Data Processing Agreement

Last Updated on February 6, 2025

Introduction

This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of the Enzuzo Subscription Services Agreement (the “Agreement”) between the Enzuzo Compliance Suite User (the “Controller”) and Enzuzo Inc. (the “Processor”) (collectively referred to as the “Parties”). This DPA shall be effective for the term of the Agreement.

Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

  1. "Controller Personal Data" means any Personal Data Processed by a Processor on behalf of Controller pursuant to or in connection with the Agreement;
  2. “Data Protection Laws” means EU Data Protection Laws, the California Consumer Privacy Act of 2018 (“CCPA”), including as modified by the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Connecticut Data Privacy Act (CTDPA), and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data;
  3. “DPA” means this Data Processing Agreement and all Annexes;
  4. "EEA" means the European Economic Area;
  5. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; the UK General Data Protection Regulation, amended by the Data Protection Act 2018; and the Swiss Federal Act on Data Protection 2020;
  6. "GDPR" means EU General Data Protection Regulation 2016/679;
  7. "Data Transfer" means:
    1. a transfer of Controller Personal Data from the Controller to a Processor; or
    2. an onward transfer of Controller Personal Data from a Processor to a Subprocessor, or between two establishments of a Processor,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

  8. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined under the CCPA;
  9. “Sell” has the meaning given in the Data Protection Laws; and
  10. "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Agreement;
  11. “Subscription Services” refers to any and all activities carried out by the Processor in providing services, product, or deliverables under the Agreement, or in fulfilling any other obligations set forth in the Agreement;
  12. The terms, "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the applicable Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws.

Processing of Controller Personal Data

Processor shall comply with all applicable Data Protection Laws in the Processing of Controller Personal Data. Processor shall only Process Controller Personal Data as a Processor on behalf of and in accordance with Controller’s prior written instructions. Processor shall not (1) retain, use, or disclose Controller’s Personal Data other than as provided for in the Agreement, as needed to provide the Services, or as otherwise permitted by Data Protection Laws; (2) combine Controller Personal Data with Personal Data Processor receives from other customers or individuals (except as permitted by the CCPA); or (3) sell Controller Personal Data. Processor shall notify Controller if it determines that it cannot meet its obligations under the CCPA. 

Processor Personnel

Processor shall take reasonable steps to ensure that any personnel authorized to Process Controller Personal Data on Processor’s behalf is subject to appropriate confidentiality obligations with respect to the Controller Personal Data. 

Security

Processor will implement and maintain appropriate technical and organizational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. Processor’s security practices shall take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

Subprocessors

Processor may engage Subprocessors to process Controller Personal Data on Controller’s behalf. Processor shall ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Processor by the DPA, including the limitations on use and disclosure of Controller Personal Data. Processor shall be responsible for the Subprocessors and ensure that these contractual obligations are met. Processor shall be liable to Controller for breaches of its Subprocessors’ obligations as it would be for its own. Processor shall provide a list of all Subprocessors to Controller.

Data Subject Rights

Processor shall assist the Controller by implementing appropriate technical and organizational measures for the fulfillment of the Controller’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws. 

Processor shall promptly notify Controller if it receives a request from a Data Subject under any Data Protection Laws concerning Controller Personal Data. Processor shall not respond to such requests without Controller’s prior written consent and written instructions, except as required by applicable Data Protection Laws. Before responding to the request, Processor shall inform Controller of their legal requirement to respond. 

Personal Data Breach

Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. At Controller’s request, Processor will promptly provide Controller with all reasonable assistance necessary to enable Controller to notify relevant breaches to the competent data protection authorities and/or affected Data Subjects, if Controller is required to do so under Data Protection Laws.

Processor shall cooperate with Controller and take reasonable steps as directed by Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

Data Protection Impact Assessments

Processor shall provide reasonable assistance to the Controller with any data protection impact assessments as well as consultation with Supervising Authorities or other competent data protection authorities as deemed necessary by Controller pursuant to Data Protection Laws, taking into account the nature of the Processing and information available to Processor.

Audits

Processor shall make all information necessary to demonstrate compliance with this Agreement available to the Controller on request, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processors.

Data Transfers

Processor may transfer or authorize the transfer of Controller Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement. Personal Data may be transferred to and Processed by the Processor in the United States and to other jurisdictions where the Processor and Sub-Processors have operations.  Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

General Terms

Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement confidential and must not use or disclose that information without the prior written consent of the other Party except to the extent that:

  1. disclosure is required by law;
  2. the relevant information is already in the public domain.

Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.

Governing Law

This Agreement is governed by the laws of Ontario, Canada.

Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Ontario, Canada.

ANNEX 1

  • LIST OF PARTIES

Data exporter(s):  The exporter (Controller) is the Enzuzo Compliance Suite User.

Data importer(s):  The importer (Processor) is Enzuzo Inc. 

  • DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred: Contacts and other end users including employees, contractors, collaborators, customers, prospects, suppliers and subcontractors.

Categories of Personal Data transferred: Contact information, and any other Personal Data submitted by, sent to, or received by you, or your end users, via the Agreement.

Sensitive data transferred: The parties do not anticipate the transfer of sensitive data.

The frequency of the transfer: Continuous

Nature of the processing: 

  1. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
  2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose(s) of the data transfer and further processing: Processor will process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further instructed by you in your use of the Subscription Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. 

List of Sub Processor and Purpose of processing:

| Sub Processor | Purpose | Country |
| --- | --- | --- |
| Amazon Web Services Inc. | Hosting & Infrastructure | USA |
| Cloudflare Inc. | CDN | USA |
| Google LLC | Email and File Share, SSO, Google Cloud | USA |
| Hubspot | CRM | USA |
| Intercom | Customer Support | USA |
| PostHog | Product Usage Analytics | USA |
| Meta Platforms Inc. | SSO | USA |
| Shopify | Customer Billing | Canada |
| BareMetrics | Business Metrics Reporting | USA |
| Stripe | Customer Billing | USA |
| Slack | Customer Support Communication | USA |
| Zapier | Automation | USA |
| Zoom | Meetings | USA |
| Fireflies.ai | Meeting Summary | USA |
| Atlassian Corporation | Project Management | Australia |
| Raintank, Inc. (Grafana Labs) | Infrastructure Logs | USA |
| Confluent / Kafka | Event Driven Platform | USA |

  • COMPETENT SUPERVISORY AUTHORITY

The Data Exporter’s competent supervisory authority will be determined in accordance with Data Protection Laws.