
Zato Terms of Use

These Terms of Use, together with the DPA (“Agreement”), are entered into as of the date the Customer accepts these terms by clicking “accept”, accessing or using the Services via Zato’s Platform (“Effective Date”) between the applicable Zato contracting entity set forth in Clause 11.5 (“Zato”) and the customer identified in the account created on the Zato Platform (“Customer”). Zato and Customer may also be referred to individually as “Party” or together as the “Parties.” Capitalised terms used but not otherwise defined have the meanings given in Clause 12 or in the DPA. The Parties agree as follows:

1. Provision of Services

1.1 Access to Services

Subject to Customer’s compliance with this Agreement, Zato will make the AI Services available to Customer for Customer’s internal business use via the Zato Platform. Customer acknowledges that Zato or its Affiliates may review Customer’s use of the Services for the purpose of providing Services and verifying Customer’s compliance with this Agreement. Customer agrees that its use of the Services is not contingent on any future functionality or features, or dependent on any oral or written statements made by Zato or any of its Affiliates regarding future functionality or features.

1.2 Protection of Customer Data

Zato will maintain administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Customer Data hosted or processed by Zato, as required by law. Where Customer’s use of the Services includes the processing of Personal Data by Zato (as defined in the DPA), subject to applicable data protection laws, such use will be governed by the DPA, which is incorporated into this Agreement by reference. Customer will only provide to Zato the minimum amount of personal data necessary to enable Customer to use the Services in accordance with this Agreement.

1.3 Evolving Zato Technology

Subject to Clause 7.2(b), Zato may issue Updates for the Services from time to time.

2. Use of Services

2.1 Customer’s Responsibilities

Only Authorised Users are permitted to access and use the Services. Customer acknowledges that Zato and its Affiliates may directly or indirectly contact Customer and Authorised Users in connection with Zato’s and its Affiliates’ services. Customer will be solely responsible for:

  1. Authorised Users’ compliance with this Agreement;
  2. the accuracy and quality of Customer Data, the means by which Customer acquired Customer Data, and obtaining appropriate usage rights with respect to Customer Data;
  3. maintaining the confidentiality of usernames, passwords, and other account information or access credentials (as applicable);
  4. all activities that occur under its Authorised Users’ usernames, passwords, accounts or access credentials as a result of Authorised Users’ access to the Services;
  5. ensuring Authorised Users use the Services only in accordance with the Documentation. Customer will follow all requirements under applicable law, which may include providing notice and disclosures to Authorised Users and/or Data Subjects that Customer Personal Data (as defined in the DPA) is subject to Customer’s own privacy policy and other terms regarding the use or handling of Customer Personal Data as required by applicable Data Protection Law. Customer will notify Zato promptly upon learning of any unauthorised use of, or access to, the Services; and
  6. all use of the Output, and evaluating the Output for accuracy and appropriateness for its use cases, including by utilising human review as appropriate. Customer acknowledges and agrees that Customer will comply with all legal and professional responsibilities relating to the use of the Services, including obtaining all necessary consents from, and making all required disclosures to, any persons who use or derive any use or benefit from the Services and any Output.

2.2 Restrictions

Customer will not and will not permit others to:

  1. make any Services available to any third party other than Customer or Authorised Users;
  2. sell, resell, license, sublicense, distribute, rent, or lease any Services, or include any Services in a service bureau or outsourcing offering;
  3. use the Services to store or transmit infringing, tortious, libelous, or otherwise unlawful material, Harmful Code, or material that otherwise violates the rights of any third-party;
  4. interfere with or disrupt the integrity or performance of the Services or any third-party data contained in the Services;
  5. use, or permit direct or indirect access to, the Services in a way that seeks to circumvent any restrictions on use in the Documentation or in any Zato policies;
  6. use the Services to exploit any Zato Intellectual Property Rights except as otherwise expressly permitted under this Agreement or the Documentation;
  7. frame or mirror any part of the Services, except as permitted by and in accordance with the Documentation;
  8. access the Services in order to develop a competitive product or service or benchmark with a non-Zato product or service, or to otherwise exploit for competitive purposes;
  9. subject to applicable law, reverse engineer, copy, or modify any software included as part of the Services;
  10. use the Services for any improper, fraudulent, or other non-legitimate business purpose;
  11. use the Services in a way that could be considered harmful, malicious, threatening, offensive, pornographic, defamatory, bigoted, hateful, indecent, or otherwise objectionable in Zato’s reasonable opinion;
  12. use the Services to send unsolicited communications, promotions, or advertisements in violation of any applicable anti-spam or e-privacy law, rule, or regulation;
  13. use any automated device or process, such as a robot, spider, data-mining, web-scraping, or other means to circumvent, access, use, or integrate with the Services or its contents, including but not limited to other user account information; or
  14. use the Service in violation of any applicable law.

3. Third-Party Applications

Products or services developed by third parties may be available to Customer, including via Zato’s API, for use with the Services (“Third-Party Applications”). By using Third-Party Applications, Customer permits Zato to grant providers of such Third-Party Applications access to Customer Data or other data as required for the use and support of such Third-Party Applications in conjunction with the Services.

Third-Party Applications are not Services under this Agreement, may be subject to the third-party provider’s additional terms, and may require an additional fee to such providers in order to use the Third-Party Applications. Zato’s software may contain features designed to interoperate with Third-Party Applications. Such features are not considered Services under this Agreement.

Zato may cease providing such features for any reason, including if the provider of a Third-Party Application ceases to make the Third-Party Application available for interoperation with the Services, without entitling Customer to any refund, credit, or compensation. Notwithstanding any obligations Zato may have under the DPA, Zato is not responsible for the use or protection of Customer Data in any Third-Party Applications.

