July 2024
This Data Processing Addendum (“DPA”) supplements and forms part of the agreement (the “Agreement”) entered into between an individual business subscriber or organization (the “Organization”) and ZeroTier in relation to the transfer and processing of Covered Data in connection with the performance of the Agreement.
1.1 Capitalized terms used but not defined within this DPA will have the meaning set forth in the Agreement. The following capitalized terms used in this DPA will be defined as follows:
“Administration Data” means
(a) contact details relating to, and the content of correspondence with the Organization’s main account holder or administrator; and
(b) support enquiries submitted by the Organization’s authorized users in relation to the Service.
“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR, Swiss Data Protection Laws and the US Data Protection Laws.
“Authorized Sub-Processor” means the Sub-Processors listed in Schedule 4, and any other Sub-Processors appointed in accordance with paragraph 7.4.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.
“Controller Purposes” means: (a) undertaking internal research and development to develop, test, improve and alter the functionality of ZeroTier’s products and services; (b) creating anonymized datasets for training or evaluation of ZeroTier’s products and services; and (c) administering ZeroTier’s relationship with the Organization under the Agreement.
“Covered Data” means Personal Data that is: (a) provided by or on behalf of the Organization to ZeroTier in connection with the provision of the Service; or (b) obtained, developed, produced or otherwise Processed by ZeroTier, or its agents or subcontractors, for the purposes of providing the Service, in each case as further described in Schedule 1.
“Customers” means customers of the Organization.
“Data Subject” means a natural person whose Personal Data is Processed.
“De-identified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR”, as defined in section 3(10) of the Data Protection Act 2018.
“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data”, “personal information”, “personally identifiable information”, or similarly defined data or information under Applicable Data Protection Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 and available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
“Sub-Processor” means a processor engaged by another processor to carry out the instructions of the controller.
“Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”) and the Swiss Data Protection Ordinance of 31 August 2022 (the “Ordinance”), and any new or revised version of these laws that may enter into force from time to time.
“US Data Protection Laws” means all applicable federal and state laws, rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., and Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).
“Usage Data” means diagnostic, usage and performance information collected by ZeroTier in relation to the Organization’s and its authorized users’ use of the Service, including information collected through any Telemetry Node(s) installed in accordance with the Agreement.
1.2 The terms “controller“, “processor“, “business” and “service provider” have the meanings given to them in the Applicable Data Protection Laws.
2.1 This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
3.1 The Parties acknowledge and agree that:
(a) save as set out in paragraph 3.1(b), ZeroTier Processes Covered Data as a processor, Sub-processor or service provider in the performance of its obligations under the Agreement and this DPA and Organization acts as a controller, processor or business; and
(b) for the purposes of the GDPR, ZeroTier acts as a controller with respect to the Processing of Usage Data and Administration Data for the Controller Purposes.
4.1 The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
4.2 ZeroTier shall comply with its obligations under and provide the same level of privacy protection as is required by Applicable Data Protection Laws.
4.3 Other than in respect of its Processing of Usage Data and Administration Data for the Controller Purposes:
(a) ZeroTier will only Process Covered Data under the instructions provided by the Organization and in accordance with Applicable Data Protection Laws; and
(b) the Agreement and this DPA shall constitute the instructions to ZeroTier for the Processing of Covered Data by ZeroTier, and the Organization may issue further written instructions in accordance with this DPA.
4.4 Without limiting the foregoing paragraph 4.3, ZeroTier is prohibited from:
(a) selling Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
(b) sharing Covered Data with any third party for cross-context behavioral advertising;
(c) retaining, using, or disclosing Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
(d) retaining, using, or disclosing Covered Data outside of the direct business relationship between the Parties; and
(e) except as otherwise permitted by Applicable Data Protection Laws, combining Covered Data with Personal Data that ZeroTier receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
4.5 ZeroTier will:
(a) provide the Organization with information to enable the Organization or (where applicable) its Customers to conduct and document any data protection impact assessments and prior consultations with supervisory authorities required under Applicable Data Protection Laws; and
(b) promptly inform the Organization if, in its opinion, an instruction from the Organization infringes Applicable Data Protection Laws.
