Global Data Processing Agreement

Effective Date: 07/01/2024

Last Updated: 09/01/2024

The Client agreeing to these terms (“Customer”), and Zalow Inc. or any other entity that directly or indirectly controls, is controlled by, or is under common control with Zalow Inc. (as applicable, “Zalow”) (each, a “party” and collectively, the “parties”), have entered into an agreement under which Zalow has agreed to provide a marketplace where Clients and Freelancers can identify each other and advertise, buy, and sell Freelancer Services online, with such other services, if any, described in the agreement (the “Service”) to Customer (as amended from time to time, the “Agreement”).

 

Unless otherwise agreed to in writing by you and Zalow, to the extent Zalow processes any EU personal data for you as a controller (as defined by the General Data Protection Regulation (EU) 2016/679) in your role as a Customer as defined in this Global Data Processing Agreement (the “DPA”), this DPA applies. This DPA, including its appendices, supplements the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.

1. Introduction

This DPA reflects the parties’ agreement with respect to the processing and security of Customer Data under the Agreement.

2. Definitions

2.1 Exceptions

The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

2.2 Standard:

  • “Affiliate” means any entity that controls or is under common control with a specified entity.

  • “Agreed Liability Cap” means the maximum monetary or payment-based amount at which a party’s liability is capped under the Agreement.

  • “Confidential Information” means any information or materials (regardless of form or manner of disclosure) that are disclosed by or on behalf of one party to the other party that (i) are marked or communicated as being confidential at or within a reasonable time following such disclosure; or (ii) should be reasonably known to be confidential due to their nature or the circumstances of their disclosure. The term “Confidential Information” does not include any information or materials that: (a) are or become generally known or available to the public through no breach of this Agreement or other wrongful act or omission by the receiving party; (b) were already known by the receiving party without any restriction; (c) are acquired by the receiving party without restriction from a third party who has the right to make such disclosure; or (d) are independently developed by or on behalf of the receiving party without reference to any Confidential Information.

  • “Customer Account Data” means personal data that relates to Customer’s relationship with Zalow, including the names and/or contact information of individuals authorized by Customer to access Customer’s Zalow account and billing information of individuals that Customer has associated with its Zalow account.

  • “Customer Personal Data” means the personal data contained within the Customer Data.

  • “Customer Data” means the data entered into the Service by or on behalf of any End User, but excludes Customer Account Data.

  • “End User” means an authorized user of the Service under Customer’s account.

  • “Data Incident” means a breach of Zalow’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Zalow. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

  • “EEA” means the European Economic Area, Switzerland, and/or the United Kingdom.

  • “European Data Protection Legislation” means, as applicable: (a) the GDPR and its respective national implementing legislations; and/or (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).

  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

  • “EU SCCs” means the EU Standard Contractual Clauses approved by the European Commission in decision 2021/914 located at https://eurex.europa.eu/eli/dec_impl/2021/914/oj.

  • “Non-European Data Protection Legislation” means, as applicable, the data protection or privacy laws, regulations, and other legal requirements other than the European Data Protection Legislation.

  • “Notification Email Address” means the contact email address that you provided to Zalow for the purpose of receiving notices from Zalow.

  • “Security Measures” has the meaning given in Section 7.1.1 (Zalow’s Security Measures).

  • “Subprocessors” means third parties authorized under this DPA to have logical access to and process Customer Data in order to provide parts of the Service. For clarity, freelancers that clients engage via Zalow are not Subprocessors under this DPA.

  • “Term” means the period from the DPA’s effective date until the end of Zalow’s provision of the Service, including, if applicable, any period during which provision of the Service may be suspended and any post-termination period during which Zalow may continue providing the Service for transitional purposes.

  • “United Kingdom International Data Transfer Agreement or Addendum” (“UK IDTA”) means either, as applicable, (a) the International Data Transfer agreement when used under the UK GDPR, or (b) the International Data Transfer Addendum to the EU SCCs issued by the Commissioner under s119A(1) of the Data Protection Act 2018, version A1.0, in force from March 21, 2022.

