Data Processing Addendum
Last Updated: July 29, 2025
Preamble
A. This Data Protection Addendum (the "Addendum") applies to the processing of Personal Data by Ex Quanta, Inc. dba Zenlytic ("Zenlytic") including, without limitation, Personal Data relating to data subjects located in the European Economic Area ("EEA") or Switzerland ("EU Personal Data"), the United Kingdom ("UK") ("UK Personal Data") and individuals located in California ("CA Personal Data"). For this Addendum's purposes, EU Personal Data and UK Personal Data are collectively referred to as "European Personal Data."
B. This Addendum supplements the online terms of use or other signed agreement (the "Agreement") entered into between Zenlytic and the customer ("Customer") that is accessing or using Zenlytic's products and services (the "Services"). This Addendum is hereby incorporated into the Agreement. In the event of a conflict between this Addendum and any other terms in the Agreement, the terms of this Addendum will govern.
C. "Controller", "Processor", "data subject" and "process" have the meanings given in the relevant Data Protection Requirements (as defined below). The term "Supervisory Authority" means (a) in the context of the UK and the UK GDPR (as defined below), the UK Information Commissioner's Office; and/or (b) in the context of the EEA and EU GDPR (as defined below), the definition of that term in Article 4(21) of the EU GDPR. "Consumer", "business", "sale", and "service provider" shall have the meaning given in the CCPA (as defined below). "Personal Data" means (a) the "personal data" (as defined in GDPR) that Customer provides to Zenlytic for the provision of the Services and (b) any other information that Customer provides to Zenlytic for the provision of the Services that constitutes "personal information" under and governed by the CCPA (as defined below). The term "Data Subject Request" means the exercise of rights by a data subject of Personal Data made under and in accordance with applicable Data Protection Requirements. The term "EU Restricted Transfer" means a transfer of EU Personal Data to any person in a Restricted Country, which would be prohibited without a legal basis therefor under Chapter V of the EU GDPR. The term "EU Standard Contractual Clauses" means the standard contractual clauses adopted by the European Commission under Article 46 of the EU GDPR for the transfer of Personal Data from data exporters in the EEA to data importers in third countries. The term "Relevant Body" means (a) in the context of the UK and the UK GDPR, the UK Government; and/or (b) in the context of the EEA and EU GDPR, the European Commission. 
The term "Restricted Country" means (a) in the context of the UK, a country or territory outside the UK; and/or (b) in the context of the EEA, means a country or territory outside the EEA, that the Relevant Body has not deemed to provide an 'adequate' level of protection for Personal Data pursuant to a decision made in accordance with Article 45 of the GDPR. The term "Restricted Transfer" means (a) an EU Restricted Transfer; and/or (b) a UK Restricted Transfer, as the context requires. The term "Standard Contractual Clauses" means (a) the EU Standard Contractual Clauses; and/or (b) the UK Standard Contractual Clauses, as the context requires. The term "UK Restricted Transfer" means a transfer of UK Personal Data to any person in a Restricted Country, which would be prohibited without a legal basis therefor under Chapter V of the UK GDPR. The term "UK Standard Contractual Clauses" means the standard contractual clauses adopted by the UK Information Commissioner's Office and/or the UK Government under Article 46 of the UK GDPR from time to time for the transfer of Personal Data from data exporters in the UK to data importers outside the UK.
D. As between the parties, with regard to European Personal Data, Customer is a Controller or Processor and Zenlytic may be either a Processor or a subprocessor for Customer.
E. As between the parties, with regard to CA Personal Data, Customer is a business and Zenlytic is a service provider.
F. Zenlytic reserves the right to modify this Addendum in order to comply with applicable law and regulation. To the extent that Zenlytic modifies this Addendum in order to ensure such compliance, Zenlytic will provide notice to Customer of the modifications, and Customer's continued use of the Services will constitute Customer's agreement to those modifications. Zenlytic may provide that notice in a variety of ways, including, among other things, sending Customer an email, posting a notice on the Service itself, or by posting the revised Addendum on Zenlytic's website and revising the "last updated" date at the top of this Addendum.
