ZanReal Logo
Legal

Data Processing Agreement

Last updated October 18, 2025

1. Introduction

This Data Processing Addendum ("Addendum") is entered into and is supplemental to, and made pursuant to, the ZanReal Services Agreement, Enterprise Services Order Form and Enterprise Terms and Conditions or other agreement executed between ZanReal and Customer for ZanReal' provision of Services (the "Agreement") as of the effective date of such Agreement ("Effective Date") and is by and between ZANREAL Mateusz Janota, a Polish corporation ("ZanReal"), and the Customer that executed the Agreement. This Addendum applies to ZanReal' Processing of Personal Data under the Agreement across all Services including software development, marketing services, remote IT support, SEO optimization, and UI/UX design services.

Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates to the extent such Affiliates are included and covered under the Agreement with ZanReal. For the purposes of this Addendum only, and except where indicated otherwise, the term "Customer" shall include Customer and Affiliates.

This Addendum shall become legally binding upon Customer entering into the Agreement.

2. Definitions

Any terms used in this Addendum and not defined will have the meanings given to them in the applicable Agreement.

  1. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.
  2. "Applicable Data Protection Laws" means all applicable privacy and data protection laws and regulations and in each case, as amended, superseded, or replaced from time to time, including, without limitation, the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); the United Kingdom Data Protection Act 2018; the California Consumer Privacy Act of 2018 ("CCPA"); the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); and the Australian Privacy Principles and the Australian Privacy Act (1988).
  3. "Contact Data" means the Personal Data that ZanReal Processes as a controller, such as account information and payment information.
  4. "Customer Data" means the Personal Data that ZanReal Processes on behalf of Customer.
  5. "Data Subject" means the identified or identifiable natural person who is the subject of Personal Data or the meaning as set forth in Applicable Data Protection Laws, including similar terms, such as "Consumer" as used in the CCPA.
  6. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and including all "processing" as defined in any Applicable Data Protection Laws.
  7. "Personal Data" means "personal data", "personal information", "personally identifiable information" or similar information defined in and governed by Applicable Data Protection Laws.
  8. "Security Incident" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by ZanReal and/or its Subprocessors in connection with the provision of Services. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
  9. "Service-Generated Data" means usage data and metadata that is generated through the use of the Services, including data generated through the use of Support Services. This Addendum applies to Service-Generated Data to the extent Service-Generated Data constitutes Personal Data.
  10. "Services" means collectively the software development services, marketing services, remote IT support, SEO optimization services, UI/UX design services, Platform as a Service (PaaS), and any Audit and Training Services, each as defined in the Agreement.
  11. "Subprocessor" means any third-party authorized by ZanReal to Process Customer Data in assistance with fulfilling its obligations with respect to providing Services under the Agreement or this Addendum.

3. General; Termination

  1. This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will govern.
  2. Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.
  3. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
  4. This Addendum will remain in effect until, and automatically terminate upon, deletion of Customer Data as described in this Addendum.

4. Relationship of the Parties

  1. ZanReal as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer acts as a controller (or processor) and ZanReal is a processor. ZanReal will process Customer Data under and in accordance with Customer's instructions (on behalf of the controller) as outlined in Section 6 (Role and Scope of Processing).
  2. ZanReal as Controller. To the extent that any Service-Generated Data is considered Personal Data and as to any Contact Data, ZanReal is the controller with respect to such data and will Process such data in accordance with its Privacy Policy.

5. Compliance with Law

Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data.

6. Role and Scope of the Processing

  1. Customer Responsibilities. Customer is solely responsible for obtaining and maintaining all the necessary consents prior to accessing, storing, uploading, processing, or storing Customer Data in the Service. Customer has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Protection Laws, for ZanReal to lawfully process Customer Data for the purposes contemplated by the Agreement. Customer has complied with all applicable laws, rules, and regulations, including Applicable Data Protection Laws, in the collection and provision to ZanReal and its Subprocessors of such Customer Data.
  2. Customer Instructions. ZanReal will Process Customer Data only in accordance with Customer's documented, lawful instructions on behalf of the controller, except to the extent required by Applicable Data Protection Laws to which ZanReal is subject or where ZanReal becomes aware or believes that Customer's instructions violate Applicable Data Protection Laws, in which case ZanReal will notify Customer. By entering into the Agreement, Customer instructs ZanReal to Process Customer Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing by ZanReal as constituting instructions for purposes of this Addendum. Customer acknowledges and agrees that such instruction authorizes ZanReal to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; and (c) does not conflict with the instructions given to the Customer by the controller to Process Customer Data.