5.1 The Organization shall comply with its obligations under Applicable Data Protection Laws and shall ensure that:
(a) any instructions to ZeroTier in relation to the Processing of Covered Data comply with Applicable Data Protection Laws;
(b) it provides (or procures that its Customer provides) such information to Data Subjects regarding: (i) the Processing of Covered Data by ZeroTier; and (ii) the Processing of Usage Data for the Controller Purposes, in each case as required under Applicable Data Protection Laws;
(c) it obtains (or procures that its Customer obtains) any consents from Data Subjects required for the lawful Processing of (i) the Covered Data by ZeroTier; and (ii) the Usage Data for the Controller Purposes, in each case as required under Applicable Data Protection Laws; and
(d) it promptly notifies ZeroTier of any request received from a Data Subject to exercise their rights under Applicable Data Protection Laws in respect of Usage Data or Administration Data.
6.1 ZeroTier shall:
(a) limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
(b) ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
7.1 ZeroTier may Process Covered Data anywhere that ZeroTier or its sub-processors maintain facilities, subject to the remainder of this paragraph 7.
7.2 The Organization grants ZeroTier general authorization to engage any Authorized Sub-processor to Process Covered Data.
7.3 ZeroTier shall:
(a) enter into a written agreement with each Authorized Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than ZeroTier’s obligations under this DPA; and
(b) remain liable for each Authorized Sub-processor’s compliance with the obligations under this DPA.
7.4 ZeroTier will provide the Organization with at least fourteen (14) days’ notice of any proposed changes to the Authorized Sub-processors. The Organization shall notify ZeroTier if it objects to the proposed change to the Authorized Sub-processors (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing ZeroTier with written notice of the objection within seven (7) days after ZeroTier has provided notice to the Organization of such proposed change (an “Objection”).
7.5 In the event the Organization submits an Objection, ZeroTier and the Organization shall work together in good faith to find a mutually acceptable resolution to address such Objection. If ZeroTier and the Organization are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days, ZeroTier may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to the Organization.
8.1 ZeroTier will notify the Organization without undue delay of any request received by ZeroTier or any Authorized Sub-processor from a Data Subject to assert their rights under Applicable Data Protection Laws in relation to Covered Data Processed by ZeroTier as a processor or Sub-processor (a “Data Subject Request”).
8.2 Other than in respect of ZeroTier’s Processing of Usage Data and Administration Data for the Controller Purposes, as between ZeroTier and the Organization, the Organization will have sole discretion in responding to the Data Subject Request. ZeroTier shall not respond to the Data Subject Request without the Organization’s prior consent, save that ZeroTier may advise the Data Subject that their request has been forwarded to the Organization.
8.3 ZeroTier will provide the Organization (and, where applicable, the Customer) with reasonable assistance as necessary for the Organization or the Customer (where applicable) to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests in respect of Covered Data.
9.1 ZeroTier will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
9.2 When assessing the appropriate level of security, ZeroTier shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
9.3 ZeroTier will implement and maintain as a minimum standard the measures set out in Schedule 2.
10.1 ZeroTier shall notify the Organization promptly if ZeroTier determines that it can no longer meet its obligations under Applicable Data Protection Laws.
10.2 The Organization may take reasonable and appropriate steps to:
(a) ensure that ZeroTier uses Covered Data in a manner consistent with the Organization’s obligations under Applicable Data Protection Laws; and
(b) upon reasonable notice, stop and remediate unauthorized use of Covered Data.
10.3 The Organization may audit ZeroTier’s compliance with this DPA in respect of its Processing of Covered Data. The Parties agree that all such audits will be conducted:
(a) not more than annually, unless more frequent audits are required by a supervisory authority with jurisdiction over the Processing of Covered Data or otherwise under Applicable Data Protection Laws;
(b) upon reasonable written notice to ZeroTier;
(c) only during ZeroTier’s normal business hours; and
(d) in a manner that does not materially disrupt ZeroTier’s business or operations.
10.4 With respect to any audits conducted in accordance with paragraph 10.3:
(a) the Organization may engage a third-party auditor to conduct the audit on its behalf, save that ZeroTier may reasonably object to the engagement of a third-party auditor if such third-party auditor is a competitor of ZeroTier; and
(b) ZeroTier shall not be required to facilitate any such audit unless and until the Parties have agreed in writing the scope and timing of such audit.
10.5 The Organization shall promptly notify ZeroTier of any non-compliance discovered during an audit.
10.6 The results of the audit shall be ZeroTier’s confidential information.
10.7 ZeroTier shall provide to the Organization upon request, or may provide to the Organization in response to any audit request submitted by the Organization to ZeroTier, either of the following:
(a) data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
(b) such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.
