Annex I – Data Processing Agreement

IN THIS ANNEX WE WILL DEFINE OUR RESPONSIBILITIES WITH REGARD TO COMPLIANCE WITH THE LEGISLATION APPLICABLE TO INFORMATION SECURITY, PRIVACY AND PROTECTION OF PERSONAL DATA PROCESSED WITHIN THE SCOPE OF THE CONTRACT.

1. FOR THE APPLICATION OF THIS ANNEX, THE FOLLOWING DEFINITIONS WILL BE ADOPTED:

– Zenvia Group: These are all companies that are in the same Economic Group as Zenvia, that is, the companies listed in “Annex I – Affiliate List” from Zenvia’s Privacy Policy.

– Client: Those who contract any service provided by the Zenvia Group, including natural persons who, representing the contractor, operate the services.

– Personal Data: information relating, directly or indirectly, to an identified or identifiable natural person.

– Processing: any operation carried out with Personal Data, such as collection, storage, access, use, sharing, enrichment and/or deletion.

– Data subject: natural person to whom the Personal Data being Processed refers.

– Data Controller: the party responsible for decisions regarding the Processing of Personal Data, in particular regarding the purposes and means of the Processing of Personal Data.

– Data Processor: the party that processes Personal Data following the instructions of the Controller.

– Sub-processor: a third party and/or subcontractor appointed by the Processor to assist in the fulfillment of obligations relating to the Processing of Personal Data under the contractual relationship between the Controller and the Processor.

– Data Protection Officer: person appointed by ZENVIA to act as a channel of communication with data subjects and the National Data Protection Authority.

– Data Protection Authorities: the public administration body responsible for ensuring, implementing and monitoring compliance with the Applicable Legislation.

– Security Incident (involving Personal Data): any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction or damage involving Personal Data.

– Applicable Legislation: means the privacy and data protection laws applicable to the processing of personal data outlined in the contract entered into by the Parties, including any applicable local, state, and federal laws, rules, and regulations in the United States relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other Processing of Personal Data, such as the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), and the Utah Consumer Privacy Act (the “UCPA”).

The remaining terms capitalized herein shall have the same meanings ascribed to them in the General Terms of Service, except when expressly provided otherwise herein.

2. COMPLIANCE WITH APPLICABLE PRIVACY AND DATA PROTECTION LEGISLATION.

2.1 The Parties declare that they are aware of and comply with all Applicable Legislation, and will process all personal data following the rights and obligations provided for in the Applicable Legislation.

2.2 The CLIENT declares that it is aware of the provisions contained in ZENVIA’s Privacy Policy, available at https://www.zenvia.com/politica-de-privacidade/.

3. PURPOSE OF THE PROCESSING OF PERSONAL DATA WITHIN THE SCOPE OF THE CONTRACT

3.1 For the purposes of this DPA, the CLIENT shall be considered the Data Controller, while ZENVIA shall be considered the Data Processor.

3.2 As a Processor, ZENVIA guarantees that the Personal Data received will only be processed to comply with the provisions of the Contract entered into with the CUSTOMER or to comply with the instructions provided by the CUSTOMER, as a result of the condition of Controller, always observing the principles, rules and Applicable Legislation.

3.2.1. The CLIENT acknowledges and agrees that ZENVIA may utilize aggregated and, to the extent possible, anonymized data, for the purpose of developing its products, services, or other technologies, as well as for enhancing solutions based on artificial intelligence.

4. CONFIDENTIALITY OF PERSONAL DATA

4.1 All Personal Data made available by the CUSTOMER within the scope of the services provided by ZENVIA will be considered confidential and will be treated in accordance with the conditions set out in Clause 7 of ZENVIA’s General Terms and Conditions of Services.

5. SECURITY MEASURES AND CONTROLS ADOPTED BY ZENVIA

5.1 ZENVIA declares and guarantees that it has measures in place to protect the Personal Data Processed, as well as having security policies in place, which determine technical and administrative measures to guarantee the integrity, availability, and confidentiality of the information.

5.2 The security measures adopted by ZENVIA to guarantee the greatest possible security for the Personal Data Processed are:

(a) authentication of users;

(b) encryption of Data and the content of transactions;

(c) intrusion prevention and detection;

(d) prevention of information leakage;

(e) protection against malicious software;

(f) traceability mechanisms;

(g) access controls and computer network segmentation; and

(h) maintaining backup copies of Personal Data and information.

5.3 If the CUSTOMER has any questions regarding the security measures adopted by ZENVIA, they can contact ZENVIA via the “Chat with Zoe” option, available on the questions button of the https://app.zenvia.com/ environment.

6. SHARING PERSONAL DATA

6.1 In certain cases, ZENVIA may share Personal Data with any Sub-Processor hired to fulfill certain contractual obligations and provide the services or part of them.

6.2 When requested by the CLIENT, ZENVIA will provide visibility of these third-party Sub-Processors and the specific activities they perform, provided that they are directly linked to the execution of the services contracted by the CLIENT, while respecting ZENVIA’s trade secrets and proprietary information.

6.3 When Personal Data is shared, ZENVIA must ensure that all Sub-Processors undertake to adopt equivalent levels and standards of protection for Personal Data and information security measures as those set out in this DPA, and ZENVIA shall be held liable for all losses and damages arising from the improper use of Personal Data, provided that such losses and damages are linked to the culpable or willful misconduct of ZENVIA or the Sub-Processors.

7. CONDUCTING AUDITS

7.1 ZENVIA recognizes the CLIENT’s right to conduct audits related to the existing Processing activities under this DPA and the services provided by ZENVIA. Accordingly, the Parties shall make available, upon request, provided that five (5) working days’ prior notice is given and that regular activities are not jeopardized, all documentation necessary to demonstrate compliance with the obligations set forth in this DPA and the Applicable Legislation on privacy and protection of Personal Data.