4. Fees and Payment

4.1 Fees

Customer will pay Zato all fees based on the price per ledger and Customer’s use of the Services, as set out on the Zato Platform or as agreed between Customer and Zato (“Fees”). Zato may modify its Fees at any time on at least 30 days’ prior written notice to the Customer, with any rate changes becoming effective after such notice and subsequent updating to Zato’s Platform. Customer’s continued use of the Services after a rate change constitutes acceptance of the new rates and agreement to pay the revised Fees. Except as set out in this Agreement, all payment obligations are non-cancelable, and Fees paid are non-refundable.

4.2 Payment Terms

All invoices for Fees and Taxes are due and payable within the time frame and in the currency set out in the payment method stipulated on the Zato Platform, without deduction or set off. Customer must agree to the billing arrangements, including any direct debit or other required payment mechanism, specified on the Zato Platform. Customer is responsible for providing complete and accurate billing and contact information to Zato and promptly notifying Zato of any changes to such information.

If Customer fails to pay any undisputed portion of Fees due, or a payment of Fees defaults for any reason, within ten (10) business days after receiving notice that its account is overdue, Zato may, without limiting its other rights and remedies, suspend the Services until such amounts are paid in full (“Non-Payment Suspension”). Zato is not obliged to continue to provide Services without payment of applicable Fees.

4.3 Use of Purchase Orders

No terms of any purchase order or other form or agreement provided by Customer will modify or supplement this Agreement, regardless of any failure of Zato to object to such terms, and any such terms will have no force or effect.

4.4 Taxes

Fees do not include any taxes or similar governmental charges or assessments of any nature, including goods and services (GST) tax assessable by any jurisdiction (collectively, “Taxes”) which must be paid by the Customer, if applicable. For clarity, Zato is solely responsible for taxes assessable against it based on its own income, property, and employees.

5. Proprietary Rights and Licenses

5.1 Ownership; Reservation of Rights

All Zato Intellectual Property Rights, including Intellectual Property Rights in the Services, Documentation, Statistical Usage Data, and Zato’s Confidential Information, are and will remain owned exclusively by Zato and its Affiliates, as applicable. Ownership in all Updates, derivatives, modifications, new functionalities, enhancements, and customisation related to the Services created by or on behalf of Zato, as well as recommendations, suggestions, proposals, ideas, improvements, or other feedback, will immediately vest in Zato upon creation or communication to Zato, as applicable, and Zato will be free to use and disclose as it deems fit.

All deliverables provided in the performance of Professional Services are owned by Zato and will be made available as part of the Services provided under this Agreement. Nothing in this Agreement will preclude or limit Zato from using or exploiting any concepts, ideas, techniques, or know-how of or related to the Services. Other than as expressly set out in this Agreement, no license or other rights in or to the Services or other Zato Intellectual Property Rights are granted to Customer, and all such rights are expressly reserved to Zato and its Affiliates.

5.2 Use of Zato Logos

Use of Zato’s logos, and all other Zato trade marks, service marks, product names, and trade names of Zato, is subject to the Zato trade mark usage guidelines notified to the Customer from time to time.

5.3 Customer Data

Customer Data and Customer’s Confidential Information are and will remain owned exclusively by Customer or its Authorised Users, as applicable. Customer hereby grants Zato, its Affiliates, and its subprocessors a worldwide right and license to access, host, display, process, analyse, transmit, reproduce, and otherwise utilise Customer Data (subject to Clauses 1.3 and 6.2) for the purposes of providing and improving the Services in accordance with this Agreement.

Customer acknowledges that due to the nature of the Services and artificial intelligence generally, Output may not be unique, and other users may receive similar content from Zato’s services. Responses and output that are requested by and generated for other users are not considered the Customer’s Output, and Customer’s ownership of Output does not extend to other users’ output or any content delivered as part of any third-party offering.

5.4 Statistical Usage Data

Zato and its Affiliates may collect, use, and otherwise process Statistical Usage Data for their own analysis, analytics, marketing, and other internal business purposes, including, without limitation, sharing with subprocessors to improve Zato’s products and services. Except where Customer has expressly provided its written consent, Zato will otherwise only disclose Statistical Usage Data if such data is (a) aggregated or anonymised; and (b) does not disclose the identity of Customer or its Authorised Users or any Customer Confidential Information.

6. Confidentiality

6.1 Definition of Confidential Information

“Confidential Information” means all information or data disclosed by a Party or any of its Affiliates (as applicable, the “Disclosing Party”) that is confidential, proprietary, or otherwise not publicly available, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure whether oral or in writing, and disclosed during the Term in connection with the Services.

Confidential Information includes: (a) with respect to Customer, Customer Data; (b) with respect to Zato, the Services and pricing; and (c) with respect to a Party, any technical, financial, economic, marketing, strategic, business, product, design, or operational information, including the terms of this Agreement, of such Party.

Confidential Information does not include any information that (w) is or becomes generally known to the public without breach of this Agreement or any other agreement by the Party receiving information or any of its Affiliates (as applicable, the “Receiving Party”); (x) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (y) is received from a third party without restriction on disclosure and without breach of any obligation owed to the Disclosing Party; or (z) was independently developed by the Receiving Party without use of or reference to any Confidential Information.

6.2 Protection of Confidential Information

The Receiving Party will (a) use the same degree of care that it uses to protect the confidentiality of its own confidential information of a similar nature (but not less than reasonable care); (b) not use any Confidential Information for any purpose outside the scope of this Agreement; and (c) except as otherwise expressly consented to by an authorised representative of the Disclosing Party, limit access to Confidential Information to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement (“Authorised Recipients”).

