Data processing addendum

Last Updated: November 2023


Definitions

personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

representative” means a natural or legal person established in the Union who, designated by the controller or processor in writing under Article 27, represents the controller or processor about their respective obligations under this Regulation;

supervisory authority” means an independent public authority which is established by a Member State under Article 51;

Zelt” means Zelt Technology Limited (12881631), residing at 14a Lowndes Street, London, SW1X 9EX

UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland has the meaning given by the European Union (Withdrawal) Act 2018.

EU GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council;

European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;

Data Protection Laws” means to the extent that UK GDPR applies, the law of the United Kingdom or a part thereof which relates to the protection of personal data; or to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Zelt is subject, which relates to the protection of personal data.

Preamble

The protection and careful handling of personal data obtained is the highest priority of Zelt.

This DPA is between the Zelt entity and the entity identified as the Customer in a completed Order Form or via the Zelt platform.

1 An agreement pursuant to Art 28 GDPR

1.1 This section regulates the rights and obligations pursuant to Art 28 GDPR in connection with the processing of personal data by one Party on behalf of another Party and applies only to the agreed data processing activities.

2 Data Processing

2.1 The processing activities to be carried out by Zelt on behalf of the Customer, their purposes and means, and the types and categories of data shall be set out in Annex 1, but furthermore may also be taken from the Master Subscription Agreement (for the purpose of which this Agreement was first concluded) or new contracts between the Parties (further referred to as the “Master Subscription Agreement”).

3 Obligations of Zelt

3.1 Zelt will process data and processing results exclusively within the framework of the Master Subscription Agreement. If an order of authority is placed with Zelt to submit data of the Customer, the Processor will inform the Customer insofar as this is legally permissible and shall refer the authority to the Customer.

3.2 If in Zelt’s opinion, an instruction of the Customer is unlawful based on national or European law provisions, Zelt must inform the Customer without delay.

3.3 The subsequent use of data by a third party is strictly forbidden, except when it is necessary to provide the service defined in the Master Subscription Agreement.

3.4 Zelt is obliged to process the data in line with the GDPR and other relevant laws, regulations and general legislation pertaining to data protection.

3.5 Zelt is obliged to properly document the data collection, the data processing, and the usage of data.

4 Obligations of the Customer

4.1 Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.

4.2 In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Personal Data and the means by which you acquired it; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorisations (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws). You will inform us without undue delay if you are not able to comply with your responsibilities under this section or applicable Data Protection Laws.

4.3 You are responsible for independently determining whether the data security provided for in Zelt’s Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of Zelt’s Services, including protecting the security of Personal Data in transit to and from the Service (including to securely backup or encrypt any such Personal Data).

5 Data secrecy and confiscation of data

5.1 Zelt must follow all relevant secrecy duties which arise from law and this Agreement, especially the confidentiality duty of Art 28 (3) lit b GDPR.

5.2 Zelt must bind all persons handling the data to confidentiality and secrecy before commencing activities under this Agreement. The confidentiality obligation of the persons commissioned with the data handling remains in effect, even after the end of their activity and after ceasing employment with Zelt. Zelt also ensures that rules are in place, which guarantees the confidentiality and security of data when third parties authorised by them access the data.

5.3 If the Customer’s data at Zelt is to be jeopardised by seizure or confiscation, insolvency or settlement proceedings or other events or measures by third parties, or if there is a risk of a significant change in the ownership structure of Zelt, Zelt must inform the Customer immediately. Zelt will immediately inform all persons involved in this context that the sovereignty of the data lies with the Customer.

6 Technical and organisational measures

6.1 Zelt guarantees the security and therefore confidentiality, integrity and availability of the data in accordance with Art 28 (3) lit c and Art 32 GDPR, and in particular also in connection with Art 5 (1) lit f and (2) GDPR. With this in mind, Zelt has taken technical and organisational measures to ensure data security and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and resilience of the systems. Zelt assures that it has taken into account the state of the art, the type, scope and purposes of the processing, as well as the different probability of occurrence and severity of the risks for the rights and freedoms of natural persons within the meaning of Art 32 (1) GDPR. Zelt ensures a level of security that does justice to the risks arising from the processing and the type of data to be protected.

6.2 Zelt has laid down the technical and organisational measures in Annex 2

7 Data Subject Rights

7.1 The right to erasure (right to be forgotten), the right to rectification, the right to restriction of processing, the right to data portability and the right to access (these are the rights mentioned in Chapter III of the GDPR) must be ensured directly by the Customer. Nevertheless, Zelt will support the Customer in fulfilling these rights and ensure that the Customer can comply with requests within the statutory deadlines. In consequence, Zelt must send all necessary information no later than 10 days to the Customer upon request.

