Zepo Intelligence (hereinafter, “Zepo” or the “Data Processor” or the “Processor”) is the owner of the website https://zepo.app/es and the application called Zepo. This Data Processing Agreement (hereinafter “DPA”) supplements Zepo’s Terms and Conditions (available at https://zepo.app/termsandconditions), and is part of the agreement between Zepo and the entity it represents (hereinafter, the “Company” or the “Data Controller” or the “Controller”).
CLAUSES
1. Definitions
The terms “Data Controller,” “Data Processor,” “Data Subject,” “Member State,” “Personal Data,” “Processing,” and “Supervisory Authority” shall have the meaning assigned to them in Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”).
2. Purpose and Term
This DPA governs the Processing of Personal Data by Zepo in accordance with Zepo’s Terms and Conditions, with respect to data under the responsibility of the Company. The duration of such processing shall be for the period in which the Parties fulfill their obligations under the Terms and Conditions.
3. Compliance with Personal Data Protection Legislation
Each Party shall comply with all applicable data protection regulations, including Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”), as of May 25, 2018, and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), as well as any laws that develop, supplement, amend, or replace these (collectively and individually, “Personal Data Protection Regulations”).
4. Data Access and Purpose of Processing
Zepo may access the types of Personal Data of the Company (“Controller’s Personal Data”) and categories of Data Subjects as described in Appendix I, and for the purposes described therein.
5. Rights and Responsibilities of Zepo as Data Processor
As provided in the GDPR, Zepo, as Data Processor, shall:
a. Process the Controller’s Personal Data only based on documented instructions from the Controller, including data transfers to a third country or international organization, unless required otherwise by Union or Member State law.
b. Ensure that all persons authorized to process the Controller’s Personal Data are bound by confidentiality obligations.
c. Implement all appropriate technical and organizational measures to ensure an adequate level of security, including:
- i. Pseudonymization and encryption of Controller’s Personal Data;
- ii. Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- iii. Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- iv. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring processing security.
d. Not engage another Data Processor, except as described in Clauses 7 and 8.
e. Assist the Controller, considering the nature of the processing, by appropriate technical and organizational measures to respond to Data Subjects’ rights requests.
f. Assist the Controller in ensuring compliance with its obligations, considering the nature of the processing and the information available to the Processor.
g. At the Controller’s choice, delete or return all Controller’s Personal Data after the end of the provision of services and delete existing copies unless Union or Member State law requires data retention.
h. Make available to the Controller all information necessary to demonstrate compliance and allow for audits and inspections by the Controller or authorized auditors.
i. Process Controller’s Personal Data made available to the Processor in a manner ensuring staff under its control follow the Controller’s instructions.
j. Ensure that Zepo’s Data Protection Officer, where required by law, is involved appropriately and timely in all matters relating to the protection of Controller’s Personal Data.
k. Adhere to an approved code of conduct, if applicable.
l. Maintain a record of processing activities when processing could result in a risk to Data Subjects’ rights and freedoms and/or is not occasional or involves special categories of data and/or data relating to convictions and offenses.
6. Security Measures
Zepo shall adopt appropriate security measures to ensure lawful processing as required by the GDPR and Section III of this DPA. Zepo undertakes to evaluate potential processing risks, considering the means used and circumstances affecting security.
7. Exercise of Data Subject Rights
If a Data Subject submits a request to exercise their rights under the Data Protection Law, the Controller and/or Processor shall provide the requested information and take required actions without delay and within one month of receiving the request, extendable by two months if necessary due to complexity and volume.
If the Controller and/or Processor does not act on the request, they shall inform the Data Subject without delay and within one month, stating reasons and informing them of their right to lodge a complaint with a supervisory authority and to seek judicial remedy. Responses shall be in the same format used by the Data Subject unless otherwise requested.
8. Subprocessing
Zepo, as the Processor, shall not subcontract its services to any subprocessor outside those authorized in Appendix II. If subcontracting is necessary, Zepo must obtain prior written authorization from the Controller and identify the subprocessor, its purpose, and objectives.
9. International Transfers of Controller’s Personal Data
No international transfers of Controller’s Personal Data may occur except to subprocessors listed in Appendix II. Zepo shall formalize such processing under an agreement per Data Protection Law, incorporating required safeguards. Any additional transfer requires prior written approval from the Controller.
10. Security Breach
If instructed by a competent Supervisory Authority or required by law, in the event of a security breach involving the Controller’s Personal Data, the Processor shall notify the Controller without delay and, if possible, within 72 hours.
11. Termination, Resolution, and Expiration
In case of termination, resolution, or expiration of the Contract, the Processor shall not retain Controller’s Personal Data unless legally required. Otherwise, Zepo shall destroy or return all Controller’s Personal Data and any copies or media containing such data.
Appendix I
Category and Type of Data
Categories of Data Subjects and Data Types:
According to this DPA and GDPR, Zepo may access and process the following Personal Data provided by the Controller:
Category of Data Subjects | Data Categories
---|---
Client Employees or Staff | Identification data (name, surname, email, phone, country, language, time zone, employee number); academic and professional data (position, department, division, supervisor’s name/email, exposure level, training level)
Purpose of Processing:
Processing necessary for providing Zepo services under the contract. Provision of cybersecurity training services.
Nature of Processing:
☐ Disclosure ☒ Collection ☐ Recording ☒ Organization ☒ Structuring ☐ Modification ☒ Storage
☐ Extraction ☐ Consultation ☐ Transmission ☐ Matching or Linking ☐ Restriction ☒ Erasure ☐ Usage
Appendix II
Authorized Subprocessors
Subprocessor | Service Description | Privacy Policy URL | Country
---|---|---|---
Zepo may expand this list upon notification from the Controller.
Appendix III
Security Measures
Zepo shall have the right and obligation to decide on technical and organizational security measures necessary to ensure the agreed level of data security.
However, Zepo shall implement, at a minimum, the following measures agreed with the Controller:
Technical Security Measures:
- Pseudonymization and encryption of personal data;
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- Ability to restore personal data availability and access in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security.