Data Processing | ZEBRABYTE | CyberSecurity

Data Processing Agreement

I. Introduction

This agreement governs the processing of personal data carried out by ZebraByte as the "Data Processor," on behalf of the client acting as the "Controller." The Data Processing Agreement represents the understanding between the parties and establishes the rules regarding the processing of data by ZebraByte as the Processor, on behalf of the client as the Controller. This agreement supplements the Terms and Conditions and/or the contract concluded between ZebraByte and the Client.

II. Definitions

In this agreement:

Services - represent the service provided to the Client in accordance with the respective Terms and Conditions or contract concluded with ZebraByte.
Personal data - means any information relating to an identified or identifiable natural person (data subject).
Client or Controller - represents the natural person, legal entity, public authority, or any other entity determining the purpose and means of processing personal data.
Processor or ZebraByte - represents the authority that will process personal data on behalf of the controller.
Processing - means any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or making available, alignment or combination, restriction, erasure, or destruction.
Sub-processor or Partner - represents a third party, a ZebraByte-designated partner, for the delivery of services and/or the processing of the client's personal data.
Technical and Organizational Security Measures - measures aimed at ensuring an appropriate level of security, including pseudonymization and encryption of personal data, the ability to ensure confidentiality, integrity, availability, and resilience of processing systems and services, the capability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, a regular process for testing and assessing the effectiveness of processing security.
Applicable Laws - all national and European Union laws and provisions in the field of personal data protection.
Data Subjects - users or customers of the controller.

III. Application of the Agreement

In relation to the services provided, this agreement applies to:

all data sent by the client to ZebraByte for processing
all data accessed by ZebraByte for processing on behalf of the client
all data received by ZebraByte on behalf of the client

IV. Processing of Personal Data

In accordance with GDPR policy, it is the sole responsibility of the client to ensure the accuracy, quality, and processing of personal data of data subjects. ZebraByte will access, use, or process this data on behalf of the client only under the following specific circumstances:

at the direct request of the client
for the purpose of providing contracted services
to provide technical assistance regarding the provided services
for maintenance operations

The client will be responsible for determining the origin and purpose of personal data, as well as the categories of data subjects involved.

In order to fulfill the agreement and specifically for the provision of contracted services, ZebraByte will process certain categories and types of personal data on behalf of the client in accordance with the client's authorization and request.

The types and categories of personal data processed by ZebraByte are:

Contact Information:

Name, surname, address, phone number, email address, personal identification number
Personal data of representatives, employees, and other third parties provided by the client

These personal data are not covered by this Data Processing Agreement but are addressed under the Privacy Policy, as ZebraByte plays the role of a Controller in this situation.

Service-related Data:

Data residing on ZebraByte's servers

Data stored and processed by users, such as source code, databases, files, etc.

Electronic logs: connection logs, authentication logs, access logs, error logs

ZebraByte does not have control over the content of these logs, as they are automatically generated by the services running on the equipment and by the client's applications.

The processing activities carried out will be limited to those necessary and relevant for the provided services. Processing requests from the client will be recorded by ZebraByte and kept until the client exercises the right to be forgotten. ZebraByte will process personal data related to the client and the contacts provided through the sales departments and the ZebraByte .ro website, in accordance with GDPR provisions.

V. Data Access

During the use of the services, the client has the right to access, modify, and delete personal data by authenticating into the owned accounts using common protocols and tools.

In case of any modification or alteration to the data, the original version may be stored as an entry in a log for a period of 10 years, in accordance with ZebraByte data retention policy.

VI. Instructions / indications

ZebraByte will act and process personal data exclusively for the purpose of providing the contracted services, in strict accordance with precise and documented instructions received from the client. By accepting this Data Processing Agreement, it is understood that ZebraByte has the right to process the client's personal data solely for the purpose of providing the contracted services and in accordance with the presented Terms and Conditions or the concluded contract. The client guarantees that the provided personal data comply with applicable laws, including legal requirements regarding data processing. In case ZebraByte believes that the instructions received from the client regarding data processing conflict with applicable laws, ZebraByte will promptly notify the client in this regard.

VII. ZebraByte's Obligations

Confidentiality

ZebraByte will treat all personal data received from clients as confidential information and will ensure that they are used solely for the purpose of providing the contracted services. Personal data will not be disclosed or transferred to third parties, except for ZebraByte employees and partners who require access to this data for service provision and who are obligated by confidentiality agreements to handle them with utmost seriousness and strict confidentiality.

