Data Processing
These terms describe how Zentallio processes personal data on behalf of our customers. They form part of, and are incorporated into, the agreement between Zentallio and the customer, and take precedence over conflicting terms in relation to the processing of personal data.
Scope & roles
These terms apply when Zentallio processes personal data on a customer’s behalf as part of the service. In that relationship the customer is the controller and Zentallio is the processor. Zentallio processes personal data only on the customer’s documented instructions, including as set out in the agreement, the service configuration, and this document. Zentallio will inform the customer if, in its opinion, an instruction infringes applicable data protection law.
Definitions
Controller, processor, personal data, processing, personal data breach, and data subject have the meanings given in the GDPR and equivalent data protection laws. Sub-processor means a third party engaged by Zentallio to process personal data. SCCs means the European Commission’s Standard Contractual Clauses.
Processing details
The nature and purpose of processing is to provide the Zentallio platform and Iris agent. Full particulars are in Annex I. In summary:
- Subject matter — operational and decision-support processing for multi-outlet operators.
- Duration — for the term of the agreement, plus any deletion period.
- Data subjects — the customer’s staff and, where applicable, guests/customers.
- Data types — as configured by the customer; special-category data only where explicitly agreed.
Our obligations
Zentallio will: process personal data only on the customer’s instructions; ensure people authorised to process it are bound by confidentiality; implement the security measures in Annex II; assist the customer, taking account of the nature of processing, with data subject requests, security, breach notification, and data protection impact assessments; and make available information needed to demonstrate compliance.
Sub-processors
The customer provides general authorisation for Zentallio to engage sub-processors listed in Annex III. Zentallio imposes data-protection obligations on each sub-processor no less protective than these terms and remains responsible for their performance. Zentallio will give the customer notice of intended additions or replacements so the customer may object on reasonable data-protection grounds.
Security measures
Zentallio maintains technical and organisational measures appropriate to the risk, described in Annex II, including encryption of personal data in transit and, where appropriate, at rest; access controls and least-privilege administration; logging and monitoring; and measures to restore availability and access after an incident.
Data subject requests
If Zentallio receives a request from a data subject relating to a customer’s data, it will, without undue delay, notify the customer and — taking account of the nature of processing — assist the customer in responding. Zentallio will not respond directly except on the customer’s instructions or as legally required.
Breach notification
Zentallio will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer’s data, and will provide information reasonably needed to help the customer meet its own notification obligations.
International transfers
Where processing involves transfers of personal data to a country without an adequacy decision, the parties agree that the SCCs (module controller-to-processor), together with the UK Addendum and any equivalent mechanism where relevant, are incorporated by reference and apply to that transfer. Annex details for the SCCs are populated by Annexes I–III below.
Audits
Zentallio will make available information necessary to demonstrate compliance with these terms and allow for and contribute to audits, including inspections, conducted by the customer or an appointed auditor on reasonable notice, no more than once per year (unless required by a supervisory authority), and subject to confidentiality and Zentallio’s security policies.
Liability & law
Each party’s liability under these terms is subject to the limitations of liability in the agreement or the Terms of Service. These terms are governed by the same law as the agreement; where the SCCs apply, the SCCs’ governing law and forum apply to matters arising under them.
Return & deletion
On termination, and at the customer’s choice, Zentallio will delete or return the personal data it processes and delete existing copies within a reasonable period, unless retention is required by law.
Annexes
Annex I — Details of processing
Controller: the customer. Processor: Zentallio. Categories of data subjects, categories of personal data, special categories (if any), frequency, nature and purpose, and duration: [complete per the specific engagement / order form].
Annex II — Technical & organisational security measures
Encryption in transit (and at rest where appropriate); role-based access control and least privilege; network and application security; logging, monitoring, and alerting; backup and recovery; personnel confidentiality and training; vendor management. [expand with specific controls / certifications, e.g. ISO 27001, SOC 2, once available].
Annex III — Approved sub-processors
Current sub-processors (name, role/service, location): [list hosting, infrastructure, analytics, email and other providers with locations]. The up-to-date list is available on request.