Neither Party will disclose the terms of this Agreement or any Order to any third party other than its Affiliates, legal counsel, and accountants without the other Party’s prior written consent, on condition that a Party that makes any such disclosure to its Affiliate, legal counsel, or accountants will remain responsible for such Affiliate’s, legal counsel’s, accountants’, and Authorised Recipients’ compliance with this Clause 6 (Confidentiality).

6.3 Compelled Disclosure

The Receiving Party may disclose Confidential Information to the extent compelled by law or legal process to do so, on condition that the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the compelled disclosure.

If the Receiving Party is compelled by law to disclose Confidential Information as part of a proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

7. Representations, Warranties, Exclusive Remedies, Disclaimers

7.1 General Warranty

Each Party represents and warrants that it has the necessary rights to enter into this Agreement and has the legal power to do so.

7.2 Zato Limited Warranties

Zato warrants that (a) the Services will perform materially in accordance with the applicable Documentation; (b) Zato will not materially reduce the core functionality of the Services during the current period of access to the Services; (c) Zato will use industry standard measures to deliver the Services free of Harmful Code; and (d) Zato will perform the Professional Services in a diligent and professional manner.

Customer’s exclusive remedy and Zato’s entire liability for a breach of the above warranties will be, at Zato’s option, (x) the correction of the deficient Service that caused the breach of warranty, or (y) provision of comparable functionality. If Zato, as determined in its reasonable discretion, cannot accomplish (x) or (y), Zato will terminate the deficient service and refund to Customer any prepaid Fees for the affected terminated Service.

7.3 Disclaimers

Except as expressly provided in this Agreement, neither Party nor its licensors makes any warranty of any kind, whether express, implied, statutory, or otherwise, and each Party and its licensors specifically disclaim all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose, title, or non-infringement, to the maximum extent permitted by applicable law.

Zato does not warrant that Services will be error-free or uninterrupted, will meet Customer’s requirements or expectations, or that its security measures will be sufficient to prevent third-party access to Customer Data. Zato does not warrant that the Customer will obtain any particular results from the use of the Service or that any produced results will be accurate. Customer (and any third person that the Customer authorises to use the results) relies on and uses the results of the Services at its own risk, and Zato will have no liability to the Customer (or any third party) in this respect.

8. Indemnification

8.1 Indemnification by Customer

Customer will indemnify Zato against any claim or regulatory action brought against Zato by a third party to the extent such claim relates to the Customer Data (if used by Zato in accordance with this Agreement), Customer’s use of the Services, or Third-Party Applications built by or on behalf of Customer. If a third party makes such a claim against Zato, Customer will pay all damages, loss and costs and expense (including legal fees) arising from or in connection with the claim, including any amounts awarded against Zato or any settlement with respect to such claim.

9. Limitation of Liability

9.1 Exclusion of Damages

To the extent arising out of or related to this Agreement, neither Zato nor its respective Affiliates will be liable for any loss of profits, loss of data, revenues, goodwill, anticipated savings, or use, costs of substitute goods or services, or business interruption, or work stoppage, or any indirect, special, incidental, exemplary, punitive, or consequential damages, however caused, and based on any theory of liability, whether for breach of contract, breach of warranty, tort (including negligence), product liability, or otherwise, even if Zato is advised of the possibility of such damages. This disclaimer will not apply to the extent prohibited by law.

9.2 Limitation of Liability

Zato’s and its respective Affiliates’ aggregate cumulative liability for all damages arising out of or related to this Agreement will not exceed the applicable Fees paid to Zato for the applicable Services and attributable to the twelve (12) month period immediately preceding the event giving rise to the liability. The existence of more than one claim will not expand this limit. Nothing in this Agreement excludes or limits any liability that cannot be excluded or limited under applicable law.

10. Term and Termination

10.1 Term of Agreement

This Agreement will begin on the Effective Date and continue until terminated as permitted in this Agreement. If Customer has not used the Services for at least ninety (90) consecutive days, Zato may terminate this Agreement.

10.2 Suspension

In the event of Customer’s or an Authorised User’s breach of this Agreement, including without limitation for Non-Payment Suspension or violation of the restrictions in Clause 2.2, Zato may, in its reasonable discretion, suspend Customer’s or an Authorised User’s access to or use of the Services. Zato will use reasonable efforts, unless the circumstances dictate otherwise, to provide reasonable notice to the Customer via email before suspending the Customer’s use of the Services.

10.3 Termination

Either Party may terminate this Agreement if the other Party is in material breach of this Agreement, where such material breach is not cured (to the extent capable of being cured) within thirty (30) days after receiving notice of breach from the non-breaching Party, or with immediate effect where such material breach cannot be cured.

For the avoidance of doubt and without limiting Zato’s rights, Customer’s noncompliance with Clause 2.2 or Clause 4.2 will be deemed a material breach of this Agreement. To the extent permitted by law, this Agreement may be terminated by either Party with immediate effect if the other Party becomes insolvent, enters external administration or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

10.4 Effect of Termination

Upon the termination of this Agreement for any reason:

  (a) unless otherwise agreed by the Parties in writing, all access to the Services will automatically terminate;
  (b) Customer and its Authorised Users will immediately cease access and use of the Services, other than for retrieval purposes provided in (d);
  (c) all outstanding payment obligations of Customer (if any) will become due and payable immediately; and
  (d) within thirty (30) days following termination, Zato will provide the Customer, at Customer’s request, with all files used in processing, together with any adjustments made to the outputs, and the final results, including both machine generated content and subsequent human-applied modifications. After thirty (30) days, Zato will have no obligation to maintain or provide any Customer Data, and may delete or destroy all copies of Customer Data. If Zato is required to retain a copy of Customer Data for legal purposes, such copy remains subject to the confidentiality provisions of this Agreement.