7. Subprocessing

  1. Customer specifically authorizes ZanReal to use its Affiliates as Subprocessors, and generally authorizes ZanReal to engage Subprocessors to Process Customer Data. In such instances, ZanReal: (i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause ZanReal to breach any of its obligations under this Addendum.
  2. A list of ZanReal' Subprocessors, including their functions and locations, is available at zanreal.com/security, and may be updated by ZanReal from time to time in accordance with this Addendum.
  3. Customer must email privacy@zanreal.com or other method as communicated by ZanReal to Customer in the future, to subscribe to notice of new Subprocessors that will be engaged. ZanReal will notify Customer by updating the list of Subprocessors and, if Customer has subscribed to notices as set forth in the preceding sentence, via email. If, within five (5) calendar days after such notice, Customer notifies ZanReal in writing that Customer objects to ZanReal' appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering document.

8. Security

  1. Security Measures. ZanReal will implement and maintain technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with ZanReal' security standards referenced in the Agreement ("Security Measures"). For more information on ZanReal' security measures please see our Security FAQs at </security>.
  2. Customer Responsibility.
    1. Customer is responsible for reviewing the information made available by ZanReal relating to data security and making an independent determination as to whether the Services meet Customer's requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures provide a level of security appropriate to the risk in respect of the Customer Data and that they may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease ZanReal' obligations as compared to those reflected in such terms as of the Effective Date).
    2. Customer agrees that, without limitation of ZanReal' obligations under this Section 8, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer's systems and devices that it uses with the Services; and (d) maintaining its own backups of Customer Data.
  3. Security Incident. Upon becoming aware of a confirmed Security Incident, ZanReal will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of ZanReal' legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notice to Customer will describe, to the extent possible, (a) the details of the Security Incident as known or as reasonable requested by Customer, and (b) the steps taken, deemed necessary and reasonable by ZanReal, to mitigate the potential risks, to the extent that the remediation is within ZanReal' reasonable control. Without prejudice to ZanReal' obligations under this Section 8.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. ZanReal' notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgment by ZanReal of any fault or liability with respect to the Security Incident. These obligations will not apply to Security Incidents to the extent they are caused by Customer.

9. Audits and Reviews of Compliance

The parties acknowledge that Customer must be able to assess ZanReal' compliance with its obligations under Applicable Data Protection Laws and this Addendum, insofar as ZanReal is acting as a processor on behalf of Customer.

  1. ZanReal' Audit Program. ZanReal uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. Such audits (e.g., SOC 2 Type 2) are performed at least once annually at ZanReal' expense by independent, third-party security professionals at ZanReal' selection and result in the generation of a confidential audit report ("Audit Report"). For more information on ZanReal' security measures please see Schedule 2.
  2. Customer Audit. Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, ZanReal will make available to Customer a copy of ZanReal' most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports.

10. Impact Assessments and Consultations

ZanReal will provide reasonable cooperation to Customer, to the extent Customer does not otherwise have access to the relevant information and such information is available to ZanReal, in connection with any data protection impact assessment (at Customer's expense only if such reasonable cooperation will require ZanReal to assign significant resources to that effort) or consultations with regulatory authorities as required by Applicable Data Protection Laws.

11. Data Subject Requests

ZanReal will upon Customer's request (and at Customer's expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If ZanReal receives a request from a Data Subject in relation to the Processing of their Customer Data, ZanReal will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

12. Return or Deletion of Customer Data

  1. Customers may delete or export Customer Data at any time while using the Services in a manner consistent with the functionality of the Service. Termination or expiration of the Agreement serves as instruction for ZanReal to delete all Customer Data within a commercially reasonable timeframe.
  2. Notwithstanding the foregoing, Customer understands that ZanReal may retain Customer Data if required by law, and such data will remain subject to the requirements of this Addendum.

