Zevoy Data Processing Agreement
Effective from 1 Dec 2025
This Data Processing Agreement (“DPA”) is supplemental to, and forms an integral part of, the entire agreement (“Agreement”) between Zevoy Aktiebolag (“Zevoy”) and the Customer for the purchase of services from Zevoy. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. By executing the DPA, the Customer enters this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and behalf of its Affiliates. This DPA shall be effective on the date both parties execute the Agreement. This DPA shall be deemed executed at the same time as the execution of the Agreement. This DPA applies to Zevoy’s processing of Personal Data under the Agreement executed between Zevoy and the Customer for Zevoy’s provision of the services rendered under or pursuant to the Agreement.
1. Definitions and interpretation
The terms of this DPA will follow the terms of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
“Adequate Country” means a country or territory that is recognized under European Data Protection Laws as providing adequate protection for Personal Data.
“Affiliate” means an entity that directly or indirectly Controls, or is Controlled by, or is under common Control with an entity.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Customer Personal Data” means any Personal Data processed by the Data Processor or a Sub-Processor on behalf of the Customer pursuant to or in connection with the Agreement.
“Data Controller” means an entity that determines the purposes and means of processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
“DPA” means this Data Processing Agreement and all Schedules.
“EEA” means the European Economic Area.
“EU Data Protection Laws” means data protection laws applicable in the European Union, including: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (DORA); and (iv) applicable national implementations of (i) and (ii).
“Group” means any and all Affiliates that are part of an entity’s corporate group.
“Instructions” means the written, documented instructions issued by a Data Controller to a Data Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Personal Data.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly. It includes but is not limited to any operation or set of operations which is performed upon Personal Data such as transmission, storage, usage, and erasure.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Sub-Processor” means any Data Processor engaged by the Data Processor or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-Processors may include third parties or subsidiaries of the Data Processor.
“Supervisory Authority” means any independent public authority responsible for monitoring the application of the Data Protection Laws, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing and to facilitate the free flow of personal data within the EU (as applicable).
2. Roles
The parties acknowledge and agree that with regards to the processing of Customer Personal Data, Customer may act as a Data Controller or Data Processor and Zevoy is a Data Processor. Zevoy will process Customer Personal Data in accordance with Customer’s instructions as outlined in this DPA.
3. Customer Responsibilities
Within the scope of the Agreement and in its use of the Service, the Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its processing of Personal Data and the Instructions it issues to Zevoy. The Customer agrees that it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Zevoy to process Customer Personal Data and provide the Service pursuant to the Agreement and this DPA. Zevoy shall process Customer Personal Data in accordance with Customer’s Instructions. By entering into the Agreement, the Customer instructs Zevoy to process Customer Personal Data to provide the Service and pursuant to any other written Instructions given by the Customer and acknowledged in writing by Zevoy as constituting Instructions for purposes of the Agreement. The Customer acknowledges and agrees that such Instructions authorize Zevoy to process Customer Personal Data (i) to perform its obligations and exercise its rights under the Agreement; (ii) to perform its legal obligations and to establish, exercise or defend legal claims in respect to the Agreement; and (iii) to provide the Service as described in the Agreement, including but not limited to billing, account management, technical support and product development.
4. Zevoy Obligations
Zevoy will only process Customer Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of the Customer’s lawful Instructions, except where and to the extent otherwise required under applicable law. The parties agree that this DPA and the Agreement set out the Customer’s complete and final Instructions to Zevoy in relation to the processing of Customer Personal Data and processing outside the scope of these Instructions (if any) shall require a prior written agreement between the Customer and Zevoy. Zevoy is not responsible for compliance with any Data Protection Laws applicable to the Customer or the Customer’s industry that are not generally applicable to Zevoy. If Zevoy becomes aware that it cannot process Personal Data in accordance with the Customer’s Instructions due to a legal requirement under applicable law, Zevoy will (i) promptly notify the Customer of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all other processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new Instructions with which Zevoy is able to comply. Zevoy shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality and have received appropriate training on their responsibilities.
5. Personal data being processed
Zevoy will process Customer Personal Data as necessary to provide the Service pursuant to the Agreement and as further instructed by Customer in Customer’s use of the Service. The subject matter of the data processing under this DPA is the Customer Personal Data. The duration of the processing under this DPA is until the termination of the Agreement in accordance with its terms. Zevoy will process identification and contact data (name, address, title, contact details, date of birth, national identification number), financial information (account details, payment information) and employment details (employer, job title, area of responsibility).
