zcal Data Processing Addendum

Last updated January 1, 2024

This Data Processing Addendum (DPA), which incorporates the referenced Standard Contractual Clauses and UK Addendum (including Exhibits A and B), is incorporated into and forms part of any existing and valid Master Services Agreement or Terms of Use (the Agreement) previously or concurrently established between you, the Customer (including your subsidiaries and affiliates), and zcal, Inc. (the Processor, including its subsidiaries and affiliates). This DPA introduces extra conditions that apply whenever the information you provide to zcal under the Agreement contains Personal Data (as defined below). The DPA's effective date is governed by zcal's Terms of Use.


1.0 Defined Terms

The following definitions are used in this DPA.

1.1 “Authorized Personnel” refers to (a) zcal's staff who require access to or knowledge of Personal Data to perform the relevant services; and (b) zcal's contractors, agents, and auditors who require access to or knowledge of Personal Data to allow zcal to fulfill its duties under the Agreement and this DPA, and who are legally bound by written confidentiality and other obligations that adequately protect Personal Data according to this DPA.

1.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § [1798.100 - 1798.199.100], as modified, including by the California Privacy Rights Act of 2020 and its subsequent implementing rules.

1.3 “Customer Data” is any information, data, and other content, in any format, that you or your representatives, as a customer or user, submit, post, or otherwise send via the Services, or that is submitted by or on behalf of your prospective clients, clients, or other end-users of the Services who interact with you and your users.

1.4 “Data Protection Laws” means all applicable federal, state, and international laws, as well as binding regulations and formal directives, concerning data protection, privacy, and data security, as updated over time. This includes, without limitation, the EU Data Protection Laws, UK Data Protection Laws, the Swiss Data Protection Laws, the CCPA, the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA), but specifically excludes consent decrees.

1.5 “Data Subject” means the specific person or consumer to whom the Personal Data relates.

1.6 “EU Data Protection Laws” means the GDPR alongside any applicable laws or regulations that implement it, as well as European Union or Member State laws, as amended periodically.

1.7 “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data).

1.8 “Personal Data” is any Customer Data relating to a specific, identified, or identifiable natural person that zcal Processes on behalf of the Customer while providing the Services, when such information is legally protected as "personal data," "personal information," or a similar term under any Data Protection Law(s).

1.9 “Process” or “Processing” means any action or set of actions performed on Personal Data, whether automated or not, such as gathering, logging, organizing, storing, altering, retrieving, viewing, utilizing, sending, broadcasting, or otherwise making available, combining, restricting, deleting, or destroying the data.

1.10 “Security Breach” means a confirmed violation of zcal's information security measures that results in the accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or access to Personal Data covered by this DPA.

1.11 “Services” means the services zcal provides to you under the Agreement.

1.12 “Standard Contractual Clauses” or “SCCs” means the standard clauses for transferring Personal Data to processors in third countries, which were approved by the European Commission. The current approved version is detailed in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e.

1.13 “Swiss Data Protection Laws” means all laws currently effective in Switzerland concerning data protection, the Processing of Personal Data, privacy, and/or electronic communications. This includes the Federal Act on Data Protection of June 19, 1992, its ordinances, and the future revised Swiss Federal Act on Data Protection dated 25 September 2020 once it becomes effective (collectively, “FADP”).

1.14 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “SCCs” defined above) issued by the Commissioner under S119A(1) Data Protection Act 2018, Version B1.0, effective 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

1.15 “UK Data Protection Laws” means all laws currently in force in the United Kingdom regarding data protection, the Processing of Personal Data, privacy, and/or electronic communications, including the United Kingdom GDPR and the Data Protection Act 2018.

1.16 “UK GDPR” means the United Kingdom General Data Protection Regulation, which is part of United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.17 The terms “Processor” and “Controller” will have the meanings assigned to them by the applicable Data Protection Law. Any capitalized terms not defined in this DPA will carry the meanings associated with them in the Agreement and are formally adopted by reference here.


2.0 Processing and Transfer of Personal Data

2.1 Customer Obligations. The Customer is the Controller of the Personal Data and must (a) determine the purpose and main methods for the Processing of Personal Data in line with the Agreement; (b) be responsible for the accuracy of the Personal Data; and (c) adhere to its duties under Data Protection Laws. This includes, where necessary, ensuring a legal basis for collecting Personal Data, providing required notifications to Data Subjects, and/or obtaining the Data Subject’s consent to Process the Personal Data.