7.2 Zelt may not give access, correct, delete, or restrict the processing of the data processed without the authorisation of the Customer. If a data subject contacts Zelt directly in this regard, Zelt will immediately forward this request to the Customer and also notify the data subject regarding the request redirection.

7.3 Concerning the right to data portability, Zelt is obliged, depending on the instructions of the Customer, to provide the data in a structured, common and machine-readable format – which is determined by the Customer – either directly to the person concerned or to the Customer, or to a named controller.

8 Obligations according to Art 32 – 36 GDPR

8.1 Zelt supports the Customer in complying with all obligations relating to the security of personal data as specified in Articles 32-36 GDPR, comprising, inter alia, reporting obligations in the event of a breach of the protection of personal data, data protection impact statements, and prior consultations. This support with the obligations in Articles 32-36 GDPR includes, among others, the following obligations of the Zelt:

8.1.1 Ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing, as well as the forecast probability and severity of a possible violation of the relevant legislative provisions due to security gaps and enable relevant violations to be identified immediately.

8.1.2 The obligation to inform the Customer immediately, and at the latest within 24 hours upon becoming aware (including on weekends and public holidays), after circumstances that indicate violations of the protection of personal data become known, and to provide all documents and information about them; this duty of Zelt is in any case independent of whether there is a specific risk to the rights and freedoms of natural persons; Zelt acknowledges that there is an indication of a violation of the protection of personal data even when it comes to accidents or accidental behaviour that could result in disclosure to or access by third parties;

8.1.3 The obligation to support the Customer within the scope of his duty to inform the supervisory authority and/or the affected data subject and to provide the Customer with all relevant information immediately in this context.

8.1.4 The obligation to support the Customers’ data protection impact assessment in the context of prior consultations with the supervisory authority.

8.2 Notwithstanding the obligations laid down, Zelt shall never notify a supervisory authority of a data breach except for an explicit legal requirement.

9 Sub-Processors

9.1 Sub-Processors (the “sub-contracting relationships” or “sub-contracting processors”) within the meaning of this Agreement provide those services which relate directly to the provision of the services laid out in the Master Subscription Agreement. The Customer hereby authorises Zelt to engage affiliates and other Sub-processors to Process Customer Personal Data in accordance with the provisions within this DPA and Data Protection Laws. A current list of Zelt’s Sub-processors can be found in Annex 1 and Zelt’s Sub-processor List . The Customer acknowledges and agrees that Zelt’s use of such Sub-processors satisfies the requirements of this DPA.

9.2 Outsourcing to Sub-Processors or changing existing Sub-Processors is only permitted if a contractual agreement in accordance with Article 28 (2) to (4) GDPR is used, and Zelt has imposed the same data protection obligations as laid out in this Agreement on the Sub-Processor. Zelt is still liable for compliance with the obligations under this Agreement and the applicable data protection regulations, despite the engagement of a Sub-Processor.

9.3 Zelt will only outsource data processing or engage a Sub-Processor outside of the UK or EEA (European Economic Area) if the third-party country has adequate data protection in accordance with Art 45 GDPR, if standard data protection clauses (as per the latest version of the SCCs published by the European Commission) are concluded in accordance with Art 46 (2) lit c and lit d GDPR, binding corporate rules in accordance with 46 (2) lit b in conjunction with 47 GDPR, or other measures in accordance with Art 46 Paragraph 2 GDPR make the outsourcing legally compliant.

9.4 Zelt shall maintain an up-to-date list of its Sub-processors in Annex 1. The Customer should refer to Annex 1 regularly. The Customer may also sign up to receive notification of new Sub-processors by emailing hello@zelt.app with the subject “Subscribe to New Sub-processors.” Once the Customer has signed up to receive new Sub-processor notifications, Zelt will then provide the Customer with notice of any new Sub-processor before authorising such new Sub-processor to Process Customer Personal Data and allow the Customer ten days to submit a legitimate, good-faith objection to such new Sub-processor(s) from Customer’s receipt of Zelt’s notice. In the objection, the Customer shall explain its reasonable grounds for such objection. In the event of such an objection, the parties will work together in good faith to resolve the grounds for the objection. If the parties cannot resolve the objection within a reasonable period, which shall not exceed thirty days, either party may terminate the Master Subscription Agreement by providing notice to the other party. Zelt may replace a Sub-processor if the need for the change is urgent and necessary to provide the Services. In such instance, Zelt shall notify the Customer of the replacement as soon as reasonably practicable, and the Customer shall retain the right to object to the replacement Sub-processor.