10.5 Surviving Provisions

The Clauses titled “Fees and Payment,” “Proprietary Rights and Licenses,” “Confidentiality,” “Representation, Warranties, Exclusive Remedies, Disclaimers,” “Term and Termination,” “Indemnification,” “Limitation of Liability,” and “General Provisions” will survive any termination of this Agreement.

11. General Provisions

11.1 Export Control

Each Party will comply with all applicable Export Control and Sanctions Laws and Regulations in connection with providing and using the Services.

11.2 Anti-Corruption

Neither Party has promised, made, or received any bribe, kickback, or other similar payment or transfer of value from or to any director, officer, employee, agent, or other representative of the other Party in connection with this Agreement. Reasonable gifts, entertainment, sponsorships, and donations do not violate the above restriction.

11.3 Contracting Entity, Governing Law & Venue

The Zato contracting entity, the laws that will apply to a dispute arising out of or relating to this Agreement, and the jurisdiction for dispute resolution depend on where the Customer is domiciled and, in all cases without reference to the conflict of law rules of any jurisdiction, will be as follows:

If Customer is domiciled in   | The Zato contracting entity is | Governing law is that of | The venue for dispute resolution is
------------------------------|--------------------------------|--------------------------|------------------------------------
Australia                     | Zato Australia Pty Ltd         | New South Wales          | Sydney, New South Wales
New Zealand                   | Zato New Zealand Limited       | New Zealand              | Auckland, New Zealand

11.4

The provisions of the United Nations Convention of Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Acts will not apply to this Agreement in any manner whatsoever.

11.5 Dispute Resolution

The Parties will attempt in good faith to promptly resolve any disputes arising out of or relating to this Agreement by negotiation between representatives of each Party with the authority to resolve such dispute. If the Parties are unsuccessful, either party may commence proceedings in a court of competent jurisdiction as set out in Clause 11.3.

11.6 Notices

Notices to Customer will be delivered via email or overnight delivery at the address associated with the Order. Notices to Zato will be delivered via email to security@zatohq.com. All notices must be in writing and will be effective when received.

11.7 Force Majeure

Neither Party will be responsible or liable for any failure or delay in its performance under this Agreement (except for payment of Fees, which may be delayed but not excused) to the extent due to any cause beyond its reasonable control (“Force Majeure Event”). The Party suffering a Force Majeure Event will use reasonable efforts to mitigate against the effects of such Force Majeure Event.

11.8 Assignment

Each Party will not assign this Agreement, in whole or part, or any right or interest in this Agreement, without the other Party’s prior written consent, not to be unreasonably withheld, and any purported assignment will be void. However, either Party may assign this Agreement without consent to an Affiliate, or in connection with a merger, consolidation, or corporate reorganisation or internal restructure, sale of all or substantially all of its assets or business, or other change of control transaction.

Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns. Assignment will not relieve Customer of its obligation to pay Fees incurred before the assignment.

11.9 Relationship of the Parties

The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.

11.10 Entire Agreement and Order of Precedence

This Agreement (together with any linked terms) contains the entire understanding and agreement of the Parties concerning the subject matter of this Agreement and supersedes all prior or contemporaneous communications, representations, agreements, and understandings, either oral or written, between the Parties with respect to its subject matter. This Agreement may be amended by Zato on at least 30 days’ prior written notice to the Customer. Continued use of the Services after this period will be deemed acceptance of the revised or new terms by the Customer.

In the event of any conflict or inconsistency between or among the following documents, the order of precedence will be: (1) the DPA, (2) this Agreement, and (3) any links provided in this Agreement. Any amendment will take precedence over the document it amends.

11.11 Miscellaneous

If a provision of this Agreement is unenforceable or invalid, the provision will be revised so as to best accomplish the objectives of the Parties as evidenced by this Agreement, and the remainder of this Agreement will continue in full force. The English language version of this Agreement will be the version used when interpreting or construing this Agreement. Any notices in connection with this Agreement must be provided in English. Either Party’s failure to enforce any right under this Agreement will not waive that right. There are no third-party beneficiaries to this Agreement, and Customer acknowledges that Zato will have no obligations or liability whatsoever to any third parties with which Customer does business.

12. Definitions

12.1 “Affiliate” means an entity that controls, is controlled by, or is under common control of a Party, where “control” means ownership or control, directly or indirectly, of more than fifty percent (50%) of the voting interest of such entity or party (but only for so long as such control exists) or the right to otherwise control the decision making of the subject entity.

12.2 “Authorised User” means any individual or agent authorised by Customer to access or use the Services.

12.3 “Customer Data” means any content, data, information, Personal Data (as described in Clause 1.3), and other materials submitted by Customer, Customer’s clients, third parties or an Authorised User to the Services or Zato Platform (“Input”) and data the Customer will receive from the use of the AI Services (“Output”), including without limitation all Customer’s client data and third party data that Customer uploads into the Services and Zato Platform. Customer Data excludes Statistical Usage Data, any content from publicly available sources, and any suggestion, enhancement request, recommendation, correction, or other feedback relating to the operation of the AI Services pursuant to Clause 5.4.

12.4 “Documentation” means the official Zato-provided user guides and functional specifications applicable to the Services, including Zato’s policies, whether in electronic, paper, or equivalent form, as updated from time to time, as provided by Zato to Customer or accessible at websites designated by Zato.

12.5 “DPA” means Zato’s Customer Data Processing Addendum, incorporated into this Agreement and as set out in the Addendum to these Terms of Use.

