Data Processing Addendum (DPA)

Updated 26 Feb 2026
This Data Processing Addendum (“DPA”) forms part of the Agreement between the Customer (“Controller”) and Zango Global Inc. (“Processor”) (each a “Party”, together the “Parties”) and applies to Processor’s Processing of Personal Data on behalf of Controller under the Agreement.

The Parties enter into this DPA to comply with applicable Data Protection Laws, including the EU GDPR (defined below), in relation to Processor’s Processing of Personal Data as part of its obligations under the Agreement.

Except as modified by this DPA, the terms of the Agreement remain in full force and effect. If there is a conflict between the Agreement and this DPA, this DPA prevails to the extent of that conflict.

Table of Contents
  1. Definitions
  2. Scope and Purpose
  3. Categories of Personal Data and Data Subjects
  4. Purpose of Processing
  5. Duration of Processing
  6. Controller Obligations
  7. Processor Obligations
  8. Data Secrecy
  9. Security (Technical and Organisational Measures)
  10. Audit Rights
  11. Mechanism of Data Transfers
  12. Sub-processors
  13. Personal Data Breach Notification
  14. Return and Deletion of Personal Data
  15. SCHEDULE 1 – SCCs and Annexes
  • ANNEX I – List of Parties and Description of Transfer
  • ANNEX II – Technical and Organisational Measures
  • ANNEX III – List of Sub-processors

1. Definitions

Terms not otherwise defined in this DPA shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

  • “Data Transfer” means a transfer of the Personal Data from the Controller to the Processor, between two establishments of the Processor, or from the Processor to a Sub-processor.
  • “EU GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • “Standard Contractual Clauses” or “SCCs” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection.
  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • “Sub-processor” means a processor or sub-contractor appointed by the Processor for the provision of all or part of the Services and which processes the Personal Data provided by the Controller.

2. Scope and Purpose

This DPA sets out the Processor’s obligations when Processing Personal Data on behalf of the Controller and is limited to the Processor’s obligations under the Agreement.

This DPA applies to Personal Data that the Controller provides to the Processor (or makes available to the Processor) in connection with the Services.

If there is a conflict between the provisions of the Agreement and this DPA relating to Processing of Personal Data, the provisions of this DPA shall prevail.

3. Categories of Personal Data and Data Subjects

The Controller authorizes the Processor to process Personal Data to the extent determined and controlled by the Controller.

The categories of data subjects and categories of Personal Data are described in Annex I to Schedule 1.

4. Purpose of Processing

The Processor will Process Personal Data only for the purposes of:

  • providing and supporting the Services under the Agreement (including task management and communication functions described in the Agreement and applicable order forms); and
  • complying with documented Instructions from the Controller (including those set out in the Agreement and related documentation).

5. Duration of Processing

The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing by the Controller.

Where the Agreement ends or Services are discontinued, return/deletion will be handled in accordance with Section 14 and the retention/deletion controls described in Processor’s retention and deletion requirements.

6. Controller Obligations

The Controller warrants that it has all necessary rights to provide the Personal Data to the Processor for the Processing to be performed in relation to the agreed services.

To the extent required by Data Privacy Laws, the Controller is responsible for ensuring it provides such Personal Data to Processor based on an appropriate legal basis allowing lawful Processing activities, including that any necessary Data Subject consents to this Processing are obtained, and that a record of such consents is maintained. Should such consent be revoked by the Data Subject, the Controller is responsible for communicating the fact of such revocation to the Processor.

The Controller shall:

  • Provide all natural persons from whom it collects Personal Data with the relevant privacy notice.
  • Request the Processor to purge Personal Data when required by the Controller or any Data Subject from whom it collects Personal Data, unless the Processor is otherwise required to retain the Personal Data by applicable law and/or legal hold.
  • Immediately advise the Processor in writing if it receives or learns of any:
    • Complaint or allegation indicating a violation of Data Privacy Laws regarding Personal Data;
    • Request from one or more individuals seeking to access, correct, or delete Personal Data;
    • Inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Data; and
    • Any regulatory request, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Data.