2.2 zcal Obligations. zcal is the Processor of the Personal Data and must (a) Process Personal Data on the Customer’s behalf according to the Customer’s written directions given during the term of this DPA (unless a written waiver is provided), and (b) comply with its duties under Data Protection Laws. Annex 1 of Exhibit A describes the intended Processing of Personal Data under this DPA. The parties agree that the Agreement, including this DPA, along with the Customer's use of the Services as per the Agreement, represents the Customer's complete and definitive written instructions to zcal for Processing Personal Data. Any further instructions outside this scope will require a prior, mutually signed written agreement between the Customer and zcal. If zcal reasonably suspects that a conflict exists between a Data Protection Law and the Customer’s instructions, zcal will inform the Customer promptly, and both parties will collaborate in good faith to resolve the conflict while achieving the instruction's objectives.

2.3 Data Use. zcal will not use Personal Data, except when authorized by the Customer’s instructions, or as necessary to initiate or defend claims, comply with legal requirements, cooperate with regulatory bodies, or for other similar permissible uses as explicitly allowed under Data Protection Laws.

2.4 Location of Processing. Both parties acknowledge and agree that Personal Data Processing will occur in the United States and potentially in other jurisdictions outside the Data Subject’s residence. The Customer must adhere to all notice and consent requirements for such transfer and Processing as mandated by Data Protection Laws.

2.5 Return or Destruction of Data. zcal shall either return or securely destroy Personal Data, following the Customer’s instructions, upon the Customer’s request or upon the termination of the Customer's account(s), unless retention is required to comply with applicable law.


3.0 EU, Swiss and United Kingdom Data Protection Laws

This Section 3 applies to the Processing of Personal Data when it is subject to the EU Data Protection Laws, Swiss Data Protection Laws, or UK Data Protection Laws.

3.1 Transfers of Personal Data. The Customer acknowledges and agrees that zcal is based in the United States and that providing Personal Data from the European Economic Area (“EU”), Switzerland, or the United Kingdom to zcal for Processing constitutes a transfer of Personal Data to the United States. All transfers of Customer Personal Data originating from the EU (“EU Personal Data”), Switzerland (“Swiss Personal Data”), or the United Kingdom (“UK Personal Data”) to the United States will be governed by the Standard Contractual Clauses and the UK Addendum, as applicable, under the following conditions:

a. For transfers of EU Personal Data or transfers including Swiss Personal Data that are subject to both EU Data Protection Laws and Swiss Data Protection Laws (in the latter case, the GDPR standard will be used for all data transfers), Module 2 of the SCCs (for Controller to Processor transfers), along with the Annexes in Exhibit A to this DPA, will apply and are incorporated herein. The parties agree that: (a) Clause 7 does not apply; (b) Option 2 of Clause 9(a) applies with a notice period of 30 days in advance; (c) the optional language in Clause 11(a) does not apply; (d) the governing law in Clause 17 is that of Ireland; (e) disputes in Clause 18 will be resolved by the courts of Ireland; and (f) the annexes are completed in Exhibit A to this DPA.

b. For transfers of only Swiss Personal Data, Module 2 of the SCCs (for Controller to Processor transfers), along with the Annexes in Exhibit A to this DPA, will apply and are incorporated herein. The parties agree that: (a) Clause 7 does not apply; (b) Option 2 of Clause 9(a) applies with a notice period of 30 days in advance; (c) the optional language in Clause 11(a) does not apply; (d) the competent supervisory authority in Annex I.C under Clause 13 will be the Federal Data Protection and Information Commissioner; (e) the governing law in Clause 17 is that of Switzerland; (f) disputes in Clause 18 will be resolved by the courts of Switzerland; (g) the annexes are completed in Exhibit A to this DPA; and (h) any references to the GDPR are to be understood as references to the FADP.

c. For transfers of Swiss Personal Data subject to Sections 3.1.a. and 3.1.b of this DPA, the term ‘member state’ must not be interpreted to prevent Data Subjects in Switzerland from exercising their right to sue in Switzerland according to Clause 18c.

d. For transfers of UK Personal Data, Module 2 of the SCCs will apply as described in subsection 3.1.a. above, and the UK Addendum set out in Exhibit B to this DPA will apply and is incorporated herein.

