3.1 Compliance with Applicable Law
Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
3.2 Authority to process Customer Data
Each Party acknowledges and agrees that Zenwork has the sole and exclusive authority to determine the purposes for and means of Processing Customer Data under this Agreement, and that Zenwork is acting solely as a Service Provider with respect to this Customer Data. Zenwork has implemented and will maintain the technical and organizational measures as described in the Data Security Measures. Detailed controls can be reviewed in the current Zenwork SOC 2 Type 2 Audit report.
3.3 Disclosure of and Access to Personal Data; No Sales of Customer Data
Zenwork will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Zenwork a demand for Customer Data, Zenwork will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Zenwork may provide Customer’s basic contact information to the governmental body.
If compelled to disclose Customer Data to a governmental body, then Zenwork will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zenwork is legally prohibited from doing so. Zenwork restricts its personnel from processing Customer Data without authorization by Zenwork as described in the Data Security Measures. Zenwork imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
3.4 Information Security and Incident Response
3.4.1 Zenwork will implement and maintain a comprehensive written information security program that complies with Applicable Law, including the Data Security Measures, to protect Customer Data Processed under this Agreement from loss; theft; misuse; unauthorized access, disclosure, or acquisition; destruction or other compromise.
3.4.2 Zenwork will (a) notify Customer of a security incident involving the loss of or unauthorized access to Customer Data (“Security Incident”) without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
3.4.3 Zenwork’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Zenwork of any fault or liability of Zenwork with respect to the Security Incident.
3.5 Zenwork Audits and Penetration Testing
3.5.3 Zenwork Audits. Zenwork uses external auditors to verify the adequacy of its security measures. Since our applications and customer data are hosted on AWS infrastructure, we review independent audit reports of AWS at least annually and include all AWS security controls relevant to Zenwork in our SOC audit reports for informational purposes. Zenwork SOC Audits and web application penetration tests are performed at least annually by a group of independent and qualified professionals.
3.5.4 Audit Reports. In addition to the information contained in this DPA, upon Customer’s written request, Zenwork will make available the following documents and information: (i) SOC 1 Type 2 Report; (ii) SOC 2 Type 2 Report; (iii) Third Party penetration testing report.
3.5.5 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Zenwork, Zenwork will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Zenwork makes available under this Section.
3.6 Data Destruction
Promptly upon the expiration or earlier termination of this Agreement, or any earlier time that Customer requests, Zenwork will securely Delete or, at Customer’s option, return all Personal Data to Customer, and securely Delete any existing copies of the Personal Data, unless further storage of the Personal Data is required by Applicable Law, in which case Zenwork: (i) will continue to ensure the privacy, security and confidentiality of the Personal Data; (ii) will not Process the Personal Data further except to maintain it for 3 years and securely store it for at least one year in archive; (iii) will continue to comply with its obligations under this Agreement; and (iv) will securely Delete the Personal Data immediately after Zenwork’s duty under Applicable Law to retain it expires.