Data processing addendum

Definitions

Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Representative” means a natural or legal person established in the Union who, designated by the controller or processor in writing under Article 27, represents the controller or processor about their respective obligations under this Regulation;

Supervisory authority” means an independent public authority which is established by a Member State under Article 51;

Zelt” Zelt Technology Limited (12881631),14a Lowndes Street, London, SW1X 9EX

Preamble

The protection and careful handling of personal data obtained is the highest priority of Zelt.
This DPA is between the Zelt entity and the entity identified as the Customer in a completed Order Form or via the Zelt platform.

1. An agreement pursuant to Art 28 GDPR

1.1. This section regulates the rights and obligations pursuant to Art 28 GDPR in connection with the processing of personal data by one Party on behalf of another Party and applies only to the agreed data processing activities.

2. Data Processing

2.1. The processing activities to be carried out by Zelt on behalf of the Customer, their purposes and means, and the types and categories of data shall be set out in Annex 1, but furthermore may also be taken from the Master Subscription Agreement (for the purpose of which this Agreement was first concluded) or new contracts between the Parties (further referred to as the “Master Subscription Agreement”).

3. Obligations of Zelt

3.1. Zelt will process data and processing results exclusively within the framework of the Master Subscription Agreement. If an order of authority is placed with Zelt to submit data of the Customer, the Processor will inform the Customer insofar as this is legally permissible and shall refer the authority to the Customer.

3.2. If in Zelt’s opinion, an instruction of the Customer is unlawful based on national or European law provisions, Zelt must inform the Customer without delay.

3.3.The subsequent use of data by a third party is strictly forbidden, except when it is necessary to provide the service defined in the Master Subscription Agreement.

3.4.Zelt is obliged to process the data in line with the GDPR and other relevant laws, regulations and general legislation pertaining to data protection.
Zelt is obliged to properly document the data collection, the data processing, and the usage of data.

4. Data secrecy and confiscation of data

4.1. Zelt must follow all relevant secrecy duties which arise from law and this Agreement, especially the confidentiality duty of Art 28 (3) lit b GDPR.

4.2. Zelt must bind all persons handling the data to confidentiality and secrecy before commencing activities under this Agreement. The confidentiality obligation of the persons commissioned with the data handling remains in effect, even after the end of their activity and after ceasing employment with Zelt. Zelt also ensures that rules are in place, which guarantees the confidentiality and security of data when third parties authorised by them access the data.

4.3.If the Customer’s data at Zelt is to be jeopardised by seizure or confiscation, insolvency or settlement proceedings or other events or measures by third parties, or if there is a risk of a significant change in the ownership structure of Zelt, Zelt must inform the Customer immediately. Zelt will immediately inform all persons involved in this context that the sovereignty of the data lies with the Customer.

5. Technical and organisational measures

5.1 Zelt guarantees the security and, therefore confidentiality, integrity and availability of the data in accordance with Art 28 (3) lit c and Art 32 GDPR, and in particular also in connection with Art 5 (1) lit f and (2) GDPR. With this in mind, Zelt has taken technical and organisational measures to ensure data security and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and resilience of the systems. Zelt assures that it has taken into account the state of the art, the type, scope and purposes of the processing, as well as the different probability of occurrence and severity of the risks for the rights and freedoms of natural persons within the meaning of Art 32 (1) GDPR. Zelt ensures a level of security that does justice to the risks arising from the processing and the type of data to be protected.

6. Data Subject Rights

6.1. The right to erasure (right to be forgotten), the right to rectification, the right to restriction of processing, the right to data portability and the right to access (these are the rights mentioned in Chapter III of the GDPR) must be ensured directly by the Customer. Nevertheless, Zelt will support the Customer in fulfilling these rights and ensure that the Customer can comply with requests within the statutory deadlines. In consequence, Zelt must send all necessary information no later than 10 days to the Customer upon request.

6.2. Zelt may not give access, correct, delete, or restrict the processing of the data processed without the authorisation of the Customer. If a data subject contacts Zelt directly in this regard, Zelt will immediately forward this request to the Customer and also notify the data subject regarding the request redirection.

6.3. Concerning the right to data portability, Zelt is obliged, depending on the instructions of the Customer, to provide the data in a structured, common and machine-readable format – which is determined by the Customer – either directly to the person concerned or to the Customer, or to a named controller.

7. Obligations according to Art 32 – 36 GDPR

7.1. Zelt supports the Customer in complying with all obligations relating to the security of personal data as specified in Articles 32-36 GDPR, comprising, inter alia, reporting obligations in the event of a breach of the protection of personal data, data protection impact statements, and prior consultations. This support with the obligations in Articles 32-36 GDPR includes, among others, the following obligations of the Zelt:

7.1.1. Ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing, as well as the forecast probability and severity of a possible violation of the relevant legislative provisions due to security gaps and enable relevant violations to be identified immediately.