3.2 GDPR and UK GDPR Obligations. zcal will: (a) provide reasonable assistance to the Customer in fulfilling its obligations regarding EU Personal Data under Articles 32 to 36 of the GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); (b) maintain a record of all types of Processing activities performed on behalf of the Customer as required by Article 30(2) of the GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); and (c) cooperate, upon request, with an EU or UK supervisory authority concerning the performance of the Services.


4.0 United States Data Protection Laws

This Section 4 applies to the Processing of Personal Data when it is subject to Data Protection Laws in the United States.

4.1 CCPA/CPRA. This subsection 4.1 governs zcal’s Processing of Personal Data subject to the CCPA, for which zcal acts as the Customer’s service provider. The Customer shares the Personal Data with zcal, and zcal will Process such Personal Data exclusively for the business purposes defined in this Agreement, including this DPA.

a. zcal will not:

i. sell or share the Personal Data;

ii. retain, use, or disclose the Personal Data (i) for any purpose other than the business purposes specified in the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between the parties;

iii. combine the Personal Data that zcal receives from, or on behalf of, the Customer with Personal Data that zcal receives from, or on behalf of, another party, or collects from its own interaction with the consumer. However, zcal may combine Personal Data to perform any business purpose allowed by the CCPA, including its regulations, or by regulations adopted by the California Privacy Protection Agency.

b. zcal will comply with the duties applicable to it as a service provider under the CCPA and will ensure the Personal Data receives the same level of privacy protection required by the CCPA.

c. The Customer has the right to take reasonable and appropriate measures to help ensure that zcal utilizes the Personal Data in a manner consistent with the Customer’s obligations under the CCPA. The procedure for taking such measures is outlined in Section 9 below.

d. zcal will notify the Customer if it determines that it can no longer fulfill its obligations as a service provider under the CCPA. If zcal provides such notification, the Customer will have the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of Personal Data.

e. For any sub-processors zcal uses to Process Personal Data subject to the CCPA, in addition to its duties in Section 5 below, zcal’s agreement with the sub-processor must require the sub-processor to comply with the requirements set forth in subsection 4.1.a above.

f. For the purpose of this Section 4, the terms “consumer,” “service provider,” “sell,” and “share” will have the meanings ascribed to them under the CCPA.

4.2 Virginia, Colorado, Connecticut and Utah. For clarity and for the purposes of the VCDPA, CPA, CTDPA, and UCPA, the relevant details of Processing set forth in Section B in Exhibit A will apply.


5.0 Sub-processors

5.1 Sub-processor List. The Customer authorizes zcal’s use of the sub-processors listed in Exhibit A attached hereto. zcal may update its list of sub-processors periodically and will make any updates available here: https://zcal.co/data-processors.


6.0 Customer Representation and Warranty

The Customer asserts and guarantees, on behalf of itself and its employees, that the Personal Data provided to zcal for Processing under the Agreement and this DPA is collected, lawfully obtained, and utilized by the Customer and its employees in compliance with all Data Protection Laws, including without limitation the provisions for disclosure, informed affirmative consent, and targeted advertising of Data Protection Laws, including Chapter II of the GDPR. Furthermore, the Customer agrees to defend, indemnify, and hold zcal harmless from any loss, cost (including reasonable out-of-pocket legal fees and court expenses), damage, or liability resulting from any claim arising from a breach of this Section 6.


7.0 Data Protection

7.1 Data Security. zcal will employ commercially reasonable efforts to protect the security, confidentiality, and integrity of the Personal Data transferred to it by using reasonable administrative, physical, and technical safeguards. Without limiting the foregoing, zcal shall: (a) implement reasonable administrative, physical, and technical safeguards (including commercially reasonable safeguards against worms, Trojan horses, and other disabling or damaging codes) to protect the Personal Data in accordance with Data Protection Laws as appropriate for the nature of the Personal Data; (b) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and encrypted, and use industry-standard security procedures and systems applicable to the use of Personal Data to prevent, and take prompt and appropriate corrective action against, unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data; and (c) cease to retain documents containing Personal Data, or remove the methods by which Personal Data can be linked to specific individuals, reasonably promptly after it is reasonable to assume that (i) the specified purposes no longer require zcal’s retention of Personal Data, and (ii) retention is no longer necessary for legal or business reasons.