1. Nature of Data Processing
The subject matter of the data processing, including the processing operations carried out by Zenlytic on behalf of Customer and Customer's data processing instructions for Zenlytic, will be described in the Agreement, this Addendum, and each statement of work, order form, or equivalent document where Customer orders Services from Zenlytic, which form integral parts of the Agreement.
Categories of data subjects: Individuals who may use Zenlytic's Services as provided to Customer under the Agreement.
Types of Personal Data processed: Personal Data provided by Customer to Zenlytic in connection with the Agreement.
2. Compliance with Laws
The parties shall each comply with their respective obligations under all applicable laws, regulations, and other legal requirements relating to (i) privacy and data security; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data ("Privacy Laws"), including, without limitation, the California Consumer Privacy Act of 2018 (as amended) ("CCPA"). With regard to European Personal Data, the parties will comply with each of their respective obligations under (i) the European Union Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "General Data Protection Regulation" or "EU GDPR") and any subordinate legislation and regulation implementing the EU GDPR which may apply; and (ii) the EU GDPR as it forms part of United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended ("UK GDPR") (collectively, with Privacy Laws, the "Data Protection Requirements"). Together, the EU GDPR and UK GDPR shall be referred to as the "GDPR." References to "Articles" and "Chapters" of the GDPR shall be construed accordingly.
3. Customer Obligations
Customer shall:
3.1 Instructions and Purpose
Provide instruction to Zenlytic and determine the purposes and general means of Zenlytic's processing of Personal Data on behalf of Customer under the Agreement; and
3.2 Data Protection Compliance
comply with its personal data protection, data security and other obligations prescribed by Data Protection Requirements for Controllers by, without limitation, meeting its obligations under Data Protection Requirements to:
establish and maintain a procedure for the exercise of the rights of the individuals whose Personal Data Zenlytic processes on behalf of Customer;
as required by Data Protection Requirements, provide notice and obtain consent from the individuals whose Personal Data Zenlytic processes on behalf of Customer;
establish or ensure that another party has established a legal basis for Zenlytic's processing of Personal Data contemplated by this Addendum;
process only data that have been lawfully and validly collected and ensure that such data will be relevant and proportionate to the respective uses; and
ensure compliance with the provisions of this Addendum by its personnel and by any person accessing or using Personal Data on its behalf.
3.3 Processing Instructions
By entering into this Addendum, Customer instructs Zenlytic to process Customer Personal Data, in accordance with applicable law: (a) to provide the Services; (b) as authorized by the Agreement, including this Addendum; and (c) as further documented in any other written instructions given by Customer and acknowledged in writing by Zenlytic as constituting instructions for purposes of this Addendum.
4. Zenlytic Obligations
4.1 Processing Requirements
Zenlytic, in its capacity as a Processor or subprocessor of Personal Data, shall:
process Personal Data solely for the purposes of providing the Services as described in the Agreement (which shall encompass the processing authorized by Customer's instructions), and in compliance with the instructions received from Customer and the Agreement;
not sell any CA Personal Data or retain, use or disclose CA Personal Data outside of the direct business relationship between Zenlytic and Customer;
inform Customer promptly if, in Zenlytic's opinion, an instruction from Customer violates applicable Data Protection Requirements;
adopt and maintain appropriate security measures including organizational and technical measures, which will be at least as stringent as those set forth as Exhibit A attached hereto (the "Security Measures"), designed to maintain a level of security appropriate to the risks presented by processing the Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
grant access to Personal Data only to personnel who need such access for the scope of their job duties, and are subject to appropriate confidentiality arrangements;
if it intends to engage one or more third parties acting on its behalf ("subprocessor") to help it to satisfy its obligations in accordance with this Addendum or to delegate all or part of the processing activities to such subprocessors: (i) remain responsible, and liable, to Customer for the subprocessors' acts and omissions with regard to data protection; and (ii) enter into contractual arrangements with such subprocessors requiring them to provide a substantially similar level of data protection compliance and information security to that provided for herein. Subject to the requirements of this Section 4.1(6), Customer hereby generally authorizes the engagement of subprocessors. When any new subprocessor is engaged during the term of the Agreement, Zenlytic will promptly notify Customer of the engagement. If Customer objects to such engagement in a written notice to Zenlytic within 15 days of being informed thereof on reasonable grounds relating to the protection of Personal Data, Zenlytic and Customer will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement for its convenience (without liability to Zenlytic) and cancel the Services by providing written notice to Zenlytic. If Customer does not object to Zenlytic's appointment of a subprocessor during the 15-day period referred to in this Section 4.1(6), Customer shall be deemed to have approved Zenlytic's engagement and ongoing use of that subprocessor.
