Access Control
Measures to ensure that unauthorized persons will not have physical access to systems used to process Personal Data.
- security guards, doormen
- (issue of) keys and corresponding documentation
- electronic access control system
- video surveillance (cctv)
- security checks for any external companies/services
- security checks for visitors (escorting of visitors)
- security guidelines for utilization of mobile devices (e.g., smartphones, notebook computers)
- System Access Control
Measures to prevent data processing systems from being used without authorization:
- password guidelines (incl. digits/special characters, min. length, password expiration, password history)
- multi-factor authentication
- automatic log-out or password-protected screensaver after certain time period without user activity
- access authentication rules for terminals and users
- firewall, anti-virus protection
- intrusion detection/intrusion prevention
- logging of access
- securing external interfaces
- Data Access Control
Measures to ensure that persons authorized to use data processing systems have access only to those data they are authorized to access, and that Personal Data cannot be read, copied, altered or removed without authorization during processing, use and after:
- access control concept (access rights limited by profiles and roles)
- documentation of access rights
- approval and assignment of access rights through authorized personnel only
- Data Transfer Control
Measures to ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred Personal Data using data transmission facilities:
- transport encryption
- encryption of physical data carriers
- Data Entry Control
Measures to ensure that it is possible after the fact to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
- documenting / logging of physical access
- logging of system access (e.g., login name, IP address)
- logging of individual actions
- other event logging (e.g., intrusion and hacking attempts, unsuccessful login attempts)
- Control of Processors
Measures to ensure that Personal Data processed on behalf of others is processed strictly in compliance with the data exporter’s instructions:
- Business contact details such as Name, business email, business phone numbers, etc. would be primarily processed and housed by the data importer
- data processing agreements
- Availability Control
Measures to ensure that Personal Data are protected against accidental destruction or loss:
- backup in separate location and regular tests of recovery procedures
- business continuity/disaster recovery concept
- uninterruptible power supply (UPS)
- anti-theft measures
- fire protection (early-warning-fire-detection, extinguishing system)
- water protection
- redundant air conditioning system
- Separation of Data
Measures to ensure that data collected for different purposes can be processed separately:
- clear physical and/or logical separation of data from data of other data exporters
- separated systems for development, test and production environment
ZINFI will not materially decrease the overall security of the Services during the term of an Agreement.
ANNEX 3
SUB-PROCESSORS
This Annex 3 is incorporated into the DPA and the Agreement. This annex explains how ZINFI engages with Sub-Processors.
ZINFI currently uses the Sub-processors identified at https://www.zinfi.com/list-of-sub-processors/ to Process Personal Data as necessary to perform the Services pursuant to the Agreement. By signing the Agreement and agreeing to the DPA, Client agrees that all of the Sub-Processors on this list may have access to Client Data.
Due to the nature of ZINFI’s global business and its ongoing efforts to provide the best possible service to Client, Sub-Processors may change from time to time. For example, ZINFI may remove a Sub-Processor to consolidate and minimize our use of service providers or ZINFI may add a Sub-Processor if ZINFI believes that doing so will enhance its ability to deliver our Subscription Service.
By signing this DPA, Client elects to receive notifications via email at least 30 days prior to changes in the sub-processors. If Client would like to opt out of receiving such updates, it can opt out of such notifications by sending an email to [email protected]. So long as Client does not opt out of receiving notifications of change in sub-processors, ZINFI will notify Client at least 30 days prior to any change of sub-processor taking effect.
For more information on ZINFI’s privacy practices, please visit ZINFI’s privacy policy page. If Client has any questions regarding this page, please contact ZINFI at [email protected]
EXECUTED BY THE PARTIES’ AUTHORIZED REPRESENTATIVES:
On behalf of the data exporter:
Name (written out in full):
…
Position:
…
Address:
…
Other information necessary in order for the contract to be binding (if any):
Signature ____________________
On behalf of the data importer:
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature ____________________
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses (the ‘Clauses’).
A description of the Details of Processing, including (i) List of Parties, (ii) Description of the Transfer and (iii) Competent Supervisory Authority, is set out in Annex 1 of the DPA.
DATA EXPORTER
Name: …
Authorized Signature …
DATA IMPORTER
Name:
Authorized Signature
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses (the ‘Clauses’).
A description of the technical and organizational security measures implemented by the data importer in accordance with the Standard Contractual Clauses is set out in Annex 2 of the DPA.
DATA EXPORTER
Name: …
Authorized Signature …
DATA IMPORTER
Name:
Authorized Signature
APPENDIX 3 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses (the ‘Clauses’).
The list of Sub-Processors used by the data importer in accordance with Clause 9(a) of the Standard Contractual Clauses is set out in Annex 2 of the DPA:
DATA EXPORTER
Name: …
Authorized Signature …
DATA IMPORTER
Name:
Authorized Signature