7.2 Authorized Personnel. zcal must ensure that Authorized Personnel have agreed to confidentiality or are under a suitable statutory confidentiality obligation with duties at least as strict as those in this DPA.

7.3 Security Breaches. Following confirmation of a Security Breach: (a) zcal will promptly: (i) inform the Customer of the Security Breach; (ii) investigate the Security Breach; (iii) provide the Customer with necessary details about the Security Breach as required by applicable law; and (iv) take reasonable actions to prevent the Security Breach from recurring; and (b) zcal agrees to cooperate with the Customer's management of the situation by: (i) offering reasonable assistance with the Customer’s investigation; and (ii) making available relevant records and other materials related to the Security Breach’s impact on the Customer, as required to comply with Data Protection Laws.


8.0 Assistance

8.1 Processor Assistance. Upon the Customer’s written request, zcal will provide reasonable assistance to the Customer as necessary to help the Customer meet its duties under Data Protection Laws, including by providing information to the Customer about zcal’s technical and organizational security measures, and as required to complete data protection assessments.

8.2 Data Subject Requests. zcal will provide reasonable assistance to the Customer with fulfilling the Customer’s obligations to Data Subjects exercising rights granted by Data Protection Laws, concerning Personal Data, should the Customer be unable to act on such a request without zcal’s help. If a Data Subject submits a request to zcal to exercise a right regarding their Personal Data for which the Customer is the Controller, zcal will promptly inform the Customer of the request and will advise the Data Subject to submit their request directly to the Customer. The Customer will be responsible for responding to the request.


9.0 Audits

Within thirty (30) days of the Customer’s written request, and limited to once per year and subject to the confidentiality obligations in the Agreement, zcal will make available to the Customer (or a mutually agreed-upon third-party auditor) information reasonably necessary to demonstrate zcal’s compliance with the duties outlined in this DPA.


10.0 Miscellaneous

10.1 Conflict. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, the Data Protection Laws will prevail. Should there be any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail, but only to the extent the subject matter involves the Processing of Personal Data.

10.2 Amendments. This DPA cannot be changed except as specified in the “Changes” section of zcal’s Terms of Use or the modification terms set out in the Agreement. If any data protection authority determines that the Agreement or this DPA is inadequate to comply with Data Protection Laws or changes to them, the Customer and zcal agree to collaborate in good faith to amend the Agreement or this DPA, or to enter into additional mutually acceptable data processing agreements, in an effort to comply with all Data Protection Laws.

10.3 Liability. Each Party’s liability arising from or related to this DPA, whether in contract, tort, or under any other legal theory, is subject to the limitations of liability specified in the Agreement. For the avoidance of doubt, every reference herein to the “DPA” includes this DPA and its exhibits and appendices.

10.4 Entire Agreement. This DPA does not affect the rights and obligations of the parties under the Agreement, which remain fully effective. This DPA, together with the Agreement, constitutes the final, complete, and exclusive understanding of the Parties concerning the subject matter hereof, superseding and merging all prior discussions and agreements between the parties regarding such subject matter.


Exhibit A: Standard Contractual Clauses

This Annex is part of the Standard Contractual Clauses.

Annex I

A. List of Parties

Data exporter

The data exporter is the Customer.

Address: The Customer’s address as detailed in the Agreement.

Contact person’s (DPO and/or EU representative) name, position, and contact details: The Customer’s contact details as provided in the Agreement/order form.

Activities relevant to the data transferred under these Clauses: Activities required to provide the Services outlined in the Agreement.

Signature and date: The Customer is considered to have signed this Annex I by accepting zcal’s Terms of Use.

Data importer

The data importer is zcal.

Address: 9800 Centre Pkwy, Houston, TX 77036

Contact person’s (DPO and/or EU representative) name, position, and contact details: Saurabh Chandarana, [email protected]

Activities relevant to the data transferred under these Clauses: Activities required to provide the Services outlined in the Agreement.

Signature and date: zcal is considered to have signed this Annex I by accepting zcal’s Terms of Use.