7. Processor Obligations

The Processor shall:

  • Follow written and documented Instructions received from the Controller (including email) with respect to the Processing of Personal Data (each, an “Instruction”).
  • Treat the Processing described in the Agreement and related documentation as Instructions from the Controller.
  • Provide reasonable assistance to the Controller (upon request) in responding to Data Subject requests and/or applicable regulatory authority directions regarding Processor’s Processing of Personal Data.
    • Processor maintains a structured process for Data Subject Requests; the statutory response period is one month from receipt (as applicable). Temporary working copies of data (if created for handling a request) must be securely deleted within one month.
  • Inform the Controller if, in Processor’s opinion, an Instruction infringes applicable legislation or regulation.
  • Taking into account the nature of the Processing and the information available to the Processor, assist the Controller with Data Protection Impact Assessments (DPIAs) where required under GDPR.

8. Data Secrecy

To Process Personal Data, the Processor will use personnel who are:

  • informed of the confidential nature of Personal Data; and
  • performing the Services in accordance with the Agreement.

The Processor requires confidentiality commitments from personnel and provides privacy and security training for individuals with access to Personal Data, consistent with accepted industry practices.

9. Security (Technical and Organisational Measures)

The Processor will maintain appropriate technical and organisational measures to protect the security, confidentiality, and integrity of Personal Data, taking into account the nature, scope, context, and purposes of Processing and the risks to the rights and freedoms of natural persons.

Security measures include, as applicable:

  • governance and oversight of security controls and policies (reviewed at least annually);
  • access controls (least privilege / need-to-know) and authentication controls (including MFA/SSO for administrators and users, where applicable);
  • logging and monitoring to support detection and investigation of security events;
  • vulnerability management and patch management activities on a risk basis;
  • secure disposal controls and secure deletion processes; and
  • resiliency practices including backups and recovery mechanisms.

Further details are set out in Annex II of Schedule 1.

10. Audit Rights

Upon Controller’s reasonable request, the Processor will make available to the Controller information as is reasonably necessary to demonstrate Processor’s compliance with its obligations under the EU GDPR or other applicable laws in respect of its Processing of Personal Data.

If the Controller wishes to conduct an audit (by itself or through a representative) at Processor’s site, the Controller shall provide at least thirty (30) days prior written notice. The Processor will provide reasonable cooperation and assistance in relation to audits, including inspections, conducted by the Controller or its representative.

The Controller shall bear the expense of such an audit.

11. Mechanism of Data Transfers

Any Data Transfer for the purpose of Processing by the Processor in a country outside the European Economic Area (the “EEA”) shall only take place in compliance with the requirements detailed in Schedule 1.

Where model clauses (SCCs) have not been executed at the same time as this DPA, the Processor shall not unduly withhold execution of such clauses where transfer of Personal Data outside the EEA is required for performance of the Agreement.

12. Sub-processors

The Controller acknowledges and agrees that the Processor may engage third-party Sub-processor(s) in connection with performance of the Services, provided such Sub-processor(s) implement technical and organisational measures to ensure confidentiality and protection of Personal Data.

The Processor will:

  • maintain a list of authorized Sub-processors in Annex III of Schedule 1;
  • notify the Controller at least thirty (30) calendar days in advance of any intended changes or additions to Sub-processors listed in Annex III (by emailing notice of the intended change to Customer); and
  • remain liable to the Controller for a Sub-processor’s failure to fulfil its data protection obligations under this DPA in connection with the performance of the Services (in accordance with Article 28(4) GDPR).

If the Controller has a concern that a Sub-processor’s Processing of Personal Data is reasonably likely to cause the Controller to breach its data protection obligations under GDPR, the Controller may object and the Parties will confer in good faith to address the concern.

13. Personal Data Breach Notification

The Processor shall maintain defined procedures to manage security incidents and Personal Data Breaches (as defined under GDPR).

