Zation Logo

PERSONAL DATA PROCESSOR AGREEMENT (PDPA-G)

Date: March 2025

I. This Personal Data Processing Agreement becomes effective upon the commencement of the provided services and is entered into between:
1.1. This Personal Data Processor Agreement (the "Agreement") outlines the terms under which Zation AG, Suurstoffi 18b, CH-6343 Rotkreuz ("Processor") will process personal data on behalf of its clients ("Controller"). This Agreement is intended to govern all data processing activities related to orders and quotes without the need for individual execution.

II. Definitions
2.1. "Personal Data" refers to any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
2.2. "Processing" means any operation or set of operations which is performed on Personal Data, including but not limited to collection, recording, storage, use, disclosure, and deletion.
2.3. "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (GDPR).

III. Scope of Processing
3.1. The Processor shall process Personal Data on behalf of the Controller for the purposes to analyze usage and consumption for software and cloud products to identify potential to optimize, modernize, reduce cost, increase utilization of software and cloud products.
3.2. The types of Personal Data processed under this Agreement include: User date (username, principal username & AD data), Application usage data and Consumption owner data.
3.3. The categories of data subjects include: Technical Active Directory User (Member & Guests)

IV. Obligations of the Processor
4.1. The Processor shall only process Personal Data in accordance with the Controller's documented instructions.
4.2. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4.3. The Processor shall ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
4.4. The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects to exercise their rights under Data Protection Laws.
4.5. The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach.

V. Sub-processors
5.1. The Processor shall not engage any sub-processor without the prior written consent of the Controller.
5.2. If the Processor engages a sub-processor, the Processor shall ensure that the sub-processor is bound by a written agreement that imposes the same data protection obligations as set out in this Agreement.

VI. Data Transfers
6.1. The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without the Controller’s prior written consent and ensuring that appropriate safeguards are in place as required by Data Protection Laws.

VII. Term and Termination
7.1. This Agreement shall commence on the Effective Date and shall continue until terminated by either party with 90 days written notice.
7.2 Upon termination of this Agreement, the Processor shall, at the Controller’s choice, return or delete all Personal Data processed on behalf of the Controller.

VIII. Liability and Indemnification
8.1. The Processor shall indemnify the Controller against any claims arising out of the Processor's breach of this Agreement or applicable Data Protection Laws.

IX. Governing Law
9.1. This Agreement shall be governed by and construed in accordance with the laws of Switzerland.