Privacy & Data Processing Addendum (DPA)

Non-binding Dutch summary (translated)

This DPA governs when Zlox acts as processor on behalf of the merchant, which security measures apply, how sub-processors and transfers are managed, how data breaches are reported, and how data is deleted or returned.

Table of Contents

  • Role Allocation
  • Processing Instructions and Scope
  • Security Measures
  • Sub-processors and International Transfers
  • Data Subject Rights and Incident Handling
  • Audits, Retention, Return/Deletion
  • Schedules and Change Log

1. Role Allocation

Zlox is an independent controller for its own business purposes (security, anti-fraud, analytics, legal compliance, product administration). For customer data processed solely on Merchant instructions, Merchant is controller and Zlox is processor.

2. Processing Instructions and Scope

Zlox processes personal data only on documented instructions from Merchant, unless legal requirements mandate otherwise. Merchant warrants lawful basis, transparency notices, and rights management toward data subjects.

3. Security Measures

Zlox implements appropriate technical and organizational measures including encryption in transit, access controls, role segregation, logging, vulnerability management, backup controls, and incident response procedures proportionate to risk.

4. Sub-processors and Transfers

Zlox may engage sub-processors under written agreements imposing data protection obligations materially equivalent to this DPA. For transfers outside EEA/UK/CH, Zlox uses lawful safeguards such as SCCs and supplementary measures where required.

5. Rights Requests and Data Breaches

Zlox provides reasonable assistance for rights requests and DPIAs where required. Zlox notifies Merchant without undue delay after becoming aware of a personal data breach affecting Merchant-controlled data, and provides available information for legal reporting duties.

6. Audits, Retention, Return/Deletion

Zlox provides information reasonably required to demonstrate compliance. Audits are limited to a proportionate frequency, are subject to confidentiality safeguards, and must not disrupt security operations. On termination, Zlox deletes or returns personal data as instructed, unless legal retention is required.

7. Schedules and Change Log

Schedule A: Subject matter, duration, categories of data and data subjects.

Schedule B: Security controls summary.

Schedule C: Sub-processor list and transfer mechanisms.

Schedule D: Data retention/deletion matrix.

  • v{{DPA_VERSION}} ({{EFFECTIVE_DATE}}): Initial DPA outline

Implementation Notes (non-legal)

  • Add DPA acceptance or countersign workflow for merchant org admin
  • Expose sub-processor list with timestamped revision history
  • Implement rights-request intake and SLA tracking in support tooling
  • Keep deletion/return job logs and retention exception records