10.8 If an audit requested by the Organization is addressed in the documents or certification provided by ZeroTier in accordance with paragraph 10.7, and:
(a) the certification or documentation is dated within twelve (12) months of the Organization’s audit request; and
(b) ZeroTier confirms that there are no known material changes in the controls audited,
the Organization agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.
11.1 ZeroTier shall notify the Organization in writing without undue delay after becoming aware of any Security Incident.
11.2 ZeroTier shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send the Organization timely information about the Security Incident, to the extent known to ZeroTier or as the information becomes available to ZeroTier, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
11.3 ZeroTier shall provide reasonable assistance with the Organization’s (or, where applicable, its Customers’) investigation of any Security Incidents and any of the Organization’s (or, where applicable, its Customers’) obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
11.4 ZeroTier’s notification of or response to a Security Incident under this paragraph 11 shall not be construed as an acknowledgement by ZeroTier of any fault or liability with respect to the Security Incident.
12.1 This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, the later of (a) ZeroTier’s deletion of all Covered Data as described in this DPA; and (b) termination of ZeroTier’s Processing of Usage Data and Administration Data for the Controller Purposes.
12.2 ZeroTier shall:
(a) if requested to do so by the Organization (on behalf of its Customers, as appropriate) within sixty (60) days of expiry of the Agreement (the “Retention Period”), provide a copy of all Covered Data in such commonly used format as requested by the Organization, or provide a self-service functionality allowing the Organization to download such Covered Data; and
(b) on expiry of the Retention Period, delete all copies of Covered Data Processed by ZeroTier or any Authorized Sub-processors, save to the extent that ZeroTier is required by any applicable law to retain some or all of the Covered Data, and other than any Administration Data that ZeroTier Processes for the Controller Purposes.
13.1 The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to transfers of Covered Data from the Organization to ZeroTier, and form part of this DPA, to the extent that:
(a) the GDPR or Swiss Data Protection Laws apply to the Organization’s Processing of such Covered Data when making the transfer; or
(b) the Applicable Data Protection Laws that apply to the Organization when making that transfer (the “Exporter Data Protection Laws”) prohibit the transfer of Covered Data to ZeroTier under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
(i) the relevant authority with jurisdiction over the Organization’s transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws and established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
(ii) entering into standard contractual clauses approved by the European Commission would otherwise reasonably satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
(c) the transfer is an “onward transfer” (as defined in the applicable module of the SCCs).
13.2 The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.
14.1 If ZeroTier receives De-identified Data from or on behalf of the Organization, ZeroTier shall:
(a) take reasonable measures to ensure the information cannot be associated with a Data Subject;
(b) publicly commit to Process the De-identified Data solely in de-identified form and not to attempt to re-identify the information; and
(c) contractually obligate any recipients of the De-identified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
15.1 The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
15.2 The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.
| ORGANIZATION | ZEROTIER
ROLE | Data exporter (controller / processor) | Data importer (controller / processor)
CONTACT PERSON | The administrator of the Organization’s account as notified to ZeroTier | privacy@zerotier.com
ACTIVITIES RELEVANT TO THE TRANSFER | The performance of the Agreement
CATEGORIES OF DATA SUBJECTS |
CATEGORIES OF PERSONAL DATA | Authorized Users; End Users
SPECIAL CATEGORIES OF PERSONAL DATA | None
FREQUENCY OF THE TRANSFER | Continuous
NATURE OF THE PROCESSING | Collection, storage, deletion, rectification, analysis and aggregation
PURPOSES OF THE DATA TRANSFER AND FURTHER PROCESSING | The delivery of the Service, including:
RETENTION PERIOD | For the duration of the Agreement, unless earlier deletion is requested or communicated by the Organization
SUB-PROCESSORS | As set out in Schedule 4
The competent supervisory authority is Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
ZeroTier employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure or destruction.
ZeroTier assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
ZeroTier:
ZeroTier establishes and follows secure configurations for systems and software and ensures that security measures are considered during project initiation and the development of new IT systems.
ZeroTier has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated.
ZeroTier’s IT systems used to process personal data have appropriate data security software installed on them, including industry standard firewall, anti-virus, anti-malware, intrusion detection system and data loss prevention tools.
ZeroTier collects, maintains and reviews event logs to identify suspicious activity, and monitors all traffic leaving ZeroTier and unauthorized use of encryption.
