Data Processing Addendum

Effective Date: 01/01/2025

Purpose
This Data Processing Addendum, including its Schedules (“DPA”), is entered into by and between Zapp and the Customer (each a “Party” and together the “Parties”).
This DPA forms an integral part of the Main Service Agreement, or other applicable written or electronic terms of service between the Parties (“Agreement”).
Unless amended in writing by Zapp, this DPA shall take effect on the earlier of:
(i) the Customer’s initial access to any Service via online provisioning, registration or ordering; or
(ii) the effective date of the first applicable Service Order Form (the “Effective Date”).
The obligations herein shall only apply to the extent that:
(i) Personal Data is subject to Applicable Data Protection Laws; and
(ii) such law has entered into force.

Modifications
Zapp may modify this DPA from time to time. Unless otherwise stated, such modifications shall take effect for the Customer upon renewal of the then-current Subscription Term or upon execution of a new Service Order Form referencing the updated DPA.
Zapp will make reasonable efforts to notify the Customer of any changes via the Customer Account, by email, or by other appropriate means.

Acceptance
By accepting this Data Processing Addendum or by accessing or using the Service, you confirm that you have read and understood the terms of this DPA, agree to be bound by it on behalf of the Customer, and represent and warrant that you have full legal authority to bind the Customer to its terms.

Relationship with the Agreement
Unless otherwise defined in this DPA or the Agreement, all capitalised terms shall have the meanings set out in clause 10.
In the event of a conflict between this DPA and the Agreement, the DPA shall prevail to the extent of the inconsistency.
Where the Parties rely on an International Data Transfer Mechanism, any conflict between its terms and those of this DPA shall be resolved in favour of the mechanism.

Data processing

a. Scope and roles
This DPA applies whenever Zapp processes Personal Data.
Section 5 applies where Zapp acts as a Processor on behalf of the Customer, who acts as Controller.
Section 6 applies where Zapp processes certain Personal Data about the Customer or its users as an independent Controller, in accordance with its privacy notice available at https://www.zapp.com/privacy.

b. Processing details
Schedule 1 of this DPA sets out:
(i) the purposes of processing by Zapp, the types or categories of Personal Data processed, and the categories of Data Subjects concerned; and
(ii) the roles of the Parties under Applicable Data Protection Laws.

c. Location of processing
Personal Data processed by Zapp as a Processor may be stored within or outside the European Union, depending on the product or service used.
Personal Data processed by Zapp as a Controller may also be stored or processed within or outside the European Union.

d. International data transfers

i. Where required under Applicable Data Protection Laws, the Parties agree to implement a valid international data transfer mechanism (“International Data Transfer Mechanism”) where Personal Data is transferred to a jurisdiction that does not ensure an adequate level of data protection.

ii. If the International Data Transfer Mechanism relied upon by the Parties is invalidated or replaced, the Parties shall cooperate in good faith to implement a suitable alternative.

iii. Schedule 4 sets out:
(i) jurisdiction-specific obligations; and
(ii) information relating to international transfers, including the Standard Contractual Clauses (SCCs).

e. Compliance with laws
Each Party shall comply with its respective obligations under Applicable Data Protection Laws.

f. Notification of inability to comply
Zapp shall notify the Customer without undue delay if it determines that it is unable to comply with its obligations under Applicable Data Protection Laws.

 

3. Zapp’s obligations as a Processor

a. Scope of processing
Zapp shall process Personal Data solely for the purpose of fulfilling its obligations under the Agreement and in accordance with the Customer’s documented instructions.

b. Processing instructions

i. This DPA constitutes the Customer’s initial instructions to Zapp.
The Customer may update or amend these instructions in writing at any time. Zapp shall comply with such instructions unless they conflict with applicable law or fall outside the scope of the Agreement.

ii. Notwithstanding any restrictions set out in this DPA or the Agreement, the Customer authorises Zapp to process Personal Data as necessary to:
– detect or respond to data security incidents;
– prevent fraud or other unlawful activity;
– perform maintenance and repairs; and
– ensure the continuity and improvement of the Services.

iii. Where new processing activities are required that fall outside the scope of this DPA, the Parties shall agree on such activities in writing before commencement. This may include a contract amendment if required under the Agreement.

iv. Upon the Customer’s written instruction, Zapp shall correct, delete or block the relevant Personal Data.

v. Zapp shall promptly inform the Customer in writing if, in its opinion, any instruction infringes Applicable Data Protection Laws, providing the reasons for its assessment.

vi. Zapp shall not be liable for any losses arising from processing conducted in accordance with the Customer’s lawful instructions.

c. Confidentiality
Zapp shall ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

d. Disclosure to third parties
Zapp shall not disclose Personal Data to any third party, including public authorities, except:
– as provided in this DPA;
– with the prior written consent of the Customer; or
– where required by applicable law.

