Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the End User Agreement between Zigaflow Ltd and the Customer (the "Agreement") and applies to the extent that Zigaflow processes Personal Data on behalf of the Customer in connection with the Service.

Where there is any conflict between this Addendum and the Agreement in relation to the processing of Personal Data, this Addendum prevails.

1. Definitions

Terms not defined in this Addendum have the meaning given to them in the Agreement. In this Addendum:

"Data Protection Legislation" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, in each case as amended or replaced from time to time.

"UK GDPR" means the UK General Data Protection Regulation as defined in section 3(10) of the Data Protection Act 2018.

"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the meanings given in the Data Protection Legislation.

"Customer Personal Data" means any Personal Data contained within Customer Data that Zigaflow processes on behalf of the Customer in the course of providing the Service.

"Sub-processor" means any third party engaged by Zigaflow to process Customer Personal Data in connection with the Service.

"Restricted Transfer" means a transfer of Customer Personal Data to a country or territory outside the United Kingdom that does not benefit from UK adequacy regulations.

"UK Transfer Mechanism" means the International Data Transfer Agreement issued by the Information Commissioner, the UK Addendum to the EU Standard Contractual Clauses, or any other transfer mechanism recognised as valid under the Data Protection Legislation.

2. Roles of the Parties

2.1 The parties acknowledge that, in respect of the processing of Customer Personal Data, the Customer is the Controller and Zigaflow is the Processor.

2.2 Where the Customer is itself acting as a processor on behalf of a third-party controller, the Customer warrants that it has the authority and necessary instructions to engage Zigaflow as a sub-processor on the terms of this Addendum.

2.3 Zigaflow acts as an independent Controller in respect of limited Personal Data it processes for its own purposes, including account administration, billing, security, service improvement, and compliance with its legal obligations. That processing is governed by Zigaflow's Privacy Policy and is outside the scope of this Addendum.

3. Processing of Customer Personal Data

3.1 Zigaflow shall process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers, unless required to do otherwise by law, in which case Zigaflow shall, where legally permitted, inform the Customer of that legal requirement before processing.

3.2 The Agreement, this Addendum (including Annex 1), and the Customer's use and configuration of the Service constitute the Customer's complete and final documented instructions to Zigaflow for the processing of Customer Personal Data. Any additional or alternative instructions must be agreed in writing.

3.3 Zigaflow shall promptly inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation, although Zigaflow is under no obligation to monitor the Customer's compliance.

3.4 The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.

4. Confidentiality

Zigaflow shall ensure that any personnel authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality, whether contractual or statutory, and are made aware of the confidential nature of the data.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, Zigaflow shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2.

5.2 The Customer acknowledges that the measures in Annex 2 are subject to technical progress and development, and that Zigaflow may update them from time to time provided that such updates do not result in a material reduction in the overall level of security.

6. Sub-processors

6.1 The Customer grants Zigaflow general authorisation to engage Sub-processors to process Customer Personal Data, subject to this clause 6. The Sub-processors engaged at the date of this Addendum are listed in Annex 3.

6.2 Zigaflow shall impose on each Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this Addendum.

6.3 Zigaflow remains fully liable to the Customer for the performance of each Sub-processor's obligations.

6.4 Zigaflow shall give the Customer prior notice of any intended addition or replacement of a Sub-processor, giving the Customer the opportunity to object on reasonable data protection grounds within 14 days of notice. If the Customer objects and the parties cannot reach a resolution, the Customer may terminate the affected part of the Service in accordance with the Agreement.

7. Data Subject Rights

7.1 Taking into account the nature of the processing, Zigaflow shall, by appropriate technical and organisational measures and insofar as is reasonably possible, assist the Customer in responding to requests from Data Subjects exercising their rights under the Data Protection Legislation.

7.2 If Zigaflow receives a request from a Data Subject in relation to Customer Personal Data, it shall, where legally permitted, direct the Data Subject to the Customer and shall not respond to the request itself except on the documented instructions of the Customer.

8. Assistance to the Customer

Taking into account the nature of the processing and the information available to it, Zigaflow shall assist the Customer in ensuring compliance with its obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with the Supervisory Authority.

9. Personal Data Breach

9.1 Zigaflow shall notify the Customer without undue delay, and in any event no later than 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 The notification shall, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

9.3 Zigaflow shall reasonably cooperate with the Customer in investigating and mitigating the breach. Zigaflow's notification of a breach is not an acknowledgement of fault or liability.