13. International Provisions

  1. Processing in the United States. Customer acknowledges that, as of the Effective Date, ZanReal' primary processing facilities are in the United States. Notwithstanding the foregoing, Customer acknowledges that ZanReal may in connection with the provision of Services, need to transfer and process Customer Data to and in the United States and anywhere else in the world where ZanReal or its Subprocessors maintain data processing operations. ZanReal will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this Addendum.
  2. Jurisdiction Specific Terms. To the extent that ZanReal Processes Customer Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this Addendum.
  3. Cross Border Data Transfer Mechanism. To the extent that Customer's use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland or any other jurisdiction listed in Schedule 3) to ZanReal located outside of that jurisdiction (a "Transfer Mechanism"), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

Schedule 1

Subject Matter & Details of Processing

1. Nature and Purpose of the Processing

ZanReal will process Personal Data as necessary to provide the Services under the Agreement. ZanReal does not sell Customer Data (or end user information within such Customer Data) and does not share such end users' information with third parties for compensation or for those third parties' own business interests.

  1. Customer Data. ZanReal will process Customer Data as a processor in accordance with Customer's instructions as outlined in Section 6.a (Customer Instructions) of this Addendum.
  2. Service-Generated Data and Contact Data. ZanReal will process Service-Generated Data and Contact Data as a controller for the purposes outlined in Section 4.b (ZanReal as Controller) of this Addendum.

2. Processing Activities

  1. Customer Data. Customer Data will be subject to the following basic processing activities: the provision of Services and disclosures in accordance with the Agreement and/or as compelled by applicable laws.
  2. Service-Generated Data and Contact Data. Personal Data contained in Service-Generated Data and/or Contact Data will be subject to the following processing activities by ZanReal: ZanReal may use Service-Generated Data and/or Contact Data to operate, improve and support the Services, to provide marketing and service-related messages and for other lawful business practices, such as analytics, benchmarking and reporting.

3. Duration of the Processing

The period for which Personal Data will be retained and the criteria used to determine that period is as follows:

  1. Customer Data. Prior to the termination of the Agreement, ZanReal will Process Customer Data in accordance with sections 3 and 12 of this Addendum.
  2. Service-Generated Data and Contact Data. Upon termination of the Agreement, ZanReal may retain, use, and disclose Service-Generated Data and/or Contact Data for the purposes set forth above in Section 2.b (Service-Generated Data and Contact Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. ZanReal will anonymize or delete Personal Data contained within Service-Generated Data and/or Contact Data when ZanReal no longer requires it for the purpose set forth in Section 2.b (Service-Generated Data and Contact Data) of this Schedule 1.

4. Categories of Data Subjects

  1. Customer Data. Individuals whose Personal Data is included in Customer Data.
  2. Service-Generated Data and Contact Data. Customer's authorized users with access to a ZanReal account, customers, suppliers, and end users.

5. Categories of Personal Data

  1. Customer Data. The categories of Customer Data are: any Customer Data that Customer, or third parties acting on their behalf, may submit to ZanReal in connection with the performance of the Service, to the extent of which is exclusively determined and controlled by the Customer, such as IP address and system configuration information.
  2. Service-Generated Data and Contact Data. ZanReal processes Personal Data within Service-Generated Data and/or Contact Data, such as name, email address, phone number, account preferences, and content of communications with Support Services.

6. Sensitive Data or Special Categories of Data

  1. Customer Data. Customers are prohibited from including sensitive data or special categories of data in Customer Data.
  2. Service-Generated Data and Contact Data. Sensitive data is not contained in Service-Generated Data and/or Contact Data.

Schedule 2

Technical & Organizational Security Measures

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding ZanReal' technical and organizational security measures set forth below.

1. Measures of pseudonymization and encryption of personal data

ZanReal maintains Customer Data in an encrypted format at rest using Advanced Encryption Standard (AES-256) and in transit (TLS 1.2 or higher).

2. Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services

ZanReal' Customer agreements contain strict confidentiality obligations. Additionally, ZanReal requires Subprocessors to sign confidentiality provisions that are substantially similar to those contained in ZanReal' Customer agreements. All employees (and contractors) are bound by ZanReal' internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.

The Services operate on Amazon Web Services ("AWS"), Microsoft Azure ("Azure"), and Google Cloud Platform ("GCP") and are protected by the security and environmental controls of Amazon and Google, respectively. The infrastructure for the ZanReal Services spans multiple, fault-independent AWS availability zones in geographic regions physically separated from one another, supported by various tools and processes to maintain high availability of services.

