DATA PROCESSING AGREEMENT

concluded between

Customer (hereinafter referred to as: "Controller")

and

Zowie (hereinafter referred to as: "Processor")

hereinafter jointly referred to as "Parties"

  1. this agreement (hereinafter: "DPA") is an integral part of Agreement;
  2. DPA specifies the rules for the processing of personal data of people using Zowie's Subscription Services (Services) and for whom the Controller acts as the controller of the personal data;
  3. Zowie is an entity that processes personal data of those people collected as part of the provision of Services on behalf of the Controller;
  4. DPA regulates the principles of processing personal data by Zowie on behalf of the Customer in such a way that they comply with the provisions of the data protection laws, including GDPR (that is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data – General Data Protection Regulation);
  5. terms used in DPA, which are capitalized and are not defined in DPA, have the meaning specified in the Agreement.

1. General Provisions

  1. Controller entrusts Processor with the processing of personal data described in Agreement, on the terms and for the purpose specified in the DPA and Agreement.
  2. The processing of personal data is entrusted to the Processor for the duration of the Agreement and for the additional period referred to in section 3.
  3. In the event of termination of the Agreement, DPA remains in force and expires after the data collected by Processor regarding the use of the Services (Customer Materials) is deleted, on the terms described in the Agreement.
  4. Processor processes personal data only in accordance with the Controller's documented instructions. DPA and its annexes constitute such documented processing instructions.
  5. To ensure compliance with the requirements of GDPR, Processor participates in the EU-U.S. Data Privacy Framework (DPF), the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF. Processor adheres to the DPF Principles concerning the transfer of personal data from the European Economic Area (EEA), Switzerland, and UK to the United States under the DPF. Participation in the DPF results in the provision of an adequate level of protection of personal data.

2. Nature and Purpose of Processing

  1. Nature and purpose of the processing result from Agreement, including in particular:
    1. nature of processing results from Processor's obligations specified in Agreement, i.e. the provision of Services;
    2. purpose of processing is to enable Controller to use the Services.
  2. Processor is not authorized to process personal data for any other purposes.

3. Type of Data and Categories of Persons

  1. The entrusting of processing applies to all personal data collected from individuals in connection with their use of the Services. Such data may include, in particular, name and surname, email address, and image.
  2. The personal data referred to in section 1 concern individuals who communicate with the Authorized Users via the Services.

4. Rights and Obligations of Processor

  1. Processor undertakes to implement DPA with the utmost care and in accordance with the data protection laws binding the Parties.
  2. Processor:
    1. declares that he does transfer data to a third country outside the EEA, as Processor is an entity based in the United States of America;
    2. may use IT service providers based outside the EEA, or based in the EEA but processing data outside the EEA, which Processor uses when providing Services; Processor uses only entities based in countries for which the European Commission has stated that they provide an adequate level of protection or entities processing personal data on the basis of Standard Contractual Clauses adopted by the European Commission, referred to in art. 46 of the GDPR, concluded between Processor and this entity, or that process data on the basis of the Data Privacy Framework;
    3. confirms that, apart from the cases indicated in points 1) and 2), the transfer of the entrusted data to a third country (within the meaning of GDPR) may take place when such an obligation is imposed on Processor by applicable law; in this case, before the processing begins, Processor informs Controller of this legal obligation, unless the law prohibits the provision of such information due to important public interest;
    4. ensures that persons authorized to process personal data in connection with the implementation of DPA shall be obliged to maintain confidentiality;
    5. ensures that measures are taken regarding the security of personal data processing required under art. 32 of GDPR, in particular the measures described in Agreement;
    6. complies with the terms of use of the services of further Processors ("Subprocessors") specified in the DPA.
  3. If Processor has doubts as to the legality of the instruction given to him by Controller, then Processor shall immediately inform Controller about the doubts raised.
  4. Processor undertakes to inform Controller about whether he keeps a record of all categories of processing activities carried out on behalf of the Controller, referred to in art. 30 section 2 GDPR.

5. Controller’s Rights and Obligations

  1. Controller declares that he is the controller of personal data entrusted under Agreement and that he is entitled to process them to the extent and for the purposes for which he entrusts processing to the Processor.
  2. Controller undertakes to cooperate with Processor to the extent that it is necessary for the implementation of DPA and compliance with the provisions of the GDPR.
  3. In the event that Processor raises doubts to Controller as to the legality of the instruction given to him by Controller, Controller shall provide Processor with appropriate explanations.

