Zevero Data Processing Agreement
TERMS
1. What is this agreement about?
1.1. Purpose.
The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Relevant Personal Data (as defined below). The terms “Client” and “Zevero” have the meanings given to them in the Main Agreement.
1.2. Term.
This DPA will commence on the final date of signature and will continue for the duration of the Main Agreement.
1.3. Definitions. Under this DPA:
(a) Adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing personal data by means of an “adequacy decision” adopted by the European Commission or an “adequacy regulation” adopted by the UK Government;
(b) Breach Notification Period means without undue delay after becoming aware of a personal data breach;
(c) Controller, data subject, personal data, personal data breach, process (and its derivatives such as processing and processed), processor, special category personal data, the Commissioner, and supervisory authority have the same meanings as in the Data Protection Laws;
(d) Data Protection Laws means all laws which apply to the processing of Relevant Personal Data in the European Economic Area (EEA) and the United Kingdom (UK) as applicable. This includes the European Union Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018, and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR), each as amended from time to time;
(e) EU Restricted Transfer means a transfer of Relevant Personal Data to or access to Relevant Personal Data in a jurisdiction or territory outside of the EEA that is not (i) to an adequate country; or (ii) otherwise permitted under applicable Data Protection Laws without the need for EU Standard Contractual Clauses whether by virtue of an adequacy decision, binding corporate rules, certification, or otherwise;
(f) EU Standard Contractual Clauses means the standard contractual clauses for the transfer of Personal Data as approved by the European Commission (as amended and superseded from time to time), including “Standard Contractual Clauses (Module 2)” for the international transfer of Personal Data from a Controller to a Processor as laid down in the European Commission Decision of 4 June 2021 (the EU Controller-Processor SCCs) and “Standard Contractual Clauses (Module 4)” for the international transfer of Personal Data from a Processor to a Controller as laid down in the European Commission Decision of 4 June 2021 (the EU Processor-Controller SCCs);
(g) Governing Law and Jurisdiction is the same governing law and jurisdiction in the Main Agreement;
(h) Relevant Personal Data means personal data (including, for the avoidance of doubt, special category personal data) which is processed in connection with the Main Agreement or this DPA;
(i) Sub-processor means another processor engaged by Zevero to carry out specific processing activities with respect to Relevant Personal Data;
(j) Main Agreement means Zevero’s Terms of Service and the Service Agreement (as defined in the Terms of Service);
(k) Sub-processor Notification Period means 14 days before the new Sub-processor is granted access to Relevant Personal Data;
(l) Restricted Transfer means either (i) a UK Restricted Transfer or (ii) an EU Restricted Transfer;
(m) Transfer Mechanism means the EU Standard Contractual Clauses or the UK Standard Contractual Clauses, each as applicable and as required by Data Protection Laws as amended by this DPA and subject to any variation set out in Clause 5 of the Service Agreement;
(n) UK Restricted Transfer means a transfer of Relevant Personal Data to or access to Relevant Personal Data in a jurisdiction or territory outside of the UK that is not (i) to an adequate country; or (ii) otherwise permitted under applicable Data Protection Laws without the need for UK Standard Contractual Clauses whether by virtue of an adequacy decision, binding corporate rules, certification, or otherwise; and
(o) UK Standard Contractual Clauses means UK-specific standard contractual clauses for the international transfer of Personal Data, including (i) from a Controller to a Processor in the form of the EU Controller-Processor SCCs amended by the addendum published by the ICO at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the UK Controller-Processor SCCs) or (ii) from a Processor to a Controller in the form of the EU Processor-Controller SCCs amended by the addendum published by the ICO at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the UK Processor-Controller SCCs).
2. What are each party’s obligations?
2.1. Client obligations.
Client instructs Zevero to process Relevant Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences, and legal bases required to allow Zevero to process Relevant Personal Data in accordance with Data Protection Laws.
2.2. Zevero’s obligations.
Zevero will:
(a) only process Relevant Personal Data in accordance with this DPA and Client’s documented instructions, unless required to do otherwise by applicable laws, in which case Zevero shall inform the Client of this prior to the processing, unless such information is prohibited by such laws on the grounds of important public interest;
(b) not sell, retain, or use any Relevant Personal Data for any purpose other than as permitted by this DPA and the Main Agreement;
(c) inform Client immediately if (in its opinion) any instructions infringe Data Protection Laws;
(d) implement appropriate technical and organisational measures when processing Relevant Personal Data to ensure a level of security appropriate to the risk involved and, at a minimum, those set out in Annex 1, which the Client agrees are appropriate to the risk involved;
(e) notify Client of a personal data breach within the Breach Notification Period and provide assistance to Client as required under Data Protection Laws in responding to it and issuing notifications to data subjects and the Commissioner or supervisory authority as required;
(f) ensure that any person authorised by Zevero to process Relevant Personal Data is committed to appropriate obligations of confidentiality;
(g) without undue delay, and only in respect of Relevant Personal Data, provide Client with reasonable assistance with:
(i) data protection impact assessments,
(ii) the Client’s security obligations,
(iii) responses to data subjects’ requests to exercise their rights under Data Protection Laws; and
(iv) engagement with supervisory authorities and the Commissioner;
(h) if requested, provide Client with information necessary to demonstrate its compliance with obligations under Data Protection Laws;
(i) allow for audits at Client’s reasonable request, provided that audits are limited to once a year and during business hours, except in the event of a personal data breach; and
(j) return Relevant Personal Data upon Client’s written request or delete Relevant Personal Data at the end of the Term unless retention is legally required.