ZanReal performs regular backups of Customer Data, which is hosted in AWS, Microsoft Azure, and GCP data centers. Backups are globally replicated for resiliency against regional disasters and periodically tested by the ZanReal engineering team.

Employees complete mandatory training annually, which covers privacy and data protection, confidentiality, social engineering, password policies, and information security.

3. Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident

ZanReal performs regular backups of Customer Data, which is hosted in AWS, Microsoft Azure, and GCP data centers. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.

ZanReal has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning, and threat analysis.

4. Processes for regular testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of processing

ZanReal maintains a risk-based assessment security program. The framework for ZanReal' security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. ZanReal' security program is intended to be appropriate to the nature of the Services and the size and complexity of ZanReal' business operations.

ZanReal has a separate and dedicated security team that manages ZanReal' security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program (e.g., SOC 2 Type 2, penetration testing, and vulnerability scanning).

ZanReal' security governance program covers: Policies and Procedures, Asset Management, Access Management, Data Handling, Encryption, Logging & Monitoring, Password Management, Personnel Security, Resiliency, Responsible Disclosure, Risk Assessment, Vendor Risk Management, Vulnerability, SDLC, Incident Response, Business Continuity & Crisis Management, Acceptable Use and Code of Conduct. Information security policies and standards are reviewed and approved by management at least annually and are made available to all employees.

Security is managed at the highest levels of the company, with security and technology leadership meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.

5. Measures for user identification and authorization

ZanReal personnel are required to use unique user access credentials and passwords for authorization. ZanReal follows the principles of least privilege through role-based and time-based access models when provisioning system access. ZanReal personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval prior to access provisioning. Employee access to Customer Data is promptly removed upon role change or termination.

ZanReal uses commercially reasonable practices to identify and authenticate users who attempt to access ZanReal systems.

6. Measures for the protection of data during transmission

Customer Data is encrypted when in transit between Customer and the ZanReal Services.

7. Measures for the protection of data during storage

Customer Data is stored encrypted using AES-256. ZanReal uses AWS Key Management System ("KMS") to encrypt data in our infrastructure. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect keys that cannot be retrieved from the service by anyone or transmitted beyond the AWS regions where they were created. AWS log-in credentials and private keys generated by the Service are for ZanReal' internal use only.

8. Measures for ensuring physical security of locations at which personal data are processed

ZanReal is a remote-first organization with limited physical presence globally. As needed, physical security controls for office space are inherited from our co-working office provider, which manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security.

The Services operate on AWS, Microsoft, and GCP and are protected by the security and environmental controls of Amazon, Microsoft, and Google, respectively.

Detailed information about AWS security is available at:

For AWS SOC Reports, please see:

Detailed information about Azure security is available at:

Detailed information about GCP security is available at:

9. Measures for ensuring events logging

ZanReal monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is centralized by the security team. Log activities are investigated when necessary and escalated appropriately.

User activity metrics are available to Customers within the Services. For further information, visit /settings/activity.

10. Measures for ensuring systems configuration, including default configuration

ZanReal applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new Services are deployed; and (b) annual penetration testing by independent third parties.

ZanReal adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. Monitors are in place to notify the security team of changes made to critical infrastructure and services that do not adhere to the change management processes.

11. Measures for internal IT and IT security governance and management

ZanReal maintains a risk-based assessment security program. The framework for ZanReal' security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. ZanReal' security program is intended to be appropriate to the nature of the Services and the size and complexity of ZanReal' business operations.

ZanReal has a separate and dedicated Information Security team that manages ZanReal' security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program (e.g., SOC 2 Type 2, penetration testing, and vulnerability scanning).

ZanReal' security governance program covers Policies and Procedures, Asset Management, Access Management, Data Handling, Encryption, Logging & Monitoring, Password Management, Personnel Security, Resiliency, Responsible Disclosure, Risk Assessment, Vendor Risk Management, Vulnerability, SDLC, Incident Response, Business Continuity & Crisis Management, Acceptable Use and Code of Conduct. Information security policies and standards are reviewed and approved by management at least annually and are made available to all employees.

Security is managed at the highest levels of the company, with security and technology leadership meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.

12. Measures for certifications/assurance of processes and products

ZanReal conducts various third-party audits to attest to various frameworks including SOC 2 Type 2 and annual application penetration testing.

