Zscaler Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between Zscaler, Inc., located at 120 Holger Way, San Jose, CA 95134, USA, on behalf of itself and its Affiliates (“Zscaler”) and Customer (defined below) (collectively, the “parties” or “Parties”). This DPA is incorporated by reference in the Agreement (defined below). Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

DEFINITIONS

1. “Agreement” means any agreement between Zscaler and a specific customer or between a specific customer and a Zscaler-authorized partner under which Products are provided by Zscaler and/or a Zscaler-authorized partner to that customer.  Such an agreement may have various titles, such as “Order Form”, “Quotation”, “Purchase Order”, “End User Subscription Agreement”, or “Master Services Agreement”.

2. “Controller”, “data subject”, “personal data”, “personal data breach,” “process”, “processing”, “Processor”, and “supervisory authority” shall have the meanings given in applicable Data Protection Legislation or, if not defined in applicable Data Protection Legislation, the GDPR.

3. “Customer” means the customer that is identified on, and is a party to, the Agreement, and any Customer affiliates.

4. “Data Protection Legislation” means all applicable data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, as amended or replaced from time to time, including without limitation, the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).

5. “Personal Data” means personal data that is submitted to the Products by Customer and processed by Zscaler for the purposes of providing the Products to Customer.  The types of Personal Data and the specific uses of the Personal Data are detailed in Exhibit A attached hereto.

6. “Products” means the Zscaler services and products ordered or subscribed to by Customer in an Agreement.

DATA PROCESSING

1. Roles of the Parties.  The parties acknowledge and agree that with regard to the processing of Personal Data for the provision of the Products, Customer is the Controller and Zscaler is the Processor. The parties agree to comply with the applicable Data Protection Legislation.

2. Instructions. Zscaler will process the Personal Data only in accordance with any documented Customer instructions received by Zscaler with respect to the processing of such Personal Data. Zscaler will process Personal Data from its global data centers depending on where Customer’s users are located, for the following purposes: (a) processing necessary for the provision of the Products in accordance with this DPA and the Agreement; (b) any processing initiated by Customer’s end users in their use of the Products; and (c) any processing to comply with the other reasonable written instructions provided by Customer to Zscaler (e.g., via email or via support requests) where such instructions are consistent with the terms of the Agreement, as required to comply with applicable Data Protection Legislation, or as otherwise mutually agreed by the parties in writing. Zscaler will promptly inform Customer if in its opinion compliance with any Customer instruction would infringe Data Protection Legislation.

3. Customer Responsibilities.  Customer will, in its use of the Products, comply with the requirements of applicable Data Protection Legislation which includes instructions to Zscaler in regards to the processing of Personal Data.  Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and for ensuring that the Personal Data was lawfully acquired by Customer (including any authorizations or consents if required).  Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Zscaler so that Zscaler may lawfully use, process, and transfer the Personal Data in accordance with Customer’s instructions.

4. Cooperation. Zscaler will assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Zscaler 

5. Data Storage and Retention. During the deployment process for a Product, Customer may choose to have its transaction logs (“Customer Logs”) stored in a jurisdiction specified in Exhibit A, depending on a particular Product. The Customer Logs will be retained by Zscaler as indicated in Exhibit A, depending on the Product (“Retention Period”). If Customer has specific retention requirements, then Zscaler offers the following, if available for the purchased Product: 

   1. Nanolog Streaming Service (“NSS”). Allows Customer to stream the Customer Logs in real-time to Customer’s designated systems allowing Customer to customize its retention and deletion of the Customer Logs. With NSS, copies of the Customer Logs are retained and deleted by Zscaler according to the Retention Period.  

   2. Private Nanolog Cluster. Allows Customer to customize its retention and deletion of the Customer Logs.  Customer may retain and then delete the Customer Logs for a minimum one (1) month period up to a maximum six (6) month period. With the Private Nanolog Cluster, Zscaler does not retain any copies of the Customer Log beyond the Customer’s configured retention period.