The Processor shall, without undue delay, notify the Controller if it becomes aware of any Personal Data Breach unless such breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The Processor shall provide the Controller with reasonable assistance to:

  • meet notification obligations to a Supervisory Authority and/or Data Subjects (as applicable);
  • identify the cause of the breach; and
  • take commercially reasonable steps to mitigate and remedy the breach.

Processor’s incident response framework includes defined responsibilities and escalation paths (including an incident response team structure), categorization of incidents by severity (low/moderate/high), and a client communication role responsible for maintaining client escalation contacts and providing updates to affected clients.

No acknowledgement of fault. Processor’s notification of or response to a Personal Data Breach under this DPA will not be construed as an acknowledgement by Processor of any fault or liability with respect to the incident.

14. Return and Deletion of Personal Data

At least thirty (30) days from the end of the Agreement or cessation of the Processor’s Services under the Agreement, whichever occurs earlier, the Processor shall return to the Controller all Personal Data, or if the Controller so instructs, the Processor shall have the Personal Data deleted.

The Processor shall return such Personal Data in a commonly used format or in the current format in which it was stored (at the discretion of the Controller), as soon as reasonably practicable following receipt of Controller’s notification.

In any case, the Processor shall delete Personal Data (including all copies) as soon as reasonably practicable following the end of the Agreement, unless retention is required by applicable law and/or a legal hold.

Retention and deletion are governed by the Processor’s retention and deletion requirements, which include:

  • defined retention periods that must be documented and approved (including Leadership Team approval for changes),
  • secure deletion and disposal methods (delete/purge of electronic data, secure wiping of media, physical destruction where applicable), and
  • suspension of deletion under legal/regulatory holds until formally lifted.

SCHEDULE 1
ANNEX I
A. LIST OF PARTIES
Data exporter(s) (Controller)
  • Name: Customer (as set forth in the relevant Order Form)
  • Address: As set forth in the relevant Order Form
  • Contact person’s name, position, and contact details: As set forth in the relevant Order Form
  • Activities relevant to the data transferred under these Clauses: Recipient of the Services provided by Zango Global Inc. in accordance with the Agreement
  • Signature and date: Signature and date are set out in the Agreement
  • Role (Controller/Processor): Controller
Data importer(s) (Processor)
  • Name: Zango Global Inc.
  • Address: 251 Little Falls Drive, Wilmington, New Castle County, Delaware 19808
  • Contact person’s name, position, and contact details: Shashank Agarwal, Data Protection Officer (DPO), shashank@zango.ai
  • EU GDPR Representative: Pedro Sousa, Rua Professor Dias Valente 233 2esq, 2765-578 Estoril, Portugal, pedro.sousa@zango.ai
  • Activities relevant to the data transferred under these Clauses: Provision of the Services to the Customer in accordance with the Agreement
  • Signature and date: Signature and date are set out in the Agreement
  • Role (Controller/Processor): Processor
B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • Customer’s authorized users of the Services.

Categories of personal data transferred

  • Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

  • No special category data is required; Controller should not provide it.

The frequency of the transfer

  • Continuous basis.

Nature of the processing

  • For providing services, task management, and communication.

Purpose(s) of the data transfer and further processing

  • The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.

The period for which the personal data will be retained, or criteria used

  • As more fully described in the Agreement, this DPA, and accompanying order forms, subject to legal/contractual requirements and legal holds.

For transfers to (sub-)processors

  • The subject matter, nature, and duration of the Processing are more fully described in the Agreement, this DPA, and accompanying order forms.
C. COMPETENT SUPERVISORY AUTHORITY
  • Data exporter is established in an EEA country. The competent supervisory authority is as determined by application of Clause 13 of the EU SCCs.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES (Security)

