Data Processing Agreement
This Data Processing Agreement ("DPA" or "Addendum"), including the Standard Contractual Clauses (as defined below) attached hereto (collectively, the "DPA"), is made and entered into as of the effective date (the "Effective Date") of the applicable customer's ("Customer") acceptance of the Terms of Service between Zenovay Inc. ("Company" or "Zenovay") and Customer to which this DPA is attached and incorporated (the "Agreement"). All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement.
This Addendum shall become legally binding upon Customer entering into the Agreement or upon execution of this Addendum.
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
- "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
- "Data Subject" means (i) an identified or identifiable natural person who is in the EEA or whose rights are protected by EU Data Protection Laws; or (ii) a "Consumer" as the term is defined in the CCPA.
- "Customer Data" means any content, data, information or other materials (including Personal Information) that Customer, End Users, or Customer's Affiliates submit to, or which are collected by, the Services for processing by Zenovay in connection with the Services.
- "EEA" means the European Economic Area.
- "EU Data Protection Laws" means all data protection laws and regulations applicable to the processing of Personal Information under the Agreement, including, where applicable, EU Directive 95/46/EC, Regulation (EU) 2016/679 ("GDPR"), and the EU e-Privacy Directive (Directive 2002/58/EC) and any national implementing laws.
- "Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject. Personal Information includes information that is considered "personal data", "personally identifiable information", or similar terms as defined by applicable Data Protection Laws.
- "Processing" means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission Decision 2021/914 of 4 June 2021.
- "Sub-processor" means any third-party processor engaged by Zenovay or its Affiliates to process Personal Information on behalf of Customer under the Agreement.
2. Relationship of the Parties; Processing of Data
2.1 Roles and Scope of Processing
The parties acknowledge and agree that with regard to the processing of Personal Information, Customer is the data controller (or "business" under the CCPA) and Zenovay is the data processor (or "service provider" under the CCPA). Customer shall, in its use of the Services, process Personal Information in accordance with the requirements of applicable Data Protection Laws. Customer's instructions for the processing of Personal Information shall comply with applicable Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired Personal Information.
2.2 Customer's Processing Instructions
By entering into this DPA, Customer instructs Zenovay to process Personal Information only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Customer's use of the Services (including through the dashboard, API, or other interfaces); (c) as documented in the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Customer and acknowledged by Zenovay as constituting instructions for purposes of this DPA.
2.3 Zenovay's Compliance with Instructions
Zenovay shall process Personal Information only in accordance with Customer's documented instructions, unless processing is required by applicable laws to which Zenovay is subject, in which case Zenovay shall inform Customer of that legal requirement before processing unless such law prohibits such information on important grounds of public interest.
2.4 Details of Processing
The subject matter, nature, purpose, duration, and types of Personal Information and categories of Data Subjects processed under this DPA are described in Exhibit A (Details of Processing) attached hereto.
3. Confidentiality
Zenovay shall ensure that any persons authorized to process Personal Information on its behalf are subject to a duty of confidentiality, whether by contract or statutory obligation.
4. Security
4.1 Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zenovay shall implement and maintain appropriate technical and organizational measures to protect Personal Information from Security Incidents (as defined below) and to preserve the security and confidentiality of Personal Information, as described in Exhibit B (Security Measures) attached hereto.
4.2 Security Incident Notification
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. Zenovay shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of any Security Incident. Such notification shall:
- Describe the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Information records concerned
- Communicate the name and contact details of Zenovay's data protection officer or other relevant contact from whom more information can be obtained
- Describe the likely consequences of the Security Incident
- Describe the measures taken or proposed to be taken to address the Security Incident and to mitigate its possible adverse effects
5. Sub-processors
5.1 Authorized Sub-processors
Customer acknowledges and agrees that Zenovay may engage Sub-processors to process Personal Information on Customer's behalf. The current list of Sub-processors is available at zenovay.com/legal/subprocessors.
5.2 Sub-processor Obligations
Zenovay shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those imposed on Zenovay under this DPA
- Remain fully liable to Customer for the performance of each Sub-processor's obligations
- Conduct appropriate due diligence on each Sub-processor before engagement
5.3 Changes to Sub-processors
Zenovay shall provide Customer with at least 30 days' prior written notice of the addition of any new Sub-processor. Customer may object to Zenovay's use of a new Sub-processor by notifying Zenovay in writing within 10 days of receipt of Zenovay's notice, provided such objection is based on reasonable grounds relating to data protection. If Customer reasonably objects to a new Sub-processor and Zenovay cannot provide a commercially reasonable alternative, Customer may terminate the affected Services by providing written notice to Zenovay.
6. Data Subject Rights
Zenovay shall, to the extent legally permitted and within the scope of its role as processor, promptly notify Customer if Zenovay receives a request from a Data Subject for access to, correction, amendment, or deletion of that person's Personal Information. Zenovay shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations to respond to requests for exercising Data Subject rights under Data Protection Laws, including the right to access, rectify, erase, restrict processing, data portability, and object to processing.
7. Return and Deletion of Data
Upon termination or expiration of the Agreement, Zenovay shall (at Customer's election): (a) return to Customer all Personal Information in Zenovay's possession or control; or (b) delete all Personal Information in Zenovay's possession or control. This requirement shall not apply to the extent Zenovay is required by applicable law to retain some or all of the Personal Information, in which event Zenovay shall isolate and protect the Personal Information from any further processing except to the extent required by such law.
