Zenith Analysis LogoZenith Analysis
Sign in

Data Processing Addendum (DPA)

Last updated: April 15, 2025


This Data Processing Addendum ("DPA") forms part of the agreement between Zenith Analysis ("Processor" or "Company") and the Customer ("Controller") for the provision of services that involve the processing of personal data subject to data protection laws including the General Data Protection Regulation (GDPR).


Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR.
  • "Processing" means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, etc.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
  • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any Processor engaged by the Company to process Personal Data.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.


Processing of Personal Data

The Company shall process Personal Data only for the purpose of providing the services specified in the main agreement between the parties. The types of Personal Data processed may include contact information, user account data, usage data, and any other data provided by the Controller or its users through the Service. The categories of Data Subjects may include the Controller's employees, customers, and other end users.


Processor Obligations

The Company shall:

  • Process Personal Data only on documented instructions from the Controller;
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Assist the Controller in responding to requests from Data Subjects exercising their rights;
  • Assist the Controller in ensuring compliance with security obligations, considering the nature of processing and information available;
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of services;
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA;
  • Notify the Controller without undue delay after becoming aware of a Personal Data Breach.


Controller Obligations

The Controller shall:

  • Ensure it has a lawful basis for the processing of Personal Data;
  • Provide clear instructions to the Processor regarding the processing of Personal Data;
  • Ensure the accuracy and quality of the Personal Data provided to the Processor;
  • Respond to Data Subject requests and ensure appropriate notices have been provided to Data Subjects;
  • Comply with all applicable data protection laws in relation to its processing of Personal Data.


Sub-processors

The Controller provides general authorization for the Company to engage Sub-processors for the processing of Personal Data. The Company will maintain a list of Sub-processors and will provide notice to the Controller prior to engaging any new Sub-processor. The Company shall ensure that its contract with each Sub-processor contains data protection terms no less protective than this DPA.


Security Measures

The Company has implemented and will maintain appropriate technical and organizational security measures including:

  • Encryption of personal data in transit and at rest;
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
  • Processes for regularly testing and evaluating the effectiveness of security measures;
  • Measures to restore access to personal data in a timely manner in the event of a physical or technical incident.
For more details on our security practices, please contact our Data Protection Officer.


Data Transfers

The Company shall not transfer Personal Data outside the European Economic Area (EEA) unless:

  • The transfer is to a country deemed by the European Commission to provide an adequate level of protection;
  • The transfer is subject to appropriate safeguards such as Standard Contractual Clauses;
  • The Controller has expressly authorized such transfer in writing.


Contact Information

For any questions regarding this DPA, please contact our Data Protection Officer at GDPR@zenithanalysis.com.