Where Zapp is legally obliged to disclose Personal Data to a third party (including public authorities), it shall:
– notify the Customer in advance, unless legally prohibited from doing so; and
– take reasonable steps to protect the Personal Data against undue disclosure, as if it were Zapp’s own confidential information.

e. Data subject requests

i. Where the Customer receives a request from a data subject in relation to the processing of their Personal Data (“Request”), Zapp shall provide all reasonable cooperation and assistance to enable the Customer to respond to the Request.

ii. If Zapp receives a Request directly, it shall:
– not respond to the Request itself;
– forward the Request to the Customer within three (3) business days of identifying it as relating to the Customer; and
– provide assistance in accordance with the Customer’s further instructions.

f. Assistance

i. Zapp shall assist the Customer, to the extent reasonably possible, in complying with Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Zapp.

ii. Upon request, Zapp shall assist the Customer in meeting its obligations to conduct data protection impact assessments or prior consultations with supervisory authorities, provided the Customer lacks access to the relevant information and such information is reasonably available to Zapp.

g. Information rights and audit

i. Zapp shall, upon written request, provide the Customer with information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws.

ii. Zapp maintains third-party certifications and audit reports, as listed at https://www.zapp.com/security/resources/. Copies of current certifications or audit summaries may be provided to the Customer upon written request, subject to the confidentiality terms of the Agreement.

iii. Zapp shall allow and contribute to reasonable audits or inspections by the Customer or its designated auditor (excluding competitors), with prior written notice and during normal business hours, provided such auditor is bound by appropriate confidentiality obligations.

iv. If the Customer conducts more than one audit or inspection in any twelve (12)-month period, Zapp may charge reasonable fees for the time and resources incurred.

v. If the Customer identifies unauthorised use of Personal Data by Zapp or its Subprocessors, it may take reasonable steps to address the issue upon giving notice to Zapp.

4. Zapp’s obligations as an independent Controller

This section applies solely to Zapp’s processing of certain Personal Data about the Customer or its users where Zapp acts as an independent Controller, as described in Zapp’s Privacy Notice at https://www.zapp.com/privacy.

a. Zapp acknowledges and agrees that it is independently responsible for complying with Applicable Data Protection Laws when acting as a Controller, including all obligations applicable to Controllers under such laws.

b. Zapp shall be responsible for providing appropriate privacy notices to Data Subjects where required and for responding to Data Subjects’ requests to exercise their rights under Applicable Data Protection Laws.

c. If Zapp receives a request, complaint, inquiry or other form of contact (“Inquiry”) from a government, legislative, judicial, regulatory or law enforcement authority, or becomes subject to a claim relating to the Parties’ processing of Personal Data described in Schedule 1, Zapp shall:
– notify the Customer without undue delay, and in any event within ten (10) business days, unless legally prohibited from doing so; and
– provide relevant information and cooperation to the Customer, including information necessary to respond to or defend such Inquiry.

5. Security

a. Zapp shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, in accordance with Articles 32 and 33 of the GDPR.

b. Upon becoming aware of any confirmed Personal Data Breach, Zapp shall:
i. notify the Customer without undue delay;
ii. take reasonable steps to identify the cause of the breach and to remediate the breach to the extent within Zapp’s control; and
iii. provide reasonable cooperation and assistance to the Customer in meeting any legal obligations regarding breach notification to Data Protection Authorities or Data Subjects.

6. Amendments and Miscellaneous

a. Amendments for compliance
If amendments to this DPA are necessary to ensure compliance with Applicable Data Protection Laws or to satisfy requirements of competent supervisory authorities, the Parties shall cooperate in good faith to agree on such amendments upon Customer’s request, without additional cost to the Customer.
If the Parties cannot agree on such amendments, either Party may terminate the Agreement and this DPA by providing ninety (90) days’ written notice.

b. Limitation of Liability
The limitation of liability set out in the Agreement shall apply to any breaches of this DPA.

c. No consideration
Neither Party shall receive any remuneration for performing obligations under this DPA, except as expressly provided in this DPA or in the Agreement.

d. Notices
Where written notice is required under this DPA, such notice may be sent by email to the contact persons listed in Schedule 1.

e. Modifications
Zapp may modify this DPA from time to time. Unless otherwise stated, changes shall take effect upon renewal of the then-current Subscription Term or the execution of a new Service Order Form referencing the updated DPA.
Zapp shall use reasonable efforts to notify the Customer of any changes via the Customer Account, email or other appropriate means.

f. Further amendments
Any further amendments to this DPA must be made in writing and signed by both Parties, except as otherwise set forth in the Agreement or this DPA.

g. Severability
If any provision of this DPA is held invalid or unenforceable by a court of competent jurisdiction, the remainder of the DPA shall remain in full force and effect.

Schedule 1: Description of the Processing

A. List of Parties

Data exporter:
The Customer as described in the Agreement.
Name, address, contact person’s name, position and contact details are as set out in the Agreement or may be requested by either Party.

Activities relevant to the data transferred under these Clauses:
Export of Personal Data in connection with the use of the Processor’s services.

Role:
Controller or Processor, as applicable.

Data importer:
Name: Zapp S.L.
Address: Calle Asturias 4, 28850 Torrejón de Ardoz, Madrid, Spain
Contact person: Sandra López, sandra.lopez@ecaldima.com

Activities relevant to the data transferred under these Clauses:
Processing of Personal Data on behalf of the Customer as Processor.