 

3. Duration of this DPA

This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Data by Zalow as described in this DPA.

 

4. Data Protection Legislation

 

4.1 Application of European Legislation.

The parties acknowledge that the European Data Protection Legislation will apply to the processing of Customer Personal Data to the extent provided under the European Data Protection Legislation.

 

4.2 Application of Non-European Legislation.

The parties acknowledge that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.

 

5. Processing of Data

 

5.1 Roles and Regulatory Compliance; Authorization.

 

5.1.1 Processor and Controller Responsibilities.

If the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:

  • 5.1.1.1 Customer is a controller (or processor, as applicable), of the Customer Personal Data under European Data Protection Legislation;

  • 5.1.1.2 Zalow is a processor (or subprocessor, as applicable) of the Customer Personal Data under the European Data Protection Legislation; and

  • 5.1.1.3 each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data.

 

5.1.2 Responsibilities under Non-European Legislation.

If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.

 

5.1.3 Authorization by Third Party Controller.

If Customer is a processor, Customer warrants to Zalow that Customer’s instructions (defined below) and actions with respect to that Customer Personal Data, including its appointment of Zalow as another processor, have been authorized by the relevant controller to the extent required by applicable law.

 

5.2 Scope of Processing.

The subject matter and details of the processing are described in Appendix 1.

 

5.2.1 Customer’s Instructions.

By entering into this DPA, Customer instructs Zalow to process Customer Personal Data only in accordance with applicable law: (a) to provide the Service; (b) as further specified through Customer’s use of the Service; (c) as documented in the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Customer and acknowledged by Zalow as constituting instructions for purposes of this DPA (each and collectively, “Customer’s Instructions”) and only for the foregoing purposes and not for the benefit of any other third party. Zalow may condition the acknowledgement described in (d) on the payment of additional fees or the acceptance of additional terms.

 

5.2.3 Zalow’s Compliance with Instructions.

With respect to Customer Personal Data subject to European Data Protection Legislation, Zalow will comply with the instructions described in Section 5.2.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Zalow is subject requires other processing of Customer Personal Data by Zalow, in which case Zalow will inform Customer (unless that law prohibits Zalow from doing so on important grounds of public interest) via the Notification Email Address.

 

6. Data Deletion

 

6.1 Deletion by Customer.

Zalow will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service. If Customer uses the Service to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Zalow to delete the relevant Customer Data from Zalow’s systems in accordance with applicable law. Zalow will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage. Nothing herein requires Zalow to delete Customer Data from files created for security, backup, and business continuity purposes sooner than required by Zalow’s existing data retention processes.

 

6.2 Deletion on Termination.

On expiry of the Term, Customer instructs Zalow to delete all Customer Data (including existing copies) from Zalow’s systems in accordance with applicable law. Zalow will comply with this instruction as soon as reasonably practicable, unless applicable law requires storage. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards. If the EU or the UK SCCs are applicable to Zalow’s processing of Customer Personal Data, the parties agree that the certification of deletion referenced in Clauses 8.5 and 16(d) of the EU and the UK SCCs shall be provided only upon Customer’s written request. Nothing herein requires Zalow to delete Customer Data from files created for security, backup, and business continuity purposes sooner than required by Zalow’s existing data retention processes.

 

7. Data Security

 

7.1 Zalow’s Security Measures, Controls and Assistance.

 

7.1.1 Zalow’s Security Measures.

Zalow will implement and maintain technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Zalow’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Zalow may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade the overall security of the Service.

 

7.1.2 Security Compliance by Zalow Staff.

Zalow will take appropriate steps to ensure compliance with the Security Measures by its staff to the extent applicable to their scope of performance, including ensuring that all such persons it authorizes to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

7.1.3 Zalow’s Security Assistance.

Customer agrees that Zalow will (taking into account the nature of the processing of Customer Personal Data and the information available to Zalow) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:

  • 7.1.3.1 implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Zalow’s Security Measures);

  • 7.1.3.2 complying with the terms of Section 7.2 (Data Incidents); and

  • 7.1.3.3 providing Customer with the information contained in the Agreement including this DPA.