Security

ZebraByte will implement and maintain appropriate technical and organizational measures to protect personal data against illegal or unauthorized processing, as well as against accidental loss, destruction, or damage. A detailed description of the conditions under which backup copies are performed and stored is available in the backup service documentation provided by ZebraByte.

To ensure the confidentiality and security of personal data, ZebraByte will restrict access to this data only to employees who need it for the provision of contracted services by the client. All employees will be subject to confidentiality agreements and will be instructed to process the client's personal data in accordance with the precise instructions received from the client.

If requested by the client, ZebraByte will provide detailed information about the security measures implemented so that the client can assess and verify how personal data is protected.

ZebraByte will periodically review and update security measures to ensure their effectiveness and compliance with technological advancements and legal requirements regarding personal data protection.

Security Breaches

In the event that ZebraByte identifies a breach of the security of personal data, affecting the personal information of its clients, the affected client will be immediately notified. To the extent possible, ZebraByte will engage to provide the necessary information and appropriate assistance to the client, with the aim of enabling them to fulfill all obligations related to reporting data breach incidents.

VIII. Client's Obligations

The client has the obligation to fully comply with applicable legal requirements as a data controller. Within this responsibility, it is the client's duty to ensure that any transfer or provision of personal data to ZebraByte is carried out with the explicit consent of the data subjects. Furthermore, the client must be able to justify each transfer of personal data to ZebraByte and provide the reasons and rationale for the decisions made regarding the processing and use of this data.

IX. Rights of the Data Subject

ZebraByte commits to providing the client with access to the services that manage the personal data of data subjects, allowing the client to perform actions such as deletion, release, correction, or blocking of the respective data. In cases where providing this access is not feasible for certain reasons, ZebraByte will act in accordance with the instructions received from the client, in order to perform these operations in full compliance with applicable laws. Additionally, ZebraByte will undertake to forward to the client any requests received from data subjects regarding access to their own personal data.

Location of Personal Data Processing

Personal data is processed by ZebraByte exclusively within its offices, workplaces, and data centers of its partners. Any transfer of personal data to international organizations or to third countries will only be carried out if such action is necessary and permissible, and fully complies with applicable legal provisions. By international organizations or third countries, reference is made to domain registries or certificate providers.

X. Subcontracting

ZebraByte will not subcontract any processing operation on behalf of the client under this Agreement without the prior consent of the client. For services that are not under ZebraByte's direct administration (such as domains, certificates, licenses), by placing and paying for the order, the client expresses consent for the processing of personal data through third-party providers.

ZebraByte has the implicit right to engage third parties to perform data processing operations on behalf of the client, without the need for written approval from the client. However, in order to ensure transparency and respect for the client's rights, ZebraByte will provide information regarding the identity of the third party upon explicit request from the client.

XI. Technical and Organizational Measures

ZebraByte will ensure that adequate technical and organizational measures are implemented and maintained throughout the processing of personal data on behalf of the client. These measures include, but are not limited to, employing qualified personnel, strict control of access to data centers and equipment, rigorous data access management, using secure protocols for data transmission, detailed logging of system activities, isolating client data from that of other clients on internal systems, regular backups, and more.

XII. Audit

In the interest of transparency and respect for personal data protection, the client has the right to request an audit by submitting a written request to verify how ZebraByte fulfills its obligations according to the Data Processing Agreement. During this procedure, specific details concerning the choice of auditor and audit procedures will be established through a clear and transparent consensus between the parties. However, ZebraByte reserves the right to refuse an audit request in situations where the client has not complied with contractual and Data Processing Agreement provisions.

XIII. Duration

The Data Processing Agreement is valid for the entire duration of the Contract between the Client and ZebraByte. In accordance with legal provisions, the authorization granted by ZebraByte for processing personal data on behalf of the Client will immediately cease upon the expiration of the Contract.

In its role as a data processor, in line with requirements and legal regulations, ZebraByte commits to continuing the processing of personal data for a period of 30 days after the Contract's termination. Simultaneously, ZebraByte will retain a backup copy of the Client's data in accordance with its established backup policies. Any data processing actions conducted by ZebraByte during this period will be deemed to be in accordance with the instructions received from the Client.

ZebraByte undertakes to erase all personal data processed on behalf of the Client within a maximum of 45 days after the termination of the Agreement. However, in cases where there are legal requests or requirements for data retention, ZebraByte will act in accordance with those demands, ensuring the security and confidentiality of the respective data.