Effective Date – January 02, 2021
Definitions
“Applicable Data Protection Law” means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements relating in any way to the privacy, Personal Data protection, confidentiality or security of Protected Data, including the European Union Directives and regulations governing general data protection and all applicable industry standards concerning privacy, data protection, confidentiality or information security.
“Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Personal data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” or similar terms shall have the meanings given under Applicable Data Protection Law. In case of conflicting definitions those in the GDPR (EU regulation 2016/679) shall prevail.
Introduction
This is the Data Processing Addendum (“DPA”) that regulates the Personal Data Processing activities between Zomentum (“we”, “us”, “Zomentum”, “our”) and the customer (“you”), collectively referred to as “the Parties”. The object of this DPA is the lawful Processing of Personal Data, and it is an integral part of our Terms and Conditions (https://www.zomentum.com/terms-and-conditions). You agree to the terms of this DPA by using the Zomentum Service. This DPA will be in force for as long as you use the Zomentum Service.
Processing Roles
By using the Zomentum Service you may choose to enter Personal Data of one or more Data Subjects into the platform. The Parties acknowledge and agree that with regard to the Processing of Personal Data, you are the Controller of the Personal Data and we are the Processor. In delivering the Zomentum Service we might engage sub-processors as detailed in section Sub-processors below.
Your processing of Personal Data
You shall, in your use of the Zomentum Service, Process Personal Data in accordance with the requirements of Applicable Data Protection Law. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data you Process and for the means you used to acquire the data. Any instruction you might give to Process Personal Data shall comply with Applicable Data Protection Law. We shall not be liable for any losses, fines, costs, penalties, damages, etc., arising from or in connection with any Processing in accordance with your instructions.
Our Processing of Personal Data
We shall Process the Personal Data solely as necessary to perform our obligations and strictly in accordance with your documented instructions. We shall Process Personal Data in accordance with Applicable Data Protection Law, the terms in this DPA and for the purposes specified under Zomentum’s Privacy Notice at https://www.zomentum.com/privacy-policy
We shall provide reasonable assistance to you to assist you in complying with requirements of Applicable Data Protection Law. We shall make available to you all information necessary to demonstrate compliance with this DPA and upon prior written notice, allow for and contribute to audits by you or another auditor mandated by you for this purpose.
Details of the Processing
The duration, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects Processed under this DPA are specified under Zomentum’s Privacy Notice at https://www.zomentum.com/privacy-policy.
General
We shall comply with all applicable Data Protection Laws and Regulations with regard to the Zomentum Service. Zomentum Processes Personal Data exclusively as contractually agreed upon or as per documented instructions from you. You shall not give oral data Processing instructions. Any adjustments to the data Processing must be agreed between the Parties in writing.
We shall act exclusively in accordance with this Addendum and/or as per documented instructions by the Client, unless we are legally obliged to carry out a specific data Processing operation. If we believe an additional instruction violates the Data Protection Laws and Regulations, we will inform you without undue delay in writing and may suspend the performance until you have modified or confirmed the lawfulness of the additional instruction in writing. We shall not use the Personal Data provided for Processing for any other purposes, except that we might use the Personal Data to perform internal measurements, metrics, analyse performance indicators, benchmarking or similar purposes provided that the Personal Data has been fully anonymized or aggregated beyond possible re-identification.
Confidentiality
We shall ensure that our employees engaged in the Processing of Personal Data are informed of their confidentiality duties, particularly in regard to Personal Data, and have received appropriate training on their responsibilities and obligations regarding confidentiality, data protection and security.
Data Subject Request Support
We shall promptly notify you if we receive a request from a Data Subject for access, correction, amendment, deletion or other request related to their Personal Data (“DSR”). We shall not respond directly to any DSR and shall instead redirect the Data Subject to place the DSR with you. We shall only respond to the Data Subject to confirm that the request relates to you, the Controller. Where you cannot access the information needed to fulfill the DSR, we shall assist you, upon your written request, if the efforts are commercially reasonable. You shall be responsible for any reasonable costs arising from such assistance.
Data breach notifications
We shall inform you of all cases of loss or illegal disclosure of Personal Data you control or access to such data by non-authorized persons. The written notification shall occur without undue delay after we became aware and have reasonable evidence of the relevant incident. The written notification shall include the relevant details available. We agree to support the Client as required by applicable Data Protection Laws and Regulations. We, in cooperation with you, shall take appropriate measures to protect the Personal Data and to prevent or limit any detrimental effects on the data subjects. We shall not inform the competent supervisory authorities, the data subjects or the public about incidents and measures affecting you without your prior written instruction.
