Zeni – Data Processing Addendum
This Data Processing Addendum (“Addendum”) is entered into by and between Zeni Inc. (“Zeni”) and Customer in connection with Customer’s purchase of services from Zeni. Each of Zeni and Controller shall also be referred to individually as a “Party” and together as the “Parties.” This Addendum is hereby incorporated into and made a part of the Agreement between Customer and Zeni.
1. Definitions
Defined terms used but not defined herein shall have the meanings assigned to such terms in the Agreement. As used herein:
- “Agreement” means the Terms of Service at https://www.zeni.ai/legal/terms-of-service and any applicable order form (“Order Form”) signed by the Parties.
- “Customer” means the person or entity that has entered an Agreement with Zeni for the provision of Services and its Affiliates (as that term is defined in the Agreement).
- “Controller” means the Party responsible for determining the purpose and means of Processing of Personal Data.
- “Data Subject” means the identified or identifiable natural person to which Personal Data relates.
- “Data Protection Laws” means any applicable U.S. laws, statutes, or regulations as may be amended, extended, or re-enacted from time to time that relate to Personal Data.
- “Personal Data” means any and all information that relates to an identified or identifiable natural person, that is protected as “personal data,” “personal information,” or similar term by applicable Data Protection Laws and that is Processed by Processor or a Sub-processor under the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “Personnel” means any employee, staff member, agency worker, or other full time or temporary, paid, or unpaid person working for either Controller or Processor.
- “Processor” means the party that is processing Personal Data on behalf of the Controller.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, and governed by Data Protection Laws, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The verb form “Process” shall mean to engage in any of the foregoing.
- “Security Incident” shall mean the accidental or unlawful or unauthorized destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by Processor or its Sub-processors on behalf of Controller under the Agreement, or any other incident involving such Personal Data that would require notification to a governmental entity or to a Data Subject.
- “Services” shall mean the products and services provided by Zeni under the Agreement.
- “Sub-processor” means any third party engaged by Processor to Process Personal Data in order to provide the Services under the Agreement.
- “Third-Party Provider” means a third party that is providing products and services directly to Customer or its Personnel.
- “Usage Data” means any content, data, or information collected, derived, or otherwise generated from Controller’s use of or access to the Services as well as the performance of the Services, including, but not limited to, information about Controller’s operating environment, session length, errors, technical logs, and other similar data.
- “U.S.” means the United States.
2. Compliance
In discharging its obligations hereunder and under the Agreement, each Party will be responsible for its compliance with all Data Protection Laws. For the Services, Customer is the Controller and Zeni is the Processor, except for Personal Data of the owner of Customer that is Processed to confirm Customer’s eligibility for the Services.
3. Processor Obligations
Processor agrees as follows:
- Processing
- Processor shall Process Personal Data to provide and improve the Services in accordance with this Addendum and the Agreement and any documented instructions received from Controller. Controller hereby instructs Processor to Process Personal Data: (1) in accordance with the Agreement and applicable Order Form(s), including to maintain, provide, train, and improve the Services, (2) in compliance with other documented reasonable instructions provided by Controller in writing (e.g. via email) where such instructions are consistent with the terms of the Agreement; provided, that, Processor’s carrying out of such additional instructions may incur additional fees payable to Processor by Controller, and (3) as required by applicable U.S. laws, statutes or regulations as may be amended, extended, or re-enacted from time-to-time, unless otherwise required pursuant to Data Protection Laws, in which case Processor shall inform Controller of that legal requirement before Processing, unless prohibited by Data Protection Laws or on important grounds of public interest.
- If Processor lacks any instructions from Controller that Processor deems necessary in order to carry out the Processing, or if Processor deems Controller’s instructions, wholly or partly, to be in breach of Data Protection Laws, Processor shall without undue delay notify Controller and await any further instructions that the Controller deems necessary.
- Personnel
- Personnel (i) who have access to Personal Data shall have committed themselves to confidentiality or be under an appropriate statutory obligation of confidentiality; (ii) shall Process Personal Data only as provided under this Addendum and the Agreement; and (iii) shall be provided training as necessary from time to time with respect to Processor’s obligations under this Addendum and under Data Protection Laws. Processor shall take commercially reasonable steps to ensure the reliability of its Personnel in the Processing of Personal Data and shall ensure that access thereto is limited to Personnel performing Services in connection with the Agreement.