8. Audit Rights
Zenovay shall make available to Customer, upon reasonable request and subject to confidentiality obligations, all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. Customer may exercise its audit rights under this Section by:
- Reviewing Zenovay's SOC 2 Type II report or other applicable security certifications, which Zenovay will make available upon request
- Sending Zenovay a questionnaire concerning Zenovay's data protection practices (limited to once per year unless required by Data Protection Laws)
- In exceptional circumstances, conducting an on-site audit of Zenovay's data protection practices, subject to reasonable notice, confidentiality obligations, and reimbursement of Zenovay's reasonable costs
9. International Transfers
9.1 Data Transfers
Zenovay may transfer and process Personal Information globally as necessary to provide the Services. If Zenovay transfers Personal Information from the EEA to a country outside the EEA that has not been recognized by the European Commission as providing an adequate level of data protection, such transfers shall be subject to appropriate safeguards as required by Data Protection Laws.
9.2 Standard Contractual Clauses
To the extent that Zenovay processes Personal Information protected by EU Data Protection Laws and transfers such Personal Information to a country not recognized by the European Commission as providing an adequate level of protection, the Standard Contractual Clauses (Module Two: Controller-to-Processor) shall apply and are incorporated by reference into this DPA. For the purposes of the Standard Contractual Clauses:
- Customer is the "data exporter" and Zenovay is the "data importer"
- The parties agree to the optional clauses in Clause 7, Clause 11, and Clause 9(a)
- The Member State governing law shall be the law of the Member State in which Customer is established or, if Customer is not established in a Member State, the law of Ireland
- The competent supervisory authority shall be the supervisory authority of the Member State in which Customer is established or, if Customer is not established in a Member State, the Irish Data Protection Commission
- The description of the transfer is set out in Exhibit A (Details of Processing)
- The technical and organizational measures are set out in Exhibit B (Security Measures)
10. Limitation of Liability
Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.
11. General Provisions
11.1 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of such conflict or inconsistency.
11.2 Modification
Zenovay may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or industry best practices. Material changes will be notified to Customer at least 30 days before they take effect.
11.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
11.4 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, except where the Standard Contractual Clauses specify otherwise.
Exhibit A: Details of Processing
List of Parties
Data exporter: Customer (as defined in the Agreement)
Data importer: Zenovay Inc., 415 Branding Street #4200, San Francisco, CA 94105, United States
Description of Transfer
Subject matter: The subject matter of the data processing is the provision of website analytics services.
Nature and purpose of processing: Zenovay will process Personal Information to provide website and application analytics services, including:
- Collecting and analyzing website visitor data
- Generating analytics reports and insights
- Providing dashboard and data visualization services
- Storing and maintaining analytics data
- Providing customer support and account management
Duration of processing: The duration of processing is for the term of the Agreement plus any data retention period as configured by Customer.
Categories of Personal Information: The categories of Personal Information transferred relate to website and application visitors (end users of Customer's websites and applications). At a minimum, this includes IP addresses, user agent strings, referrer URLs, page URLs, timestamps, and may include location data, device identifiers, and interaction data. Customer also has the option to enable tracking of additional analytics data which could include session recordings, form interactions, and custom event data. Customer is responsible for determining what Personal Information is collected and ensuring compliance with applicable privacy laws.
Categories of Data Subjects: Data Subjects whose Personal Information is processed include:
- Visitors to Customer's websites and applications
- Users of Customer's online services
- Customers of Customer's products or services
- Employees or representatives of Customer (for account management purposes)
Sensitive data: Zenovay does not intend to process sensitive personal data (e.g., health information, biometric data, financial account details). Customer is prohibited from transmitting sensitive personal data to Zenovay without prior written agreement and appropriate safeguards.
Frequency of transfer: The frequency of transferring the personal data is continuous, until the agreement comes to an end.
Exhibit B: Security Measures
Zenovay has implemented and will maintain the following technical and organizational security measures:
1. Physical Access Controls
- Cloud infrastructure hosted in secure data centers certified to industry standards (SOC 2, ISO 27001)
- Physical access controls managed by infrastructure providers (AWS, Vercel, Cloudflare)
- 24/7 security monitoring and surveillance of data center facilities
2. System Access Controls
- Multi-factor authentication (MFA) required for administrative access
- Role-based access controls (RBAC) limiting access based on job function
- Unique user credentials for all system access
- Regular access reviews and revocation of unnecessary permissions
- Logging and monitoring of all system access and activities
3. Data Access Controls
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256 encryption
- Access to Personal Information restricted to authorized personnel only
- Data segregation to prevent unauthorized cross-customer data access
4. Transmission Controls
- Encryption of data transmission using TLS/SSL protocols
- Secure APIs with authentication and authorization controls
- Logging and monitoring of data transmissions
5. Input Controls
- Audit logging of data creation, modification, and deletion
- Version control and change management procedures
- Automated backups with point-in-time recovery capability
6. Availability Controls
- Redundant infrastructure with automatic failover
- Regular backups stored in geographically distributed locations
- Disaster recovery and business continuity plans
- 24/7 system monitoring and incident response
7. Organizational Measures
- Regular security awareness training for employees
- Confidentiality agreements signed by all employees
- Incident response and breach notification procedures
- Regular security assessments and penetration testing
- Vendor risk management program for Sub-processors
Contact Information
For questions about this DPA or data processing practices, please contact:
Email: privacy@zenovay.com
Support: support@zenovay.com
Address: Zenovay Inc., 415 Branding Street #4200, San Francisco, CA 94105