6. Security
Zevoy shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Customer Personal Data, in line with Article 32(1) of the GDPR. Zevoy operates an information security management system certified to the ISO/IEC 27001:2022 standard by an independent third party. This certification covers all core infrastructure, data processing, and supporting business processes related to Zevoy’s services. A valid certificate is available upon request. The Customer is responsible for determining whether Zevoy’s security measures meet Customer’s requirements and legal obligations under Data Protection Laws. In assessing the appropriate level of security, Zevoy shall take due account of the risks that are involved in the processing for the data subjects, in particular of a Security Incident. The data security arrangements are regularly assessed, inspected and updated. Zevoy will implement and maintain information security policies that govern Zevoy’s security measures. The information security policies will be documented, reviewed and approved by management, and communicated to relevant personnel. Zevoy uses the measures stated below to verify its data security and the lawful processing of personal data.
Personnel
- The roles, tasks and responsibilities of the personnel in data processing have been clearly defined.
- Access by personnel to Customer Personal Data will be conducted in a manner that is protected, to the extent reasonable, by authentication and authorization mechanisms, requires personnel to be assigned a unique user account, requires strong authentication, requires access privileges based on job requirements limited to that necessary for the applicable personnel to undertake their duties, and ensures access is revoked upon termination of employment or consulting relationships.
- The need for an employee’s access rights is examined following a material change in their duties.
- All Zevoy employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- Security and privacy awareness training will be provided to all personnel. Additional role-based training will be provided to personnel with access to Customer Personal Data.
Security at the premises
- The premises of Zevoy have electronic access control.
- Zevoy will ensure that data centers holding Customer Personal Data will include physical access restrictions and monitoring.
Cloud services
In this section, cloud services refer to data systems delivered as SaaS services which Zevoy uses to support the provision of its Service.
- A written service level agreement is included in Zevoy’s agreements on cloud service use.
- Zevoy has received reports from the cloud service provider, which verify that the service is being provided while taking into account the security and retention requirements set by the GDPR.
7. Sub-processing
The Customer agrees that Zevoy may engage third party Sub-Processors to process Customer Personal Data. Where Zevoy engages Sub-Processors, Zevoy will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Zevoy shall remain liable for any Sub-Processor it may engage. Any Sub-Processor shall process Customer Personal Data only in accordance with Zevoy’s Instructions and only for the purposes of delivering the Service Customer has retained and shall be prohibited from processing Customer Personal Data for any other purpose. Sub-Processors involved in the processing of Customer Personal Data are subject to Standard Contractual Clauses.
Some Sub-Processors will apply to Customer as default, and some Sub-Processors will apply only by opt-in. Zevoy shall make available to the Customer a list of Sub-Processors. The list is available as a Schedule to this DPA, including their functions and locations. The list of Sub-Processors may be updated by Zevoy from time to time in accordance with the terms set out in this DPA.
Zevoy shall provide notification of a new Sub-Processor before authorizing any new Sub-Processor to process Customer Personal Data in connection with the provision of the applicable Service at least fifteen (15) days before the new Sub-Processor processes any Customer Personal Data. The Customer may object to Zevoy’s use of a new Sub-Processor by notifying Zevoy without undue delay within 15 days from the notice, in writing to dpo@zevoy.com. If Customer objects to a new Sub-Processor, Zevoy will use reasonable efforts to make available to the Customer a change in the Service to avoid processing of Customer Personal Data by the objected new Sub-Processor. If Zevoy is unable to make available such change, Customer may terminate the Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to termination). If Customer does not provide a timely objection to any new or replacement Sub-Processor in accordance with this clause 7, Customer will be deemed to have consented to the Sub-Processor and waived its right to object.
8. Data Subject rights
Zevoy shall, to the extent legally permitted, promptly notify Customer if Zevoy receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data. Taking into account the nature of the processing, Zevoy shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligations to respond to requests to exercise Data Subject rights under Data Protection Laws. To the extent that Customer is unable to independently address a Data Subject request through the Service, Zevoy shall upon Customer’s request provide commercially reasonable assistance in responding to such Data Subject requests, to the extent Zevoy is legally permitted to do so and the response to such Data Subject requests is required under Data Protection Laws. Customer shall be responsible for the costs arising from this assistance. Notwithstanding the foregoing, Customer understands that Zevoy may retain Customer Personal Data if required by law, and such data will remain subject to the requirements of this DPA.