10 Inspection and Audit rights

10.1 Providing the Customer gives Zelt 30 days’ notice; they are granted the right to inspect and control the data processing equipment, files and documents required for processing the personal data, which is processed on its behalf. Under no circumstances shall such audits or investigative activities disclose personal data, which is processed by the Processor on behalf of other Controllers (other Customers). The Customer is authorised to carry out these inspections by itself or to have them carried out by an expert (e.g. an IT forensics provider).

10.2 Providing the Customer gives Zelt 30 days’ notice, the Customer also has the right to inspect the records of the processing activities of the Processor (Art 30 (2) GDPR), where these records concern processing activities performed on behalf of the Customer.

10.3 Zelt ensures that the Customer can check the compliance in regard to the obligations of the processor according to Art 28 GDPR and provides all information for this without explicit request by the Customer. Zelt will also provide the Customer, upon request, with the information and documents required to carry out the inspections and otherwise to monitor compliance with the obligations specified in this Agreement and, to demonstrate the implementation of the technical and organisational measures. Evidence of such measures, which do not only concern the specific processing, can be provided by:

10.3.1 compliance with approved codes of conduct in accordance with Art 40 GDPR;

10.3.2 certification according to an approved certification procedure in accordance with Art 42 GDPR;current attestations, reports or report excerpts from independent bodies (e.g.: auditors, auditors, data protection officers, IT security departments, data protection auditors, quality auditors);

10.3.3 appropriate certification through IT security or data protection audits (e.g.: BSI standards).

10.4 Zelt has to grant the data protection authority access to the premises where the relevant data processing occurs, and data processing systems are located at the Customer’s request and have to provide the necessary support.

11 Indemnification

11.1 The Customer will indemnify Zelt in respect of all liabilities, costs and expenses suffered or incurred by Zelt in its capacity as Processor of the Personal Data of the Customer arising from (i) any Security Breach in the terms of this Agreement if such Security Breach was caused by the Customer or (ii) any negligent act or omission by the Customer in the exercise of the rights granted to it under the Applicable Law provided that:

11.1.1 Zelt, within reasonable time, notifies the Customer of any actions, claims or demands brought or made against it;

11.1.2 Zelt will not compound, settle or admit to any actions, claims or demands without the consent of the Customer except by order of a court of competent jurisdiction;

11.1.3 the Customer shall be entitled at its own cost to defend or settle any proceedings;

11.1.4 unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Customer’s maximum aggregate liability under this DPA shall, in no case exceed the total of one times annual subscription fees

11.1.5 nothing in this DPA shall restrict or interfere with the Customer’s rights against the Processor or any other person in respect of contributory negligence.

11.2. Zelt’s right to claim damages shall be forfeited if Zelt fails to give written notice of any damages that may be sustained as aforesaid within ten business days from the occurrence and knowledge thereof or commences to make good such damages before written notice is given as aforesaid.

11.3 Nothing in this Clause shall lead to a liability of the Customer for acts or omissions of Zelt on its own accord and independently of the instructions given to it by the Customer. Therefore, this clause shall not apply to any liabilities, costs or expenses that have arisen solely out of negligence or wilful act, default or omission of Zelt, its employees, contractors, sub-contractors or any other person outside the Customer’s control.

11.4 Zelt will indemnify the Customer in respect of all liabilities, costs and expenses suffered or incurred by the Controller in its capacity as controller of the data of the Processor arising from (i) any Security Breach in the terms of this Agreement if such Security Breach was caused by the Processor or (ii) any negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law provided that:

11.4.1 The Customer, within reasonable time, notifies Zelt of any actions, claims or demands brought or made against it concerning any alleged Security Breach;

11.4.2 Zelt shall be entitled at its own cost to defend or settle any proceedings;

11.4.3 Unless otherwise restricted or limited by any legislation in the applicable jurisdiction, Zelt’s maximum aggregate liability under this DPA shall, in no case exceed the total of one times annual subscription fees

11.4.4 Nothing in this DPA shall restrict or interfere with Zelt’s rights against the Customer or any other person in respect of contributory negligence.

