Data Protection Addendum

DEFINITIONS

1. Applicable Laws: means:

1a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.

1b) To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Zylpha is subject.

2. Applicable Data Protection Laws: means:

2a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

2b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Zylpha is subject, which relates to the protection of personal data.

3. Client Personal Data: any personal data which Zylpha processes in connection with this agreement, in the capacity of a processor on behalf of the Client.

4. EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

5. Purpose: the purposes for which the Client Personal Data is processed, as set out in clause 1.8(a).

6. Zylpha Personal Data: any personal data which Zylpha processes in connection with this agreement, in the capacity of a controller.

7. UK GDPR: has the meaning given to it in the Data Protection Act 2018.  

1. DATA PROTECTION

1.1 For the purposes of this clause 1, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.  

1.2 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.  

1.3 The parties have determined that, for the purposes of Applicable Data Protection Laws, Zylpha shall process the personal data set out in Annex 1 as a processor on behalf of the client in respect of the processing activities set out in Annex 1.  

1.4 Should the determination in clause 1.3 change, then each party shall work together in good faith to make any changes which are necessary to this clause 1 or the related annexes.

1.5 By entering into this agreement, the Client consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by Zylpha in connection with the processing of Zylpha Personal Data, provided these are in compliance with the then-current version of Zylpha's privacy policy available at https://www.zylpha.com/policies/privacy (Privacy Policy).

1.6 Without prejudice to the generality of clause 1.2, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Client Personal Data to Zylpha and/or lawful collection of the same by Zylpha for the duration and purposes of this agreement.

1.7 In relation to the Client Personal Data, Annex 1 sets out the scope, nature and purpose of processing by Zylpha, the duration of the processing and the types of personal data and categories of data subject.

1.8 Without prejudice to the generality of clause 1.2, Zylpha shall, in relation to Client Personal Data:

(a) process that Client Personal Data only on the documented instructions of the Client, which shall be to process the Client Personal Data for the purposes set out in Annex 1, unless Zylpha is required by Applicable Laws to otherwise process that Client Personal Data. Where Zylpha is relying on Applicable Laws as the basis for processing Client Personal Data, Zylpha shall notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Zylpha from so notifying the Client on important grounds of public interest. Zylpha shall inform the Client if, in the opinion of Zylpha, the instructions of the Client infringe Applicable Data Protection Laws;

(b) implement the technical and organisational measures set out in Annex 2 to protect against unauthorised or unlawful processing of Client Personal Data and against accidental loss or destruction of, or damage to, Client Personal Data, which the Client has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;  

(c) ensure that any personnel engaged and authorised by Zylpha to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;  

(d) assist the Client insofar as this is possible (taking into account the nature of the processing and the information available to Zylpha), and at the Client's cost and written request, in responding to any request from a data subject and in ensuring the Client's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(e) notify the Client without undue delay on becoming aware of a personal data breach involving the Client Personal Data;

(f) at the written direction of the Client, delete or return Client Personal Data and copies thereof to the Client on termination of the agreement unless Zylpha is required by Applicable Law to continue to process that Client Personal Data. For the purposes of this clause 1.8(f) Client Personal Data shall be considered deleted where it is put beyond further use by Zylpha; and

(g) maintain records to demonstrate its compliance with this clause 1 and allow for reasonable audits by the Client or the Client's designated auditor, for this purpose, on reasonable written notice.

1.9 The Client hereby provides its prior, general authorisation for Zylpha to:

(a) appoint sub-processors listed at www.zylpha.com/policies/sub-processors to process the Client Personal Data, provided that Zylpha:

(i) shall ensure that the terms on which it appoints such sub-processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Zylpha in this clause 1;

(ii) shall remain responsible for the acts and omissions of any such sub-processor as if they were the acts and omissions of Zylpha; and

(iii) shall inform the Client of any intended changes concerning the addition or replacement of the sub-processors, thereby giving the Client the opportunity to object to such changes. Such objection may only be made on reasonable grounds relating to an actual or likely breach of Applicable Data Protection Laws. If an objection is raised, the parties shall work together in good faith to resolve the issues.

(b) transfer Client Personal Data outside of the UK strictly as required for the Purpose, provided that Zylpha shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Client shall promptly comply with any reasonable request of Zylpha, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).

1.10 Either party may, at any time on not less than 30 days' notice, revise this clause 1 with any applicable standard clauses approved by the EU Commission or the UK Information Commissioner's Office or forming part of an applicable certification scheme or code of conduct (Amended Terms). Such Amended Terms shall apply when replaced by attachment to this agreement, but only in respect of such matters which are within the scope of the Amended Terms.

Annex 1 - Particulars of the processing

1. Scope

Zylpha will process personal data on behalf of the Client for the purpose of providing access to, and use of, Zylpha’s document bundling software-as-a-service platform, including associated support, hosting and maintenance.

2. Subject Matter of the Processing

The processing concerns the provision of Zylpha’s SaaS platform for creating, managing, storing, and distributing document bundles.

