DATA PROCESSING ADDENDUM (the “DPA”)
FOR ZMAGS CUSTOMERS
Zmags Corporation (“Zmags”) and Customer have entered into an agreement or agreements (the “Master Subscription Agreement”) pursuant to which Zmags may Process certain Personal Data on behalf of Customer in connection with Customer’s use of Zmags solutions and services (collectively, “Zmags Services”). This amendment (the “Amendment”) incorporates the Data Processing Addendum (the “DPA”) into the Master Subscription Agreement (as amended by the DPA, the “Master Subscription Agreement”) and describes certain data processing and transfer obligations of the parties. This Amendment shall be effective as of May 25, 2018 (the “Effective Date”). In the event of any inconsistency between the DPA and the Master Subscription Agreement, the DPA shall control.
1. Definitions. In this DPA, the following terms shall have the meanings set out below. Other capitalized terms used but not otherwise defined herein shall have the meanings ascribed to such terms in the Service Agreement.
1.1 “Controller” means the party that determines the purposes and means of the Processing of Personal Data.
1.2 “Data Protection Laws and Regulations” means laws and regulations applicable to the Processing of Personal Data under the Service Agreement, including applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, including without limitation Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”) or the superseding Regulation on Privacy and Electronic Communications (“e-Privacy Regulation”), once effective.
1.3 “Data Subject” means an identified or identifiable natural person, as defined under Data Protection Laws and Regulations, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.4 “Personal Data” means any information relating to a Data Subject that is Processed by Zmags on behalf of Customer pursuant to the terms of the Service Agreement.
1.5 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.6 “Process,” “Processes,” “Processed” or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7 “Processor” means the party which Processes Personal Data on behalf of the Controller.
1.8 “Subprocessor” means any Processor engaged by Zmags in the provision of Zmags Services to Customer, as further described in Section 2.4 of this DPA.
2. Protection of Personal Data
2.1 Relationship of Parties: For the purposes of the Service Agreement, Customer is the Controller and appoints Zmags as a Processor to Process Personal Data on behalf of Customer in connection with Customer’s use of Zmags Services pursuant to the Service Agreement. The Processor and Controller shall each comply with their respective obligations applicable to it under the Data Protection Laws and Regulations and this DPA.
2.2 Purpose Limitation: Zmags shall Process Personal Data in order to perform Zmags’s obligations, or as otherwise permitted, under the Service Agreement as a Processor, in compliance with the applicable Data Protection Laws and Regulations. The purposes of Processing are as described in the Service Agreement, including Schedule A to this DPA, and any other exhibits, statements of work or addenda attached to or otherwise incorporated into the Service Agreement (the “Permitted Purpose”).
2.3 Cross-Border Transfers: If Personal Data is transferred under the Service Agreement from the European Economic Area or Switzerland by Customer as Controller to Zmags as Processor, or otherwise by Zmags as Processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, has determined does not ensure an adequate level of protection of Personal Data, then Zmags will subscribe to an appropriate legal mechanism for such transfer (such as the EU-U.S. Privacy Shield Framework) or take such other measures as may be required under applicable Data Protection Laws and Regulations.
2.4.1 Customer acknowledges and agrees that Zmags may engage Subprocessors in connection with the provision of Zmags Services. A list of approved Subprocessors as of the Effective Date of this DPA is located at www.zmags.com/subprocessors (the “Subprocessor List”).
2.4.2 When engaging any new Subprocessor, Zmags will enter into a written agreement with each Subprocessor containing data protection obligations no less protective than those in this DPA or as may otherwise be required by applicable Data Protection Laws and Regulations. For the avoidance of doubt, Zmags may continue to use those Subprocessors already engaged by Zmags as at the date of this DPA. Zmags agrees to be responsible for the acts or omissions of each such Subprocessor to the same extent as Zmags would be liable if performing the services of such Subprocessor under the terms of the Service Agreement.
2.4.3 Zmags will inform Customer of any new Subprocessor engaged during the term of the Service Agreement by updating the Subprocessor List. If Customer reasonably believes that the appointment of a new Subprocessor will have a material adverse effect on Zmags’s ability to comply with applicable Data Protection Laws and Regulations as a Processor, then Customer must notify Zmags in writing, within 30 days following the update to the Subprocessor List, of its reasonable basis for such belief. Zmags shall not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.
2.5 Notices and Consents:
2.5.1 General: Customer shall comply with all applicable Data Protection Laws and Regulations, including: (a) providing all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Zmags’s, Processing and transfer of Personal Data; and (b) obtaining all necessary rights and valid consents from Data Subjects (including Data Subjects within Customer’s Content) to permit Processing by Zmags for the purposes of fulfilling Zmags’s obligations, or as otherwise permitted, under the Service Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.5.2 Children; Sensitive Data: Customer is responsible for compliance with all applicable Data Protection Laws and Regulations regarding its Content, including without limitation those that regulate content directed toward children (as defined under applicable Data Protection Laws and Regulations; for example, under 13 years old in the United States or under 16 years old in certain other countries). Customer’s use of Zmags Services in connection with the distribution of Content and/or Processing of sensitive Personal Data of a Data Subject (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation) must be in compliance with all applicable Data Protection Laws and Regulations, including obtaining explicit consent from Data Subjects whose Personal Data is provided to Zmags for Processing.