6. Controller and Processor’s Cooperation

  1. Controller and Processor cooperate to the extent that it is necessary to comply with the provisions of the GDPR.
  2. Processor helps Controller, through appropriate technical and organizational measures, in fulfilment of the obligation to respond to the requests of the data subject in the exercise of his rights set out in Chapter III of the GDPR.
  3. Processor helps Controller in fulfilment of the obligations specified in art. 32-36 of GDPR regarding the security of personal data.
  4. Processor provides Controller with all information necessary to demonstrate compliance with the obligations set out in the DPA and art. 28 of GDPR.

7. Subprocessing

  1. Controller gives Processor general consent to entrust further processing of the personal data covered by the Agreement to Subprocessors in the scope of specific operations.
  2. The list of current Subprocessors used by the Processor constitutes an appendix to this DPA.
  3. Subprocessing may not cover the entire processing resulting from the DPA and Agreement.
  4. Processor informs Controller of any intended changes regarding the addition or replacement of other processors, thus giving Controller the opportunity to object to such changes – Controller shall receive prior notice of Subprocessor changes 7 days in advance (the conclusion of an annex to the DPA is not required).

8. Data Security

  1. Processor declares that the processing of the entrusted data takes place in accordance with appropriate technical and organizational measures, in particular those indicated in art. 32 of GDPR.
  2. Processor, taking into account the nature, scope, context, purposes of processing and the risk of violation of the rights or freedoms of data subjects, has implemented the necessary measures to ensure the security of personal data being processed.
  3. Processor ensures that the level of security is appropriate and takes into account, in particular, the risk associated with the processing, including the risk resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

9. Procedure in the Event of Breach

  1. In the event of a breach of personal data protection, Processor shall notify Controller without undue delay that there has been a breach.
  2. Along with the notification, Processor shall provide Controller with an explanation of the breach and all necessary documentation regarding the breach in order to enable the Controller to fulfill the obligation to notify the breach to the supervisory authority.
  3. Processor enables Controller to participate in activities explaining the circumstances and scope of the breach.

10. Liability of Parties

Processor is liable for damage caused by processing only if he has not fulfilled the obligations that the data protection laws impose directly on Processor or if he acted outside Controller's lawful instructions or against these instructions.

11. Data Deletion

After the end of the Agreement, Processor deletes personal data in accordance with the provisions of the Agreement (Section regarding Customer Materials Deletion) and deletes all existing copies thereof, unless the provisions of generally applicable law require continued storage of personal data.

Appendix:

List of the Subprocessors.

| Subprocessor data | Purpose of entrustment | Is it a required subprocessor? |
|---|---|---|
| Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) | Hosting, Backups, LLM provider, TTS, ASR | Required |
| AWS (Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA) | Hosting, Backups, LLM provider | Required |
| Cloudflare (Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA) | Content Delivery Network, DDoS Protection | Required |
| Zowie Europe (Zowie Europe sp. z o.o.) Marszałkowska 107, 00-110 Warszawa, Poland | Provision of customer service, helpdesk, actions allowing product development and hosting | Required regarding customer service, helpdesk, actions allowing product development and optional regarding hosting |
| OpenAI (OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland) | Selected LLM provider or fallback to default Google | Optional |
| Livekit (Livekit Inc., 4285 Payne Avenue #9154, San Jose, CA 95157, USA) | Only for AI Agent for Voice if Voice Activity Detection is enabled | Optional |
| ElevenLabs (Eleven Labs Inc. 169 Madison Ave #2484, New York, NY 10016, USA) | Only for AI Agent for Voice if ElevenLabs is selected as TTS provider | Optional |
| Anthropic (Anthropic Ireland, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland) | Selected LLM provider or fallback to default Google | Optional |
| AssemblyAI (Assembly AI Inc., 2261 Market Street #4577, San Francisco, California 94114, USA) | Only for AI Agent for Voice if Assembly is selected as TTS | Optional |
| Azure (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) | Only for AI Agent for Voice if Azure is selected as TTS | Optional |
| Sendgrid (Twilio Inc., 101 Spear Street, 5th Floor, San Francisco CA 94105, USA) | Required if Zowie needs to send emails from its own SMTP server (not applicable for mailboxes connected to Zowie Inbox via IMAP/oAuth) | Optional |
| Twilio (Twilio Inc., 101 Spear Street, 5th Floor, San Francisco CA 94105, USA) | Required if Zowie needs to provide phone numbers. Required if Zowie needs to send text messages (SMS) | Optional |
| 360Dialog (360dialog GmbH, Torstraße 61, 10119 Berlin, Germany) | Required if WhatsApp channel is used | Optional |
| Clickhouse (ClickHouse Inc., 601 Marshall St, Redwood City, CA 94063, USA) | Only if Analytics 2.0 (Early Access Program) are enabled | Optional |