7.1.2. The obligation to inform the Customer immediately, and at the latest within 24 hours upon becoming aware (including on weekends and public holidays), after circumstances that indicate violations of the protection of personal data become known, and to provide all documents and information about them; this duty of Zelt is in any case independent of whether there is a specific risk to the rights and freedoms of natural persons; Zelt acknowledges that there is an indication of a violation of the protection of personal data even when it comes to accidents or accidental behaviour that could result in disclosure to or access by third parties;

7.1.3. The obligation to support the Customer within the scope of his duty to inform the supervisory authority and/or the affected data subject and to provide the Customer with all relevant information immediately in this context.

7.1.4. The obligation to support the Customers’ data protection impact assessment in the context of prior consultations with the supervisory authority.

7.2. Notwithstanding the obligations laid down, Zelt shall never notify a supervisory authority of a data breach except for an explicit legal requirement.

8. Sub-Processors

8.1. Sub-Processors (the “sub-contracting relationships” or “sub-contracting processors”) within the meaning of this Agreement provide those services which relate directly to the provision of the services laid out in the Master Subscription Agreement. The Customer hereby authorises Zelt to engage affiliates and other Sub-processors to Process Customer Personal Data in accordance with the provisions within this DPA and Data Protection Laws. A current list of Zelt’s Sub-processors can be found in Annex 1 and Zelt’s Sub-processor List . The Customer acknowledges and agrees that Zelt’s use of such Sub-processors satisfies the requirements of this DPA.
Outsourcing to Sub-Processors or changing existing Sub-Processors is only permitted if a contractual agreement in accordance with Article 28 (2) to (4) GDPR is used, and Zelt has imposed the same data protection obligations as laid out in this Agreement on the Sub-Processor. Zelt is still liable for compliance with the obligations under this Agreement and the applicable data protection regulations, despite the engagement of a Sub-Processor.

8.2. Zelt will only outsource data processing or engage a Sub-Processor outside of the UK or EEA (European Economic Area) if the third-party country has adequate data protection in accordance with Art 45 GDPR, if standard data protection clauses (as per the latest version of the SCCs published by the European Commission) are concluded in accordance with Art 46 (2) lit c and lit d GDPR, binding corporate rules in accordance with 46 (2) lit b in conjunction with 47 GDPR, or other measures in accordance with Art 46 Paragraph 2 GDPR make the outsourcing legally compliant.

8.3. Zelt shall maintain an up-to-date list of its Sub-processors in Annex 1. The Customer should refer to Annex 1 regularly. The Customer may also sign up to receive notification of new Sub-processors by emailing hello@zelt.app with the subject “Subscribe to New Sub-processors.” Once the Customer has signed up to receive new Sub-processor notifications, Zelt will then provide the Customer with notice of any new Sub-processor before authorising such new Sub-processor to Process Customer Personal Data and allow the Customer ten days to submit a legitimate, good-faith objection to such new Sub-processor(s) from Customer’s receipt of Zelt’s notice. In the objection, the Customer shall explain its reasonable grounds for such objection. In the event of such an objection, the parties will work together in good faith to resolve the grounds for the objection. If the parties cannot resolve the objection within a reasonable period, which shall not exceed thirty days, either party may terminate the Master Subscription Agreement by providing notice to the other party. Zelt may replace a Sub-processor if the need for the change is urgent and necessary to provide the Services. In such instance, Zelt shall notify the Customer of the replacement as soon as reasonably practicable, and the Customer shall retain the right to object to the replacement Sub-processor.

9. Inspection and Audit rights

9.1. Providing the Customer gives Zelt 30 days’ notice; they are granted the right to inspect and control the data processing equipment, files and documents required for processing the personal data, which is processed on its behalf. Under no circumstances shall such audits or investigative activities disclose personal data, which is processed by the Processor on behalf of other Controllers (other Customers). The Customer is authorised to carry out these inspections by itself or to have them carried out by an expert (e.g. an IT forensics provider).

9.2. Providing the Customer gives Zelt 30 days’ notice, the Customer also has the right to inspect the records of the processing activities of the Processor (Art 30 (2) GDPR), where these records concern processing activities performed on behalf of the Customer.

9.3. Zelt ensures that the Customer can check the compliance in regard to the obligations of the processor according to Art 28 GDPR and provides all information for this without explicit request by the Customer. Zelt will also provide the Customer, upon request, with the information and documents required to carry out the inspections and otherwise to monitor compliance with the obligations specified in this Agreement and, to demonstrate the implementation of the technical and organisational measures. Evidence of such measures, which do not only concern the specific processing, can be provided by:

9.3.1. Compliance with approved codes of conduct in accordance with Art 40 GDPR;

9.3.2. Certification according to an approved certification procedure in accordance with Art 42 GDPR;

9.3.3. Current attestations, reports or report excerpts from independent bodies (e.g.: auditors, auditors, data protection officers, IT security departments, data protection auditors, quality auditors);

9.3.4. Appropriate certification through IT security or data protection audits (e.g.: BSI standards).

9.4. Zelt has to grant the data protection authority access to the premises where the relevant data processing occurs, and data processing systems are located at the Customer’s request and have to provide the necessary support.