9. Security Incident
Zevoy shall notify Customer without undue delay upon Zevoy becoming aware of a Security Incident, providing Customer with timely information relating to the Security Incident as it becomes known or reasonably requested by Customer. At Customer’s request, Zevoy will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant personal data breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. A delay in giving such notice requested by law enforcement and/or in light of Zevoy’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.
The notification shall at least include the following:
i. a description of the Security Incident and the circumstances leading to it;
ii. a description of the nature of the Security Incident, including categories and approximate number of Data Subjects concerned as well as the categories and approximate number of personal data records concerned;
iii. the name and contact details of Zevoy’s data protection officer;
iv. a description of the likely and/or realized consequences caused by the Security Incident; and
v. a description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects.
10. Demonstration of Compliance
Zevoy shall provide reasonable assistance to Customer with any data protection impact assessment, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to Zevoy.
During the term of this DPA and not more than once per year, Customer may request Zevoy to make available to Customer information to demonstrate compliance with the obligations set out in this DPA. Zevoy will reasonably respond to such requests by providing documentation demonstrating compliance or by completing Customer questionnaires without undue delay. Customer acknowledges that the Service is hosted by Zevoy’s hosting Sub-Processor who maintains independently validated security programs (including SOC 2 and ISO 27001). The Customer may authorize an external inspector to perform the audit; however, such inspectors may not be competitors to Zevoy. The Customer is responsible for covering all costs incurred from the audit.
11. Deletion or Return of Customer Personal Data
Zevoy shall (at Customer’s election) delete or return to Customer all Customer Personal Data (including copies thereof) in its possession or control upon termination or expiration of the Agreement. This term will apply except where Zevoy is required by applicable law to retain some or all of the Customer Personal Data, or where Zevoy has archived Customer Personal Data on back-up systems, which data Zevoy will securely isolate and protect from any further processing, except to the extent required by applicable law.
12. Data Transfer
Zevoy may transfer and process Customer Personal Data where Zevoy or its Sub-Processors maintain data processing operations. Zevoy shall at all times provide an adequate level of protection for the Customer Personal Data processed, in accordance with the requirements of Data Protection Laws. Any transfer of Customer Personal Data to third countries shall always take place in compliance with Chapter V GDPR. For the purposes of transfer of data from the EU to a third country, the Standard Contractual Clauses shall apply. If and as long as the country where Customer Personal Data is transferred to is classed as an Adequate Country according to Article 45(3) of the GDPR, no Standard Contractual Clauses are required. Once the adequacy decision is repealed or suspended, the Standard Contractual Clauses shall automatically apply accordingly.
Sub-Processor list
On commencement of the Agreement, the data Controller authorizes the engagement of the following Sub-Processors:
- Amazon Web Services (Hosting services, EU data center)
- Hubspot Inc. (Customer Relationship Management system, EU data center)
- Intercom (Customer Relationship Management system, US based)
- Enfuce (Card payment processing, EU data center)
- Google Workspace (Workspace, Communication, EU data center)
- Klippa (Receipt scanning, EU data center)
- Mailgun (Receipt forwarding, EU data center)
- Microsoft 365 (Workspace, internal communication, EU data center)
- Notion Labs Inc. (Workspace, internal communication, US based)
- Opencard (Transaction enrichment services and electronic receipts, EU data center)
- ReceiptHero Oy (Electronic receipts, EU data center)
- Signicat AS (Identity management and KYC checks, EU data center)
- Slack Inc. (Internal communication, US based)
Zevoy Aktiebolag
Södra Esplanaden 24 A
00130 Helsingfors
Finland
Business ID: 3147751-4
Zevoy is a fintech company founded in 2020. Zevoy Aktiebolag is a Finnish electronic money institution regulated and authorized by the Finnish Financial Supervisory Authority. The company cards are issued by Zevoy Aktiebolag under a Visa Europe Limited license. Our headquarters are in Helsinki, Finland, and in addition to our home market we also serve Sweden, Norway, Denmark, Germany, France, Belgium, the Netherlands, Spain, Portugal, Estonia, Lithuania and Latvia.