3. Nature of the Processing

The processing may include:

  • Collecting and receiving personal data uploaded or provided by the Client
  • Hosting, storing, and backing up document files and bundle content
  • Structuring, organising, combining, and transforming documents into document bundles
  • Displaying, exporting, and sharing documents on the Client’s instruction
  • Providing user account management and authentication
  • Logging, auditing and monitoring for security and compliance
  • Providing technical support, troubleshooting and platform maintenance
  • Integrating with third-party systems (e.g., Case and Document Management Systems) as configured by the Client

4. Purpose of the Processing

The purposes of the processing are to:

  • Enable the Client to generate and manage document bundles
  • Provide access control, audit trails, and system logging to support evidential and compliance needs
  • Deliver Zylpha’s contracted services, including hosting, support, feature functionality and integrations
  • Improve and secure the performance of the platform (e.g., diagnostics, security monitoring, uptime management)

Zylpha will not process Client Personal Data for its own independent purposes.

5. Duration of the Processing

Personal data will be processed for:

  • The duration of the agreement; and
  • Any retention period agreed by the parties; and
  • Any additional period required by applicable law for audit, security or legal purposes.

All Client Personal Data will be deleted or returned in accordance with the data deletion provisions of the agreement.

6. Types of Personal Data

The types of personal data processed may include, at the Client’s discretion:

  • General personal data  
  • Special category data  
  • Criminal offence data  
  • Any other personal data contained in documents and media uploaded by the Client

User and account data

  • Names, email addresses, usernames
  • Authentication identifiers
  • Role or permissions data
  • Support communications and metadata

System and audit data

  • Usage logs
  • IP addresses
  • Device and browser metadata

Because Clients upload their own materials, Zylpha may process special category data and/or criminal offence data, depending on what the Client submits.

7. Categories of Data Subjects

Depending on Client uploads, data subjects may include:

  • Individuals involved in legal, administrative, financial, consumer or personal matters, including parties to disputes or proceedings.  
  • Clients of Clients, service users, and members of the public.  
  • Family members, dependants, household members and personal contacts of the Client.  
  • Employees, contractors, representatives and agents of organisations referenced in documents.  
  • Professionals or officials, including legal professionals, healthcare practitioners, teachers, social workers, law enforcement officers and government officials.  
  • Witnesses, experts, advisers, and other third parties connected to the materials provided.  
  • Any other individuals whose personal data is included in the documents or information uploaded or provided by the Client.

Annex 2 - Technical and organisational measures

Zylpha shall implement and maintain, throughout the duration of the Agreement, appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include the following:

1. Information Security Management

  • Maintenance of an Information Security Management System (ISMS) aligned to ISO 27001 standards.
  • Regular internal reviews of security policies, procedures and access controls.
  • Documented risk assessments covering confidentiality, integrity and availability of Client Personal Data.
  • Supplier staff subject to confidentiality obligations and mandatory security awareness training.

2. Access Controls

  • Role-based access controls ensuring users are granted the minimum permissions required (principle of least privilege).
  • Unique user authentication for all Supplier staff with access to production systems.
  • Multi-factor authentication (MFA) enforced for administrative and privileged accounts.
  • Segregation of duties between development, test and production environments.

3. Encryption and Data Protection

  • Data at rest encrypted using industry-standard strong encryption (e.g., AES-256 or equivalent).
  • Data in transit protected via TLS 1.2+ encryption.
  • Cryptographic keys managed securely in accordance with recognised best practice.
  • Secure hashing of passwords and authentication credentials.

4. Network and Infrastructure Security

  • Use of a secure, industry-leading cloud hosting provider with strong physical and logical controls.
  • Firewalls and security groups configured to restrict ingress and egress to authorised endpoints.
  • Regular vulnerability scanning of externally facing components.
  • Hardening of servers, services and infrastructure based on industry standards.

5. Monitoring, Logging and Audit

  • System level monitoring to detect security events, anomalies and unauthorised access attempts.
  • Audit logs maintained for authentication events, administrative actions and data access where applicable.
  • Logging infrastructure protected against alteration or unauthorised deletion.
  • Regular review of logs in accordance with incident detection procedures.

6. Data Handling, Storage and Backup

  • Client Personal Data stored only within approved regions and hosting environments.
  • Regular, encrypted backups of Client Personal Data performed to ensure resilience and recoverability.
  • Retention periods aligned with contractual requirements and Client instructions.
  • Secure deletion processes for storage media and temporary files.

7. Application Security

  • Secure development lifecycle incorporating code review, dependency scanning and testing.
  • Regular penetration testing performed by competent external specialists.
  • Use of modern authentication standards and secure session management.
  • Protections against common web application attacks, including XSS, CSRF and SQL injection.

8. Incident Management and Response

  • Documented and rehearsed incident response plan.
  • Processes in place to detect, investigate and contain potential security incidents.
  • Timely notification to the Client of any personal data breach affecting Client Personal Data, in accordance with the Agreement and UK GDPR.
  • Root-cause analysis and corrective actions implemented following incidents.

9. Business Continuity and Disaster Recovery

  • Documented business continuity and disaster recovery plans.
  • Regular testing of disaster recovery procedures.
  • Architecture designed with redundancy and resilience to minimise service disruption.

10. Sub-processor Oversight

  • Due diligence carried out on all sub-processors prior to engagement.
  • Sub-processors required to meet security standards no less protective than those described in this section.
  • Ongoing monitoring of sub-processor compliance.