This Data Protection Addendum (“Addendum”), including its Annexes, forms part of the Agreement between Zendrive, Inc. (“Zendrive”) acting on its own behalf and as agent for each Zendrive Affiliate and Company (defined below).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
- “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- "Applicable Laws" means European Union, EU Member State or UK laws with respect to any Company Personal Data in respect of which Company is subject to Data Protection Laws;
- "Company" means the counterparty to Zendrive in the Agreement acting on its own behalf and as agent for each of its Affiliates permitted to use the Services;
- "Company Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of the Company and its permitted Affiliates pursuant to or in connection with the Agreement;
- "Contracted Processor" means Zendrive, a wholly owned subsidiary of Zendrive, or a Subprocessor;
- "Data Protection Laws" means the EU/UK Data Protection Law;
- "EEA" means the European Economic Area;
- “EU/UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
- "Restricted Transfer" means (i) where the EU GDPR applies, a transfer of Company Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Company Personal Data from the United Kingdom to any other country which is not subject to an adequacy determination based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
- "Services" means the services and other activities to be supplied to or carried out by or on behalf of Zendrive for the Company pursuant to the Agreement;
- “SCC Agreement” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs");
- "Subprocessor" means any person (including any third party, but excluding an employee of Zendrive, an employee of any of its wholly owned subsidiaries, or any of its sub-contractors) appointed by or on behalf of Zendrive to Process Personal Data on behalf of the Company in connection with the Agreement as set out in Annex 2 (List of Subprocessors); and
- The terms, "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the EU GDPR, and their cognate terms shall be construed accordingly.
Processing of Company Personal Data
Information you provide to us directly
When you sign up or contract for the Service or create an account with the Service, we may receive or collect one or more of the following items: name, address, email address, telephone number, account identifiers, account password, payment information, credit card information and other billing data. For example, you may provide personal information directly to us in connection with signing up, registering or interacting with Zendrive through the use of the Service, when you set up an account for Services, when you subscribe to email alerts, updates or newsletters, or when you respond to a survey, fill out a form, or complete or update any user or Client profile through the Service.
Client Customer Data
Client Customer Data consists of personal and non-personal information collected from Client Customers as a result of using Client Services that is then received or collected by Company in connection with the Services (“Client Customer Data”).
As a result of your use of the Service, we may collect the following Client Customer Data: an individual’s gender, city or state of residence, age, characteristics, driving behavior, driving locations and driving activities as well as data regarding particular trips one has taken, types of vehicles used and similar information. We collect, receive, and store non-identifying data when you directly provide it to us through the Services, or when a Client Customer provides it through the use of Client Services that employ or are connected to the Services. Client may choose to share additional Client Customer Data with us, such as name, email address and other information, which will then identify the user associated with the Client Customer Data.
- Zendrive shall (i) comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and (ii) not Process Company Personal Data other than on Company’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Zendrive shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before the relevant Processing of that Personal Data. The documented instructions of the Company shall be deemed to include any use of Company Personal Data described in the Agreement.
- Company (i) hereby instructs and authorizes Zendrive (and hereby instructs and authorizes Zendrive to instruct each Subprocessor) to: (a) Process Company Personal Data; and (b) in particular, transfer Company Personal Data to any country or territory, subject to Sections 5 (Subprocessing) and 11 (Restricted Transfers), as reasonably necessary for the provision of the Services and consistent with the Agreement; and (ii) warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in Section 2.2.
- Annex 1 (Details of Processing of Company Personal Data) to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Company Personal Data as required by Article 28(3) of the EU GDPR and UK GDPR. Company and Zendrive may, upon mutual written agreement, make reasonable amendments to Annex 1 (Details of Processing of Company Personal Data) from time to time as they mutually reasonably consider necessary to meet those requirements. Nothing in Annex 1 (Details of Processing of Company Personal Data) (including as amended pursuant to this section 2.3) confers any right or imposes any obligation on any party to this Addendum.
Zendrive shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and access the relevant Company Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zendrive shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Zendrive shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach.
- The Company authorizes Zendrive to appoint (and permit each Subprocessor appointed in accordance with this section 5 (Subprocessing) to appoint) Subprocessors in accordance with this section 5 (Subprocessing) and any restrictions in the Agreement.