 

7.2 Data Incidents.

 

7.2.1 Incident Notification.

If Zalow becomes aware of a Data Incident, Zalow will: (a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.

 

7.2.2 Details of Data Incident.

Notifications made pursuant to this section will describe, to the extent practicable, details of the Data Incident, including steps taken to mitigate the potential risks and any steps Zalow recommends Customer take to address the Data Incident.

 

7.2.3 Delivery of Notification.

Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Zalow’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.

 

7.2.4 No Assessment of Customer Data by Zalow.

Zalow will not assess the contents of Customer Data to identify information subject to any specific legal requirements. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident(s).

 

7.2.5 No Acknowledgement of Fault by Zalow.

Zalow’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) is not an acknowledgement by Zalow of any fault or liability with respect to the Data Incident.

 

7.3 Customer’s Security Responsibilities and Assessment.

 

7.3.1 Customer’s Security Responsibilities.

Customer agrees that, without prejudice to Zalow’s obligations under Section 7.1 (Zalow’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):

  • 7.3.1.1 Customer is solely responsible for its use of the Service, including:

  • 7.3.1.1.1 making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Customer Data;

  • 7.3.1.1.2 securing the account authentication credentials, systems and devices Customer uses to access the Service;

  • 7.3.1.1.3 backing up its Customer Data; and

  • 7.3.1.2 Zalow has no obligation to protect Customer Data that Customer elects to store or transfer outside of the Service.

7.3.2 Customer’s Security Assessment.

  • 7.3.2.1 Customer is solely responsible for reviewing Zalow’s security processes and evaluating for itself whether the Service, the Security Measures, and Zalow’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation or Non-European Data Protection Legislation, as applicable.

  • 7.3.2.2 Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Zalow as set out in Section 7.1.1 (Zalow’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.

 

7.4 Reviews and Audits of Compliance.

 

7.4.1 Customer’s Audit Rights.

  • 7.4.1.1 If the European Data Protection Legislation applies to the processing of Customer Personal Data, Zalow will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Zalow’s compliance with its obligations under this DPA in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits). Zalow will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).

  • 7.4.1.2 If the Standard Contractual Clauses as described in Section 10 (International Data Transfers) are applicable to Zalow’s processing of Customer Personal Data, without prejudice to any audit rights of a supervisory authority under such Standard Contractual Clauses, the parties agree that Customer or an independent auditor appointed by Customer may conduct audits as described in Clauses 8.9(c) and (d) of the EU and the UK SCCs in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits).

 

7.4.2 Additional Business Terms for Reviews and Audits.

  • 7.4.2.1 If the European Data Protection Legislation applies to the processing of Customer Personal Data, Customer may exercise its right to audit Zalow under Sections 7.4.1(a) or 7.4.1(b): (1) where there has been a Data Incident within the previous six (6) months or there is reasonable suspicion of a Data Incident within the previous six (6) months or (2) where Customer will pay all reasonable costs and expenses incurred by Zalow in making itself available for an audit. Any third party who will be involved with or have access to the audit information must be mutually agreed to by Customer and Zalow and must execute a written confidentiality agreement acceptable to Zalow before conducting the audit.

  • 7.4.2.2 To request an audit under Section 7.4.1(a) or 7.4.1(b), Customer must submit a detailed audit plan to Zalow’s Privacy Contact as described in Section 12 (Privacy Contact; Processing Records) at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. The scope may not exceed a review of Zalow’s compliance with the Standard Contractual Clauses or its compliance with the European Data Protection Legislation, in each case with respect to the Customer Data. The audit must be conducted during regular business hours at the applicable facility, subject to Zalow policies, and may not interfere with Zalow business activities.

  • 7.4.2.3 Following receipt by Zalow of a request for an audit under Section 7.4.1(a) or 7.4.1(b), Zalow and Customer will discuss and agree in advance on: (i) the reasonable date(s) of and security and confidentiality controls applicable to any review of documentation; and (ii) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.4.1(a) or 7.4.1(b).