4.2 Information Obligations
Zenlytic shall promptly inform Customer if Zenlytic becomes aware of:
any legally binding request for disclosure of Personal Data by a law enforcement authority; or
any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data.
4.3 Personal Data Breach Notification
Zenlytic further agrees to notify Customer of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in Zenlytic's possession, custody or control ("Personal Data Breach") without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
4.4 Customer Assistance
Zenlytic shall reasonably assist Customer regarding:
any requests from data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data. In the event that a data subject sends such a request directly to Zenlytic, Zenlytic will direct the data subject to submit such request to Customer directly, and Customer shall be responsible for responding to such requests. Where relevant, Customer acknowledges and agrees, both generally and specifically for the purpose of Clause 10(a) of Module Three of the EU Standard Contractual Clauses, that there are no circumstances in which it would be appropriate for Zenlytic to notify any third-party controller of any data subject request and that any such notification shall be the Customer's responsibility;
the investigation of Personal Data Breaches and the notification to the Supervisory Authority and data subjects in respect of such breaches by providing available details of the Personal Data Breaches, including steps Zenlytic has taken to mitigate the potential risks and steps Zenlytic recommends Customer take to address the Information Security Incident; and
the preparation of data protection impact assessments and, where applicable, carrying out consultations with any Supervisory Authority.
4.5 Legal Processing Requirements
If Zenlytic is required by Data Protection Requirements to process any Personal Data other than as set forth in this Addendum, Zenlytic shall inform Customer of this requirement in advance of any processing, unless Zenlytic is legally prohibited from informing Customer of such processing.
5. Audit; Certification
Customer may audit Zenlytic's compliance with this Addendum up to once per year and on such other occasions as may be required by Data Protection Requirements. Zenlytic will cooperate with the audit by providing Customer or Customer's Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. Customer will reimburse Zenlytic for its reasonable expenses incurred to cooperate with such an audit. The audit must be conducted during regular business hours, subject to an agreed upon audit plan and Zenlytic's safety, security or other relevant policies, and may not unreasonably interfere with Zenlytic's business activities. Zenlytic shall not be required to breach any duties of confidentiality in connection with such audit, and Customer may use the audit reports only for the purposes of meeting Customer's regulatory audit requirements and/or confirming compliance with the requirements of this Addendum.
6. Data Transfers
6.1 General Transfer Provisions
Zenlytic is located in the United States, and may store and process Personal Data in the United States or anywhere Zenlytic or its subprocessors maintains facilities. Accordingly, Customer acknowledges that certain Restricted Transfers may be effected under this Addendum. The provisions of this Section 6 shall apply to any such Restricted Transfers (if and as applicable, having regard to the nature of those transfers and the application or otherwise of Chapter V of the EU GDPR and/or UK GDPR). The Standard Contractual Clauses referred to in this Section 6 shall only have effect if and to the extent permitted and required under the EU GDPR and/or UK GDPR to establish a valid basis under Chapter V of the EU GDPR and/or UK GDPR (if and as applicable) in respect of the transfer to Zenlytic of Personal Data.
6.2 EU Restricted Transfers
To the extent that any processing of European Personal Data under this Addendum involves an EU Restricted Transfer, the parties shall comply with their respective obligations set out in the EU Standard Contractual Clauses.