2.3. Warranties.
The parties warrant that they, and any of their staff and/or subcontractors, will comply with their respective obligations under Data Protection Laws for the Term.
3. Sub-processing
3.1. Use of Sub-processors.
Client authorises Zevero to engage Sub-processors when processing Relevant Personal Data. Zevero’s existing Sub-processors are listed in Annex 2, which are hereby authorised by the Client.
3.2. Sub-processor requirements.
Zevero will, in relation only to Relevant Personal Data:
(a) require its Sub-processors to comply with equivalent terms as Zevero’s obligations in this DPA;
(b) ensure appropriate safeguards are in place before internationally transferring Relevant Personal Data to its Sub-processor; and
(c) where the Sub-processor fails to fulfil its data protection obligations, remain fully liable to the Client for the performance of the Sub-processor’s obligations.
3.3. Approvals.
Zevero may appoint new Sub-processors provided that they notify Client in writing within the Sub-processor Notification Period.
3.4. Objections.
Client may reasonably object in writing to any future Sub-processor within 14 days of being notified in accordance with paragraph 3.3 (Approvals) above. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.
4. International Relevant Personal Data transfers
4.1. Instructions.
Zevero will perform a Restricted Transfer of Relevant Personal Data only on documented instructions from Client, unless otherwise required by law. For the avoidance of doubt, the Client’s approval of Zevero’s Sub-processors also constitutes approval of necessary transfers to outside the UK, EEA, or an adequate country in order to allow transfers to the Sub-processors.
4.2. Transfer mechanism.
In the case of a Restricted Transfer of Relevant Personal Data, the parties will only perform such a transfer in compliance with applicable Data Protection Laws and acknowledge that:
(a) the party located outside of the UK, EEA, or an adequate country will act as the data importer,
(b) the party located inside of the UK, EEA, or an adequate country will act as the data exporter, and
(c) the relevant Transfer Mechanism will apply and is herein incorporated by reference.
4.3. Additional measures.
If the Transfer Mechanism is insufficient to safeguard the transferred Relevant Personal Data, the data importer will promptly implement supplementary measures to ensure Relevant Personal Data is protected to the same standard as required under Data Protection Laws.
4.4. Disclosures.
Subject to the terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Relevant Personal Data, it will (if legally allowed):
(a) challenge the request and promptly notify the data exporter about it, and
(b) only disclose to the public authority the minimum amount of Relevant Personal Data required and keep a record of the disclosure.
4.5. Relevant transfer mechanism:
The parties agree and acknowledge that the following Transfer Mechanisms will apply further to paragraph 4.2(c), in each case as amended by paragraph 4.6 and the Annexes to this DPA:
(a) in the case of a UK Restricted Transfer where the Client is the data exporter and Zevero is the data importer, the UK Controller-Processor SCCs shall apply;
(b) in the case of a UK Restricted Transfer where the Client is the data importer and Zevero is the data exporter, the UK Processor-Controller SCCs shall apply;
(c) in the case of an EU Restricted Transfer where the Client is the data exporter and Zevero is the data importer, the EU Controller-Processor SCCs shall apply; and
(d) in the case of an EU Restricted Transfer where the Client is the data importer and Zevero is the data exporter, the EU Processor-Controller SCCs shall apply.
4.6. Amendments to the SCCs:
The parties agree and acknowledge that, in respect of the UK Standard Contractual Clauses and the EU Standard Contractual Clauses, as applicable and where relevant:
(a) Clause 7 shall be held to apply;
(b) Option 2 shall be held to apply in respect of Clause 9(a) with a time period of 30 days from the date of notification to the Client;
(c) the Option within Clause 11 shall not be held to apply;
(d) Annex 3 of this DPA shall serve as Annex I;
(e) Annex 1 of this DPA shall serve as Annex II;
(f) Annex 2 of this DPA shall serve as Annex III;
(g) in the case of the UK Standard Contractual Clauses, the governing law of the clauses shall be the law of England and Wales, disputes are subject to the jurisdiction of the English courts and the competent Supervisory Authority shall be the UK Information Commissioner’s Office. In the case of the EU Standard Contractual Clauses, the governing law of the clauses shall be the law of Ireland, disputes are subject to the jurisdiction of the Irish courts and the competent Supervisory Authority shall be the Data Protection Commissioner of Ireland; and
(h) in the case of Table 4 within the UK Standard Contractual Clauses, the data exporter may end the UK Standard Contractual Clauses.
5. Other important information
5.1. Survival.
Any provision of this DPA which is intended to survive the Term will remain in full force.
5.2. Order of precedence.
In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:
(a) Transfer Mechanism,
(b) DPA,
(c) Main Agreement.
5.3. Notices.
Formal notices under this DPA must be in writing and sent to the contact details in clause 1.1 of the Service Agreement or as may be updated by a party to the other in writing.
5.4. Third parties.
Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
5.5. Entire agreement.
This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter, and neither party has relied on any statement or representation of any person in entering into this DPA.
5.6. Amendments.
Any amendments to this DPA must be agreed in writing.
5.7. Assignment.
Neither party can assign this DPA to anyone else without the other party’s consent.
5.8. Waiver.
If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
5.9. Governing law and jurisdiction.
Subject to paragraph 4.6(g), the Governing Law and Jurisdiction applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.