12.6 “Export Control and Sanctions Laws and Regulations” means all laws and regulations under applicable law controlling or regulating the export, re-export, or (in-country) transfer of goods, technology, software, or services, or those that impose other trade or financial sanctions against targeted countries, territories, individuals, or entities.

12.7 “Harmful Code” means code, files, scripts, agents, malware, or programs intended to do harm, including but not limited to viruses, worms, time bombs, and Trojan horses.

12.8 “Intellectual Property Rights” means all rights, title, and interest in all intellectual property, including patents, copyrights, trade secrets, mask works, trademarks, and other intellectual property rights of any sort throughout the world.

12.9 “Professional Services” means the implementation, technical, customisation, consulting, training, and similar services provided by or through Zato or its Affiliates, as separately agreed by the Parties.

12.10 “Reseller” means a third party authorised by Zato or its Affiliates to promote, distribute, and/or resell the Services.

12.11 “Statistical Usage Data” means usage information or data related to the access or use of the Services. Examples of Statistical Usage Data include information or data on user visits, user activity, project activity, and numbers and types of clicks or impressions, as well as statistical, functional, behavioral, or other information or data based on or derived from such access or use.

12.12 “Services” means the Zato AI-powered accounting services, including Zato’s offerings as software-as-a-service, and all associated Updates, that provide the functionality described in the Documentation, and any Professional Services (if applicable).

12.13 “Updates” means all updates, enhancements, and other modifications that Zato makes generally available, at no additional charge, to its Customers of the Services.

12.14 “Zato Platform” means collectively, the online, web based applications, portal and platform provided by Zato, its Affiliates or third party providers, and used for the provision of the Services as ordered by Customer for use by Authorised Users pursuant to this Agreement.



Zato Customer Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated by reference into the Terms of Use and forms part of the agreement between Zato and the Customer (the “Agreement”).

By agreeing to the Agreement that incorporates this DPA by reference, Customer is deemed to have accepted the terms of this DPA on behalf of itself and, to the extent required under applicable law, on behalf of its Data Controller Affiliates (defined below) (collectively, “Customer”). For the purposes of this DPA only, and except as otherwise indicated, the term “Customer” will include Customer and its Data Controller Affiliates.

Data Processing

1. Scope and Roles

This DPA applies when Customer Personal Data is processed by Zato under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Customer is the Controller of the Customer Personal Data covered by this DPA, and Zato will be a Processor Processing Customer Personal Data on behalf of Customer and this DPA will apply accordingly.

2. Details of Data Processing

2.1 Subject matter. The subject matter of the data Processing under this DPA is Customer Personal Data.

2.2 Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Zato deletes or anonymises all Customer Personal Data as described in the Agreement.

2.3 Purpose. The purpose of the processing under the DPA is the provision of the Services by Zato to Customer as specified in the Agreement.

2.4 Nature of the Processing. Customer Personal Data is processed by Zato in connection with the Services under the Agreement and/or any applicable Order.

2.5 Categories of Data Subjects. The Data Subjects of Customer may include Customer’s Authorised Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Customer for use in connection with the Services.

2.6 Categories of data. Identifiers (contact details including name, email, phone number, and addresses); Employment Data (professional data, contact details, hours worked, site access); IT Data (IP addresses, browser type, language preferences, cookie data); and other Personal Data that Customer or its Authorised Users elect to submit to the Services.

2.7 Special categories of data (if appropriate). Zato and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreement. However, Customer or its Affiliates may choose to include this type of data within content that the Customer instructs Zato to process on its behalf.

3. Compliance with the Laws

Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this DPA.

4. Jurisdiction Specific Terms

Certain jurisdictions require other specific terms. Where required under applicable Data Protection Law, this DPA fully incorporates the applicable Jurisdiction Specific Terms as follows:

4.1 European Economic Area. European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR. For the purposes of the GDPR, processing of personal data by Zato on behalf of Customer is subject to the terms of the DPA and the EU SCCs.

4.2 United Kingdom. The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded, or replaced.

For the purpose of Section 8 of the DPA, the European Commission decision 2010/87/EU on standard contractual clauses will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation (“UK SCC”), and: (a) the information set out in Annex I of the Appendix to the EU SCCs as set forth above will be deemed to be set out in Appendix 1 of such UK SCCs; (b) the information set out in Annex II to the EU SCCs as set forth above will be deemed to be set out in Appendix 2 of such UK SCCs; (c) the optional illustrative indemnification Clause will not apply; (d) the UK SCCs will be deemed to have been updated in accordance with the recommendations of the Information Commissioner’s Office so that they are suitable for transfers from the UK; and (e) Clauses 14 and 15 of the EU SCCs will be deemed incorporated into the DPA so as to also apply to the transfer of Customer Personal Data with any changes deemed made to reflect the applicability of the UK GDPR to that data as opposed to the GDPR.

In relation to any transfer of Customer Personal Data protected by the UK GDPR, in the event that the competent United Kingdom authority issues alternative standard contractual clauses for transfers of Personal Data from a controller to a processor (i) Zato may on reasonable notice to Customer amend the DPA and/or these Jurisdiction Specific Terms to replace the UK SCCs referred to in this Rider with such alternative SCCs and any such amendments or supplemental provisions to the alternative SCCs deemed necessary by Zato, in its sole discretion, for the purpose of the DPA and/or the Rider (“New UK SCCs”), and (ii) from the date of such notice, any reference in the DPA to UK SCCs will be deemed to refer to such New UK SCCs.

