Data Processing Agreement

Data-protection terms for business customers whose data we process.

KEY DETAILS — the only place these values appear. To update the company, country, product, contact or date, change them here and nowhere else in this document.

FieldValue
Company / ProcessorZARSK Ltd (referred to in this document as "the Company", "we", "us", "our" or the "Processor")
Product / Service nameZARZOOM (the "Service")
Governing lawEngland & Wales, United Kingdom
Data protection contact[PRIVACY EMAIL]
Sub-processor list location[SUB-PROCESSOR PAGE / ON REQUEST]
Last updated[DATE]

1. About this Agreement

1.1 This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Controller") and the Company (the "Processor"). It applies where, in providing the Service, we process personal data on your behalf as your processor.

1.2 This DPA reflects Article 28 of the UK GDPR and EU GDPR. Terms such as "personal data", "processing", "controller", "processor", "data subject" and "personal data breach" have the meanings given in the applicable data protection law.

1.3 If you are a Business Customer, this DPA applies automatically to your use of the Service. Consumers are covered by the Privacy Policy; this DPA is primarily relevant where you process other people's personal data through the Service.

2. Roles and scope

2.1 As described in the Privacy Policy:

  • you are the controller of the personal data you put into the Service and of your audience's and customers' personal data processed through it; and
  • we act as your processor of that personal data.

2.2 We process that personal data only to provide the Service and only on your documented instructions, which include these Terms, your use and configuration of the Service, and any lawful written instruction you give. We will tell you if, in our opinion, an instruction breaches data protection law (without obligation to give legal advice).

2.3 The subject matter, duration, nature and purpose of the processing, the categories of personal data and data subjects, are set out in Annex 1.

3. Our obligations as processor

We will:

(a) process the personal data only on your documented instructions, including for international transfers, unless required to do otherwise by law (in which case we will inform you unless legally prohibited);

(b) ensure that personnel authorised to process the personal data are bound by confidentiality;

(c) implement appropriate technical and organisational security measures as described in Annex 2, having regard to the state of the art, costs, and the risks to data subjects;

(d) respect the conditions in section 4 for engaging sub-processors;

(e) taking into account the nature of the processing, assist you by appropriate measures, so far as possible, to respond to data subject requests to exercise their rights;

(f) assist you in ensuring compliance with your obligations on security, breach notification, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to us;

(g) at your choice, delete or return the personal data at the end of the provision of the Service, and delete existing copies unless law requires storage; and

(h) make available to you the information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits as described in section 7.

4. Sub-processors

4.1 You give general authorisation for us to engage sub-processors to process personal data, including those listed at the location in the Key Details (for example, hosting, storage, AI generation, voice, social publishing routing, payments, email and analytics providers).

4.2 We will impose data protection obligations on each sub-processor that are equivalent to those in this DPA, and we remain responsible to you for a sub-processor's performance.

4.3 We will give you reasonable notice of any intended addition or replacement of a sub-processor. You may object on reasonable data protection grounds within a reasonable period; if we cannot reasonably resolve your objection, you may terminate the affected part of the Service.

5. International transfers

5.1 Where processing involves transferring personal data outside the UK or EEA, we will ensure an appropriate safeguard is in place, such as an adequacy decision, the UK International Data Transfer Agreement / Addendum, or the EU Standard Contractual Clauses, which are incorporated into this DPA by reference where they apply, together with any required supplementary measures.

6. Personal data breaches

6.1 We will notify you without undue delay after becoming aware of a personal data breach affecting the personal data we process for you, and provide the information reasonably available to help you meet your own notification obligations.

7. Audits

7.1 We will make available information reasonably necessary to demonstrate compliance with this DPA. Where you reasonably require an audit, we may satisfy it through up-to-date certifications, reports or questionnaires; if that is insufficient, we will allow an audit by you or an independent auditor on reasonable prior notice, during business hours, subject to confidentiality, no more than once a year unless required by a regulator or following a breach, and conducted so as to minimise disruption.

8. Liability and term

8.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

8.2 This DPA continues for as long as we process personal data for you and terminates with the Terms of Service. Sections that by their nature should survive (including deletion/return and confidentiality) survive.

9. Language and precedence

9.1 The authoritative version of this DPA is the English version. Translations are provided for convenience only, and in the event of any conflict, inconsistency, ambiguity, or question of interpretation, the English version prevails.

9.2 If there is a conflict between this DPA and the rest of the Terms of Service on the subject of data protection processing, this DPA prevails for that subject matter.


Annex 1 — Details of processing

  • Subject matter: provision of the Service (AI content generation, scheduling, and publishing to Connected Accounts) to the Customer.
  • Duration: the term of the Customer's use of the Service, plus any limited retention period described in the Privacy Policy.
  • Nature and purpose: hosting, storing, generating, processing, transmitting and publishing Content and related data, operating Connected Accounts on the Customer's instruction, providing support, security and analytics.
  • Categories of data subjects: the Customer's personnel and account users; the Customer's audience, followers and customers; individuals referenced or depicted in Content (including in any face/voice reference provided by the Customer).
  • Categories of personal data: identifiers and contact data; account and profile data; Content that may contain personal data; social engagement and performance data; and, where the Customer uses such features and has the right to provide it, image and voice data (which may be sensitive/biometric).
  • Special category data: only where the Customer chooses to provide it and is responsible for the lawful basis and consents.

Annex 2 — Technical and organisational measures

We maintain measures appropriate to the risk, including: encryption of data in transit; access controls and least-privilege access; secure management of credentials, secrets and access tokens; network and infrastructure controls; logical separation of customer environments / Workspaces; monitoring and logging; backup and recovery processes; vendor due diligence for sub-processors; and incident detection and response. Measures are reviewed and updated over time as the Service and risks evolve.


End of Data Processing Agreement.