The following modules of the EU Standard Contractual Clauses apply in the manner set out below (having regard to the Customer's role):
Module 2 of the EU Standard Contractual Clauses applies to any EU Restricted Transfer involving processing of European Personal Data in respect of which Customer is a Controller in its own right; and/or
Module 3 of the EU Standard Contractual Clauses applies to any EU Restricted Transfer involving processing of European Personal Data in respect of which Customer is itself acting as a processor on behalf of any other person.
6.3 UK Restricted Transfers
To the extent that any processing of UK Personal Data under this Addendum involves a UK Restricted Transfer, the parties shall comply with their respective obligations set out in the UK Standard Contractual Clauses, which are hereby deemed to be entered into and populated in accordance with this Section 6.3.
In respect of any UK Standard Contractual Clauses entered into pursuant to this Section 6.3:
Customer acts as "data exporter", and Zenlytic acts as "data importer".
The details on pages 1 to 3 of such UK Standard Contractual Clauses shall be populated with the information of the parties as set out in, or determined by, the Agreement.
Clause 9 of such UK Standard Contractual Clauses shall be populated as follows: "The Clauses shall be governed by the law of the country of the United Kingdom in which the data exporter is established."
Clause 11(3) of such UK Standard Contractual Clauses shall be populated as follows: "The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the laws of the country of the UK where the data exporter is established."
Appendix 1 to such UK Standard Contractual Clauses shall be populated with the corresponding information set out in Section 1 of this Addendum.
Appendix 2 to such UK Standard Contractual Clauses shall be populated by selecting Option 2 and including the following: "The technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Section 4.1 of the Addendum."
In respect of any UK Restricted Transfer involving processing in respect of which Customer is itself acting as a Processor on behalf of any other person, Customer represents and warrants on an ongoing basis, and further undertakes, that it has full and sufficient authority to enter into the UK Standard Contractual Clauses for and on behalf of each such other person.
To the extent that Zenlytic effects a UK Restricted Transfer to a subprocessor, Zenlytic shall (and Customer hereby authorizes Zenlytic to) enter into the UK Standard Contractual Clauses as agent for Customer (as "data exporter") with that subprocessor (as "data importer"). In respect of any such UK Restricted Transfer between Zenlytic and a subprocessor, Customer acknowledges and agrees that Zenlytic's obligation to enter into the UK Standard Contractual Clauses shall be satisfied by the inclusion of the details of the Personal Data in the general description of the "personal data" referred to in any existing or future UK Standard Contractual Clauses entered into by and between Zenlytic and that subprocessor.
6.4 Alternative Compliance Standards
Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of European Personal Data outside the EEA or UK Personal Data outside the UK (e.g., binding corporate rules) applies to the transfer.
7. Term
This Addendum shall remain in effect as long as Zenlytic carries out Personal Data processing operations on behalf of Customer or until the termination of the Agreement (and all Personal Data has been returned or deleted in accordance with section 8 below).
8. Data Return and Deletion
The parties agree that upon the expiration or termination of the Agreement, Zenlytic shall securely destroy all Personal Data and, at the request of Customer, certify that it has taken such measures, unless applicable laws prevent Zenlytic from destroying all or part of the Personal Data disclosed. In such case, Zenlytic agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with the laws it is subject to.
9. Liability
The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with this Addendum and the Standard Contractual Clauses (if entered into as described in Section 6 of this Addendum) combined will be limited to the liability limitations or other liability caps agreed to by the parties in the Agreement. Notwithstanding the foregoing, nothing in this Section 9 will affect any party's liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent the limitation of such rights is prohibited by Privacy Laws or Local Data Protection Laws, where applicable.