4.3 Switzerland. Swiss Federal Data Protection Act (“FDPA”). Zato’s obligations to a Customer under the DPA are only those express obligations imposed by FDPA. Each party is responsible for fulfilling its respective obligations set out in the FDPA, and Zato will process Personal Data to a standard of protection at least comparable to the standard provided under the FDPA and complying with the terms of the Agreement.

For the purpose of Section 8 of the DPA and in relation to Personal Data that is protected by the FDPA, the EU SCCs will apply with the following modifications: (a) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the FDPA; (b) references to “EU”, “Union”, “Member State”, and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be; and (c) references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs will instead be incorporated by reference and form an integral part of this Addendum and will apply to such transfers.

4.4 Brazil. Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). Zato’s obligations to a Customer under the DPA are only those express obligations imposed by LGPD on a “Data Processor (operador)” for the benefit of a “Data Controller (Controlador).” Each party is responsible for fulfilling its respective obligations set out in the LGPD, and Customer issues Processing instructions consistent with Section 2.1 of the DPA in order to enable Zato to fulfill its LGPD obligations. For the purpose of Section 8 of the DPA, the EU SCC will be used for transfers to non-adequate countries as per GDPR.

4.5 Singapore. Personal Data Protection Act 2012 (“PDPA”). Zato’s obligations to Customer under the PDPA are only those express obligations that the PDPA requires an “Organisation” and a “Data Intermediary” to have in place. Each party is responsible for fulfilling its respective obligations set out in the PDPA, and Zato will process Personal Data to a standard of protection at least comparable to the standard provided under the PDPA and complying with the terms of the Agreement. The terms used in the applicable provisions of the DPA will be replaced as follows: “Controller” will mean “Organisation”; “Processor” will mean “Data Intermediary”; and “Data Subject” will mean “Individual.”

4.6 State of California, United States. The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations. Zato’s obligations to Customer under the DPA are only those express obligations that the CCPA requires a “Business” and a “Service Provider” to have in place. Each party is responsible for fulfilling its respective obligations set out in the CCPA.

Zato will not collect, sell, retain, disclose, or use the Personal Information of the Consumer for any purpose other than to perform the Subscription Services specified in the Agreement, or as otherwise permitted by CCPA. The terms used in the applicable provisions of the DPA will be replaced as follows: “Personal Data” will mean “Personal Information”; “Controller” will mean “Business”; “Processor” will mean “Service Provider”; and “Data Subject” will mean “Consumer.”

5. Documented Instructions

5.1 Customer Instructions. Customer will, in its use of the Services, at all times provide documented instructions to Zato for the Processing of Customer Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Zato’s Processing of Customer Personal Data (“Documented Instructions”). Zato will Process Customer Personal Data in accordance with Customer’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Zato and Customer, including agreement on any additional fees payable by Customer to Zato for carrying out such instructions.

5.2 Obligations and Indemnity. Customer will ensure that its Documented Instructions comply with all laws, rules, and regulations applicable to the Customer Personal Data, and that the Processing of Customer Personal Data per Customer’s Documented Instructions will not cause Zato to be in breach of applicable Data Protection Law. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Zato by or on behalf of Customer; (b) how Customer acquired any such Customer Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to Zato regarding the Processing of such Personal Data. Customer will not provide or make available to Zato any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and will indemnify Zato from all claims and losses in connection therewith.

6. Confidentiality of Customer Personal Data

Zato will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order).

If a governmental body sends Zato a demand for Customer Personal Data, Zato will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Zato may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Zato will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zato is legally prohibited from doing so.

7. Authorised Persons

Zato will ensure that all persons Authorised to Process Customer Personal Data on behalf of Zato are made aware of the confidential nature of the Customer Personal Data, and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.

8. Authorised Subprocessors

Customer hereby grants Zato a general authorisation to engage, appoint, remove, replace or otherwise use Subprocessors as necessary in connection with the provision of Services. Customer expressly approves the Subprocessors currently used by Zato and as disclosed to the Customer upon request. Zato maintains an up-to-date list of its Subprocessors available to the Customer upon request and will notify subscribed Customers via email of any updates to this list. Customers may subscribe to such notifications by registering with Zato (contact: security@zatohq.com).

Customer acknowledges it has no direct audit, inspection, or access rights with respect to any Subprocessor, and its sole remedy regarding Subprocessor compliance is to rely on Zato’s contractual oversight and the objection process outlined in this Section 8.

8.1 Objections. If the Customer reasonably objects to the engagement of a new Subprocessor, Zato will have the right to cure the objection through one of the following options (to be selected at Zato’s sole discretion): (a) Zato cancels its plans to use the Subprocessor with regard to Customer Personal Data; (b) Zato will take the corrective steps requested by Customer in its objection and proceed to use the Subprocessor with regard to Customer Personal Data; (c) Zato may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Customer Personal Data; and (d) Zato provides Customer with a written description of commercially reasonable alternative(s), if any, to such engagement.

If Zato, in its sole discretion, cannot provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, Zato and Customer may terminate this DPA with prior written notice, or suspend the affected Services. Termination will not relieve Customer of any fees or charges owed to Zato for Services provided up to the effective date of the termination under the Agreement. If Customer does not object to a new Subprocessor’s engagement within ten (10) days of notice by Zato, that new Subprocessor will be deemed accepted.

8.2 Subprocessor Obligations. Where Zato authorises a Subprocessor as described in Section 8.1:

  1. Zato will restrict the Subprocessor’s access to Customer Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Zato will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
  2. Zato will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Zato under this DPA, Zato will impose on the Subprocessor the same contractual obligations that Zato has under this DPA; and
  3. Zato will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Zato to breach any of Zato’s obligations under this DPA.