11.5 In the event of a breach of this DPA caused by the actions of a sub-processor, Zelt shall assign the right to the Customer to take action under the sub-processor contract as it deems necessary in order to protect and safeguard Personal Data. Zelt acknowledges and agrees that it shall remain liable to the Customer for any breach of the terms of this DPA or any sub-processor contract by any sub-processor and other subsequent third-party processors appointed by it.

12 Return and deletion of Data

12.1 Zelt will at 12 months after the contractual relationship has ended or due to any earlier written request from the Customer, delete or return Personal Data, save for when the law requires a longer data retention period.

13 Contract duration and termination

13.1 This contract is automatically terminated upon termination of the Master Subscription Agreement.

14 Miscellaneous

14.1 Amendments: Zelt reserves the right to occasionally amend this DPA by posting a revised version on Zelt’s website and notifying the Customer. Changes are effective 30 days from Zelt notifying the Customer. The customer has 30 days from receipt of Zelt’s notice to submit a legitimate, good-faith objection to the amendment. In the objection, Customer shall explain its reasonable grounds for such objection. In the event of such objection, the parties will work together in good faith to resolve the grounds for the objection. If the parties are unable to resolve the objection within a reasonable time period, which shall not exceed 30 days, either party may terminate the Master Subscription Agreement by providing notice to the other party. If the Customer doesn’t object to the amendments within 30 days, the new DPA will take effect.

14.2 Governing law: This Agreement and the relations between the Parties (insofar as they relate directly or indirectly to this Agreement) are governed by English law.

14.3 Disputes and Jurisdiction: If disputes arise, the Parties shall endeavour to find an amicable solution first. In case of failure, all disputes arising out of or relating to this Agreement shall be settled solely in the courts of England.

ANNEX 1 – Personal Data processed on behalf of the Customer

1 Description and Purpose of the Processing

1.1 As an HR software provider, Zelt processes personal data on behalf of their customers in order to facilitate various HR functions such as employee management, payroll and benefits administration. The processing of personal data by Zelt is governed by the GDPR and other relevant privacy laws.

2 The purpose of processing personal data by Zelt includes.

2.1 Employee management: Zelt processes personal data such as employee contact information, employment status, salary and benefits information, and performance evaluations to manage employee records and enable effective HR management.

2.2 Payroll and benefits administration: Zelt processes personal data such as employee bank account information, tax information and benefits enrolment data to facilitate payroll and benefits administration.

2.3 Reporting and analytics: Zelt may analyse and aggregate personal data to generate reports and analytics to help customers make informed HR decisions.

2.4 Zelt is committed to protecting the personal data of its customers and their employees and has implemented appropriate technical and organisational measures to ensure the security and confidentiality of personal data.

3 Categories of Data Subjects and Personal Data

3.1 As an HR software provider, Zelt processes personal data related to various categories of data subjects, which typically include:

3.2 Employees: Zelt processes personal data related to current and former employees of its customers, such as contact information, employment history, job performance, payroll and benefits information, and tax information.

3.3 Job applicants: Zelt processes personal data related to job applicants who apply for positions with its customers, such as contact information, education, work experience, and other information submitted as part of the application process.

3.4 Contractors and consultants: Zelt may process personal data related to contractors and consultants who provide services to its customers, such as contact information, job performance, and payment information.

3.5 Customers: Zelt may process personal data related to its customers, such as contact information and billing information.

3.6 Partners and suppliers: Zelt may process personal data related to its partners and suppliers, such as contact information and payment information.

3.7 Other individuals: Zelt may process personal data related to other individuals who interact with its customers, such as emergency contacts or references provided by employees or job applicants.

3.8 It is important to note that the specific categories of data subjects may vary depending on the services provided by Zelt and the needs of its customers.

4 List of Sub-Processors

4.1 Amazon Web Services EU&UK
4.2 Google Cloud EMEA Limited
4.3 Staffology Limited
4.4 Yapily Ltd
4.5 Mitsogo Inc.
4.6 June Inc.
4.7 Zinc Work Limited

ANNEX 2 – Technical and Organisational Measures

1 Zelt warrants and undertakes in respect of all the Personal Data that is Processes on behalf of the Controller that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organisational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

2 Such measures shall include but are not limited to, physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control, availability measures, and data separation

3 Zelt shall provide the Controller, upon request, with adequate proof of compliance (e.g. the relevant parts of the Processor’s agreements with its data centre provider).

4 For more detailed information on the latest state-of-the-art measures adopted by our hosting provider, please refer to the following link https://aws.amazon.com/security/


PRIOR VERSIONS

March 2023

April 2023