6. Deletion and Return of Personal Data. Zscaler will, at Customer’s option, and subject to the terms of this DPA (a) delete or return all Personal Data to Customer after the end of the provision of the Products, and (b) delete existing copies of Personal Data unless legally required to retain the Personal Data. Notwithstanding the foregoing, Zscaler will not store Personal Data beyond the applicable Retention Period starting from the end of the provision of the Products.

INTERNATIONAL TRANSFERS

1. International Transfers. Customer consents to Zscaler processing or transferring any Personal Data in or to a territory other than the territory in which the Personal Data was first collected. Zscaler will take such measures as are necessary to ensure such processing or transfer is in compliance with applicable Data Protection Legislation and in accordance with any applicable transfer mechanism provisions set forth in Section 3.2 (Transfer Mechanism) below. 

2. Transfer Mechanism. If applicable Data Protection Legislation places restrictions on the transfer of Personal Data across international borders, then Zscaler will work with Customer to ensure that any international transfer is performed in accordance with applicable Data Protection Legislation and, if required, the parties will execute such applicable legal mechanism (“Transfer Mechanism”). This includes relying on the following Transfer Mechanisms as part of this DPA:

   1. EU Standard Contractual Clauses and UK Addendum. To the extent that Personal Data is transferred outside of the EEA, Switzerland, or the United Kingdom those transfers will be subject to the Transfer Mechanisms found here: https://www.zscaler.com/resources/legal/EU-standard-contractual-clauses.

   2. Data Privacy Framework (“DPF”). Zscaler is certified to the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF and the commitments they entail. These frameworks enable the transfer of personal information to the US from the EU, UK, and Switzerland on the basis of an adequacy decision from the European Commission. Zscaler’s status under the DPF frameworks can be found at https://www.dataprivacyframework.gov/.

   3. Alternative Transfer Mechanism. Zscaler will notify Customer if it determines that a change in applicable Data Protection Legislation will adversely affect or invalidate the warranties and obligations provided under an executed Transfer Mechanism or if an alternative Transfer Mechanism becomes available to use by the parties.  In such an event, Zscaler will work with the Customer to find a mutually agreeable solution to ensure that Personal Data is transferred in compliance with applicable Data Protection Legislation.

SUB-PROCESSORS

1. Sub-processing. Customer provides a general authorization to Zscaler to engage sub-processors that are listed at the following link(“Sub-processors”): https://www.zscaler.com/privacy-compliance/subprocessors (the “Sub-Processor List”) to enable Zscaler to fulfill its contractual obligations under the Agreement and to provide support services on Zscaler’s behalf, subject to compliance with the requirements in this Section. The Sub-processor List includes information on Sub-processors’ location and services provided. The Sub-processor List may be updated by Zscaler from time to time in accordance with Subsection 4.3 (Changes to Sub-Processor List).

2. Sub-processor Agreements. Zscaler will: (a) enter into a written agreement with any Sub-processor that will process Personal Data; (b) ensure that each such written agreement contains terms that are no less protective of Personal Data than those contained in this DPA; and (c) be liable for the acts and omissions of its Sub-processors to the same extent that Zscaler would be liable if it were performing the services of each of those Sub-processors directly under the terms of this DPA. Upon written request by Customer, copies of Sub-processor agreements may be provided to Customer. The parties agree that copies of any Sub-processor agreements that are provided by Zscaler to Customer may have all commercial information, business secrets, or other confidential information redacted by Zscaler beforehand. 

3. Changes to Sub-processor List. Zscaler will provide Customer with advance notice before a new Sub-processor processes any Personal Data (which may be provided via email to the address shared by Customer when registering at the Zscaler Trust portal located at the following link: https://trust.zscaler.com, or such other reasonable means). Customer may object to the new Sub-processor within thirty (30) days of such notice on reasonable grounds relating to the protection of Personal Data and by following the instructions provided in such notice.  In such case, Zscaler shall have the right to cure the objection through one of the following options:  (a) Zscaler will cancel its plans to use the Sub-processor with regards to processing Personal Data or will offer an alternative to provide the Products without such Sub-processor; or (b) Zscaler will take the corrective steps requested by Customer in its objection notice and proceed to use the Sub-processor; or (c) Zscaler may cease to provide, or Customer may agree not to use whether temporarily or permanently, the particular aspect or feature of the Product that would involve the use of such Sub-processor.  If none of the above options are commercially feasible, in Zscaler’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days after Zscaler’s receipt of Customer’s objection notice, then either party may terminate the Agreement and in such case, Customer will be refunded any pre-paid fees for the applicable Product(s) pro-rated for the unused portion of the Subscription Term. Such termination right is Customer's sole and exclusive remedy if Customer objects to any new Sub-processor.

