Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of any master services agreement (“Agreement”) between Zentara One LLC (“Processor”) and the customer entity identified in the Agreement (“Controller” or “Customer”). This DPA applies where Processor processes Personal Data on behalf of Customer in connection with delivering the Services.
1. Definitions
Personal Data means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
Data Protection Laws include GDPR, UK GDPR, CCPA/CPRA (to the extent applicable), and similar laws governing personal data.
Other capitalized terms take meanings from the Agreement.
2. Roles of the Parties
Customer is the Controller (or Business); Zentara One is the Processor (or Service Provider) when handling Customer-provided Personal Data under the Agreement.
3. Processing Instructions
Processor will process Personal Data only (i) to provide the Services; (ii) per documented instructions from Customer; and (iii) as required by law. Processor will notify Customer if an instruction violates applicable law (where legally permitted).
4. Confidentiality
Processor ensures personnel authorized to process Personal Data are subject to confidentiality obligations.
5. Security
Processor maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Additional controls may be described in the Agreement or security schedule.
6. Subprocessors
Customer authorizes Processor to use Subprocessors to deliver the Services, provided Processor imposes data protection obligations at least as protective as those in this DPA. A current list of Subprocessors is available upon request.
7. Assistance to Controller
Processor will assist Customer, taking into account the nature of processing, with responding to data subject requests and fulfilling Controller obligations under Data Protection Laws (e.g., security, breach notification, DPIAs) as reasonably required and agreed.
8. Incident Notification
Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer data. Notification may be via email to the contact designated in the Agreement.
9. Return or Deletion
Upon termination or expiry of Services, Processor will delete or return Personal Data as instructed by Customer, unless retention is required by law.
10. Audits
Upon reasonable written request, Processor will provide information (e.g., SOC report, policy summaries) necessary to demonstrate compliance. On-site audits are subject to advance notice, confidentiality, and reasonable cost recovery.
11. International Transfers
If Processor transfers Personal Data outside the originating jurisdiction, Processor will use appropriate safeguards (e.g., Standard Contractual Clauses) where required.
12. Liability
Liability under this DPA is governed by the limitation-of-liability provisions in the Agreement.
13. Order of Precedence
If this DPA conflicts with the Agreement, this DPA controls to the extent of the conflict regarding Personal Data processing.
Schedule 1 – Data Processing Details
| Subject Matter | Engineering, hosting, compliance automation, testing environments, and related support. |
|---|---|
| Duration | Term of the Agreement + retention required by law. |
| Nature & Purpose | To build, host, test, or support software systems for Customer. |
| Types of Personal Data | Contact data; user account data; regulated data only if expressly included in scope. |
| Categories of Data Subjects | Customer employees, end users, patients, players, subscribers—as defined in project scope. |
Contact
Zentara One LLC
1209 Mountain Road Pl NE Ste N
Albuquerque, NM 87110 USA
Email: [email protected]