10. Precedence and Application of Standard Contractual Clauses
10.1 Conflict Resolution
In the event of any conflict or inconsistency between:
this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict or inconsistency; or
any Standard Contractual Clauses that apply pursuant to Section 6 and this Addendum and/or the Agreement, those Standard Contractual Clauses shall prevail in the context of the Restricted Transfer(s) to which they apply to the extent of such conflict or inconsistency; provided that, in order to establish the operational clarity in relation to certain provisions of the Standard Contractual Clauses, it is agreed that the following shall apply:
upon Customer's request under Clause 5(j) of the UK Standard Contractual Clauses that Zenlytic provide copies of the subprocessor agreements to Customer, Zenlytic may remove or redact all commercial information and/or any clauses, recitals, schedules, annexes, appendices, etc., unrelated to the UK Standard Contractual Clauses beforehand;
when complying with its transparency obligations under Clause 8.3 of the EU Standard Contractual Clauses, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Zenlytic's and its licensors' trade secrets, business secrets, confidential information and/or other commercially sensitive information;
the audits described in Clauses 5(f) and 12(2) of the UK Standard Contractual Clauses and in Clauses 8.9(c) and 8.9(d) of the EU Standard Contractual Clauses shall be performed in accordance with Section 5 of this Addendum and shall be subject to any relevant conditions, limitations or restrictions therein;
in respect of subprocessors:
any approval by Customer of Zenlytic's appointment of a subprocessor that is given expressly or deemed given pursuant to Section 4.1 constitutes Customer's: (A) prior written consent to Zenlytic's appointment of that Subprocessor if and as required under Clause 5(h) of the UK Standard Contractual Clauses; and (B) documented instructions to effect onwards transfers to any relevant subprocessors if and as required under Clause 8.8 of the EU Standard Contractual Clauses;
for the purposes of Clause 9(a) of the EU Standard Contractual Clauses, the Parties are deemed to have selected Option 2, and the timeframe for advance notice of intended changes is as set out in Section 4.1; and
the terms and conditions of Section 4.1 apply generally to Zenlytic's appointment and use of subprocessors for the purposes of both sets of Standard Contractual Clauses.
certification of deletion of Personal Data as described in Clause 12(1) of the UK Standard Contractual Clauses and Clauses 8.5 and 16(d) of the EU Standard Contractual Clauses shall be provided upon Customer's written request; and
the parties agree that the provisions of Section 4.3 satisfy the requirements of the UK Standard Contractual Clauses.
Exhibit A - Security Measures
1. Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities holding personal data. Measures shall include:
Access control system
(Issue of) keys
Door locking (electric door openers etc.)
Surveillance facilities
Alarm system, video/CCTV monitor
Logging of facility exits/entries
2. Access control to systems
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
Password procedures (incl. special characters and minimum length)
No access for guest users or anonymous accounts
Central management of system access
Access to IT systems subject to approval from HR management and IT system administrators
3. Access control to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures shall include:
Differentiated access rights
Access rights defined according to duties
Automated log of user access via IT systems
4. Disclosure control
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
Encryption in transit and at rest
Creating an audit trail of all data transfers
5. Input control
Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained.
Measures should include:
Logging user activities on systems that access user data
That it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment
That it is possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data have been input
6. Job control
Measures should be put in place to ensure that data is processed strictly in compliance with the data importer's instructions. These measures must include:
Unambiguous wording of contractual instructions
Monitoring of contract performance
7. Availability control
Measures should be put in place designed to ensure that data are protected against accidental destruction or loss. These measures must include:
Installed systems may, in the case of interruption, be restored
Systems are functioning, and that faults are reported
Stored personal data cannot be corrupted by means of a malfunctioning of the system
Uninterruptible power supply (UPS)
Business Continuity procedures
Remote storage
8. Segregation control
Measures should be put in place to allow data collected for different purposes to be processed separately. These measures should include:
Restriction of access to data stored for different purposes according to staff duties.
Segregation of business IT systems
Segregation of IT testing and production environments
9. Supplemental Measures
Measures and assurances regarding U.S. government surveillance ("Additional Safeguards").
Zenlytic uses encryption both in transit and at rest (see Section 4 above).
As of the date of this DPA, Zenlytic has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
No court has found Zenlytic to be the type of entity eligible to receive process issued under FISA Section 702: (i) an "electronic communication service provider" within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
Zenlytic shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific "targeted selector" (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
Zenlytic shall use all available legal mechanisms to challenge any demands for data access through national security process that Zenlytic receives, as well as any non-disclosure provisions attached thereto.
Zenlytic shall take no action pursuant to U.S. Executive Order 12333.
Zenlytic will notify Customer if Zenlytic can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.