This Data Processing Agreement ("DPA") forms part of the Master Services Agreement (the "Agreement") between Customer ("Controller") and Zema Global Data US LLC ("Processor") and is entered into to ensure the lawful processing of Personal Data under applicable data protection laws. 


1. Definitions

For purposes of this Data Processing Agreement:

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Personal Data means data that the Controller provides to the Processor, for which the Controller determines the purpose and use, and which the Processor handles on the Controller’s behalf.

Data Subject means an identified or identifiable natural person to whom the Personal Data relates.

Subprocessor means any third party engaged by the Processor to process Personal Data on its behalf.

Supervisory Authority means an independent public authority established by an EU Member State, the United Kingdom, or Switzerland responsible for monitoring the application of Data Protection Laws.

Standard Contractual Clauses (SCCs) means the standard data protection clauses adopted by the European Commission or relevant UK/Swiss authority for the transfer of Personal Data to third countries.

Third Country means any country outside the European Economic Area (EEA), the United Kingdom, or Switzerland not recognized as providing an adequate level of data protection.

Data Protection Impact Assessment (DPIA) means a process to identify and minimize the data protection risks of a project or processing activity.

Data Transfer Impact Assessment (TIA) means a review conducted to assess the risks of international data transfers under SCCs or similar mechanisms.

Confidential Information means any non-public, proprietary, or confidential information disclosed during the Agreement, whether in written, oral, electronic, or other form.

Personal Information means information that identifies, relates to, describes, or is capable of being associated with a particular individual, as defined by applicable U.S. privacy laws, including the CCPA and CPRA.


2. Purpose and Scope

This DPA governs Processor's processing of Personal Data provided by Controller, or collected on Controller's behalf, while providing the Services defined in the Agreement. The purpose is to ensure such processing complies with applicable Data Protection Laws, including the GDPR, UK GDPR, and Swiss FADP, as well as the CCPA/CPRA, FTC Act, and Privacy Act of 1974, as applicable.


3. Roles of the Parties

Controller: The entity determining the purposes and means of the processing of Personal Data.

Processor: Zema Global Data US LLC, which processes Personal Data on behalf of the Controller.


4. Details of Processing


Subject Matter: Provision of SaaS services per the Agreement.

Duration: Term of the Agreement, unless otherwise required by law.

Nature & Purpose: Storage, access, transmission, enrichment, and analysis of data.

Data Subjects: Employees, contractors, and users of the Controller.

Types of Personal Data: Names, email addresses, IP addresses, credentials, usage logs, client-uploaded data, and information processed via APIs, file uploads, and cloud storage integrations.

The subject matter, duration, nature and purpose of the processing, the categories of data subjects, and the types of personal data processed under this DPA are described in full in [Annex I – Details of the Processing], which forms an integral part of this DPA.

The parties agree that the details set forth in Annex I satisfy the requirements of Article 28(3) of the GDPR and the equivalent provisions under UK and Swiss data protection laws.


5. Processor Obligations

Process Personal Data only on documented instructions from Controller.

Ensure personnel authorized to process Personal Data are subject to confidentiality.

Implement technical and organizational measures as detailed in the Agreement, including:

  • Encryption and access controls
  • Secure file transfer (SFTP, AS2)
  • Use of cloud storage (AWS S3, Azure, GCP) with strict access controls
  • Machine-readable formats (CSV, JSON, Parquet, etc.)

Support the Controller in ensuring compliance with data subject rights and cooperation with supervisory authorities.


6. Data Subject Rights

Processor shall assist Controller with data subject access, rectification, erasure, portability, objection, and restriction of processing requests.

Processor will promptly inform Controller if such a request is received directly.


7. Data Transfers and Standard Contractual Clauses

Processor will ensure that any transfer of Personal Data outside the EEA, UK, or Switzerland complies with applicable safeguards, including:

  • EU Standard Contractual Clauses (SCCs) adopted under Commission Implementing Decision (EU) 2021/914 (Module Two: Controller to Processor);
  • UK International Data Transfer Addendum to the SCCs;
  • Swiss Addendum for compliance with the Swiss Federal Act on Data Protection.

The SCCs, including relevant Appendices, are hereby incorporated into this DPA by reference. Where there is any conflict between the SCCs and the rest of this DPA, the SCCs shall prevail in respect of the data transfer.

Processor agrees to:

  • Notify Controller if it can no longer comply with the SCCs;
  • Cease processing or take reasonable steps to remediate if non-compliance is identified;
  • Provide a copy of the applicable transfer impact assessment upon reasonable request.


8. Security and Breach Notification

Processor implements commercially reasonable administrative, technical, and physical safeguards.

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach.

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, upon becoming aware of a Personal Data Breach.

The notification shall include details of the breach, including the nature of the incident, the categories and approximate number of affected Data Subjects, and the categories and volume of data involved.

The Processor shall include all information the Controller reasonably requires to comply with its obligations under applicable Data Protection Laws, including the duty to notify a Supervisory Authority or affected Data Subjects.

