Data Processing Agreement
Zudello Data Processing Agreement (DPA)
Below you can find the DPA contract between you (the Controller) and Zudello (the
Processor) that you may need to comply with GDPR if you operate within the EU or store data
from EU-based customers.
1. Subject Matter of Processing
The automation of accounts payable and receivable functions by the Processor for the
Controller for the purpose of efficiency, accuracy and security with audit trails on approvals.
2. Duration of Processing
The duration of the processing is defined within the standard contract with the start date of
processing being confirmed on the contract. The last day of processing will be on termination
of contract which is defined as 90 days after written notice to terminate has been
acknowledged.
3. The Nature of Processing
The nature of processing is the collection, organisation, saving, transferring, reporting,
restricting, and deleting of data.
The purpose of the processing is the management and automation of Accounts Payable
and Receivable as well as approvals and audit reviews.
4. Types of Personal Data:
● First Name - Mandatory
● Surname - Mandatory
● Email Address - Mandatory
● Mobile Number - Optional
● Credit Card Number - Optional and encrypted at point of entry using stripe.com
5. Categories of Personal Data:
● Administrators
● Approvers
● Accounts Personnel, i.e. Users, including other role-based Users
● Administrators can add in other categories
● Contract and billing administrators or approvers
6. Special Categories of Personal Data
The Controller’s Users may enter other data in the process of using the service.
No categories designated as special categories are automatically collected by Zudello.
7. Obligations of the Processor:
a. The Processor shall only process personal data as contractually agreed or as instructed
by the Controller, unless the Processor is legally obliged to carry out a specific type of
data processing. Should the Processor be bound by such obligations, the Processor is
to inform the Controller thereof prior to processing the data, unless informing him/her
is illegal. Furthermore, the Processor shall not use the data provided for processing for
any other purpose, specifically his/her own.
b. The Processor confirms that he/she is aware of the principles of data protection. He/she is
to observe the principles of correct data processing.
c. The Processor shall be obliged to maintain strict confidentiality when processing the
data.
d. Any individuals who could have access to the data processed on behalf of the
Controller must be obliged in writing to maintain confidentiality, unless they are
already legally required to do so via another written agreement.
e. The Processor shall ensure that the individuals he/she employs, who are to process the
data, have been made aware of the relevant data protection provisions as well as this
contract before starting to process the data. The corresponding training and
sensitisation measures are to be appropriately carried out on a regular basis. The
Processor shall ensure that the individuals tasked with processing the data are
adequately instructed and supervised on an ongoing basis in terms of fulfilling data
protection requirements.
f. In connection with the commissioned data processing, the Processor must support
the Controller when designing and updating the list of processing activities and
implementing the data protection assessment. All data and documentation required
are to be provided and made immediately available to the Controller upon request.
g. Should the Controller be subject to the inspection of supervisory authorities or any
other bodies or should affected persons exercise any rights against the Controller,
then the Processor shall be obliged to support the Controller to the extent required, if
the data being processed on behalf of the Controller is affected.
h. Information may be provided to third parties by the Processor solely with the
Controller’s prior consent. Inquiries sent directly to the Processor will be immediately
forwarded to the Controller.
i. If he/she is legally obliged to do so, the Processor shall appoint a professional and
reliable individual as the authorised data protection officer. It must be ensured that
the officer does not have any conflicts of interest. In the event of any doubts, the
Controller can contact the data protection officer directly. The Processor is to then
immediately notify the Controller of the contact details of the data protection officer
or provide a reason as to why a data protection officer has not been appointed. The
Processor is to immediately inform the Controller of any changes to the status of the
data protection officer or of any changes to his in-house tasks.
8. Technical and organisational measures
The data protection measures may be adjusted according to the continued technical and
organisational advancement. The Processor shall reasonably implement the changes
required for the purposes of maintaining information security.
9. Stipulations on correcting, deleting and blocking data
In the scope of the data processed on behalf of the Controller, the Processor may only correct,
delete or block the data in accordance with the contractual agreement or the Controller’s
instructions.
