This Data Protection Attachment (“DPA”) is incorporated into and made part of ZaapIT's T&C and governs the Processing of Personal Data by ZaapIT as a Processor on behalf of Customer or Customer Affiliates, as applicable. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
General. The terms “Personal Data,” “Personal Data Breach,” “Process/Processing,” “Controller,” “Processor,” “Subprocessor,” and “Data Subject” have the meanings ascribed to them under the General Data Protection Regulation; provided that the term “Personal Data” as used herein only applies to Personal Data for which ZaapIT is a Processor.
“EEA” means the European Economic Area.
“General Data Protection Regulation” or “the GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Processor Privacy Code” or “Processor Code” means ZaapIT’s processor binding corporate rules for the Processing of Personal Data, the most current version of which is available on ZaapIT’s website at https://www.brosh.io/page/Terms-and-Conditions.
2. DATA PROCESSING AND PROTECTION OF PERSONAL DATA
2.1 Scope of Data Processing. The duration of the Processing of Personal Data will be the same as the duration of the Agreement, except as otherwise agreed to in writing by the parties. The subject matter of the Processing of Personal Data is set out in the Agreement and this DPA. The nature and purpose of the Processing of Personal Data involve the provision of the service to Customer, as set out in the Agreement and this DPA.
2.2 Data Processing Limitations. With respect to Personal Data Processed by ZaapIT or ZaapIT Affiliate as a Processor on behalf of Customer or Customer Affiliate or as a Subprocessor where Customer Processes such Personal Data on behalf of its customers (or both), ZaapIT will: (a) Process Personal Data only as necessary to provide the Services in accordance with the terms of the Agreement or as instructed by Customer in writing, including in electronic form, and consistent with the terms of the Agreement; and (b) not disclose Personal Data to third parties except: (i) to employees, service providers, or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under this DPA or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement. If ZaapIT has reason to believe Customer’s instructions infringe the GDPR or other EEA data protection provisions, then ZaapIT will immediately notify Customer.
2.3 Assistance to Customer and Regulatory Investigation. Upon written request, ZaapIT will provide reasonable assistance and information to Customer in fulfilling any legal obligations that Customer may have under the GDPR regarding data protection impact assessments, data and systems inventory, and related consultations of data protection authorities, or in the event of an investigation by any governmental authorities, if and to the extent that such investigation relates to Personal Data Processed by ZaapIT in accordance with the Agreement. Such assistance will be at Customer’s sole expense, except where such an investigation was required due to ZaapIT’s failure to act in accordance with the Agreement.
2.4 Transfers of Personal Data from EEA. In providing the service, ZaapIT may transfer and access Personal Data to and from other countries where ZaapIT has operations or Subprocessors, or as otherwise required by applicable law. ZaapIT’s Processor Privacy Code and the additional terms in this Section 2.4 will apply to ZaapIT’s Processing of Personal Data on Customer’s behalf as a data processor in providing the service, where such Personal Data is: (i) subject to any restriction under the GDPR or other applicable EEA data protection laws regarding outbound transfers of Personal Data, and (ii) Processed by ZaapIT in a country outside of the EEA. The most current version of the Processor Code is available on ZaapIT’s website, currently located at https://www.brosh.io/page/Terms-and-Conditions, and the terms of the Processor Code are incorporated by reference into this DPA. Capitalized terms used but not defined in this Section 2.4 have the meanings set forth in the Processor Code.
ZaapIT will make commercially reasonable efforts to maintain the EU authorization of its Processor Code for the duration of the Agreement and will promptly notify Customer of any subsequent material changes in the EU authorization of its Processor Code.
3. CUSTOMER RESPONSIBILITIES. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of the service that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. ZaapIT will be entitled to rely solely on Customer or Customer Affiliate’s instructions relating to Personal Data Processed by ZaapIT. Customer is responsible for coordinating all communication with ZaapIT under this DPA, including, without limitation, any communication in relation to this DPA on behalf of its Affiliates.
4. INFORMATION SECURITY. ZaapIT will safeguard Personal Data with appropriate technical, physical, and organizational measures as described more fully in the Processor Code and the Agreement for the provision of ZaapIT's service. The parties agree that the audit rights provided under the Processor Code and Agreement will be used to satisfy any audit or inspection requests by or on behalf of Customer and to demonstrate compliance with applicable obligations of ZaapIT under this DPA.
5. PERSONAL DATA BREACH. ZaapIT will notify Customer without undue delay if ZaapIT becomes aware of a Personal Data Breach affecting the Personal Data. Taking into account the nature of Processing and the information available to ZaapIT, ZaapIT will assist Customer at Customer’s request and at Customer’s expense in complying with Customer’s notification obligations regarding Personal Data Breaches as required by the GDPR.
6. DATA PRIVACY CONTACT. ZaapIT’s data privacy officer can be reached at the following email address: support at BROSH.io
7. DATA SUBJECT RIGHTS – ACCESS, CORRECTION, RESTRICTION, AND DELETION. Taking into account the nature of the Processing, ZaapIT's service provides functionality to assist Customer by appropriate technical and organizational measures, insofar as this is possible, to access, correct, amend, restrict, or delete Personal Data contained in the ZaapIT apps to address requests by a Data Subject under the GDPR. To the extent Customer, in its use of the service, is not familiar with ZaapIT's functionality that may be used for these purposes, ZaapIT will provide Customer with additional Documentation or customer support assistance to educate the Customer on how to take such actions in a manner consistent with the functionality of the service and in accordance with the terms of the Agreement. If ZaapIT receives any request from any Data Subject to access, correct, restrict, or delete Personal Data, ZaapIT will advise such Data Subject to submit its request to Customer and Customer will be responsible for responding to any such request using the functionality provided with the service.
8. SUBPROCESSORS. ZaapIT may engage Subprocessors to provide parts of the service, subject to the restrictions of the Agreement and this DPA. ZaapIT will ensure that Subprocessors Process Personal Data only in accordance with the terms of this DPA and that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required by this DPA. Before appointing any new Subprocessors, ZaapIT will inform Customer of the appointment (including the name and location of such Subprocessor and the activities it will perform) either by electronic mail, or by publication to a ZaapIT website (https://www.brosh.io/page/Security-Policy) provided to Customer prior to any appointment. Customer may object to ZaapIT’s appointment by giving written notice to ZaapIT within thirty (30) days of being informed by ZaapIT of such appointment, and if, within thirty (30) days of ZaapIT’s receipt of Customer’s objection, ZaapIT fails to provide a commercially reasonable alternative to avoid the Processing of Personal Data by the appointed Subprocessor, Customer may, as its sole and exclusive remedy, terminate any ZaapIT services to which this DPA applies.
9. RETURN OR DISPOSAL. Prior to termination or expiration of the Agreement for any reason, Customer may retrieve Personal Data processed by ZaapIT in accordance with the terms of the Agreement, and at Customer’s request provided in writing to ZaapIT, ZaapIT will promptly return or delete Personal Data from ZaapIT, unless applicable law requires storage of the Personal Data.
10. Agreement to Governing Law and Jurisdiction: The Agreement is governed by the laws of Israel. The Agreement shall not be governed by the United Nations Convention on the International Sale of Goods. Exclusive venue for all disputes arising out of the Agreement shall be in Tel-Aviv, Israel, and we each agree not to bring an action in any other venue. You waive all objections to this venue and agree not to dispute personal jurisdiction or venue in these courts. You agree that you will not bring or participate in any class action lawsuit against ZaapIT, Inc or any of its employees or affiliates. Each of us agrees that we will not bring a claim under the Agreement more than two years after the time that the claim accrued.