SECURITY MEASURES AND DATA ACCESS

1. Security Measures. Zscaler will implement appropriate technical, administrative, physical, and organizational measures set forth here: https://www.zscaler.com/legal/security-measures (“Security Measures”) to adequately safeguard and protect the security and confidentiality of Personal Data. against accidental, unauthorized, or unlawful destruction, alteration, modification, processing, disclosure, loss, or access. Zscaler will not materially decrease the overall security of the Products during the term of the Agreement.  Zscaler will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance.

2. Confidentiality and Limitation of Access. Zscaler will ensure that persons authorized to process Personal Data on behalf of Zscaler have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Only Zscaler persons authorized to process Personal Data will have access to Personal Data to the extent it is necessary. 

SECURITY INCIDENTS

Zscaler shall notify Customer without undue delay if it becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer’s Personal Data, including any “personal data breach” as defined in the GDPR (a “Security Incident”). In the event of a Security Incident Zscaler will take (a) reasonable steps to identify the cause of the Security Incident; and (b) take any actions necessary and reasonable to remediate the cause of such Security Incident. Zscaler will also reasonably cooperate with Customer with respect to any investigations and with preparing potentially required notices, and provide any information reasonably requested by Customer in relation to the Security Incident.

RIGHTS OF DATA SUBJECTS

Taking into account the nature of the processing, Zscaler will reasonably assist Customer to enable their ability to respond to data subject rights requests provided under applicable Data Protection Legislation relating to the processing of Personal Data, including providing reasonable assistance in implementing technical and organizational measures. Zscaler shall, to the extent legally permitted, promptly notify Customer if Zscaler receives such request. To the extent legally permitted, Customer shall be responsible for any reasonable costs that Zscaler may incur in providing such assistance.

DOCUMENTATION AND AUDIT RIGHT

1. Records of Processing. Zscaler will maintain a record of all categories of processing activities carried out on behalf of Customer. Zscaler will make available to Customer or relevant supervisory authority, if requested, all information necessary to demonstrate Zscaler’s compliance with its obligations under applicable Data Protection Legislation. 

2. Audits. The parties agree that the audits required under applicable Data Protection Legislation, including clause 8.9(d) of the EU SCCs (the “Audit”), will be carried out in accordance with the following conditions:

   1. An Audit of its data processing facilities may be performed no more than once per year during Zscaler’s normal business hours, unless (a) otherwise agreed to in writing by Customer and Zscaler, (b) required by a regulator or under applicable Data Protection Legislation, or (c) there is a Security Incident concerning Personal Data;

   2. Customer will provide Zscaler with at least thirty (30) days’ prior written notice of an Audit, which may be conducted by Customer, or an independent auditor appointed by Customer that is not a competitor of Zscaler (an “Auditor”);

   3. The Auditors will conduct Audits subject to any appropriate and reasonable confidentiality restrictions requested by Zscaler;

   4. The scope of an Audit will be limited to Zscaler systems, processes, and documentation relevant to the processing and protection of Personal Data;

   5. Prior to the start of an Audit, the parties will agree to reasonable scope, time, duration, place, and conditions for the Audit, and a reasonable reimbursement rate payable by Customer to Zscaler for Zscaler’s Audit expenses;

   6. If available, Zscaler will provide an Auditor, upon request, with any third-party certifications pertinent to Zscaler’s compliance with its obligations under this DPA (for example, ISO 27001 and/or SOC 2, Type II); and

   7. Customer will promptly notify and provide Zscaler with full details regarding any perceived non-compliance or security concerns discovered during the course of an Audit.