10. International Transfers

10.1 Zigaflow shall not make a Restricted Transfer of Customer Personal Data without ensuring that an appropriate UK Transfer Mechanism, or another lawful basis for the transfer, is in place.

10.2 Where Customer Personal Data is processed by a Sub-processor outside the United Kingdom, the relevant transfer mechanism is identified in Annex 3.

10.3 The Customer authorises the transfers described in Annex 3 and any further transfers made in accordance with this clause 10.

11. Return and Deletion

11.1 On termination or expiry of the Agreement, Zigaflow shall, at the Customer's choice, delete or return all Customer Personal Data and delete existing copies, unless storage is required by law.

11.2 Zigaflow shall complete deletion within 90 days of termination, subject to any data retained in routine backups, which shall be deleted in accordance with Zigaflow's backup cycle and protected from active processing in the meantime.

12. Audit and Records

12.1 Zigaflow shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Addendum and with Article 28 of the UK GDPR.

12.2 Zigaflow shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, no more than once in any 12-month period (save where required by a Supervisory Authority or following a Personal Data Breach), on reasonable prior written notice, during business hours, and subject to confidentiality undertakings. Zigaflow may satisfy an audit request by providing relevant third-party certifications or audit reports where these reasonably address the Customer's request.

13. Liability

The liability of each party under or in connection with this Addendum is subject to the limitations and exclusions of liability set out in the Agreement.

14. Term and Precedence

14.1 This Addendum takes effect on the Effective Date of the Agreement and continues for as long as Zigaflow processes Customer Personal Data on behalf of the Customer.

14.2 This Addendum is governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, consistent with the Agreement.

Annex 1 - Details of Processing

Data Exporter / Controller: the Customer, as identified in the Order Form.

Data Importer / Processor: Zigaflow Ltd, a company incorporated in England and Wales (registered number 03888530), registered address 2A Charing Cross Road, London WC2H 0HF. ICO registration ZA262432.

Subject matter of processing: provision of the Service to the Customer under the Agreement.

Duration of processing: for the duration of the Subscription Term and until deletion or return of Customer Personal Data in accordance with clause 11.

Nature and purpose of processing: hosting, storage, organisation, retrieval, structuring, transmission, and otherwise processing of Customer Data as necessary to provide the business management and automation functionality of the Service, including any features that use automated or AI-assisted processing.

Types of Personal Data: as determined by the Customer through its use of the Service. These typically include identification and contact details (names, email addresses, telephone numbers, job titles); business and organisation details; account and authentication data of Authorised Users; and Personal Data contained within records the Customer chooses to store, such as leads, contacts, customers, suppliers, quotes, orders, invoices, and related correspondence.

Categories of Data Subjects: as determined by the Customer through its use of the Service. These typically include the Customer's Authorised Users and staff; the Customer's clients, customers, leads, and prospects; the Customer's suppliers and their personnel; and any other individuals whose Personal Data the Customer chooses to input into the Service.

Special category data: the Service is not intended for the processing of special category Personal Data, and the Customer should not input such data unless expressly agreed in writing with Zigaflow.

Annex 2 - Technical and Organisational Measures

Zigaflow implements and maintains technical and organisational measures appropriate to the risk, in accordance with Article 32 of the UK GDPR. These include measures designed to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; to restore availability and access to Personal Data in a timely manner following an incident; and to regularly test and evaluate the effectiveness of those measures.

A summary of the technical and organisational measures in place at any given time is available to the Customer on request.

Annex 3 - Sub-processors

Zigaflow engages Sub-processors to process Customer Personal Data in connection with the Service. A current list of Sub-processors, including each Sub-processor's purpose and location, is available to the Customer on request. Zigaflow will give the Customer notice of any intended addition or replacement of a Sub-processor in accordance with clause 6.4, allowing the Customer to object on reasonable data protection grounds.

Note on customer-enabled integrations: where the Customer connects a third-party integration to the Service (for example accounting, payments, eCommerce, or email providers under clause 12 of the Agreement), that third party processes the Customer's data under the Customer's own arrangement with that provider, and is not a Zigaflow Sub-processor for the purposes of this Addendum. The Customer is responsible for the data protection terms governing any integration it enables.