AWS, Azure, and GCP have achieved: SOC 1, 2, and 3; ISO 27001, 27017, 27018, 27701, and 9001; Cloud Security Alliance Security, Trust, Assurance and Risk (CSA STAR); FedRAMP; and use FIPS 140-2 validated cryptographic modules, in addition to meeting compliance standards for many other legal, security, and privacy frameworks. Further information about these providers' security practices can be found on their respective websites.

13. Measures for ensuring data minimization

ZanReal Customers unilaterally determine what Customer Data they route through the ZanReal Services and how the Services are configured. As such, ZanReal operates on a shared responsibility model. ZanReal provides tools within the Services that gives Customers control over exactly what data enters the platform and enables Customers with the ability to block data at the Source level. Additionally, ZanReal allows Customers to delete and suppress Customer Data on demand.

14. Measures for ensuring data quality

ZanReal has a three-fold approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of logic used to make API calls, (ii) volume testing to ensure the code is able to scale, and (iii) daily end-to-end testing to ensure that the input values match expected values. ZanReal applies these measures across the board, both to ensure the quality of any Service-Generated Data that ZanReal collects and to ensure that the ZanReal Services are operating in accordance with the documentation.

Each ZanReal Customer chooses what Customer Data they route through the ZanReal Services and how the Services are configured. As such, ZanReal operates on a shared responsibility model. ZanReal ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data leaves ZanReal to flow to a downstream destination.

ZanReal has a process that allows individuals to exercise their privacy rights, as described in ZanReal' Privacy Notice available at Privacy Policy.

15. Measures for ensuring limited data retention

ZanReal Customers unilaterally determine what Customer Data they route through the ZanReal Services and how the Services are configured. As such, ZanReal operates on a shared responsibility model. Customers have the ability to delete Customer Data via the self-service functionality of the Services. ZanReal will, within a commercially reasonable timeframe after request by Customer following the termination or expiration of the Agreement, delete all Customer Data from ZanReal' systems, unless required by law.

16. Measures for ensuring accountability

ZanReal has adopted measures for ensuring accountability, such as implementing data protection policies across the business, publishing ZanReal' Information Security Policy (available at /security), maintaining documentation of processing activities, and recording and reporting Security Incidents involving Personal Data. ZanReal conducts regular third-party audits to ensure compliance with our privacy and security standards.

17. Measures for allowing data portability and ensuring erasure

ZanReal' Customers have direct relationships with their end users and are responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws.

ZanReal has self-service functionality that allows Customers to delete and suppress their Customer Data.

ZanReal specifies in the Addendum that it will provide assistance to such Customer as may reasonably be required to comply with Customer's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). If ZanReal receives a request from a Data Subject in relation to their Customer Data, ZanReal will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

ZanReal has a process that allows individuals to exercise their privacy rights, as described in ZanReal' Privacy Notice available at Privacy Policy.

18. For transfers to [sub]-processors, also describe the specific technical and organisational measures to be taken by the [sub]-processor to be able to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the data exporter

When ZanReal engages a Subprocessor under this Addendum, ZanReal and the Subprocessor enter into an agreement with data protection terms substantially similar to those contained herein. Each Subprocessor agreement must ensure that ZanReal is able to meet its obligations to Customer. In addition to implementing technical and organisational measures to protect personal data, Subprocessors must a) notify ZanReal in the event of a Security Incident so ZanReal may notify Customer; b) delete data when instructed by ZanReal in accordance with Customer's instructions to ZanReal; c) not engage additional Subprocessors without authorization; d) not change the location where data is processed; or e) process data in a manner which conflicts with Customer's instructions to ZanReal.

Schedule 3

Cross Border Data Transfer Mechanism

1. Definitions

  1. "Standard Contractual Clauses" means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.
  2. "UK IDTA" means the UK international data transfer addendum (Schedule 5).

2. Transfer Mechanism for EEA, UK, and Switzerland

  1. Standard Contractual Clauses. To the extent that Customer's use of the Services requires an onward transfer mechanism to lawfully transfer personal data from the EEA, UK, or Switzerland to ZanReal located outside of those jurisdictions, the Standard Contractual Clauses will apply to such transfers. The parties agree that: a. Customer is the data exporter and ZanReal is the data importer; b. The subject matter, duration, nature and purpose of the processing, categories of data subjects, and categories of personal data are set out in Schedule 1; c. The technical and organizational measures are set out in Schedule 2; d. Any Subprocessor arrangements will be governed by the terms of this DPA; e. The parties will comply with the Standard Contractual Clauses as if they were directly incorporated into this DPA.