  • 7.4.2.4 Customer will be responsible for any fees it incurs, including any fees charged by any auditor appointed by Customer to execute any such audit.

  • 7.4.2.5 Customer will provide Zalow any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only to meet its regulatory audit requirements and to confirm compliance with the requirements of the Standard Contractual Clauses or European Data Protection Legislation. The audit reports, and all information and records observed or otherwise collected in the course of the audit, are Confidential Information of Zalow under the terms of the Agreement.

  • 7.4.2.6 Zalow may object in writing to an auditor appointed by Customer if the auditor is, in Zalow’s reasonable opinion, not suitably qualified or independent, a competitor of Zalow, or otherwise unsuitable. Any such objection by Zalow will require Customer to appoint another auditor or conduct the audit itself.

  • 7.4.2.7 Nothing in this DPA will require Zalow either to disclose to Customer or its auditor, or to allow Customer or its auditor to access:

  • 7.4.2.7.1 any data of any other customer of Zalow;

  • 7.4.2.7.2 Zalow’s internal accounting or financial information;

  • 7.4.2.7.3 any trade secret of Zalow;

  • 7.4.2.7.4 any information that, in Zalow's reasonable opinion, could: (A) compromise the security of Zalow systems or premises; or (B) cause Zalow to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or

  • 7.4.2.7.5 any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Standard Contractual Clauses or European Data Protection Legislation.

 

7.4.3 No Modification of Standard Contractual Clauses.

Nothing in this Section 7.4 (Reviews and Audits of Compliance) varies or modifies any rights or obligations of Customer or Zalow under any Standard Contractual Clauses entered into as described in Section 10 (International Data Transfers).

 

8. Impact Assessments and Consultations

Customer agrees that Zalow will (taking into account the nature of the processing and the information available to Zalow) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by providing the information contained in the Agreement including this DPA.

 

9. Data Subject Rights; Data Export

 

9.1 Access; Rectification; Restricted Processing; Portability.

During the Term, Zalow will, in a manner consistent with the functionality of the Service, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Zalow as described in Section 6.1 (Deletion by Customer), and to export Customer Data.

 

9.2 Data Subject Requests.

 

9.2.1 Customer’s Responsibility for Requests.

During the Term, if Zalow receives any request from a data subject under European Data Protection Legislation in relation to Customer Personal Data, Zalow will advise the data subject to submit their request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Service.

 

9.2.2 Zalow’s Data Subject Request Assistance.

Customer agrees that Zalow will (taking into account the nature of the processing of Customer Personal Data) reasonably assist Customer in fulfilling an obligation to respond to requests by data subjects described in Section 9.2.1 (Customer’s Responsibility for Requests), including, if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in Section 9.1 (Access; Rectification; Restricted Processing; Portability) and Section 9.2.1 (Customer’s Responsibility for Requests).

 

10. International Data Transfers

 

10.1 Data Storage and Processing Facilities.

Zalow may, subject to this Section 10 (International Data Transfers), store and process the relevant Customer Data anywhere Zalow or its Subprocessors maintain facilities.

 

10.2 Data Transfers under the EU SCCs.

The EU SCCs are incorporated into this DPA and apply where the application of the EU SCCs, as between the parties, is required under applicable European Data Protection Legislation for the transfer of personal data. The EU SCCs shall be deemed completed as follows:

  • 10.2.1 Where Customer acts as a controller and Zalow acts as Customer’s processor with respect to Customer Personal Data subject to the EU SCCs, Module 2 applies.

  • 10.2.2 Where Customer acts as a processor and Zalow acts as Customer’s Subprocessor with respect to Customer Personal Data subject to the EU SCCs, Module 3 applies.

  • 10.2.3 Clause 7 (the optional docking clause) is not included.

  • 10.2.4 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization).

  • 10.2.5 Under Clause 11 (Redress), the optional language will not apply.

  • 10.2.6 Under Clause 17 (Governing law), the parties choose Option 1 and select the law of Ireland.

  • 10.2.7 Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.

