Data Processing

Last Updated on
2025 December 26

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) entered into between:

  • ZenWorkflow Ltd, a company incorporated under the laws of the Republic of Cyprus (“Processor”); and
  • The customer subscribing to ZenWorkflow services (“Controller”).

This DPA applies where the Processor processes Personal Data on behalf of the Controller under Regulation (EU) 2016/679 (“GDPR”).

1. Purpose and Scope

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of services through ZenWorkflow.io (the “Services”).

The Processor shall process Personal Data solely:

  • For the purpose of providing the Services
  • In accordance with the Agreement
  • On documented instructions from the Controller
  • In compliance with GDPR

2. Roles of the Parties

For the purposes of GDPR:

  • The Controller determines the purposes and means of processing Personal Data.
  • The Processor processes Personal Data on behalf of the Controller.

The Processor does not determine the purposes of processing Customer Data and does not act as a joint controller unless explicitly agreed in writing.

3. Description of Processing

3.1 Nature and Purpose of Processing

Processing activities may include:

  • Hosting and storing data within the Platform
  • Workflow and task management
  • Document storage and retrieval
  • User account management
  • Communication and collaboration tools
  • Technical support and system maintenance
  • Security monitoring and system logging

3.2 Duration

Processing shall continue for the duration of the Agreement unless otherwise required by law.

4. Categories of Data Subjects

Personal Data may relate to:

  • Employees, officers, and contractors of the Controller
  • Authorised Platform users
  • Clients, customers, suppliers, or counterparties recorded within the Platform
  • Other individuals whose data is uploaded by the Controller

5. Categories of Personal Data

Depending on usage, the Processor may process:

  • Identification data (name, surname)
  • Contact details (email, phone number, address)
  • Authentication credentials (hashed passwords)
  • Account metadata
  • Business documents uploaded by the Controller
  • Financial or transactional records
  • IP addresses and access logs
  • Technical usage data

The Processor does not intentionally process special categories of personal data (Article 9 GDPR) unless the Controller uploads such data into the Platform.

The Controller is solely responsible for determining the lawfulness of any special category data processed within the Platform.

6. Processor Obligations

The Processor shall:

  1. Process only on documented instructions from the Controller unless required by EU or Member State law.
  2. Ensure that personnel authorised to process Personal Data are subject to confidentiality obligations.
  3. Implement appropriate technical and organisational measures in accordance with Article 32 GDPR.
  4. Assist the Controller in responding to:

    • Data subject access requests
    • Rectification, erasure, restriction, and portability requests
  1. Assist the Controller in ensuring compliance with:

    • Data breach notification obligations
    • Data protection impact assessments (DPIAs)
    • Prior consultations with supervisory authorities
  1. Notify the Controller without undue delay after becoming aware of a Personal Data breach.
  2. Delete or return Personal Data upon termination of the Agreement unless legally required to retain it.

7. Security Measures

The Processor maintains appropriate safeguards, including but not limited to:

  • Encrypted data transmission (TLS/SSL)
  • Role-based access control
  • Authentication and session management
  • Infrastructure security monitoring
  • Regular system updates and patch management
  • Data isolation within cloud infrastructure

Security measures are reviewed periodically to ensure continued effectiveness.

8. Sub-Processors

8.1 General Authorisation

The Controller provides general authorisation for the Processor to engage sub-processors strictly for the purpose of delivering the Services.

8.2 Obligations

The Processor shall:

  • Enter into written agreements with sub-processors
  • Impose data protection obligations equivalent to those in this DPA
  • Remain fully liable for the performance of its sub-processors

An up-to-date list of sub-processors is available upon request.

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy Decisions
  • Other lawful transfer mechanisms under GDPR

10. Audit Rights

The Processor shall make available information necessary to demonstrate compliance with this DPA.

Where reasonably required, the Controller may conduct an audit:

  • With reasonable prior notice
  • During normal business hours
  • Subject to confidentiality obligations
  • Not more than once annually (unless required by law or following a breach)

Audits must not disrupt business operations or compromise other customers’ security.

11. Data Breach Notification

In the event of a Personal Data breach affecting Controller Data, the Processor shall:

  • Notify the Controller without undue delay
  • Provide relevant information necessary for compliance with Article 33 and 34 GDPR
  • Cooperate in mitigation efforts

12. Liability

Each party shall be liable for damages arising from its own breach of GDPR obligations.

Nothing in this DPA limits liability where such limitation is prohibited under applicable law.

13. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the Republic of Cyprus.

Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Cyprus.

14. Contact

For data protection inquiries:

ZenWorkflow Ltd

📧 support@zenworkflow.io

🌐 www.zenworkflow.io