VZBL Inc.

Data Processing Agreement

Updated: January 2024

This Data Processing Agreement (“DPA”) establishes the terms for processing Personal Data under and in connection with the Agreement between the Customer and VZBL Inc. This DPA is an inseparable part of the Agreement.

The Parties acknowledge that VZBL Inc.’s provision of the SaaS platform involves the Processing of Personal Data. In this context, the Customer is the Controller, and VZBL Inc. is the Processor, processing Personal Data on behalf of the Customer.

In case of any conflict between this DPA and the Terms of Service, the terms of this DPA shall prevail.

Definitions

The terms used in this DPA, such as "Controller", "Processor", "Data Subject", "Special Categories of Personal Data", "Processing", "Data Protection Impact Assessment", and "Personal Data Breach", shall have the meanings defined in the applicable Data Protection Regulation.

Personal Data - refers to any information relating to an identified or identifiable person, which VZBL Inc. processes on behalf of the Customer or its Affiliates under the Agreement.

Data Protection Regulation - encompasses all applicable laws relating to the protection of Personal Data, including but not limited to the CCPA, the GDPR, and national laws supplementing the GDPR.

CCPA - denotes the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., and its amendments and implementing regulations.

GDPR - indicates the EU General Data Protection Regulation (EU) 2016/679 and its amendments.

Standard Contractual Clauses - refer to the Decision (EU) 2021/914 by the European Commission on standard contractual clauses for transferring personal data to third countries, or subsequent decisions by the Commission, and amendments thereto.

Description of Processing

VZBL Inc. processes Personal Data under the Agreement for the purpose of providing its SaaS platform to the Customer.

This includes access to and analysis of data provided by the Customer in connection with the service.

Data Subjects include the Customer's employees or other individuals whose Personal Data the Customer has provided to VZBL Inc. in connection with the service.

For the purposes of the CCPA, VZBL Inc. will act as a “Service Provider”, and the Customer will act as a single point of contact for its Affiliates regarding CCPA compliance. Claims in connection with the CCPA under this DPA will be brought by the Customer, either for itself or on behalf of an Affiliate.

Categories of Personal Data

Personal Data categories include metadata on employees using the SaaS platform in software development projects, such as nature and time of modifications and identifiers of individuals making modifications. VZBL Inc. may also process other categories of Personal Data as included in the Customer Material.

Responsibilities of the Customer

The Customer must comply with obligations applicable to Controllers as set out in the Data Protection Regulation and this DPA.

The Customer is responsible for complying with the CCPA in connection with collecting, using, and storing Personal Data and ensuring lawful Processing of Personal Data by VZBL Inc. in accordance with the Agreement.

The Customer's documented instructions to VZBL Inc. on the processing of Personal Data are given in this DPA. Additional instructions require prior written agreement between the Parties.

The Customer is solely responsible for providing appropriate access rights to VZBL Inc. and limiting access to Personal Data strictly necessary for the purpose of the Service.

Responsibilities of VZBL Inc.

VZBL Inc. shall process Personal Data in accordance with this DPA and the Data Protection Regulation.

VZBL Inc. ensures that personnel with access to Personal Data are bound by confidentiality obligations.

VZBL Inc. will process Personal Data only as permitted under this DPA, the Agreement, or applicable Data Protection Regulation.

VZBL Inc. will refrain from collecting, combining, sharing, using, retaining, accessing, transferring, selling, or otherwise processing Personal Data not related to providing the Service.

VZBL Inc. shall implement and maintain appropriate technical and organizational measures to ensure a suitable level of security to protect Personal Data. Security measures are detailed in VZBL Inc.’s support center.

VZBL Inc. shall notify the Customer of Personal Data Breaches without undue delay and take reasonable steps to mitigate any damage resulting from such breaches. The notification shall contain at least the information required by the Data Protection Regulation.

VZBL Inc. shall, upon the Customer's detailed written request, assist the Customer in carrying out Data Subject requests and supervisory authorities' requests and carrying out Data Protection Impact Assessments when required by the Data Protection Regulation.

VZBL Inc. may use its Affiliates and third parties as subcontractors to provide parts of the Service. The Customer authorizes VZBL Inc. to use these subcontractors for processing Personal Data. VZBL Inc. will notify the Customer of a new subcontractor at least fourteen (14) days prior to their appointment or replacement. The Customer may object to a subcontractor on reasonable grounds related to the protection of Personal Data.

VZBL Inc. ensures that its subcontractors, with access to Personal Data, comply with equivalent obligations as set out in this DPA. VZBL Inc. remains liable for its subcontractors' work.

Except for permitted disclosures to subcontractors, VZBL Inc. shall not disclose, release, transfer, make available, or otherwise communicate any Personal Data to another business or third party without the Customer's prior written consent.

The Service can be hosted within the European Economic Area (EEA). However, some subcontractors are located in or have access to Personal Data outside of the EEA.

Where Personal Data is processed outside of the EEA, VZBL Inc. and its subcontractor shall enter into Standard Contractual Clauses to ensure adequate data protection.

Auditing

VZBL Inc. shall engage independent third-party auditors to conduct audits of its compliance with this Data Processing Agreement (DPA). These audits will be carried out at least once every twelve (12) months. Upon completion of an audit, VZBL Inc. will make the resulting audit reports available to the Customer upon the Customer’s written request. The Customer is required to provide VZBL Inc. with a written notification at least thirty (30) days in advance of their request for an audit report.

Term and Termination

This DPA continues until the termination of the Agreement or as long as VZBL Inc. processes Personal Data on behalf of the Customer.

Upon termination or expiry of the Agreement, or upon the Customer's request, VZBL Inc. shall either destroy or return the processed Personal Data, unless otherwise required by Data Protection Regulation or other applicable legislation.