9. Security; Audits; Personal Data Breach; Impact Assessments

9.1 Security. Zato’s provision of the Services will be consistent with the measures described in Appendix A.

9.1.1 Updates to Zato Security Controls. Customer is responsible for reviewing the information made available by Zato relating to data security and making an independent determination as to whether the Security Controls meet Customer’s requirements and legal obligations under applicable law. Customer acknowledges that the Security Controls are subject to technical progress and development and that Zato may update or modify the Security Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.

9.2 Confidential Security Reports and Audits. For the duration of its processing of Customer Personal Data, Zato will maintain compliance with appropriate security standards for its industry. Upon request, Zato will, no more than once per calendar year, make available for Customer’s review a summary copy of an audit report(s) (“Report”) that reflects such compliance. A request may be made by emailing Zato at security@zatohq.com. Customer acknowledges and agrees that such Reports are Zato’s Confidential Information.

Zato will also provide a requesting Customer with a summary Report and/or confirmation of Zato’s own audits and/or a summary report of third-party auditors’ audits of its Subprocessors that have been provided by those Subprocessors to Zato, subject to obligations of confidentiality and to the extent such reports or evidence may be shared with Customer (“Third-party Subprocessor Audit Reports”). Alternatively, Zato will provide the Customer with a summary of relevant information or third-party certifications (e.g., ISO 27001, SOC 2) sufficient to demonstrate the Subprocessor’s compliance with industry-standard security and privacy practices.

9.3 Personal Data Breach. In the event of a Personal Data Breach, except where prohibited by law, Zato will notify Customer without undue delay and otherwise respond as described in Section 9.3.1 below. In addition, Zato will assist Customer in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.

9.3.1 Practices. Zato does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate any Personal Data Breach of which Zato becomes aware and, within the scope of the Services, take such steps as Zato in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Customer without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Zato to affect Customer Personal Data, and provide Customer with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities.

The obligations herein will not apply to a Personal Data Breach caused by Customer, Customer’s Authorised Users or misuse of Customer’s Access Credentials. Zato’s obligation to report or respond to a Personal Data Breach under this Section 9 is not and will not be construed as an acknowledgement by Zato of any fault or liability of Zato with respect to the Personal Data Breach.

10. Zato Assistance with Data Subject Requests

Zato will inform Customer of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Zato regarding Customer Personal Data. Customer will be responsible for handling such requests of Data Subjects.

Upon a written request for assistance by Customer, Zato will reasonably assist Customer with handling such Data Subject request. Zato may charge Customer no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Customer does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution.

11. International Transfers of Personal Data

11.1 U.S. Based Processing; Notification of Changes. Customer acknowledges and agrees that Zato may transfer and process Customer Personal Data to and in the United States (for Customers domiciled in the United States) and anywhere else in the world where Zato, its Affiliates, or its Subprocessors maintain data processing operations. Zato will ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.

11.2 Application of SCCs. The applicable SCC Controller-to-Processor Clauses will apply to Customer Personal Data that is transferred via the Services from Europe (defined below) and/or the United Kingdom, either directly or via onward transfer, to any country not recognized by the European Commission, the Swiss Federal Data Protection and Information Commissioner and/or a competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Personal Data.

11.2.1 For purposes of this DPA, if the SCCs apply, this DPA fully incorporates the SCCs. If Customer submits Customer Personal Data to the Services for Processing by Zato, Customer and Zato will be deemed to have entered into the SCCs, where applicable, and the submission of such Customer Personal Data to the Services will constitute Customer’s prior written consent to the transfer and Processing by Zato if such consent is required under the SCCs. The SCCs will not apply where the Customer Personal Data is transferred in accordance with an Alternative Transfer Mechanism (defined below), such as when necessary for the performance of Services pursuant to the Agreement or on Customer’s Documented Instructions.

11.3 Explicit Consent and Notice. Customer will bear sole responsibility for obtaining its Authorised User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Customer Personal Data to Zato in a manner consistent with the applicable Data Protection Law. If, at any time, an Authorised User and/or Data Subject withdraws any consent given pursuant to this Subsection, Customer will immediately inform Zato in writing at security@zatohq.com and cease use and collection of Customer Personal Data related to such objecting Authorised User and/or Data Subject. Customer will keep an electronic record of all consents given, and any consents withdrawn, by Authorised Users and/or Data Subjects and will make such records available to Zato upon request as required by law.

12. Effect of Termination

12.1 Upon termination or expiration of the Agreement, Zato will (at Customer’s written request) anonymise all Customer Personal Data in its possession or control (meaning: irreversible, industry-standard anonymization techniques that prevent any possibility of re-identification) or securely delete all Customer Personal Data (so that the data is permanently erased) where required to comply with applicable law. This requirement will not apply to the extent Zato is required by applicable law to retain some or all of the Customer Personal Data.

12.2 Customer acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise, or defense of legal claims. As an equivalent to deletion, Zato will permanently and securely anonymise Customer Personal Data to the extent no individual could be identified.

13. Indemnification by Customer

To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Customer agrees to defend, indemnify and hold harmless Zato, its Affiliates and Zato’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, resellers and assigns (each, a “Zato Indemnitee”) from and against any and all Losses resulting from Customer’s violation of this DPA and/or the infringement or violation by Customer, its Authorised Users, or any other user of Customer’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.

14. Limitation of Liability

14.1 Exclusion of Damages. UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION WILL THE ZATO INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CUSTOMER OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CUSTOMER PERSONAL DATA ARISING FROM OR RELATING TO CUSTOMER’S BREACH OF ITS OBLIGATIONS IN THIS DPA.

14.2 Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Data Controller Affiliates and Zato, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement.

