GDPR / Data Processing Agreement (DPA)

1. Purpose

This Data Processing Agreement (“DPA”) outlines how Zebotix, acting as a data processor, handles personal data on behalf of the Client (data controller) in compliance with the EU General Data Protection Regulation (GDPR).

2. Data Processing Scope

Data types: Client names, email addresses, usage data, website content, and any other personal data provided in the course of the Services.

Purpose: Processing is carried out to provide digital, design, and development services as described in the applicable contract or SOW.

Duration: Personal data will be processed for the term of the engagement and until termination or until a lawful deletion request is fulfilled, subject to any legal retention obligations.

3. Processor Responsibilities

Zebotix will:

• Process personal data only under the Client’s documented instructions.
• Maintain appropriate technical and organizational security measures to protect personal data.
• Ensure confidentiality and restrict access to authorised personnel only.
• Assist the Client with data subject requests and compliance obligations where reasonable and feasible.
• Notify the Client of any personal data breach affecting the Client's data within 72 hours of discovery.

4. Sub-processors

Zebotix may engage trusted sub-processors (for example, hosting providers, email services, or cloud storage vendors) to assist in providing services. Zebotix will ensure that any sub-processor is bound by obligations at least as protective as those in this DPA.

5. Data Transfers

If personal data is transferred outside the EU/EEA, Zebotix will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms to ensure an adequate level of protection for the data.

6. Termination

Upon termination of the contract, Zebotix will, at the Client's choice, return or securely delete all personal data processed on behalf of the Client, unless retention is required by law.