B. Description of Transfer

Categories of data subjects whose personal data is transferred

The data exporter may submit Personal Data to zcal. The scope of this data is determined and controlled solely by the data exporter and may include, but is not limited to, Personal Data related to the following groups of data subjects: (i) the data exporter’s end-users, including employees, contractors, representatives, business partners, collaborators, and customers; and (ii) individuals with whom the data exporter is scheduling appointments via the data importer’s Services, which may include their representatives, business partners, collaborators, customers, and prospective customers.

Categories of personal data transferred

The data exporter may submit Personal Data to zcal. The scope of this data is determined and controlled solely by the data exporter and may include, but is not limited to, the following categories of Personal Data: (a) First and last name; (b) Title; (c) Position; (d) Employer; (e) Contact information (company, email, phone, physical business address); (f) Connection data; (g) Localisation data; and (h) other electronic data used by the Customer in the context of the Services.

Sensitive data transferred (if applicable)

None

The Frequency of the Transfer

Continuous

Nature of the processing

The processes may include gathering, storing, retrieving, viewing, using, erasing or destroying, disclosing by transmitting, disseminating, or otherwise making available the data exporter’s data as necessary to provide the Services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).

Purpose(s) of the data transfer and further processing

The objective of zcal’s Processing of Personal Data is the fulfillment of the contractual services under the Agreement with the data exporter.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

Personal data is kept for as long as is reasonably necessary to achieve the purposes for which it was collected, to meet our contractual and legal obligations, and for any applicable statutes of limitations periods for the purpose of bringing and defending legal claims.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The subject matter and nature of the Processing by sub-processors are detailed in Annex III to this DPA. The duration of the Processing by sub-processors will be for as long as the data importer provides the Services under the Agreement to the data exporter.

C. Competent Supervisory Authority

Where the EU GDPR applies, the competent supervisory authority will be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority will be the UK Information Commissioner’s Office.

Annex II: Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data

The Processor will maintain reasonable administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of Personal Data transferred to the Processor, as described in this DPA and at the following link: https://zcal.co/security.

Annex III: Processor’s Sub-Processors

By executing this DPA, the Customer has authorized the use of the listed sub-processors found here: https://zcal.co/data-processors.


Exhibit B: UK Addendum

Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties undertaking Restricted Transfers. The Information Commissioner deems that it offers Appropriate Safeguards for Restricted Transfers when executed as a legally binding contract.

Part 1: Tables

Table 1: Parties

Exporter (who sends the Restricted Transfer)

  • Full legal name: As specified in Annex I of Exhibit A
  • Trading name (if different): n/a
  • Main address (if a company registered address): As specified in Annex I of Exhibit A
  • Official registration number (if any) (company number or similar identifier): n/a
  • Full Name (optional): As specified in Annex I of Exhibit A
  • Job Title: As specified in Annex I of Exhibit A
  • Contact details including email: As specified in Annex I of Exhibit A
  • Signature: The Exporter is considered to have signed this Addendum by accepting zcal’s Terms of Use.

Importer (who receives the Restricted Transfer)

  • Full legal name: zcal
  • Trading name (if different): n/a
  • Main address (if a company registered address): As specified in Annex I of Exhibit A
  • Official registration number (if any) (company number or similar identifier): n/a
  • Full Name (optional): As specified in Annex I of Exhibit A
  • Job Title: As specified in Annex I of Exhibit A
  • Contact details including email: As specified in Annex I of Exhibit A
  • Signature: The Importer is considered to have signed this Addendum by accepting zcal’s Terms of Use.

Table 2: Selected SCCs, Modules, and Selected Clauses

Addendum EU SCCs

The version of the Approved EU SCCs to which this Addendum is attached, detailed below, including the Appendix Information:

  • Date: As specified in the DPA
  • Reference: n/a
  • Other identifier (if any): n/a

Table 3: Appendix Information

“Appendix Information” means the information required for the selected modules as set out in the Appendix of the Approved EU SCCs (excluding the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As specified in Annex I of Exhibit A

Annex 1B: Description of Transfer: As specified in Annex I of Exhibit A

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As specified in Annex II of Exhibit A

Annex III: List of Sub processors (Modules 2 and 3 only): As specified in Annex III of Exhibit A

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19:

  • Importer
  • Exporter

Part 2: Mandatory Clauses

Mandatory Clauses

  • Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and presented to Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as updated under Section 18 of those Mandatory Clauses.