10. Liability

10.1. Zelt is only liable for data protection losses, costs and expenses incurred by the Customer where:

10.1.1. Zelt has not complied with its obligations under this DPA.

10.1.2. Zelt has not complied with its Processor obligations under the applicable Data Protection Laws; or

10.1.3. Zelt’s Sub-Processor has not complied with its data protection obligation.

10.2. Except where prohibited by law, Zelt’s total liability to the Customer under this DPA in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or any other claims of any nature arising under or in connection with this DPA shall in all circumstances be limited to 3 times the fees paid by the Customer to Zelt in respect of the 12 months prior to the event giving rise to the claim.

10.3. Subject to clauses 9.1 and 9.2, each party shall indemnify the other against all claims and proceedings and all liability, loss, costs and expenses incurred by the other as a result of any claim made or brought by a Data Subject or other legal person in respect of any loss, damage or distress caused to them as a result of any breach by the other party of the Data Protection Laws by that party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend or settle it.

11. Return and deletion of Data

11.1 Zelt will at 12 months after the contractual relationship has ended or due to any earlier written request from the Customer, delete or return Personal Data, save for when the law requires a longer data retention period.

12. Contract duration and termination

12.1. This contract is automatically terminated upon termination of the Master Subscription Agreement.

13. Miscellaneous

13.1. Amendments: Zelt reserves the right to occasionally amend this DPA by posting a revised version on Zelt’s website and notifying the Customer. Changes are effective 30 days from Zelt notifying the Customer. The customer has 30 days from receipt of Zelt’s notice to submit a legitimate, good-faith objection to the amendment. In the objection, Customer shall explain its reasonable grounds for such objection. In the event of such objection, the parties will work together in good faith to resolve the grounds for the objection. If the parties are unable to resolve the objection within a reasonable time period, which shall not exceed 30 days, either party may terminate the Master Subscription Agreement by providing notice to the other party. If the Customer doesn’t object to the amendments within 30 days, the new DPA will take effect.

13.2. Governing law: This Agreement and the relations between the Parties (insofar as they relate directly or indirectly to this Agreement) are governed by English law.
Disputes and Jurisdiction: If disputes arise, the Parties shall endeavour to find an amicable solution first. In case of failure, all disputes arising out of or relating to this Agreement shall be settled solely in

ANNEX 1 – Personal Data processed on behalf of the Customer

1. Description and Purpose of the Processing

As an HR software provider, Zelt processes personal data on behalf of their customers in order to facilitate various HR functions such as employee management, payroll and benefits administration. The processing of personal data by Zelt is governed by the GDPR and other relevant privacy laws.

2. The purpose of processing personal data by Zelt includes

Employee management: Zelt processes personal data such as employee contact information, employment status, salary and benefits information, and performance evaluations to manage employee records and enable effective HR management.

Payroll and benefits administration: Zelt processes personal data such as employee bank account information, tax information and benefits enrolment data to facilitate payroll and benefits administration.

Reporting and analytics: Zelt may analyse and aggregate personal data to generate reports and analytics to help customers make informed HR decisions.

Zelt is committed to protecting the personal data of its customers and their employees and has implemented appropriate technical and organisational measures to ensure the security and confidentiality of personal data.

3. Categories of Data Subjects and Personal Data

As an HR software provider, Zelt processes personal data related to various categories of data subjects, which typically include:

Employees: Zelt processes personal data related to current and former employees of its customers, such as contact information, employment history, job performance, payroll and benefits information, and tax information.

Job applicants: Zelt processes personal data related to job applicants who apply for positions with its customers, such as contact information, education, work experience, and other information submitted as part of the application process.

Contractors and consultants: Zelt may process personal data related to contractors and consultants who provide services to its customers, such as contact information, job performance, and payment information.

Customers: Zelt may process personal data related to its customers, such as contact information and billing information.

Partners and suppliers: Zelt may process personal data related to its partners and suppliers, such as contact information and payment information.

Other individuals: Zelt may process personal data related to other individuals who interact with its customers, such as emergency contacts or references provided by employees or job applicants.

It is important to note that the specific categories of data subjects may vary depending on the services provided by Zelt and the needs of its customers.

4. List of Sub-Processors

Amazon Web Services EU&UK
Google Cloud EMEA Limited
Staffology Limited
Yapily Ltd
Mitsogo Inc.
June Inc.
Segment Inc.


LAST UPDATED: March 1, 2023