Data Processing
1. Purpose of This Document
This Data Processing Agreement (“DPA”) forms part of the contractual framework between ZenWorkflow Ltd (the “Processor”) and the customer using ZenWorkflow services (the “Controller”).
It governs the processing of personal data carried out by the Processor on behalf of the Controller in accordance with Regulation (EU) 2016/679 (GDPR).
2. Roles of the Parties
- Controller: The customer who determines the purposes and means of processing personal data.
- Processor: ZenWorkflow Ltd, which processes personal data solely on documented instructions from the Controller.
ZenWorkflow does not determine how or why customer data is processed.
3. Scope of Processing
The Processor processes personal data only to the extent necessary to provide the services offered through ZenWorkflow.io, including but not limited to:
- User account management
- Workflow, task, and document management
- Communication and collaboration features
- Technical support and system maintenance
Processing is limited to the duration of the contractual relationship unless otherwise required by law.
4. Categories of Data Subjects
Personal data may relate to:
- Employees, contractors, or representatives of the Controller
- End users authorised by the Controller
- Clients or counterparties recorded by the Controller within the platform
5. Categories of Personal Data
Depending on usage, the Processor may process:
- Identification data (e.g. name, email address)
- Contact details
- User credentials and access logs
- Business-related data uploaded by the Controller
- Technical data (IP address, timestamps, device identifiers)
The Processor does not intentionally process special categories of personal data unless explicitly instructed by the Controller.
6. Processor Obligations
ZenWorkflow Ltd shall:
- Process personal data only on documented instructions from the Controller
- Ensure all authorised personnel are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject requests
- Notify the Controller without undue delay in the event of a personal data breach
- Delete or return personal data upon termination of services, unless retention is required by law
7. Sub-Processors
The Controller authorises the use of sub-processors strictly for service provision purposes (e.g. hosting, infrastructure, email delivery).
ZenWorkflow ensures that all sub-processors:
- Are subject to equivalent data protection obligations
- Comply with GDPR requirements
An up-to-date list of sub-processors is available upon request.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), such transfers are safeguarded by:
- EU Standard Contractual Clauses (SCCs), or
- Other lawful transfer mechanisms recognised under GDPR
9. Audits and Compliance
The Controller may request reasonable information to verify compliance with this DPA.
Audits, where applicable, shall be subject to confidentiality and reasonable notice.
10. Liability
Each party shall be liable for damages arising from its own breach of GDPR obligations in accordance with applicable law and contractual terms.
11. Governing Law
This DPA is governed by the laws of the Republic of Cyprus, and any disputes shall be subject to the exclusive jurisdiction of the Cyprus courts.
12. Contact
For data protection-related inquiries:
🌐 www.zenworkflow.io