  • 10.2.8 Annexes I, II, and III of the EU SCCs are set forth in Appendix 1 below.

 

10.3 Data Transfers under the IDTA.

When used as an addendum to the EU SCCs and the UK IDTA is otherwise required under applicable European Data Protection Law for the transfer of Customer Personal Data, the UK IDTA addendum shall incorporate the selections above and be deemed further completed as follows:

  • 10.3.1 Table 1: the parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Appendix 1, and the Key Contact shall be the contacts set forth in Appendix 1.

  • 10.3.2 Table 2: The referenced Approved EU SCCs shall be the EU SCCs incorporated into this DPA.

  • 10.3.3 Table 3: Annex 1A, 1B, and II shall be set forth in Appendix 1.

  • 10.3.4 Table 4: Either party may end the EU SCCs as set out in Section 19 of the EU SCCs.

 

10.4 Data Transfers from Switzerland.

Where the EU SCCs are required under Swiss data protection law applicable to the transfer of Customer Personal Data, the following additional provisions will apply:

  • 10.4.1 References to the GDPR in the EU SCCs are to be understood as references to the Swiss Federal Act on Data Protection (“FADP”) insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

  • 10.4.2 The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

  • 10.4.3 References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

  • 10.4.4 Under Annex I(C) of the EU SCCs: where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

 

11. Subprocessors

 

11.1 Consent to Subprocessor Engagement.

Customer specifically authorizes the engagement of Zalow’s Affiliates as Subprocessors. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”). If the Standard Contractual Clauses as described in Section 10 (International Data Transfers) are applicable to Zalow’s processing of Customer Personal Data, the above authorizations will constitute Customer’s prior written consent to the subcontracting by Zalow of the processing of Customer Personal Data if such consent is required under the Standard Contractual Clauses.

 

11.2 Information about Subprocessors.

  • 11.2.1 Information about Subprocessors is available upon request by emailing privacyrequests@Zalow.com (as may be updated by Zalow from time to time in accordance with this DPA). Subprocessor information will be provided only upon request and is the Confidential Information of Zalow under this Agreement and must be treated with the level of confidentiality afforded to Confidential Information hereunder.

 

11.3 Requirements for Subprocessor Engagement.

When engaging any Subprocessor, Zalow will:

  • ensure via a written contract that:

  • the Subprocessor only accesses and uses Customer Data to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any Standard Contractual Clauses entered into or Alternative Transfer Solution adopted by Zalow as described in Section 10 (International Data Transfers); and

  • if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are imposed on the Subprocessor; and

  • remain liable for all obligations subcontracted to, and all related acts and omissions of, the Subprocessor.

 

11.4 Opportunity to Object to Subprocessor Changes.

Zalow may add or remove Subprocessors from time to time. Zalow will inform Customer of new Subprocessors via a subscription mechanism described in the list of Subprocessors as described above. If Customer objects to a change, it will provide Zalow with notice of its objection to info@Zalow.com including reasonable detail supporting Customer’s concerns within sixty days of receiving notice of a change from Zalow or, if Customer has not subscribed to receive such notice, within sixty days of Zalow publishing the change. Zalow will then use commercially reasonable efforts to review and respond to Customer’s objection within thirty days of receipt of Customer’s objection. If Zalow does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer’s objection, Customer may terminate the Agreement by providing written notice to Zalow. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Subprocessor.

 

12. Privacy Contact; Processing Records

 

12.1 Zalow’s Privacy Contact.

Privacy inquiries related to this DPA can be submitted to legal@Zalow.com (and/or via such other means as Zalow may provide from time to time).

 

12.2 Zalow’s Processing Records.

Customer acknowledges that Zalow is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Zalow is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to Zalow via the Service or other means provided by Zalow, and will use the Service or such other means to ensure that all information provided is kept accurate and up-to-date.

 

13. Liability

 

13.1 Liability Cap.

For clarity, the total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement (such as under the DPA or the Standard Contractual Clauses) will be limited to the Agreed Liability Cap for the relevant party, subject to Section 13.2 (Liability Cap Exclusions).

