Data Processing Addendum

Last Updated: February 16, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms or other written subscription agreement mutually entered into between the Customer and EZO to reflect the parties’ agreement with regard to the Processing of Personal Data on behalf of the Customer.

For existing customers this DPA shall go into effect on March 16, 2026. For new customers, the DPA shall be effective as of the last update date.

1. Roles

1.1. EZO acts as a Data Processor and the Customer may act as a Data Controller or a Data Processor under this DPA in relation to Processing by EZO.

1.2. Both parties agree to Process Personal Data in accordance with the requirements of the Data Protection Laws.

1.3. The Customer shall not feed in any special categories of Personal Data or Sensitive Personal Data into the Service.

2. Processing by EZO

2.1. EZO shall Process Personal Data on documented instructions from the Customer for the following purposes: (i) Processing in accordance with the Terms, this DPA and any applicable Order Forms, (ii) Processing initiated by Authorized Users, (iii) Processing in accordance with the instructions provided by the Customer (e.g. via email) where such instructions do not conflict with the Agreement and this DPA.

2.2. If the documented instructions are not in line with the requirements of the Data Protection Laws, EZO shall notify the Customer.

2.3. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects processed under this DPA are further described in Annex I of the Appendix.

3. Assistance

3.1. EZO shall, if permitted by law, notify the Customer without undue delay if it receives a request from a Data Subject under the Data Protection laws (“Data Subject Requests”). All Data Subject Requests shall be handled by the Customer, unless EZO is otherwise authorized by the Customer, is required by the Data Protection Laws, or acts as a Data Controller in relation to a Data Subject. Upon request of the Customer, EZO shall, taking into account the nature of the Processing, provide commercially reasonable assistance in the fulfillment of the Customer’s obligations with respect to Data Subject Requests.

3.2. Upon Customer’s request, EZO shall provide Customer with reasonable and timely cooperation and assistance needed to fulfill Customer’s obligation under the Data Protection Laws to carry out a data protection impact assessment or respond to a request from a supervisory authority that relates to the Customer’s use of the Service.

4. Confidentiality and Security

4.1. EZO will ensure that only Authorized Persons are able to access Personal Data being Processed on behalf of the Customer. Further, EZO will ensure that all Authorized Persons are given training regarding their responsibilities and the confidential nature of Personal Data, and are subject to appropriate confidentiality commitments.

4.2. EZO shall implement technical and organizational measures for the protection of security, integrity, and confidentiality of Personal Data appropriate to the risk. At a minimum, EZO shall implement the Security Measures against unlawful Processing, accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to Personal Data.

4.3. As between the Customer and EZO, Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Personal Data, including securing the account credentials, systems, devices that the Customer uses to access the Service.

5. Use of Sub-Processors

5.1. Subject to this section 5 of the DPA, the Customer authorizes EZO to engage Sub-Processors specified on the Sub-Processors Page. Sub-Processors will be subject to appropriate measures that comply with the requirements of this DPA.

5.2. EZO shall ensure a mechanism for the Customer to be notified of any planned changes regarding the addition to or replacement of Sub-Processors thirty (30) days in advance of such change. The Customer may subscribe to receive email notifications for any changes on the Sub-Processors Page. If the Customer reasonably objects to the changes, the Customer shall notify EZO via email at legal@ezo.io of its objection within thirty (30) days of receipt of the notification by EZO. However, if the Customer does not raise an objection within such time, the change notified by EZO shall be deemed as accepted by the Customer.

5.3. In the event a justifiable objection is raised by the Customer, both parties shall act in good faith to reach a mutually acceptable resolution to address such objection within the scope of commercial viability for EZO. However, if EZO cannot accommodate the Customer with regard to the objections raised within sixty (60) days of the objection, EZO will either: (i) allow the Customer to terminate the impacted portion of the Service upon written notice to EZO and receive a prorated refund of the unused fees covering the remainder of the impacted portion of the Service as of the effective date of termination or (ii) continue providing the Service without the use of the Subprocessor(s) objected to by the Customer. Any previously accrued rights and obligations between the parties shall survive such termination.

6. Personal Data Breach

6.1. Unless prohibited by supervisory authority or law, EZO will notify the Customer without undue delay after becoming aware of a Personal Data Breach.

6.2. Based on available information, EZO will provide necessary details as required by the applicable Data Protection Laws to the Customer, and will take appropriate measures to remediate the cause of such Personal Data Breach.

6.3. The obligations related to Personal Data Breach shall not apply with respect to incidents that are caused by the Customer or any Authorized User of the Service. EZO’s response to a Personal Data Breach will not be construed as an acknowledgement by EZO of any fault or liability with respect to the Personal Data Breach.