ZeroTier limits access to personal data by implementing appropriate access controls, including:
ZeroTier has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated.
ZeroTier regularly backs up information on IT systems and keeps backups in separate locations. Backups of information are tested regularly.
ZeroTier:
ZeroTier:
ZeroTier encrypts data at rest using AES-256 and in transit using TLS 1.2 or higher.
Encryption keys are stored separately from the encrypted information.
Appropriate controls are implemented by ZeroTier to secure personal data during transmission or transit, including:
ZeroTier ensures that all virtual machines are hardened in accordance with the Center for Internet Security (CIS) Benchmarks.
ZeroTier maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.
ZeroTier:
ZeroTier stores all API keys securely, including as follows:
ZeroTier implements physical security measures to safeguard personal data. This may include:
ZeroTier’s agreements with staff and contractors and employee handbooks set out its personnel’s responsibilities in relation to information security.
ZeroTier carries out:
ZeroTier ensures that the information security responsibilities that apply immediately before, and those that continue to apply after, termination or change of employment are communicated and implemented.
Staff are subject to disciplinary measures for breaches of ZeroTier’s policies and procedures relating to data privacy and security.
ZeroTier assesses service providers’ ability to meet their security requirements before engaging them.
ZeroTier has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with ZeroTier’s instructions.
ZeroTier (as data importer) conducts audits of vendors (including Sub-processors) that have access to ZeroTier’s data by reviewing the vendors’ security accreditation reports (such as ISO 27001 or SOC 2).
ZeroTier has implemented appropriate policies and measures to identify and address data subject rights requests, including:
Concerning any transfers referred to in clause 13, the Standard Contractual Clauses shall be completed as follows:
1.1 Module One (controller to controller) of the SCCs will apply with respect to ZeroTier’s Processing of Covered Data for Controller Purposes; otherwise, Module Two (controller to processor), or as appropriate, Module Three (processor to processor) of the SCCs will apply to ZeroTier’s Processing of Covered Data.
1.2 Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
1.3 Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in clause 7.4 of the DPA.
1.4 The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
1.5 With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Dutch law.
1.6 In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Netherlands.
1.7 For the purposes of Annex I of the Standard Contractual Clauses, Schedule 1 of the DPA contains the specifications regarding the parties, the description of the transfer, and the competent supervisory authority.
1.8 For the purposes of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures.
2.1 This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from the Organization (as data exporter) to ZeroTier (as data importer), to the extent that:
(a) the UK Data Protection Laws apply to the Organization when making that transfer; or
(b) the transfer is an “onward transfer” as defined in the Approved Addendum.
2.2 As used in this paragraph 2:
“Approved Addendum” means the template addendum, version B.1.0, issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
“UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
2.3 The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.
2.4 The Approved Addendum shall be deemed completed as follows:
(a) the “Addendum EU SCCs” shall refer to the SCCs as they are incorporated into this DPA in accordance with paragraph 13 and this Schedule 3;
(b) Table 1 of the Approved Addendum shall be completed with the details in paragraph A of Schedule 1;
(c) the “Appendix Information” shall refer to the information set out in Schedule 1 and Schedule 2;
(d) for the purposes of Table 4 of the Approved Addendum, ZeroTier (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and
(e) Section 16 of the Approved Addendum does not apply.
3.1 This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.
3.2 INTERPRETATION OF THIS ADDENDUM
(a) Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
“Addendum” means this addendum to the Clauses;
“Clauses” means the Standard Contractual Clauses as incorporated into this DPA in accordance with paragraph 13 and as further specified in this Schedule 3; and
“FDPIC” means the Federal Data Protection and Information Commissioner.
(b) This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties’ obligations under Article 16(2)(d) of the FADP.
(c) This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
(d) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
(e) In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
(i) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
(ii) as standard data protection clauses approved, issued or recognised by the FDPIC for the purposes of Article 16(2)(d) of the FADP.
3.3 HIERARCHY
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
3.4 CHANGES TO THE CLAUSES FOR TRANSFERS EXCLUSIVELY SUBJECT TO SWISS DATA PROTECTION LAWS
To the extent that the data exporter’s Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” (as defined in the Clauses, as amended by the remainder of this paragraph 3.4), the following amendments are made to the Clauses:
(a) References to the “Clauses” or the “SCCs” mean this Swiss Addendum as it amends the SCCs.