10. Subcontracting
a. A subcontractor is any person or organisation appointed by or on behalf of the
Processor to process Personal Data on behalf of the Controller.
b. Subcontracting is only possible if the subcontractor is subject to a contractual
minimum of data protection obligations, which are comparable with those stipulated
in this contract.
c. The Processor’s and subcontractor’s responsibilities must be clearly distinguished.
d. Any additional subcontracting carried out by the subcontractor is not permitted.
e. The Processor shall choose the subcontractor by specifically considering the suitability
of the technical and organisational measures taken by the subcontractor.
f. Any transfer of the data processed on behalf of the Controller to the subcontractor
shall only be permitted after the Processor has provided convincing documentation
that the subcontractor has met his/her obligations in full.
g. The Processor must review the subcontractor’s compliance with obligations on a
regular basis, every 12 months at the latest. The inspection and its results must be
documented such that they are understandable to a qualified third party.
h. Subcontracting, in terms of this contract, only refers to those services that are directly
associated with rendering the primary service. Additional services, such as
transportation, maintenance and cleaning, as well as using telecommunication
services or user services, do not apply. The Processor’s obligation to ensure that proper
data protection and data security is provided in these cases remains unaffected.
11. Rights and obligations of the Controller
a. The Controller shall be solely responsible for assessing the admissibility of the
processing requested and for the rights of affected parties.
b. The Controller shall document all orders, partial orders or instructions. In urgent cases,
instructions may be given verbally. These instructions will be immediately confirmed
and documented by the Controller.
c. The Controller shall immediately notify the Processor if he finds any errors or
irregularities when reviewing the results of the processing.
12. Notification obligations
a. The Processor shall notify the Controller of any personal data breaches. Notice must
be given to one of the Controller’s known addresses. This notification must contain at
least the following information:
i. description of the type of the personal data protection infringement
including, if possible, the categories and approximate number of affected
persons as well as the respective categories and approximate number of the
personal data sets;
ii. The name and contact details of the data protection officer or another point of
contact for further information;
iii. A description of the probable consequences of the personal data protection
infringement;
iv. A description of the measures taken or proposed by the Processor to rectify the
personal data protection infringement and, where applicable, measures to
mitigate their possible adverse effects.
13. Ending the commissioned processing:
a. When terminating the contractual relationship or at any time upon the Controller’s
request, the Processor must either destroy the data processed as part of the
commission or submit the data to the Controller at the Controller’s discretion, subject
to the Processor’s Terms and Conditions. All copies of the data still present must also
be destroyed. The data must be destroyed in such a way that restoring or recreating
the remaining information will no longer be possible, even with considerable effort.
b. Subject to the Processor’s Terms and Conditions, the Processor is obligated to
immediately ensure the return or deletion of data from subcontractors.
c. Any documentation that serves the purpose of providing proof of proper data
processing shall be kept by the Processor according to the respective retention
periods, including the statutory period after the contract has expired. The Processor
may submit the respective documentation to the Controller once his/her contractual
obligations have ended.
14. Liability:
a. The Controller shall be liable for compensation to anyone for damage caused by any
unauthorised party or for incorrect data processing within the scope of the contract.
b. The Controller shall bear the burden for proving that any damage is the result of
circumstances that the Processor is responsible for insofar as the relevant data have
been processed under this agreement. If this proof has not been provided, the
Controller shall, when initially requested to do so, release the Processor from all claims
that are levied against the latter in connection with the data processing.
c. The Processor shall be liable to the Controller for any damages culpably caused by the
Processor, his/her employees or appointed subcontractors or the contract-executing
agency in connection with rendering the contractual service requested.
d. The Processor’s liability is limited to the amount paid for Access Fees to the Processor
by the Controller in the twelve months preceding the incident causing the liability and
subject to the Processor’s Terms and Conditions.
e. Sections (2) and (3) in this clause shall not apply if the damage occurred as a result of
correctly implementing the service requested or an instruction provided by the
Controller.
15. Miscellaneous:
a. Both Parties are obligated to treat all knowledge of trade secrets and data security
measures, which have been obtained from the other party within the scope of the
contractual relationship, as confidential, even after the contract has expired. If there is
any doubt as to whether information is subject to confidentiality, it shall be treated
confidentially until written approval from the other party has been received.
b. Should the Controller’s property be threatened by the Processor by third-party
measures (e.g. by seizure or confiscation), by insolvency or settlement proceedings or
by other events, the Processor shall immediately notify the Controller.
c. Should any parts of this agreement be invalid, this will not affect the validity of the
remainder of the agreement.