Zonos data processing agreement


Zonos Data Processing Agreement

This Data Processing Agreement (“DPA“) acts as an addendum to the Zonos Terms of Service and Privacy Policy (“Principal Agreement”) between iGlobal Exports, LLC, DBA Zonos (“Zonos”) and the Customer (“Customer”), (together as the “Parties”).


A. The Customer acts as a Data Controller.

B. The Customer wishes to subcontract certain Services, which imply the processing of personal data, to Zonos as the Processor.

C. The Parties seek to implement a DPA that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

D. The Parties wish to lay down their rights and obligations.

This DPA includes and incorporates by reference the annexes and addenda referenced at the bottom of this document. All capitalized terms not defined in this DPA shall have the meaning set forth in the Principal Agreement.

The parties agree as follows:

1. Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

  1. Contracted Processor” means a Sub-processor;

  2. Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

  3. Data Transfer” means:

    1. A transfer of Personal Data from the Customer to a Contracted Processor; or
    2. An onward transfer of Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
  4. DPA” means this Data Processing Agreement and all Schedules;

  5. EEA” means the European Economic Area;

  6. EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

  7. GDPR” means EU General Data Protection Regulation 2016/679;

  8. Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Customer pursuant to or in connection with the Principal Agreement;

  9. Services” means any product or service provided by Zonos to the Customer pursuant to and as more particularly describe in the Principal Agreement;

  10. Sub-processor” means any Processor appointed by or on behalf of Zonos to process Personal Data on behalf of the Customer in connection with the DPA.

  11. The terms, “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach” and “Processing” shall have the same meaning as in the GDPR and their cognate terms shall be construed accordingly.

2. Customer Obligations

  1. Compliance with Laws.

    1. Within the scope of the DPA and in its use of the Services, the Customer agrees that it shall comply with its obligations as a Controller under Data Protection Laws in the Processing of Personal Data and any Processing instructions it issues to Zonos.
    2. The Customer has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Zonos to process Personal Data and provide the Services pursuant to the Principal Agreement and this DPA.
  2. Controller Instructions. The Parties agree that the Principal Agreement (including this DPA), together with the Customer’s use of Zonos Services in accordance with the Principal Agreement, constitute the Customer’s complete and final instructions to Zonos in relation to the Processing of Personal Data, and additional instructions outside the scope of the instructions shall require prior written agreement between the Customer and Zonos.

3. Zonos Obligations

  1. Compliance with Laws. Within the scope of the DPA and in its use of the Services, Zonos shall:

    1. Be responsible for complying with all applicable Data Protection Laws as a Processor in the Processing of Personal Data; and
    2. Not Process the Customer’s Personal Data other than on the Customer’s documented instructions.
  2. Zonos Personnel. Zonos shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  3. Security.

    1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zonos shall, in relation to the Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
    2. In assessing the appropriate level of security, Zonos shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
  4. Sub-processing. Zonos shall not appoint (or disclose any Personal Data to) any Sub-processor unless required or authorized by the Customer.

  5. Data Subject Rights.

    1. Taking into account the nature of the Processing, Zonos shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Zonos' obligations, as reasonably understood by Zonos, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

    2. Zonos agrees to:

      1. Promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
      2. Ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which Zonos is subject, in which case Zonos shall to the extent, permitted by Applicable Laws, inform the Customer of that legal requirement before the Contracted Processor responds to the request.
  6. Personal Data Breach.

    1. Zonos shall notify the Customer without undue delay upon Zonos becoming aware of a Personal Data Breach affecting Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
    2. Zonos shall cooperate with the Customer and take reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
  7. Data Protection Impact Assessment and Prior Consultation. Zonos shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

  8. Return or Deletion of Data. Upon deactivation or termination of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent Zonos is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on backup systems, which such Personal Data Zonos shall securely isolate and protect from any further processing, except to the extent required by applicable law.

  9. Security Reports. Zonos shall maintain records of its security standards. Upon the Customer’s written request, Zonos shall provide responses (on a confidential basis) to all reasonable requests for information made by the Customer, including responses to information security and audit questionnaires, that the Customer (acting reasonably) considers necessary to confirm Zonos’ compliance with this DPA, provided that the Customer shall not exercise this right more than once per year.

  10. Data Transfer. The Customer acknowledges and agrees that Zonos may access and process Personal Data on a global basis as necessary to provide the Services in accordance with the Principal Agreement, and in particular that Personal Data will be transferred to and processed by Zonos in the United States and to other jurisdictions where Zonos' Sub-processors have operations. Zonos shall ensure such transfers are made in compliance with the requirements of Data Protection Laws, including compliance with EU approved standard contractual clauses for transfer of personal data.

  11. Additional Provisions for California Personal Information.

    1. This Section 11 shall only apply with respect to California Personal Information.

    2. When processing California Personal Information in accordance with the Customer’s instructions, the Parties acknowledge and agree that the Customer is a business and Zonos is a service provider for the purposes of the CCPA.

    3. The Parties agree that Zonos will process California Personal Information as a service provider strictly for the purpose of performing the Services under the Principal Agreement. Zonos uses service data for its own legitimate business purposes as per the Zonos Privacy Policy. The Parties agree that Zonos shall not do the following:

      1. Sell California Personal Information (as defined in the CCPA);
      2. Retain, use, or disclose California Personal Information for a commercial purpose other than for the business purpose or as otherwise permitted by the CCPA; or
      3. iii. Retain, use, or disclose California Personal Information outside of the direct business relationship between the Customer and Zonos.
    4. Zonos certifies that it understands and will comply with the restrictions set out in Section 11(c).

4. General Terms

  1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

    1. Disclosure is required by law;
    2. The relevant information is already in the public domain.
  2. Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this DPA at such other address as notified from time to time by the Parties changing address.

5. Governing Law and Jurisdiction

This DPA is governed by the laws and jurisdiction provisions in the Principal Agreement unless required otherwise by Data Protection Laws.\

Annex A. List of Zonos Sub-processors

Available upon request

Annex B. Security Measures

Available upon request

Was this page helpful?