- Confidentiality
- Processor will maintain as confidential and will not disclose Personal Data to any third party except for Processor Personnel and Sub-processors, unless (i) in accordance with the Agreement and this Addendum, (ii) with Controller’s consent or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order), or (iii) required to do so by Data Protection Laws to which Processor is subject. Processor will take commercially reasonable steps to ensure that its Sub-processors are informed of the confidential nature of the Personal Data, have agreed in writing to maintain such Personal Data as confidential, and have received appropriate training on their responsibilities in respect of Personal Data Processing.
- Security Measures
- Processor will, taking into account the nature, scope, context, and purposes of the Processing, adopt and maintain commercially reasonable and appropriate organizational, technical, and security measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure, or destruction of Personal Data to the extent required by Data Protection Laws and as set forth at https://www.zeni.ai/security.
- Notices
- Processor shall, as promptly as reasonably practicable and to the extent legally permitted, inform the Controller:
- upon Processor’s discovery of any breach by Processor or its Personnel of the Agreement or Data Protection Laws relating to the protection of Personal Data processed under the Agreement;
- of any legally binding request for disclosure of Personal Data received from a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
- after becoming aware of any Security Incident relating to Personal Data. In the event of a Security Incident, Processor shall provide Controller with all reasonable assistance in investigating and mitigating the adverse effects of any such Security Incident. Processor will also provide all reasonable assistance to Controller to enable Controller to comply with its obligations under Data Protection Laws to notify the applicable regulatory authority or government entity and the affected Data Subjects, taking into account the nature of Processing and the information available to Processor; provided that the obligations in this section shall not apply to Security Incidents that are caused by Controller or its representatives or users or Personal Data that is not Processed on behalf of Controller. Except to the extent required by law, Processor shall have no responsibility for providing notifications to governmental entities or to Data Subjects relating to such Security Incident, and Controller shall be solely responsible for any such notifications. Unless legally required by Data Protection Laws, or other applicable laws, Processor will not disclose the Security Incident to any third party without obtaining Controller’s prior written consent, not to be unreasonably withheld;
- of any notice, inquiry, or investigation by a regulatory authority or government entity relating to Personal Data; and
- of any request received directly from a Data Subject to exercise data subject rights under Data Protection Laws (“Data Subject Requests”).
- Cooperation
- Processor will use commercially reasonable efforts to cooperate and assist Controller, at Controller’s expense, promptly upon request in respect of Controller’s obligations regarding:
- responding to and carrying out any Data Subject Request to the extent it relates to Personal Data processed by Processor;
- investigating or fulfilling a request from any regulatory authority or government entity if and to the extent such investigation or request relates to Personal Data; and
- preparing data protection assessments and, where applicable, carrying out regulatory consultations that Controller is legally required to make with respect to Personal Data, taking into account the nature of the Processing and the information made available to Processor.
- Return or Deletion of Personal Data
- Upon termination of the Agreement or any time upon notification by Controller and unless prohibited by law, Processor will, and will cause its Sub-processors to, securely destroy or, at Controller’s sole discretion, return all Personal Data (including all copies) and confirm to Controller that it has taken such measures, in each case to the extent permitted by applicable law and consistent with the underlying terms of the Agreement. Until all Personal Data is deleted or returned, Processor shall continue to ensure compliance with this Addendum. To the extent, under the explicit instruction of Controller, that Processor complies with the destruction of Personal Data under this section prior to the expiration or termination of the Agreement, Processor is not liable for any impact on Processor’s performance under the terms of the Agreement. Controller shall reimburse Processor’s reasonable expenses in connection with the return of Personal Data. Processor agrees to preserve the confidentiality of any Personal Data retained by it in accordance with applicable law and agrees that any active Processing of such Personal Data after termination of the Services will be limited to the extent necessary in order to comply with applicable law. Processor shall ensure that the post-termination obligations set forth in this section are also required of Sub-processors. The foregoing shall not apply to Usage Data, any Personal Data that has been de-identified in accordance with Data Protection Laws or to the extent that deletion or return of such Personal Data would require re-training of Processor’s artificial intelligence models.