If all required information is not available at the time of initial notice, the Processor shall provide updates as information becomes available.


9. Records of Processing Activities

The Processor shall maintain a current written record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) of the GDPR. These records shall include:

  • The name and contact details of the Processor and any Subprocessors;
  • The categories of processing carried out;
  • Transfers of Personal Data internationally and the safeguards in place;
  • A general description of the technical and organizational security measures applied.

Such records shall be made available to the Controller or to a Supervisory Authority without undue delay.


10. Audit Rights

Controller may audit Processor’s compliance with this DPA once per year with 30 days' notice.

The audit may include review of security policies, subprocessors, and breach response capabilities, inspection of systems, and access to evidence of certifications, penetration testing, and incident response protocols.

Processor may require audits to occur remotely or through a trusted third party.

The Controller may appoint an independent third party to perform the audit, provided such party is bound by confidentiality obligations. The Controller shall give the Processor at least 30 days’ prior written notice, and audits shall be conducted during normal business hours with minimal disruption.


11. Audit Costs

Unless otherwise agreed, each Party shall bear its own costs in connection with an audit. If the audit reveals a material breach of this DPA or Data Protection Laws, Processor shall bear reasonable costs of the audit.


12. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) and prior consultations with Supervisory Authorities, where required under applicable Data Protection Laws. Such assistance shall be limited to the information necessary to demonstrate compliance and support lawful processing activities.

13. Duration and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination or expiration of the Agreement, this DPA shall automatically terminate, except for those provisions which by their nature are intended to survive, including obligations related to data return, deletion, and confidentiality.


14. Obligations Post-Termination

Upon termination or expiration of this DPA, the Processor shall, at the Controller’s election, return or securely delete all Personal Data in its possession or control within 30 days, unless otherwise required by applicable law.

The Processor shall certify deletion upon request and continue to protect any retained data under the terms of this DPA.


15. Order of Precedence

In the event of any conflict between this DPA and any other agreement between the parties, including the Agreement, the terms of this DPA shall prevail with respect to the processing of Personal Data.


16. Indemnification

Each Party shall indemnify and hold harmless the other Party against any direct losses, claims, damages, or liabilities (including legal fees) arising from or related to a breach of this DPA, to the extent caused by the indemnifying Party’s failure to comply with its obligations under this DPA or applicable Data Protection Laws.


17. Liability

Liability under this DPA is subject to the limitations set out in the Agreement.

Neither Party excludes liability where it cannot be excluded by law.


18. Miscellaneous

This DPA is governed by the same law and jurisdiction as the Agreement.

Where required by the SCCs, the governing law shall be the laws of Ireland.

If any provision is found invalid, the remainder of the DPA remains in full effect.

This DPA is incorporated into the Agreement by reference.

This DPA shall prevail in respect of all data transfer, processing, or transformation carried out on behalf of, at the direction of, and with the approval of the Controller.

Annex I – Details of the Processing (SCCs)


Subject Matter: Provision of SaaS services per the Agreement.

Duration: Term of the Agreement, unless otherwise required by law.

Nature & Purpose: Processing Personal Data as necessary to provide services under the Agreement, including ingestion, normalization, transformation, storage, and retrieval of structured datasets via API, file upload, or secure cloud integration.

Categories of Data: Contact data, credentials, system usage data, and uploaded customer content.

Data Subjects: Employees, contractors, and end users of the Controller.

Types of Personal Data: Names, email addresses, IP addresses, credentials, usage logs, customer-uploaded data, and information processed via APIs, file uploads, and cloud storage integrations.

Annex II – Security Measures (SCCs)

Role-based access controls and administrative authentication (including SSO and MFA).

Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).

Regular vulnerability scanning and penetration testing.

Segmented production and development environments.

Logging, audit trails, and real-time monitoring tools.

Business continuity and disaster recovery protocols with routine testing.

Internal security and data protection training for employees and contractors.

Incident response plan covering containment, investigation, notification, and remediation.

Secure data disposal processes (e.g., secure wiping, destruction of media) are implemented to ensure that Personal Data is irrecoverable when no longer required.


Annex III – Subprocessors (SCCs)

The Processor will use the following categories of Subprocessors:

  • Cloud Hosting Providers: Amazon Web Services, Azure, Google Cloud Platform
  • Monitoring and Logging Tools: Splunk, New Relic, Elastic
  • Support and Ticketing Systems: Salesforce Service Cloud, Ivanti, Jira
  • Authentication and Access Management: Microsoft Entra, Okta, Auth0
  • Data Ingestion, Aggregation, Visualization and Orchestration: Snowtide, Oracle, Highcharts
  • Data Integration and Data Warehousing Services: Snowflake, Databricks
  • Professional Services Contractors: EPAM; implementation consultants engaged under confidentiality

The current list of Subprocessors is maintained at: www.zema.global/subprocessors

The Processor will provide at least 30 days’ prior written notice of any new Subprocessor engagements and will allow the Controller to reasonably object based on material data protection concerns.