7. Transfer of Personal Data

7.1. If and to the extent that the Personal Data Processed by EZO is subject to an EEA Data Transfer, the EEA Standard Contractual Clauses are incorporated herein by reference and shall apply as follows:

  1. Application. EZO shall act as the data importer and the Customer shall act as the data exporter;
  2. Modules. MODULE TWO applies when Customer acts as a Controller and EZO acts as the Processor. MODULE THREE applies when the Customer and EZO both act as Processors;
  3. Docking. For the purposes of Clause 7, the optional docking clause does not apply;
  4. Sub-Processors. For the purposes of Clause 9(a) of Module Two and Module Three, Option 2 applies (the time period for the data importer to inform the data exporter of any intended changes shall be as set forth in Section 5 of the DPA and the list of subprocessors already authorised by the data exporter can be found at Subprocessors Page);
  5. Redress. For purposes of Clause 11(a), the optional language does not apply;
  6. Governing law. For the purposes of Clause 17, Option 1 will apply and the law of Ireland shall apply;
  7. Forum and Jurisdiction. For the purposes of Clause 18(b), the disputes will be resolved in the courts of Dublin, Ireland;
  8. Completion of Annex I. Annex I is hereby deemed to be completed as set out in the Annex I of the Appendix;
  9. Completion of Annex II. Annex II is hereby deemed to be completed as set out in Annex II of the Appendix; and
  10. Conflict. In case of a conflict in section 7.1 and the EEA Standard Contractual Clauses, the EEA Standard Contractual Clauses shall prevail.

7.2. UK Data Transfer. If and to the extent that Personal Data Processed by EZO is subject to a UK Data Transfer, the UK SCC Addendum is incorporated herein by reference and shall apply as follows:

  1. Completion of Table 1. Table 1 of the UK SCC Addendum is completed with the details of Customer (as data exporter) and the details of the EZO (as the data importer), as provided in Annex I of the Appendix. The “start date” is the start date, effective date, or equivalent date of the Agreement.
  2. Completion of Tables 2 and 3. Table 2 of the UK SCC Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.” For the purposes of Table 2 and Table 3 of the UK SCC Addendum, the “Approved EU SCCs” are completed as set out above Section 7.1(a)-(j).
  3. Completion of Table 4. Table 4 of the UK SCC Addendum is completed by selecting “neither party.”
  4. Conflict. In the event of any inconsistency or conflict between the UK SCC Addendum and this DPA, the UK SCC Addendum shall prevail.

8. Audit

8.1. At the Customer’s request, EZO will, within a reasonable time, provide a third-party audit report, such as an ISO 27001 certificate or a SOC 2 Type II report, that relates to the security of the Service.

8.2. If a Customer is not reasonably satisfied with the compliance measures in place, and an audit is required under applicable Data Protection Laws, EZO will allow the Customer to conduct an audit. To exercise its audit rights, unless otherwise required by applicable Data Protection Laws, the Customer must: (I) provide at least thirty (30) days’ prior written notice to legal@ezo.io, and the parties will mutually agree on the dates and duration of the audit, the scope of the audit, and the identity of the auditor; (II) ensure that the Customer and the auditor enter into an appropriate confidentiality agreement in relation to the audit and treat any audit reports and findings as confidential; (III) conduct no more than one (1) audit in any twelve (12) month period; (IV) conduct the audit in a manner that does not interfere with EZO’s operations and does not create a risk to the confidentiality or security of EZO’s other customers’ or third-party information that is not related to the Customer; (V) reimburse EZO for the time spent and support provided in connection with the audit at EZO’s then-current hourly rates; and (VI) share the audit findings with EZO promptly following completion of the audit.

9. Deletion of Personal Data

Customer may delete or export content stored in the Service, including Personal Data, using the Service functionality during the Subscription Term. Following the termination of the Agreement, upon the Customer’s request, EZO will delete Personal Data contained in Your Content within thirty (30) days of your request. Any Personal Data stored in back-ups may be deleted within six (06) months of your request following termination. In the event that applicable Data Protection Law does not permit EZO to delete certain Personal Data, EZO shall ensure the confidentiality of Personal Data in accordance with this DPA.

10. EZO as Independent Controller

Where EZO acts as a Controller, with respect to certain categories of Personal Data the EZO Privacy Policy applies.

11. Liability

The liability of either party, including either party’s affiliates, will be subject to the limitations and exclusions under the Agreement. All other limitations of EZO’s liability in damages under the Agreement will apply. The liability of either party, including all of either party’s affiliates, under the Agreement and this DPA together will be aggregate.

12. General Terms

12.1. This DPA takes effect on the effective date of the Agreement and will remain in effect until the Agreement is terminated or expires or EZO retains Personal Data in accordance with section 9 of this DPA.

