GDPR Compliance Statement

Zenith Analysis ("we", "us", "our") is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (GDPR) for individuals within the European Economic Area (EEA), the United Kingdom (UK), and Switzerland. This statement outlines how we handle personal data in the context of our business-to-business services.


Our Role: Processor vs. Controller

In the context of our B2B relationships, our role under GDPR is clearly defined:

  • As a Processor: When your organization uses our platform to process, analyze, or store data about your customers, employees, or other data subjects, Zenith Analysis acts strictly as a Data Processor. Your organization is the Data Controller that determines the purposes and means of processing personal data. We process this data only according to your documented instructions.
  • As a Controller: We act as a Data Controller only for the business contact information of your organization's representatives who interact with our service (such as account administrators or billing contacts), website visitors, and for limited account administration data necessary to provide our services.

This distinction is important as it determines the respective responsibilities and obligations of each party under GDPR.


Legal Basis for Processing

Where we act as a Data Controller, we process personal data on the following legal grounds:

  • Contractual Necessity: Processing necessary for the performance of our contract with your organization.
  • Legitimate Interests: Processing necessary for our legitimate business interests (such as providing customer support, enhancing security, improving our services) where these interests are not overridden by the rights of data subjects.
  • Compliance with Legal Obligations: Processing necessary to comply with applicable laws and regulations.
  • Consent: Where required and appropriate, we obtain explicit consent for specific processing activities.

Where we act as a Data Processor, we process personal data solely on the instructions of your organization (the Controller) and in accordance with our Data Processing Addendum.


Business Data Subject Rights

Under GDPR, individuals whose personal data we process as a Controller (such as your organization's representatives) have certain rights:

  • The right to be informed about our collection and use of personal data
  • The right to access their personal data
  • The right to have inaccurate data corrected
  • The right to request erasure of their data (under certain conditions)
  • The right to restrict or object to processing
  • The right to data portability
  • The right to withdraw consent at any time (where processing is based on consent)

For data we process as a Processor on behalf of your organization, data subject rights requests should be directed to your organization as the Controller. We will assist your organization in responding to such requests as required by GDPR and specified in our Data Processing Addendum.


Data Processing Addendum (DPA)

In accordance with Article 28 of the GDPR, we offer a comprehensive Data Processing Addendum (DPA) that forms part of our contract with your organization. The DPA specifies:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The types of personal data and categories of data subjects
  • Our obligations and rights as a Processor
  • Sub-processor engagement and management
  • Technical and organizational security measures
  • Audit and compliance provisions
  • Process for data return or deletion upon service termination

To obtain our standard DPA, please contact us or visit zenithanalysis.com/legal/data-processing.


Technical and Organizational Security Measures

We have implemented comprehensive security measures to protect personal data processed through our services, including:

  • Encryption of data in transit and at rest
  • Regular security testing and vulnerability assessments
  • Access controls and authentication mechanisms
  • Regular backup procedures
  • Employee training on data protection and security
  • Incident response plans and procedures
  • Regular reviews and updates of security measures

We are committed to maintaining appropriate security measures in line with industry standards and best practices. Details of our security measures are available to clients upon request under appropriate confidentiality terms.


International Data Transfers

As a global service provider, we may transfer personal data across international borders. For transfers of data from the EEA, UK, or Switzerland to countries not deemed to provide adequate protection, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • Compliance with approved certification mechanisms or codes of conduct
  • Implementation of supplementary measures as recommended by European data protection authorities

We continuously monitor the legal framework for international data transfers and update our practices as necessary to ensure compliance with evolving requirements.


Sub-processor Management

When engaging sub-processors to assist in providing our services, we:

  • Conduct due diligence to ensure they provide sufficient guarantees to implement appropriate technical and organizational measures
  • Enter into contracts that impose the same data protection obligations as those contained in our DPA with your organization
  • Maintain a list of current sub-processors and notify clients of any intended changes
  • Remain fully liable for the performance of our sub-processors' obligations

Our sub-processor management procedures are designed to ensure that your data remains protected throughout our supply chain.


Contact Information / Data Protection Officer

For questions regarding our GDPR compliance, to exercise your data protection rights, or to request our DPA, please contact us. We have appointed a Data Protection Officer (DPO) who can be reached at: GDPR@zenithanalysis.com.



Last updated: April 15, 2025