  2. UK International Data Transfer Addendum. For transfers of personal data from the UK, the UK IDTA set out in Schedule 5 will apply.

3. Changes to Transfer Mechanisms

ZanReal will notify Customer of any changes to applicable transfer mechanisms and work with Customer to implement any necessary updates to ensure continued compliance with applicable laws.

Schedule 4

Jurisdiction Specific Terms

1. European Union and European Economic Area

  1. GDPR Compliance. Where ZanReal processes personal data subject to the GDPR, ZanReal will comply with the obligations of a processor under the GDPR.

  2. Data Protection Officer. Customer may contact ZanReal' Data Protection Officer at privacy@zanreal.com.

  3. Supervisory Authority. The competent supervisory authority is the supervisory authority of the Member State in which Customer has its main establishment or, if Customer has no establishment in the EU, the supervisory authority in the Member State where Customer's representative is established.

2. United Kingdom

  1. UK GDPR Compliance. Where ZanReal processes personal data subject to the UK GDPR, ZanReal will comply with the obligations of a processor under the UK GDPR.

  2. UK Representative. If required by applicable law, ZanReal will appoint a UK representative and provide Customer with the representative's contact information.

3. Switzerland

  1. Swiss Data Protection Compliance. Where ZanReal processes personal data subject to Swiss data protection laws, ZanReal will comply with applicable Swiss data protection requirements.

4. California, United States

  1. CCPA Compliance. Where ZanReal processes personal information subject to the California Consumer Privacy Act (CCPA), ZanReal will: a. Process personal information only as a service provider; b. Not sell personal information; c. Not retain, use, or disclose personal information for any purpose other than performing the services specified in the Agreement; d. Provide the same level of privacy protection as required by the CCPA.

5. Canada

  1. PIPEDA Compliance. Where ZanReal processes personal information subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), ZanReal will comply with applicable requirements.

6. Australia

  1. Privacy Act Compliance. Where ZanReal processes personal information subject to the Australian Privacy Act 1988, ZanReal will comply with the Australian Privacy Principles.

Schedule 5

UK International Data Transfer Addendum

Part 1: Tables

Table 1: Parties

Start dateThe date this Addendum enters into force
The PartiesData exporter: Customer (as data controller or processor) and Data importer: ZanReal (as processor)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCsThe version of the Approved EU SCCs which this Addendum is appended to
ModuleModule Two (controller to processor) and/or Module Three (processor to processor) as applicable

Table 3: Appendix Information

AppendixInformation
Annex 1A: List of PartiesAs set out in Schedule 1
Annex 1B: Description of TransferAs set out in Schedule 1
Annex II: Technical and organisational measuresAs set out in Schedule 2
Annex III: List of Sub processorsAs set out at zanreal.com/security

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19: Customer and ZanReal

Part 2: Mandatory Clauses

  1. Interpretation of this Addendum. This Addendum forms part of the Agreement and must be read together with the Standard Contractual Clauses. This Addendum does not modify the Standard Contractual Clauses except where specified.

  2. Hierarchy. In case of conflict, this Addendum prevails over the Agreement but does not prevail over the Standard Contractual Clauses.

  3. Incorporation of and changes to the EU SCCs. This Addendum incorporates the Standard Contractual Clauses which are amended to the extent necessary so that: a. Together they operate for data transfers made by the data exporter to the data importer, to the extent that such transfers are subject to the Data Protection Laws of the United Kingdom; b. The Standard Contractual Clauses taken together with this Addendum provide appropriate safeguards pursuant to the Data Protection Laws of the United Kingdom.

  4. Interpretation of this Addendum. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms shall have the same meaning as in the Standard Contractual Clauses. Additionally, the following terms have the following meanings: a. "Addendum" means this UK International Data Transfer Addendum; b. "Approved Addendum" means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022; c. "Data Protection Laws" means all applicable data protection and privacy laws including the Data Protection Act 2018 and the UK GDPR; d. "ICO" means the Information Commissioner's Office; e. "UK" means the United Kingdom of Great Britain and Northern Ireland; f. "UK GDPR" means the UK General Data Protection Regulation.

Previous Versions

The previous versions of our Policies and other documents can be seen at GitHub