 

13.2 Liability Cap Exclusions.

Nothing in Section 13.1 (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

 

14. Miscellaneous

Notwithstanding anything to the contrary in the Agreement, where Zalow, Inc. is not a party to the Agreement, Zalow, Inc. will be a third-party beneficiary of Section 7.4 (Reviews and Audits of Compliance), Section 11.1 (Consent to Subprocessor Engagement) and Section 13 (Liability) of this DPA.

 

 

Appendix 1: Subject Matter and Details of the Data Processing

 

Subject Matter:

Zalow’s provision of the Service to Customer.

 

Duration of the Processing:

The Term plus the period from the expiry of the Term until deletion of all Customer Data by Zalow in accordance with the DPA.

 

Nature and Purpose of the Processing

Zalow will process Customer Personal Data for the purposes of providing the Service to Customer in accordance with the DPA.

 

Categories of Data

Data relating to End Users or other individuals provided to Zalow via the Service, by (or at the direction of) Customer or by End Users. The open nature of the Service does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Zalow services; and demographic information.

 

Data Subjects

Data subjects include End Users and the individuals about whom data is provided to Zalow via the Service by (or at the direction of) Customer or by End Users.

 

Appendix 2: Security Measures

Zalow will implement and maintain the Security Measures set out in this Appendix 2. Zalow may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service. Zalow will:

  • Conduct information security risk assessments at least annually and whenever there is a material change in the organization’s business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Customer Personal Data.

  • Regularly and periodically train personnel who have access to Customer Personal Data or relevant Zalow Systems.

  • Maintain secure user authentication protocols, secure access control methods, and firewall protection for Zalow Systems that Process Customer Personal Data.

  • Maintain policies and procedures to detect, monitor, document and respond to actual or reasonably suspected Information Security Incidents.

  • Implement and maintain tools that detect, prevent, remove and remedy malicious code designed to perform an unauthorized function on or permit unauthorized access to Zalow Systems.

  • Implement and maintain up-to-date firewalls.

  • Implement and use cryptographic modules to protect Customer Personal Data in transit and, when commercially reasonable, at rest.

  • Maintain reasonable restrictions on physical access to Customer Personal Data and relevant Zalow Systems.

Appendix 3: Annex I of the EU SCCs

A. LIST OF PARTIES

Data exporter(s):

  • Name: Customer

  • Activities relevant to the data transferred under these Clauses: Obtaining the Services from Data Importer

  • Role (controller/processor): Controller or Processor, as applicable

 

Data importer(s):

  • Name: Zalow Inc.

  • Address: 4500 S. Lakeshore Dr. STE 400, Tempe, AZ 85282

  • Contact person’s name, position and contact details: Privacy Counsel, legal@Zalow.com

  • Activities relevant to the data transferred under these Clauses: Providing the Services to Data Exporter.

  • Role (controller/processor): Processor

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Data subjects include End Users and the individuals about whom data is provided to Zalow via the Service by (or at the direction of) Customer or by End Users.

 

Categories of personal data transferred

  • Data relating to End Users or other individuals provided to Zalow via the Service, by (or at the direction of) Customer or by End Users. The open nature of the Service does not impose a technical restriction on the categories of data Customer may provide. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Zalow services; and demographic information.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • None anticipated.

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuously, for the length of the Agreement between the parties.

 

Nature of the processing

  • Zalow will process Customer Personal Data to provide the Service to Customer in accordance with the DPA.

 

Purpose(s) of the data transfer and further processing

  • Zalow will process Customer Personal Data for the purposes of providing the Service to Customer in accordance with the DPA.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • The Term plus the period from the expiry of the Term until deletion of all Customer Data by Zalow in accordance with the DPA.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Zalow’s subprocessors will process personal data to assist Zalow in providing the Services pursuant to the Agreement, for as long as needed for Zalow to provide the Services.

 

C. COMPETENT SUPERVISORY AUTHORITY

The Irish Data Protection Commission.

 

Annex II of the EU SCCs

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  • See Appendix 2 to the DPA.