- Company hereby authorizes Zendrive to continue to use those Subprocessors already engaged by Zendrive as at the date of this Addendum, as set out in Annex 2 (List of Subprocessors), subject to Zendrive meeting the obligations set out in section 5.4.
- Company hereby provides general authorization for Zendrive to engage Subprocessors. Upon the written request of Company, Zendrive shall give Company a written list of all current Subprocessors. If, within thirty (30) days after receipt of such list, Company notifies Zendrive in writing of any objections (on reasonable grounds) to any Subprocessor, Zendrive shall take commercially reasonable steps to address the objections raised by the Company and shall provide to Company a reasonable written explanation of the steps taken.
- With respect to each Subprocessor, Zendrive shall:
- use commercially reasonable efforts to ensure that the arrangement between Zendrive and the relevant Subprocessor is governed by a written contract including terms which offer at least the level of protection for Company Personal Data that meets the requirements of Article 28(3) of the EU GDPR; and
- if that arrangement involves a Restricted Transfer ensure that a data protection safeguard, derogation or other mechanism authorized under Data Protection Laws, such as an SCC Agreement, applies to such Restricted Transfer.
Data Subject Rights
- Taking into account the nature of the Processing, Zendrive shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
- Zendrive shall: (i) promptly notify Company if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and (ii) ensure that, except for providing an acknowledgement of the request, the Contracted Processor does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Contracted Processor is subject, in which case Zendrive shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
Personal Data Breach
- Zendrive shall notify Company without undue delay and where feasible, not later than 72 hours after Zendrive becomes aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- Zendrive shall cooperate with Company and its Affiliates and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
Zendrive shall, at Company’s expense, provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the EU GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion of Company Personal Data
- Subject to section 9.2, upon Company’s reasonable request, Zendrive shall promptly from the date of cessation of all Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of that Company Personal Data, unless Company requests, by written notice given within five (5) days of the Cessation Date, that Zendrive return all of the Company Personal Data to Company; provided that Zendrive may retain Company Personal Data to the extent and for such period that it is required to do so under Applicable Laws.
- Each Contracted Processor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Zendrive shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
Security assessment rights
Upon written request by Company, Company shall have the right, directly or through its representative(s) (provided, however, that such representative(s) shall enter into written obligations of confidentiality and non-disclosure directly with Zendrive), to access all reasonable and industry-recognized documentation evidencing Zendrive’s policies and procedures governing the security of Company Personal Data. Zendrive reserves the right to refuse to provide Company (or its representatives) with any information which would pose a security risk to Zendrive or its customers, or that Zendrive is prohibited from providing or disclosing under applicable law or contractual obligation.
The parties agree that when the transfer of Company Personal Data from Company to Zendrive is a Restricted Transfer it shall be subject to the appropriate SCC Agreement as follows:
in relation to personal data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
- Module Two or Module Four (as appropriate) will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 9 (Module Two only), Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in section 5.2 of this Addendum;
- in Clause 11 (Module Two only), the optional language will not apply;
- in Clause 17, for Module Two, Option 1 will apply, and for Module Two and Module Four, the EU SCCs will be governed by Irish law;
- in Clause 18, disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 4 to this Addendum;
- Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this Addendum; and
- Annex III of the EU SCCs (Module Two only) shall be deemed completed with the information set out in Annex 2 to this Addendum.
in relation to Company Personal Data that is protected by the UK GDPR, the UK SCCs (International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers) will apply completed as follows:
- Annexes 1A and 1B of the UK SCCs shall be deemed completed with the information set out in Annex 4 to this Addendum;
- Annex II of the UK SCCs shall be deemed completed with the information set out in Annex 3 to this Addendum;
- Annex III of the UK SCCs (Module Two only) shall be deemed completed with the information set out in Annex 2 to this Addendum; and
- Neither party may end the UK SCCs as set out in section 19 of the UK SCCs.
Measures and assurances with respect to United States government intelligence activities (“Additional Measures”).
- the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence.
- Nothing in this Addendum reduces Zendrive's obligations under the Agreement in relation to the protection of Personal Data or permits Zendrive to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement.
- With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail with respect to the parties’ data protection obligations for Personal Data of a Data Subject in the EEA or the UK, as applicable. In the event of any conflict or inconsistency between this Addendum and an SCC Agreement, the SCC Agreement shall prevail.