Role:
Processor

B. Description of Transfer

Categories of Data Subjects:
Data Subjects may include the Customer’s Users, Agents, End Users, prospects, customers, suppliers, business partners, employees, contractors, agents and advisors, all of whom are natural persons.

Categories of Personal Data:
May include, but are not limited to: names, contact information (email, phone, address), unique identifiers (IP address), internet or electronic activity data (browsing history, search history), account information, user data, communications, purchase and transaction history, and any inferences derived from such data.

Sensitive Data (if applicable):
May include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life or sexual orientation.

Frequency of Transfer:
Continuous for the duration of the Agreement.

Nature and Purpose of Processing:
Processing is necessary to provide the Services under the Agreement and as instructed by the Customer.

Retention Period:
Data will be retained for the term of the Agreement and in accordance with the Data Retention Period set forth therein.

Subprocessors:
Further details are provided in Schedule 3.

Schedule 2: Technical and Organisational Measures (TOMs) to Ensure the Security of the Data

Zapp has implemented and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
These measures are reviewed and updated regularly to ensure ongoing compliance with Applicable Data Protection Laws.

The current description of Zapp’s TOMs is available at:
https://www.ecaldima.com/technical-organisational-measures/

Zapp’s TOMs include, but are not limited to:

– Access controls to limit personnel access to Personal Data;
– Encryption and pseudonymisation of Personal Data where appropriate;
– Physical security measures at data centres and offices;
– Regular security awareness training for staff;
– Incident detection and response procedures;
– Business continuity and disaster recovery plans;
– Data minimisation and retention policies;
– Regular audits and penetration testing.

Upon Customer’s reasonable request, and subject to confidentiality obligations, Zapp will provide evidence or certification of compliance with these security measures.

Schedule 3: List of Sub-processors

The Customer hereby consents to Zapp engaging the Sub-processors listed below to assist in the provision of the Services.
Zapp shall ensure that each Sub-processor is bound by written contractual terms imposing obligations equivalent to those contained in this DPA.

Zapp will provide the Customer with at least fifteen (15) calendar days’ prior written notice of any planned addition, replacement or removal of Sub-processors.
The Customer may object to such changes by providing written notice to Zapp within the notice period.
In the event of a valid objection, Zapp shall either refrain from engaging the proposed Sub-processor or the Customer may suspend or terminate the affected Services without penalty, subject to payment of any outstanding fees incurred prior to suspension or termination.

Current Sub-processors:
[List to be inserted here or referenced via URL]

For the most current list of Sub-processors, please refer to:
https://www.zapp.com/privacy/sub-processor/

Schedule 4: Jurisdiction-specific Obligations and Information for International Transfers

A. General Provisions

The Parties agree that for any jurisdiction not explicitly listed below, which requires an International Data Transfer Mechanism, they shall be bound by the Standard Contractual Clauses (“SCCs”) or any other appropriate mechanism as required under Applicable Data Protection Laws.
Should any such mechanism be invalidated or replaced, the Parties commit to cooperate in good faith to adopt a suitable alternative.

The Parties acknowledge that additional technical, organisational and/or contractual safeguards may be necessary based on the results of any transfer impact assessments.

B. Standard Contractual Clauses

By entering into this DPA, the Parties also enter into and agree to be bound by the Standard Contractual Clauses as annexed and incorporated herein by reference, forming an integral part of the Agreement.

Module Two (Controller to Processor) applies where the Customer is the Controller.

Module Three (Processor to Processor) applies where the Customer is also a Processor.

The Parties acknowledge that for Personal Data transferred from jurisdictions subject to the SCCs, this DPA and its Schedules 1-4 contain relevant information and commitments.

The execution of the Agreement by the Parties is deemed to constitute their execution of the SCCs, even if the SCCs are not separately signed.

C. European Union

For transfers from the European Union that are not subject to an adequacy decision or alternative mechanism (such as the EU-U.S. Data Privacy Framework), the Parties are bound by the SCCs as implemented by the European Commission (Commission Implementing Decision (EU) 2021/914).
The Parties agree on the following SCC options:

Clause 7 (Docking Clause) – Optional provision applies;

Clause 9(a) (Use of Sub-processors) – Option 2 applies (with notice and objection rights);

Clause 11(a) (Redress) – Optional provision does not apply;

Clause 17 (Governing law) – Option 1 applies (Spanish law);

Clause 18(b) (Choice of forum and jurisdiction) – Parties submit to the exclusive jurisdiction of courts in Madrid, Spain.

D. Switzerland

For transfers from Switzerland not covered by an adequacy decision or alternative mechanism, the Parties shall adopt modified SCCs as set forth by Swiss data protection authorities, including adaptations on competent authority and rights of data subjects.

E. United Kingdom

For transfers from the United Kingdom, the Parties incorporate the UK International Data Transfer Agreement (“UK IDTA”), as updated from time to time by the UK Information Commissioner.
The UK IDTA shall be coterminous with this DPA.
Relevant clauses include governing law (England and Wales), jurisdiction (England and Wales), and rights and obligations under the UK GDPR.