Data Processing Agreement
Last updated: January 2025
This Data Processing Agreement ("DPA") forms part of the agreement between XingZap ("Processor") and the Customer ("Company") for the provision of services including API access, datasets, and web applications ("Services").
1. Definitions
In this DPA:
- "Company Personal Data" means personal data processed by the Processor on behalf of the Company in connection with the Services.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Contracted Processor" means any subprocessor engaged by the Processor to process Company Personal Data.
- "Services" means the XingZap API, datasets, and web applications provided to the Company.
2. Processing Instructions
The Processor shall:
- Process Company Personal Data only in accordance with documented instructions from the Company.
- Comply with all applicable Data Protection Laws in the processing of Company Personal Data.
- Not process Company Personal Data for any purpose other than providing the Services.
3. Personnel
The Processor shall ensure that:
- All personnel with access to Company Personal Data are subject to confidentiality obligations.
- Access to Company Personal Data is limited to personnel who require such access to perform the Services.
- All personnel are appropriately trained on data protection requirements.
4. Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account:
- The state of the art and costs of implementation.
- The nature, scope, context, and purposes of processing.
- The risk to the rights and freedoms of data subjects.
5. Subprocessors
The Processor shall not engage any subprocessor to process Company Personal Data without prior written authorization from the Company. Where authorized, the Processor shall:
- Enter into a written agreement with each subprocessor imposing equivalent data protection obligations.
- Remain fully liable for the acts and omissions of its subprocessors.
6. Data Subject Rights
The Processor shall:
- Assist the Company in fulfilling its obligations to respond to requests from data subjects exercising their rights under Data Protection Laws.
- Notify the Company promptly of any request received directly from a data subject.
7. Data Breach Notification
The Processor shall notify the Company without undue delay upon becoming aware of a personal data breach affecting Company Personal Data. Such notification shall include:
- A description of the nature of the breach.
- The categories and approximate number of data subjects affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach.
8. Assistance with Compliance
The Processor shall assist the Company in ensuring compliance with its obligations under Data Protection Laws, including with respect to:
- Data protection impact assessments.
- Prior consultation with supervisory authorities.
9. Data Deletion
Upon termination of the Services, the Processor shall, at the Company's election:
- Delete all Company Personal Data within 10 business days; or
- Return all Company Personal Data to the Company and delete existing copies.
10. Audit Rights
The Processor shall make available to the Company all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Company or an auditor mandated by the Company.
11. International Data Transfers
The Processor shall not transfer Company Personal Data outside the European Economic Area without:
- Prior written consent from the Company; and
- Appropriate safeguards in accordance with Data Protection Laws, including Standard Contractual Clauses where applicable.
12. Term
This DPA shall remain in effect for the duration of the Processor's processing of Company Personal Data on behalf of the Company.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of France. Any disputes arising from this DPA shall be submitted to the exclusive jurisdiction of the commercial courts of Paris.
Contact
For questions regarding this DPA, please contact: privacy@xingzap.com