3. Cooperation and Data Subjects’ Rights
3.1 To the extent Customer does not have the ability to access Personal Data to correct, amend, delete it, refrain from Processing it, or provide it in portable form, upon request from a Data Subject (to the extent that such Data Subject is entitled to such rights under applicable Data Protection Laws and Regulations), Zmags will assist Customer with any reasonable request to do so. If a Data Subject contacts Zmags directly to request access to, or correction, amendment or deletion of, Personal Data in connection with services provided to Customer by Zmags, to the extent legally required, Zmags will promptly notify Customer of the request.
4. Investigations and Audits
4.1 Regulatory Audit. Zmags shall reasonably assist and support Customer in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to Zmags’s Processing of Personal Data.
4.2 Customer Audit. Upon at least 30 days’ advance written request by Customer, at mutually agreed times and subject to Zmags’ reasonable audit guidelines, Zmags shall provide to Customer, its authorized representatives and/or independent inspection body designated by Customer: (a) reasonable access to records of Zmags’ Processing of Personal Data; and (b) reasonable assistance and cooperation of Zmags’ relevant staff for the purpose of auditing Zmags’ compliance with its obligations under this DPA. Zmags reserves the right to restrict access to its proprietary information, including but not limited to its network architecture, internal and external test procedures, test results and remediation plans. Customer will use best efforts to minimize damage, injury or disruption to Zmags Services and Zmags’ premises, equipment, personnel or business operations. Customer further agrees that: (W) personnel (or designated third parties) performing said audits will be bound by the confidentiality obligations set forth in the Service Agreement; (X) all findings will be deemed Zmags’ Confidential Information; (Y) Customer will share all findings with Zmags; and (Z) Zmags will classify and remediate all findings in accordance with Zmags’ risk management program. Zmags need not give access to its premises for the purposes of such an audit or inspection: (i) to any individual unless he or she produces reasonable evidence of identity and authority and (ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Zmags that this is the case before attendance outside those hours begins. Customer is limited to one audit in any 12-month period, except (i) if and as required by a competent data protection authority; or (ii) Customer believes a further audit is necessary as a result of a Personal Data Breach relating to Zmags Services.
4.3 Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Zmags, Zmags shall, upon Customer’s written request, provide Customer with reasonable cooperation and assistance to fulfill Customer’s obligations under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of Zmags Services. Such cooperation and assistance is provided to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Zmags. To the extent required by applicable Data Protection Laws and Regulations, Zmags shall provide reasonable assistance to Customer in respect of Customer’s prior consultations with the Supervisory Authority.
5. Notice of Non-Compliance
5.1 If required by applicable Data Protection Laws and Regulations, in the event that Zmags is unable to comply with its obligations in this DPA, Zmags shall promptly notify Customer and, if Zmags is unable to take reasonable and appropriate steps to remediate the non-compliance within a mutually agreed-upon timeframe, Customer may take any one or more of the following actions: (a) suspend the transfer of Personal Data to Zmags; (b) require Zmags to cease Processing Personal Data to the extent technically possible; (c) demand the return or destruction of Personal Data; and/or (d) terminate this DPA in accordance with the Service Agreement.
6. Data Security
6.1 Zmags will ensure that all individuals with access to Personal Data are subject to written obligations of confidentiality and that Personal Data is Processed only for the Permitted Purpose.
6.2 Security Measures. Zmags’ technical and organizational security measures to protect Personal Data shall be as set forth in the Service Agreement, this DPA, and/or in any orders or statements of work issued pursuant to the Service Agreement. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, such measures shall include those identified in Schedule B to this DPA.
6.3 Breach Notification. If Zmags becomes aware of a Personal Data Breach involving Zmags Services, Zmags shall: (a) without undue delay following Zmags’ discovery thereof, notify Customer of such Personal Data Breach; (b) investigate, remediate and mitigate the effects of the Personal Data Breach; (c) reasonably cooperate with Customer’s investigation of the Personal Data Breach to the extent that such cooperation does not compromise Zmags’ security; (d) take any additional actions and provide any additional cooperation to Customer as may reasonably be required under applicable Data Protection Laws and Regulations; and (e) upon resolution, provide Customer with a written incident report describing the breach, actions taken during the response and plans for future actions to prevent a similar breach from occurring in the future.