4. Controller Obligations
Controller agrees and represents that:
- it shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data;
- it will comply with all Data Protection Laws with respect to its Processing of Personal Data, including, but not limited to, (i) providing all required disclosures, notices, and privacy policies, and (ii) obtaining all necessary consents from Data Subjects and government authorizations required under applicable Data Protection Laws to permit the Processing of Personal Data under this Addendum;
- it will provide notice of sharing of Personal Data with Processor consistent with the requirements of Data Protection Laws;
- it will only provide Personal Data from Data Subjects in the US and has a lawful basis for processing of Personal Data under all Data Protection Laws;
- it will not provide to the Services Personal Data of children under 13 or any Personal Data that is protected health information under the Health Insurance Portability and Accountability Act;
- all instructions from Controller to Processor with respect to processing of Personal Data shall comply with Data Protection Laws;
- it shall promptly inform Processor of:
- any non-compliance by Controller and its Personnel with the Agreement or the provisions of the Data Protection Laws relating to the protection of Personal Data processed under the Agreement;
- any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities; and
- any relevant notice, inquiry, or investigation by a regulatory authority or government entity or claim by a Data Subject relating to Personal Data.
5. Audit
If required for Controller to comply with its obligations as a controller under Data Protection Laws, Processor agrees at the reasonable request of Controller to submit data processing facilities it owns or controls for audit, including inspections, to ascertain and/or monitor compliance with this Agreement and Data Protection Laws and that the Processor meets Controller’s requirements related to Processing, which audit shall be carried out with at least four (4) weeks’ notice and during regular business hours and under a duty of confidentiality, by the Controller and/or by a third party appointed by Controller, and in a manner not to disrupt the business of Processor and subject to confidentiality obligations and mutually agreed upon procedures (“Controller Audit”). Controller may audit Processor’s compliance with its obligations under this Addendum no more than once per year, except to the extent additional audits are required by Data Protection Laws. Controller may use the audit reports only for the purposes of meeting Controller’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum. The audit reports are Confidential Information of the Parties under the terms of the Agreement. Any Controller Audits are at Controller’s expense. The Parties will negotiate in good faith with respect to any charges or fees that may be incurred by Processor to provide assistance with a Controller Audit that requires the use of resources different from or in addition to those required for the provision of the Services. Processor may also comply with its obligations under this Section 5 by providing a copy of its most recent SOC 2 Type II audit report.
6. Sub-processors
Controller acknowledges and agrees that Processor may use its Affiliates or may engage third parties as Sub-processors in connection with the provision of the Services and hereby consents to such sub-processing. In connection with the appointment of Sub-processors, Processor shall instruct such Sub-processors to guarantee a level of data protection compliance and information security not less protective in the aggregate than as is set forth in these terms. Processor conducts appropriate due diligence on its Sub-processors.
7. Limitation of Liability
Each Party’s liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its affiliates under the Agreement and this Addendum.
8. Data Protection Assessment
Upon Controller’s written request, Processor shall provide Controller with reasonable cooperation and assistance needed to fulfil Controller’s obligation under Data Protection Laws to carry out a data protection assessment related to Controller’s use of the Services. Controller shall compensate Processor at its standard consulting rates for such assistance and reimburse any out-of-pocket expenses incurred by Processor.
9. Third-Party Providers
As part of the Services, Zeni may offer Customer and its Personnel certain products and services offered by Third-Party Providers, such as credit cards or stored value cards (“Third-Party Products”). Customer agrees that Zeni may provide Personal Data received from Customer and its Personnel to such Third-Party Providers in connection with the offering of Third-Party Products. Customer further agrees that Zeni shall have no obligation, responsibility, or liability for such Third-Party Products or the Processing of Personal Data by such Third-Party Providers.
10. Amendments
Customer agrees that Zeni may amend or modify this Addendum at any time, including as necessary to comply with Data Protection Law, in accordance with the Agreement.
11. Miscellaneous
This Addendum together with the Agreement are the entire agreement and understanding of the Parties and supersede any prior agreement or understanding between the Parties, in each case in respect of the Processing and transfer of Personal Data for the purposes specified herein. This Addendum is subject and made a part of the Agreement, provided that to the extent of any conflict between the Agreement and the Addendum, the terms of this Addendum shall control as it relates to the Processing of Personal Data. The Parties acknowledge and agree that this Addendum shall continue to be binding on them notwithstanding any subsequent changes in the form of their legal personality. This Addendum may be executed in multiple counterparts, all of which together shall constitute one and the same agreement.