Cooperation with the Supervisory Authority
When requested in writing by you, we shall cooperate with the competent Supervisory Authority in the performance of their duties. We shall immediately notify you in writing of any monitoring activities and measures initiated or taken by the competent Supervisory Authority. This shall also apply if a competent Supervisory Authority investigates Zomentum in relation to your data Processing activities. We shall immediately inform you in writing of any control actions and measures taken by the competent Supervisory Authority insofar as they relate to this DPA, your Processing instructions or an investigation about the Processing of Personal Data on your behalf.
Insofar as the Client is subject to a review by the competent Supervisory Authority, an administrative offence or criminal proceeding, the liability claim of a data subject or a third party's claim in connection with the Processing of Personal Data by Zomentum, we shall support you to the best of our ability and to a reasonable extent.
Data Deletion
We shall delete or anonymize Personal Data when we remove your account from our platform. We usually perform such operations within 90 days of the termination of the relation between the Parties, unless a longer applicable statutory retention period or legal or reporting obligations apply. We will also hold your data for up to 12 months if you have requested in writing a temporary service suspension. We shall also delete data from backups within 180 days thereafter. Once deleted or anonymized, the data cannot be recovered. We shall be obliged to request immediate deletion of Personal Data with sub-processors if an automated deletion process is not in place.
Data Impact Assessments
We shall provide you with reasonable cooperation, information and assistance as needed to fulfill your obligations under Applicable Data Protection Law, including the need to carry out Data Protection Impact Assessments related to your use of Zomentum Service.
Customer Audits
Upon your request, and subject to appropriate confidentiality obligations, we shall make available to you or your independent third-party auditor information regarding Zomentum and third-party sub-processors’ compliance with the Data Protection requirements set forth in our agreements.
The Parties, as an integral part of this DPA, hereby execute the Standard Contractual Clauses pursuant to the European Commission’s decision 2010/87/EU of 5 February 2010 on the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087
The Standard Contractual Clauses are executed between you, the Controller, as “data exporter” and us, the Processor and provider of the Zomentum Service, as “data importer.” The section Sub-processors of this DPA addresses and aligns the sub-processing requirements of the Standard Contractual Clauses. In the event of any conflict between the terms of this DPA and the EU Standard Contractual Clauses, the terms of the EU Standard Contractual Clauses shall prevail.
Sub-processors
Zomentum may provide some of its products and services through third parties. These third-party service providers might perform technical functions on our or your behalf. In doing so, some of them might become sub-processors of Personal Data when such Processing is unavoidable. You or we may share the Personal Data you control with such third-party service providers to enable the functionality of the Zomentum Service. The Processing of Personal Data by such third parties is regulated by DPAs similar to this one with the object to maintain equivalent Processing safeguards. We shall be liable for the acts and omissions of the sub-processors to the same extent we would be liable if we were performing the services of each sub-processor directly under the terms of this DPA.
You hereby authorize us to engage any third-party provider as sub-processors to support the performance of the Zomentum Service. We will maintain an up-to-date list of sub-processors on our website (https://www.zomentum.com/sub-processors). We will add new sub-processors, as needed, to the list thirty (30) days prior to the commencement of their Processing activities. You shall notify us in writing about any objection you might have about their Processing of the Personal Data you control. Upon your reasoned objection we shall investigate your concern and seek a solution. Without written objections, you will be deemed to have consented to the sub-processing. We shall ensure that we have in place a written contract or DPA with the sub-processor applying an equivalent level of data protection obligations to those set out in this DPA.
Pursuant to Clause 5(h), 5(j) and 11(1) of the Standard Contractual Clauses, you agree that Zomentum may engage sub-processors as described in this section.
Technical and Organizational Security Measures
We shall maintain appropriate technical and organizational security safeguards designed to protect your Personal Data against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. We shall regularly monitor compliance with these measures.
We shall also implement measures to maintain the ongoing confidentiality, integrity and availability of the systems and services that Process Personal Data and to restore the availability and access to data in a timely manner in the event of a physical or technical incident. Our platform uses industry-standard authentication tools and encryption technology to protect data at rest and in transit. However, due to the inherent open nature of the Internet, we cannot guarantee the absolute security of the communications between you and us or the data we store.
Find more security details at https://www.zomentum.com/security