7. Deletion or Return of Personal Data
7.1 Upon termination or expiration of the Service Agreement or at any time at Customer’s written request, Zmags shall return to Customer or destroy all Personal Data, except as otherwise permitted by applicable Data Protection Laws and Regulations.
8.1 This DPA is effective as of the effective date of the Service Agreement and will terminate automatically upon termination or expiration of the Service Agreement without further action required by either party. Provisions of this Addendum that, by their nature should survive, will survive any such termination or expiration.
8.2 This DPA shall be governed by and construed in accordance with the governing law set forth in the Service Agreement, except where otherwise required by applicable Data Protection Laws and Regulations.
Data Processing Description
This Schedule A forms part of the DPA and describes the Processing that Zmags will perform on behalf of Customer.
Controller (Customer) uploads Content to Zmags Services.
Processor (Zmags) is a provider of online software platforms that allow customers to create and publish digital content experiences without the need for coding.
Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Business information (such as email addresses) of Customer’s employees who use Zmags Services (“Users”).
- End users who view Customer’s Content (“Viewers”) via Zmags Services.
- Natural persons whose images (or other Personal Data) are included in Customer’s Content.
Categories of data
Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of data (some or all of which may not be considered Personal Data under applicable Data Protection Laws and Regulations):
- Users: Names, phone numbers, email and login credentials.
- Viewers: IP addresses, location data.
- Images (or other Personal Data) of natural persons included in Content.
Special categories of data (if appropriate)
Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following special categories of data:
- None, unless Customer contacts Zmags at firstname.lastname@example.org to request a change to this section and the parties agree in writing to the special categories of data to be Processed.
The Personal Data will be subject to the following basic Processing activities:
- User login credentials and contact information will be used to authenticate User access and to provide Zmags Services and support to Customer.
- IP addresses and geolocation data are collected to operate Zmags Services and may be used to provide Customer with viewing analytics.
Minimum Security Measures
Zmags shall use commercially reasonable efforts to implement appropriate network security and encryption technologies, including but not limited to the following technologies or any technologies that provide comparable or enhanced protections:
1. IT Network Security. Zmags maintains appropriate IT network segmentation, including but not limited to, firewalls, to segregate its internal networks from the internet and maintains intrusion detection, monitoring, and logging systems to detect and respond to attacks.
2. Application Security. Application security refers to the features and measures that are built into the application to defend against threats, attacks and vulnerabilities. Many involve credentials requirements, encryption, limitation on sign-in attempts, and the use of roles and permissions to restrict access to certain data and documents. These application security measures apply to Zmags’ proprietary software-as-a-service products, Creator® and Publicator®.
3. Vulnerability and Patch Management. Following receipt of any update release from the manufacturer, Zmags will apply manufacturer-recommended security updates to all systems, devices, or applications Processing Personal Data within a reasonable period of time, taking into account the nature and severity of the risk. Zmags will install, within a reasonable period of time following Zmags’ receipt from the manufacturer, any software patches designated by manufacturers, vendors, or Zmags as “critical”. Zmags conducts regular vulnerability scans and penetration tests of any network storing or processing Personal Data and remediates any identified critical vulnerability in accordance with Zmags’ defined remediation schedule.
4. Access Controls.
a. Access Management. Only those Zmags personnel that reasonably need access to Personal Data to perform the services described in the Agreement are granted such access. If Zmags personnel no longer need access to Personal Data, whether because of termination or re-assignment, then access privileges are promptly disabled.
b. Usernames and Passwords. Accounts used to access systems, software, equipment, or networks must comply with Zmags’ complex password requirements.
c. Multi-Factor Authentication. Zmags shall have in place multi-factor authentication for its employees to access Personal Data. For the purposes of this requirement, the implementation and use of appropriate and commercially-reasonable identity verification systems and physical access controls that limit access to systems containing Personal Data may be considered a “factor”.
d. Training. Zmags personnel that may have access to Personal Data are required to undergo regular training on commercial best practices for data security.
5. Encryption. The Zmags Services provide encryption of Content in transit via Secure Sockets Layer (SSL). The protocol allows applications to communicate across a network in a way designed to prevent eavesdropping and tampering. It also provides endpoint authentication and communications confidentiality over the internet, so that data sent from a client workstation to the Zmags Services is secure. All data and attachments are also encrypted.
6. Auditing and Testing.
- Zmags maintains information system audit records to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity.
- Zmags’ security policies, standards and procedures are designed to monitor and protect the Zmags Services. Such policies, standards and procedures are reviewed at least annually and updated as necessary.
- A third party conducts network, system and application vulnerability scanning, and penetration testing, on at least an annual basis, to evaluate the implementation of Zmags’ information security measures. Zmags conducts regularly scheduled internal vulnerability scans against its business and production operations networks.
- Zmags’ cloud storage providers must provide annual SOC 2 or industry equivalent reports attesting to data center controls.