(b) Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer.”
(c) References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws”, and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws, to the extent applicable.
(d) References to Regulation (EU) 2018/1725 are removed.
(e) References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
(f) Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the FDPIC;
(g) Clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland”.
(h) Clause 18 is replaced to state: “Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
3.5 SUPPLEMENTARY PROVISIONS FOR TRANSFERS OF PERSONAL DATA SUBJECT TO BOTH THE GDPR AND SWISS DATA PROTECTION LAWS
(a) To the extent that the data exporter’s Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” under both the Clauses and the Clauses as amended by paragraph 3.4 of this Addendum:
(i) for the purposes of Clause 13(a) and Part C of Annex I:
(A) the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer, or such transfer is an “onward transfer” as defined in the Clauses (as amended by paragraph 3.4 of this Addendum); and
(B) subject to the provisions of paragraph 2 of this Schedule 3 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter’s processing, or such transfer is an “onward transfer” as defined in the Clauses.
(b) the terms “European Union”, “Union”, “EU”, and “EU Member State” shall not be interpreted in a way that excludes the ability of Data Subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.
4.1 With respect to any transfers of Personal Data referred to in paragraph 13.1(b) (each a “Global Transfer“), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
4.2 For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:
(a) for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter’s Processing when making that transfer; and
(b) to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.
4.3 The amendments referred to in paragraph 4.2 include (without limitation) the following:
(a) references to the “GDPR” and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;
(b) references to the “Union”, “EU” and “EU Member State” are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the “Exporter Jurisdiction“);
(c) the “competent supervisory authority” shall be the applicable supervisory authority in the Exporter Jurisdiction; and
(d) Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.
4.4 Where, at any time during ZeroTier’s Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under the Exporter Data Protection Laws with respect to transfers of Covered Data by the Organization to ZeroTier, the Parties shall promptly enter into a supplementary agreement that:
(a) incorporates any standard data protection clauses or another transfer mechanism formally adopted by the relevant authority in the Exporter Jurisdiction;
(b) incorporates the details of Processing set out in Schedule 1; and
(c) shall, with respect to the transfer of Personal Data subject to the Exporter Data Protection Laws, take precedence over this DPA in the event of any conflict.
4.5 Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into in accordance with paragraph 4.4 with the relevant national authority.
| SUB-PROCESSOR | DESCRIPTION | ZEROTIER PRODUCT APPLICABILITY | LOCATION(S) |
|---|---|---|---|
| Active Campaign | Marketing automation platform. Customer relationship management. Information stored can include names, addresses, email addresses, IP addresses, etc. | All | United States |
| Atlassian | Customer support ticketing for technical support | All | United States |
| Clearbit (HubSpot) | Data enrichment platform. Customer relationship management. Information stored can include names, addresses, email addresses, IP addresses, etc. | All | United States |
| Crisp | Customer support chat, knowledge base, and contact management | All | European Union |
| DataPacket | Cloud provider hosting network utility servers which touch IP address and ZeroTier node addresses | ZeroTierOne | United States, Switzerland |
| DigitalOcean | Cloud provider hosting network utility servers which touch IP address and ZeroTier node addresses | All | United States |
| DMARCLY | SaaS-based service providing email & messaging protection, reporting, and alerts | ZeroTier Central | United States |
| Fastly | Host backend services and transport layer security (TLS) termination | ZeroTier Central | United States |
| FDC Servers (FDC) | Cloud provider hosting network utility servers which touch IP address and ZeroTier node addresses | ZeroTierOne | United States, Singapore |
| | Host backend services and transport layer security (TLS) termination | All | United States |
| HubSpot | Marketing automation platform. Customer relationship management. Information stored can include names, addresses, email addresses, IP addresses, etc. | All | United States |
| Lemlist | Sales outreach platform. Customer relationship management. Information stored can include names, addresses, email addresses, IP addresses, etc. | All | European Union |
| ReliableSite.Net LLC | Cloud provider hosting network utility servers which touch IP address and ZeroTier node addresses | ZeroTierOne | United States |
| Salesforce | Customer relationship management. Information stored can include names, addresses, email addresses, IP addresses, etc. | All | United States |
| Vultr | Cloud provider hosting network utility servers which touch IP address and ZeroTier node addresses | ZeroTierOne | United States |
This Schedule is subject to change as determined by ZeroTier Inc.