7.2 Under no circumstances will access be granted to any information and/or Personal Data (i) relating to clients other than those directly related to the services provided by ZENVIA to the CLIENT; and/or (ii) which are subject to confidentiality obligations with third parties or protected by commercial and/or industrial secrets.

8. INTERNATIONAL DATA TRANSFERS 

8.1 The CLIENT agrees that, if necessary for the performance of the Contract and compliance with any of the conditions set forth therein, ZENVIA may carry out international data transfers during the performance of the services provided.

8.2 In the event of an international data transfer, ZENVIA undertakes to take all necessary and possible measures to ensure, in good faith, that such transfer complies with the Applicable Legislation.

9. FULFILLMENT OF REQUESTS FROM DATA SUBJECTS

9.1 The CLIENT is the Data Controller and the one responsible for complying with requests from Data Subjects to exercise their rights or requests from Data Protection Authorities or any other authority that may supervise the Processing of Personal Data.

9.2 ZENVIA, whenever necessary and requested by the CUSTOMER, shall provide all support to fulfill requests made by the Data Subjects or by any authority, such as:

(a) requests for access to Personal Data;

(b) correction of incomplete, inaccurate or outdated Personal Data;

(c) erasure;

(d) portability; and

(e) other rights provided for in Applicable Legislation.

10. COMMUNICATION OF SECURITY INCIDENTS

10.1 In the event of a Security Incident that may cause relevant risk or damage to the Data Subjects, the Parties must notify the other party of the Security Incident within 48 (forty-eight) working hours of becoming aware of its occurrence, as the case may be.

10.2 The communication shall contain at least the following information:

(a) Date and time of the Security Incident;

(b) Date and time of acknowledgement by the notifier;

(c) List of the types of Personal Data affected by the Security Incident;

(d) Number of data subjects affected (volume of the Security Incident) and, if possible, a list of these individuals;

(e) Contact details of the Person in Charge or other person from whom further information about the incident can be obtained; and

(f) A description of the possible consequences of the event.

10.3 The CLIENT, as the Data Controller, will be responsible for making the necessary communications to the Data Protection Authorities and to the Data Subjects, when necessary, under the terms of the Applicable Legislation.

10.4 If the Security Incident or the effects of the Security Incident involve ZENVIA, the communications in question must be previously aligned between the CUSTOMER and ZENVIA.

10.5 When the CLIENT, acting as Controller, does not prove compliance with the notification of the Security Incident to the Data Protection Authorities, as requested by the Applicable Legislation, ZENVIA will have the right to carry out the necessary communications, without the need for prior consent, unless the delay is for a justified reason.

10.6 The Parties agree that they will work together to prevent and stop any Security Incident, investigating the possible causes and even considering carrying out audits to conclude the investigation.

11. DISPOSAL OF PERSONAL DATA

11.1 ZENVIA will permanently delete or return Personal Data to the CLIENT when:

(a) requested by the CLIENT;

(b) when the contractual relationship of the Parties and the obligations arising therefrom are terminated; or

(c) when the purpose of the Processing has been fulfilled.

11.1.1 ZENVIA may keep any Personal Data when the continued Processing is permitted by law or when it is necessary to comply with any legal or regulatory obligation or to protect a legitimate right.

11.2 Even after the termination of the Contract or other agreements entered into between the Parties, the obligations provided for in this DPA shall continue for as long as the Parties have access to, are in possession of or are able to carry out any Data Processing operation involving information provided during the contractual relationship.

12. RESPONSIBILITIES OF THE CLIENT WHEN USING THE PLATFORM

12.1 In addition to the other responsibilities provided for in the General Terms and Conditions of Service, in this DPA, in the Contract, and in the Applicable Legislation, the CLIENT declares and guarantees that:

(a) all Personal Data that, in any way, has been or will be transferred to ZENVIA, has been and will be obtained lawfully, with an appropriate legal basis under Applicable Legislation, with due transparency to Data Subjects regarding how Personal Data will be processed, under Applicable Legislation, including regarding the protection and confidentiality of Personal Data;

(b) has obtained, in advance and by means of a free, unequivocal and informed manifestation, the consent of the Data Subjects to send messages, when this authorization is required for the legality of the communication, under the terms of the Applicable Legislation and/or on account of responsibilities assumed contractually with third parties;

(c) if, during the use of the services, there is the possibility of Processing Personal Data of minors or sensitive Personal Data, it has obtained the necessary consent, in accordance with the legal requirements determined by Applicable Legislation, and will previously notify ZENVIA of the possibility of such Processing;

(d) is fully responsible for the format, accuracy, quality, content and lawfulness of the Personal Data uploaded, stored, and processed on the Platforms used in the services, under the terms of the Applicable Legislation;

(e) is fully responsible for the Processing of Personal Data carried out by itself, or as requested by the CLIENT, in the context of the execution of the contractual relationship, and will hold ZENVIA harmless from any losses and damages, direct or indirect, arising from any operation of Processing of Personal Data carried out in disagreement with this DPA and the Applicable Legislation.

12.1.1 To hold ZENVIA harmless shall mean, for example, as the case may be: (1) to indemnify and reimburse ZENVIA, (2) to provide guarantees in proceedings, (3) to assume responsibility for acts and facts related to the use of the channel by the CLIENT, (4) to qualify in judicial and administrative proceedings that have as their object acts or facts related to the use of the channel by the CLIENT, requesting, where appropriate, the exclusion of ZENVIA from the proceedings.