Description of the technical and organisational security measures implemented by Zango Global Inc. as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security
  • Security Management System.
  • Organization. Zango Global Inc. designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program.
  • Policies. Management reviews and supports all security related policies to ensure the security, availability, integrity and confidentiality of Customer Personal Data. These policies are updated at least once annually.
  • Assessments. Zango Global Inc. engages a reputable independent third-party to perform risk assessments of all systems containing Customer Personal Data at least once annually.
  • Risk Treatment. Zango Global Inc. maintains a formal and effective risk treatment program that includes penetration testing, vulnerability management and patch management to identify and protect against potential threats to the security, integrity or confidentiality of Customer Personal Data.
  • Vendor Management. Zango Global Inc. maintains an effective vendor management program.
  • Incident Management. Zango Global Inc. reviews security incidents regularly, including effective determination of root cause and corrective action.
  • Standards. Zango Global Inc. operates an information security management system that complies with the requirements of ISO 27001:2022 standard.
Personnel Security
  • Personnel conduct is governed by confidentiality, ethics, appropriate usage, and professional standards requirements.
  • Background checks are performed for employees who will have access to client data, to the extent legally permissible and consistent with applicable local law/customary practice.
  • Personnel execute confidentiality agreements at hire and acknowledge compliance with confidentiality, privacy, and security policies.
  • Personnel receive privacy and security training; additional role-based requirements may apply (e.g., certifications).
  • Personnel do not process Customer Personal Data without authorization.
Access Controls
  • Access Management. Formal access management process for request, review, approval, and provisioning; periodic access reviews to confirm continued need.
  • Authentication. Administrators and end users authenticate via multi-factor authentication or single sign-on to use the Services (as applicable).
  • Least privilege / need-to-know. Internal access processes are designed to protect against unauthorized access, use, disclosure, alteration, or destruction of Customer Personal Data.
  • Accountability. Access is logged to create an audit trail; approvals are managed through workflow tools that maintain audit records.
  • Password standards. Where passwords are used, standards include complexity, expiry, lockout, reuse restrictions, and re-prompt after inactivity.
Data Center and Network Security
Data Centers
  • Infrastructure. Google Cloud Platform (GCP) is used as the data center.
  • Resiliency. Multi-Availability Zones are enabled; backup restoration testing is conducted on a regular basis to ensure resiliency.
  • System hardening and secure development. Servers are customized for the application environment and hardened; code review is used to increase security.
  • Disaster recovery. Data replication across multiple systems; disaster recovery programs are designed, planned, and tested.
  • Security logging. Logging enabled to support security audits and detect attacks/intrusions.
  • Vulnerability management. Regular vulnerability scanning across production and development; remediation based on risk with Critical/High/Medium patches installed as soon as commercially possible.
Networks and Transmission
  • Transmission security. Production transmissions use Internet standard protocols.
  • Perimeter controls. GCP Security Group (virtual firewall equivalent) is used for the production environment.
  • Incident response operations. Defined escalation procedures; monitoring of multiple channels; prompt response and documentation of incidents/outcomes.
  • Encryption in transit. HTTPS encryption (SSL/TLS) is available for data in transit.
  • Storage and isolation. Multi-tenant environment on GCP; replication between zones; logical isolation of customer data; central authentication across Services; secure disposal of Client Data via defined destruction processes.
ANNEX III
LIST OF SUB-PROCESSORS (Combined List)

The Controller has authorized the use of the following Sub-processors:

Name of Sub-processor   Description of Processing        Location of Other Processor
Apify                   Web scraping                     European Union
Attio                   Marketing                        USA
Cloudflare              CDN                              USA
Figma                   Design                           USA
GitHub                  Code Repository                  USA
Google Cloud            Infrastructure                   USA
Google Workspace        Email and workspace              USA
Linear App              Issues Tracking                  USA
MailerLite              Email campaigns / mails          European Union
Mercury Bank            Payment solution                 USA
Miro                    Diagrams                         USA
Mosyle                  MDM and security                 USA
Notion                  Documentation                    USA
Scrut                   Cloud Security                   USA
Slack                   Messaging                        USA
Webflow                 Web Hosting                      USA
Wise                    Invoicing and Payment solution   USA
Zoom                    Conferencing                     USA