Changes in Data Protection Laws, etc. Company may:
- by at least thirty (30) days written notice to Zendrive from time to time make any variations to the SCC Agreement (including any SCC Agreement entered into under sections 11.2 or 11.3), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
- propose any other variations to this Addendum which Company reasonably considers to be necessary to address the requirements of any Data Protection Law.
- If Company gives notice under section 13.3.1, Company shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Zendrive to protect the Contracted Processors against additional risks associated with the variations made under section 13.3.1.
- If Company gives notice under section 13.3.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Company's notice as soon as is reasonably practicable.
Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Liability. This Addendum is subject to the limitation of liability as set out in the Agreement.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of the Company Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Company Personal Data
The Contracted Processor shall Process Company Personal Data as required to provide the Services in accordance with the Agreement.
The types of Company Personal Data to be Processed
As may be set out in the Agreement, the below data may be Processed by the Contracted Processor. The parties to the Agreement acknowledge that certain of the below data may not constitute Company Personal Data and that to the extent any such data does not constitute Company Personal Data, the terms of this Addendum may not apply thereto.
- IP Address that is presented in the (web) requests made by the device
- Anonymous Driver ID generated by customer's apps
- Trip Start time/location
- Trip end time/location
- Trip Route
- Hard brake events (location, time, duration, magnitude)
- Aggressive Acceleration events (location, time, duration, magnitude)
- Phone Use events (location, time, duration, magnitude)
- Speeding events (location, time, duration, magnitude)
- Hard cornering events (location, time, duration, magnitude)
- Collision events (location, time, duration, magnitude)
- Trip Driver Score
- Zendrive Score
- Device info (phone type, make/model, OS version, sensor availability and dynamic range)
- Trip type and feedback (mode of transport: driving, biking, public transport, etc.)
- Performance of SDK (CPU, network, battery)
- Raw sensor data (GPS, accelerometer, gyroscope, proximity, barometer, Bluetooth)
- Bluetooth connection and disconnection events, Bluetooth connection type, Bluetooth-tagged vehicle’s connection identifier
The parties to the Agreement acknowledge and agree that any driving behavior captured by the Zendrive technology is recorded against anonymous IDs generated by the Company and that the Company, as controller, maintains the mapping between the anonymous IDs and the Data Subject. Zendrive generally has no means of determining the identity of the Data Subject.
Additional data collected if Company is using the optional Driver Dashboard service
If the Agreement includes Services related to the Driver Dashboard, the below additional personal data relating to Company personnel may be Processed. The parties to the Agreement acknowledge that certain of the below data may not constitute Company Personal Data and that to the extent any such data does not constitute Company Personal Data, the terms of this Addendum may not apply thereto.
- First Name, Last Name
- Email address
- Password Use logs
- IP Address
The categories of Data Subject to whom the Company Personal Data relates
Company may submit Company Personal Data relating to the following categories of data subjects:
Company customers (past, current and prospective) and Company personnel (past and current).
The obligations and rights of Company
The obligations and rights of Company are set out in the Agreement and this Addendum.
ANNEX 2: LIST OF SUBPROCESSORS
Subject to the obligations in Section 5 (Subprocessing) of this Addendum, Zendrive uses the following Subprocessors to provision the Services:
Subprocessor Entity: AWS, Inc
Location: Oregon, USA; Virginia, USA; Frankfurt, Germany; Dublin, Ireland
Subprocessor Entity: Here Maps
Subprocessor Entity: Google Cloud Platform, USA
Location: Dublin, Ireland
Subprocessor Entity: Zendrive India Pvt Limited
Location: Bangalore, India
Subprocessor Entity: Zendrive Ireland Limited
Location: 1st Floor, 9 Exchange Place I.F.S.C., Dublin 1 D01 X8H2 Ireland
Subprocessor Entity: Zendrive, Inc
Location: 201 Spear Street, Suite 1100, San Francisco, CA 94105
If the Agreement includes Services related to the Driver Dashboard, the below Subprocessors may be used by Zendrive.
Subprocessor Entity: AWS, Inc
Subprocessor Entity: Heap Analytics
Subprocessor Entity: Salesforce
Annex 3: Technical and Organizational Measures
Zendrive will have in place technical, physical and organizational security measures that meet the requirements set forth in this Annex 3.
