Data Agreement
Mutual responsibilities.
This Data Processing Addendum ("DPA") supplements and forms part of the Zerka Terms of Service ("Agreement") between Holmes Ayala, a sole proprietor doing business as Zerka ("Company" or "Processor"), and the user or customer ("Customer" or "Controller") utilizing the Zerka Service.
This DPA reflects the parties' agreement with regard to the Processing of Personal Data (as defined below) in accordance with applicable Data Protection Laws, including the GDPR and CCPA.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any binding regulations promulgated thereunder.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purpose of this DPA, the Customer is the Controller.
- "Data Protection Laws" means all applicable worldwide privacy and data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the CCPA.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Company on behalf of the Customer in the course of providing the Service (e.g., individuals captured in screen recordings or screenshots uploaded to the Company's cloud servers).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For the purpose of this DPA, the Company is the Processor.
- "Sub-processor" means any third-party Processor engaged by the Company to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.
2. Processing of Personal Data
2.1 Role of the Parties
The parties acknowledge and agree that the application of this DPA depends on the Customer's use case:
- Business / Commercial Use: Where the Customer uses the Service for business, professional, or commercial purposes, the Customer is the Controller, and the Company is the Processor. The Company will Process Personal Data strictly in accordance with the Customer's documented instructions.
- Personal Use: Where the Customer uses the Service exclusively for personal, family, or household purposes, the Company acts as the Data Controller under applicable Data Protection Laws, and this specific DPA does not apply. Instead, the processing of Personal Data is governed exclusively by the Zerka Privacy Policy.
2.2 Processing Instructions
The Agreement, this DPA, and the Customer's configuration and use of the Service (e.g., taking screenshots, recording screens, uploading to the cloud) constitute the Customer's complete and final documented instructions to the Company.
2.3 Customer Obligations
Customer warrants that it has all necessary rights, consents, and lawful bases to collect, record, and provide the Personal Data to the Company for Processing. Customer is solely responsible for ensuring that its use of the Service (including the capturing of third-party screens, audio, or video) complies with all applicable laws, including securing consent for recording where required.
3. Confidentiality
The Company shall ensure that its personnel, including employees and contractors, authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security Measures
4.1 Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, the Company shall implement and maintain appropriate industry-standard technical and organizational measures to ensure a level of security appropriate to the risk.
4.2 Specific Security Safeguards
These measures shall include, but are not limited to:
- Encryption of Personal Data at rest and in transit.
- Leveraging enterprise-grade security, DDoS protection, and DNS management via Cloudflare.
- Secure authentication and access controls via Auth0.
4.3 Customer Environment Exclusions
The Company's security obligations apply strictly to the cloud infrastructure controlled by the Company. The Company is not responsible for the security of the Customer's local environment, local devices, or local files, nor for vulnerabilities arising from malicious software residing on the Customer's hardware.
5. Sub-processors
5.1 General Authorization
Customer provides general authorization for the Company to engage Sub-processors to Process Personal Data on Customer's behalf. Customer acknowledges and approves the current Sub-processors used to provide the Service: Auth0 (Authentication), Contabo (Cloud Servers), and Cloudflare (Storage and Security).
5.2 Flow-down Obligations
The Company shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. The Company remains fully liable to the Customer for the performance of the Sub-processor's obligations.
5.3 Notice of New Sub-processors
The Company shall provide notice to the Customer (via email or in-app notification) of any intended addition or replacement of Sub-processors at least fourteen (14) days prior to the change. Customer may object to the new Sub-processor on reasonable data protection grounds within ten (10) days of receiving notice. If the parties cannot resolve the objection, Customer's sole remedy is to terminate the Agreement.
6. Data Subject Rights
The Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws (such as access, rectification, or erasure). The Company shall not respond to such requests independently, except to redirect the Data Subject to the Customer. The Company shall provide Customer with commercially reasonable assistance, utilizing appropriate technical and organizational measures, to enable Customer to fulfill its obligations to respond to such requests.
7. Personal Data Breach Notification
Upon becoming aware of a Personal Data Breach affecting Customer's Personal Data, the Company shall notify the Customer without undue delay, and in any event within forty-eight (48) hours. The Company shall provide Customer with information reasonably necessary to allow Customer to meet any obligations to report the Personal Data Breach to regulatory authorities or Data Subjects.
8. Deletion and Return of Personal Data
Upon termination or expiration of the Customer's subscription, the Company shall securely delete all Personal Data (including uploaded cloud files) in accordance with the grace periods defined in the Agreement:
- Trial Plans: Deleted five (5) days after expiration.
- Pro Plans: Deleted fifteen (15) days after expiration.
Exception: The Company shall retain a secure record of the Customer's email address strictly for the legitimate business purpose of preventing fraud and abuse of the free Trial Plan. This retention is necessary to protect the integrity of the Service's commercial offerings.
9. Audit Rights
Upon Customer's written request, the Company shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer's audit rights shall be fulfilled primarily through the provision of existing security documentation, certifications, or audit reports from the Company or its Sub-processors (e.g., Cloudflare/Auth0 compliance summaries). If a physical audit is mandated by Data Protection Laws, it shall be conducted at the Customer's sole expense, during normal business hours, and subject to strict confidentiality agreements.
10. International Data Transfers (Standard Contractual Clauses)
The Company's infrastructure is primarily located in the United States (Contabo US-East, Cloudflare ENAM). If the Customer is located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the transfer of Personal Data to the Company constitutes a restricted transfer.
To the extent that Data Protection Laws require a valid transfer mechanism, the parties agree that the Standard Contractual Clauses (SCCs) adopted by the European Commission (Module Two: Controller to Processor), along with the UK Addendum (where applicable), shall be incorporated by reference into this DPA and deemed executed between the parties, with the following details:
- Data Exporter: The Customer (Controller).
- Data Importer: Holmes Ayala d/b/a Zerka (Processor).
- Governing Law for SCCs: The laws of the EU Member State in which the Data Exporter is established. If none, the laws of the Republic of Ireland.
- Annex I (Processing Details): The Processing involves screen captures, video recordings, and associated media uploaded by the Customer.
- Annex II (Security Measures): Described in Section 4 of this DPA.
11. Limitation of Liability
Each party's and all of its affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions set forth in the main Agreement (Terms of Service).