For the avoidance of doubt, the Zato Indemnitees’ total liability for all Actions by Customer and all of Customer’s Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, will not be understood to apply individually and severally to Customer and/or to any Customer Affiliate that is a contractual party to any such DPA.

15. Survival of the DPA

This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA and the SCCs will continue to apply for so long as Zato processes Customer Personal Data.

16. Severance

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.

17. Entire Agreement; Order of Precedence

Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data is resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.

18. Definitions

18.1 “Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.

18.2 “Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.

18.3 “Affiliates”, “Customer Data”, “Zato”, and “Services” will each have the meaning ascribed to it in the Agreement.

18.4 “Alternative Transfer Mechanism” means a mechanism, other than SCCs, that enables the lawful transfer of Personal Data from Europe or the U.K. to a third country in accordance with applicable Data Protection Law.

18.5 “Competent Supervisory Authority” means, in accordance with Clause 13 of the EU SCCs, (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

18.6 “Controller” means the entity that, as a legal person, determines alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or “data exporter” refers to Customer.

18.7 “Customer”, as used in this DPA, will include Customer (as defined in the Agreement) and its Data Controller Affiliates.

18.8 “Customer Personal Data” means Customer Data submitted to Zato for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.

18.9 “Data Controller Affiliates” means any of Customer’s Affiliates that have not signed or otherwise accepted their own Order with Zato and therefore would not be a “Customer” as defined under the Agreement, but are entities which are: (i) subject to Data Protection Law; and (ii) permitted to use the Zato Services pursuant to the Agreement between Customer and Zato. For the avoidance of doubt, no third-party beneficiaries are intended.

18.10 “Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Customer Personal Data by Zato, including, where applicable, the laws listed in Zato’s Jurisdiction Specific Terms, as may be amended, superseded, or replaced from time to time.

18.11 “Data Subject” means the identified or identifiable person to whom Customer Personal Data relates.

18.12 “Documented Instructions” has the meaning ascribed in Subsection 5.1 of this DPA.

18.13 “Europe” means the European Economic Area and Switzerland.

18.14 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

18.15 “including” and its derivatives mean “including but not limited to.”

18.16 “Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.

18.17 “Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.

18.18 “Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data Processed by Zato or Zato’s Subprocessors.

18.19 “Zato Indemnitee” will have the meaning ascribed to it in Section 13, above.

18.20 “Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

18.21 “Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or “data importer” in this DPA refers to Zato.

18.22 “Public Authority Request” means a request for information from a government agency or law enforcement authority, including a judicial authority.

18.23 “Services” means Zato’s Services as set forth in the Agreement.

18.24 “Standard Contractual Clauses” or “SCCs” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).

18.25 “Subprocessor” means any Processor engaged by Zato to assist in processing Customer Personal Data in connection with the Services per Customer’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include Zato’s Affiliates, but will exclude Zato employees, contractors, and consultants.

18.26 “UK GDPR” means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK’s Data Protection Act 2018.


Appendix A — Technical and Organizational Security Measures

At all times while Zato Processes Customer Personal Data, Zato will maintain and follow a written information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to Customer Personal Data and unauthorised access to the Services, and (c) minimize Customer Personal Data risks, including through risk assessment and regular testing. Zato will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following Security Measures (as updated from time to time):

1. Physical Access Controls

Zato takes measures, such as security personnel and secured buildings, designed to (i) prevent unauthorised persons from gaining access to Customer Data, (ii) manage, monitor, and log movement of persons into and out of Zato facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.

2. System Access Controls

Zato takes measures designed to prevent unauthorised use of Customer Data. These controls may vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and two-factor authentication, documented authorization processes, documented change management processes, logging of access on several levels, system audit or event logging, and related monitoring procedures to proactively record user access and system activity for routine review.

3. Data Access Controls

Zato takes measures designed to ensure that Customer Data is accessible and manageable only by properly Authorised staff, direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and that Customer Data cannot be read, copied, modified, or removed without authorization in the course of Processing.

4. Access Policy

In addition to the access control rules set forth in Subsections 1(i)–1(iii) above, Zato implements an access policy under which access to its system environment, to Personal Data, and to other Customer Data is restricted to Authorised personnel only.

5. Input Controls

Zato takes measures to ensure that: (i) the Customer Data source is under the control of Customer; and (ii) Personal Data integrated into Zato’s systems is managed by secured file transfer from Customer and the Authorised User subject.

6. Data Backup

Zato ensures that backups are made on a regular basis, are secured, and are encrypted when storing data to protect against accidental destruction or loss when hosted by Zato.

7. Organizational Management

Zato maintains a dedicated staff responsible for the development, implementation, and maintenance of Zato’s data privacy and information security programs.

8. Audit

Zato maintains audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the organization, monitoring and maintaining compliance, and reporting the condition of its information security and compliance to senior internal management.

9. Policies

Zato maintains data protection and information security policies and makes sure that policies and measures are regularly reviewed and where necessary, improved.

10. Integration

Zato communicates with Customer applications utilizing cryptographic protocols such as TLS 1.2 or above to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.

11. Operations

Zato maintains operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Controller possession.

12. Incident Response

Zato maintains incident procedures designed to investigate, respond to, mitigate and notify of events related to Customer’s data or information assets. A dedicated network operations and security operations staff provides rapid monitoring and response capabilities to address alerts.

13. Network Security

Zato employs network security controls such as enterprise firewalls, layered DMZ architectures, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

14. Risk Management

Zato utilizes vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

15. Business Continuity

Zato maintains business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recover from foreseeable emergency situations or disasters. Testing is performed to evaluate the plans and recovery capabilities.