At Zendrive, we take the security and privacy of our customer information seriously; we use industry leading security measures and technology to protect data from unauthorized access or alteration, disclosure or destruction. Security at Zendrive follows both a top-down and bottom-up approach where both leadership and executive organizations complement each other in instrumenting and realizing our security obligations for our customers. We employ technical security controls with procedural and administrative oversight where applicable to drive security at Zendrive.
As of April 1st, 2023, Zendrive is SOC 2 Type 2 compliant; a copy of the report can be made available to our clients under Zendrive’s standard NDA.
- Zendrive makes use of AWS to host its solution and customer data. We employ isolation using virtual private cloud that allows us to implement fine grained access controls for permission sets.
- Production workloads and data are isolated from development workloads.
- Data in transit from mobile application to Zendrive’s APIs is protected using industry standard TLS protection.
- Production systems are accessible only to a dedicated group of Backend and Devops personnel.
- Personnel access over SSH to the production environment is governed through dedicated bastion hosts.
- SSH access to the production environment requires that personnel are connected over a VPN that enforces two-factor authentication.
- SSH sessions require key based authentication and actions are recorded and archived.
- We employ standard linux base images for our AWS EC2 Fleet.
- Our hosts and network are regularly scanned for vulnerabilities and patches are applied based on priority of the issues discovered.
- AWS Console access is restricted to select individuals on a need to know basis.
Development and Change Management Practices
Zendrive follows an Agile development methodology.
- Code analysis tools are used to scan code for security issues
- Every line of production code at Zendrive is peer reviewed
- All code changes must pass Unit tests to be productionized
- Only after pre-prod deployment and tests succeed can one promote a build to prod
- Code changes require QA team validation and sign off
- Each design document has mandatory sections on
- Security groups and AWS IAM policy changes are peer reviewed among DevOps team before being committed
- Zendrive has an automated system for monitoring and alerting on system performance, security and availability and system health related incidents.
- We use CloudWatch and hosted Graphite for monitoring.
- We make use of OSSEC across our fleet for host intrusion detection and file system monitoring capabilities
- AWS changes are monitored using Security Monkey
- We use PagerDuty for on-call notifications.
- We use Pingdom for monitoring uptime of our external-facing services.
Backup and Recovery
Daily snapshots and archives are taken in order to ensure continuity of our services in the event of a disruption.
- Our primary database is configured to take incremental backups on a daily basis
- Our database is set up in a multi Availability Zone configuration to withstand disruption events.
- Daily backups are shipped to our DR location over TLS
- Backup data in our DR region is encrypted at rest
- We perform quarterly tests of our DR procedures
- All production systems are set up in multiple availability zones.
- Application servers are set up with auto-scaling.
Annex 4 – SCC Agreement Details
List of Parties
Controller(s) / Data exporter(s):
- Name: Each of the Company entities identified in the Agreement
- Address: The addresses of each of the Company entities identified in the Agreement
- Contact person’s name, position and contact details: Company contact details as collected during account set-up
- Activities relevant to the data transferred under the SCC Agreement: Company is a Zendrive customer availing of Zendrive services via the Agreement with respect to driving behavior.
- Signature and date: This SCC Agreement shall be deemed executed upon signature of the Agreement.
- Role (controller/processor): controller.
Processor(s) / Data importer(s):
- Name: Each of the Zendrive entities identified in the Agreement
- Address: The addresses of each of the Zendrive entities identified in the Agreement
- Contact person’s name, position and contact details: [ZENDRIVE TO INSERT]
- Activities relevant to the data transferred under the SCC Agreement: Zendrive provides the Services as detailed in the Agreement.
- Signature and date: This SCC Agreement shall be deemed executed upon signature of the Agreement.
- Role (controller/processor): processor.
Description of Transfer
- Categories of data subjects whose personal data is transferred: Please see Annex 1.
- Categories of personal data transferred: Please see Annex 1.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions, (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional measures.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement and the period following termination during which the Company can request the return of the data.
- Nature of the processing: Please see Annex 1.
- Purpose of the data transfer and further processing: Please see Annex 1.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Please see Annex 1.
- For transfers to processors, also specify subject matter, nature and duration of the processing. Please see Annex 1.
Competent Supervisory Authority
- Where the EU GDPR applies, the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs.
- Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office.