12.2. In case of any inconsistency between this DPA and the Agreement, this DPA shall govern.

13. Definitions

Capitalized Terms unless otherwise defined shall have the meaning as given to them under the Terms.

13.1. “Agreement” means Terms that references this DPA which are accepted by the Customer, or an otherwise written subscription agreement or an Order Form entered into between the parties for subscription to the Service.

13.2. “Authorized Person” means a necessary employee, contractor or agent authorized by EZO, who has a need to know or access Personal Data for fulfilling obligations of EZO to the Customer.

13.3. “CCPA” means Cal. Civ. Code § 1798.100 et seq. of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any regulations made under it.

13.4. “Data Controller” means the entity which determines the purposes and the means of Processing of Personal Data. “Data Controller” shall also include a “Business,” as such term is defined by CCPA.

13.5. “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. “Data Processor” shall also include a “Service Provider,” as such term is defined by the CCPA.

13.6. “Data Protection Laws” means any federal, state, provincial, local, foreign, international, multinational laws and regulations, including but not limited to the laws and regulations of the European Union, the European Economic Area (“EEA”) and their member states, Switzerland, the United Kingdom (“UK”), and the US Data Protection Laws, applicable to the Processing of Personal Data by EZO under the Agreement.

13.7. “Data Subjects” means identified or identifiable person to whom Personal Data relates.

13.8. “EEA Data Transfer” means a transfer of Personal Data that is subject to the GDPR to a country or territory outside of the EEA which has not been deemed adequate by the EU Commission.

13.9. “EEA Standard Contractual Clauses” or “SCCs” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

13.10. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

13.11. “Personal Data” means any information relating to a natural person, including any information defined as “personally identifiable information”, “personal information”, “personal data” or similar terms as such terms are defined under the Data Protection Laws, limited to that Personal Data EZO Processes in connection with the Agreement.

13.12. “Personal Data Breach” means a breach of EZO’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data contained in Your Content.

13.13. “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

13.14. “Security Measures” means the security controls applicable to the Service purchased by the Customer, as described under Annex II of the Appendix of this DPA.

13.15. “Sensitive Personal Data” shall mean Personal Data revealing racial or ethnic origin; the Processing of genetic data, biometric data for the purpose of uniquely identifying a Data Subject; and subsets of Personal Data that are deemed “sensitive” or require enhanced protections under applicable Data Protection Laws.

13.16. “Service” means the service used by the Customer pursuant to the Agreement and/or an applicable Order Form.

13.17. “Sub-Processor” means any person or entity which Processes Personal Data on behalf of the Data Processor. A list of Sub-Processors is available at https://ezo.io/terms-of-service/subprocessors/.

13.18. “Terms” means the online terms of service available at https://ezo.io/terms-of-service/.

13.19. “UK Data Transfer” means a transfer of Personal Data that is subject to the UK GDPR to a country or territory outside of the UK which has not been deemed adequate by the UK.

13.20. “UK GDPR” means the GDPR as it forms part of the laws of the UK by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

13.21. “UK SCC Addendum” means the template addendum issued by the UK’s Information Commissioner’s Office available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf

13.22. “US Data Protection Laws” mean all applicable state and federal laws in effect that apply to the protection and Processing of Personal Data in the United States, including, without limitation, the CCPA, Colorado Privacy Act, Utah Consumer Privacy Act, Connecticut Data Privacy Act, and the Virginia Consumer Data Protection Act.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Customer (the entity creating an account to use the Service or signing this DPA)

Address: As provided in the signing up form by the account owner creating the account to use the Service or as otherwise stated in the Agreement signed between the parties that references this DPA

Contact person’s name, position and contact details: As provided in the signup form or an Agreement that references this DPA

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and this DPA

Signature and Date: As of the date of the Agreement

Role (controller/processor): Controller

Data importer(s):

Name: EZ Web Enterprises, Inc. doing business as EZO

Address: 701 S Carson St STE 200, Carson City, NV 89701, United States

Contact person’s name, position and contact details: EZO privacy team can be contacted at legal@ezo.io

Activities relevant to the data transferred under these Clauses: As set forth in the Agreement and this DPA

Signature and Date: As of the date of the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The Customer controls the extent to which it may submit Personal Data into the Service which may include, but is not limited to Personal Data for the following:

  • Authorized Users of the Service
  • The Customer’s employees or the contacts of such employees
  • The Customer’s customers, vendors, and business partners

Categories of personal data transferred

The Customer controls the extent to which it may submit Personal Data into the Service, but is not limited to the following categories of Personal Data:

  • Name
  • Title
  • Email
  • Address
  • Telephone
  • Employer
  • Online Identifiers such as IP Address
  • Any other information fed into the Service that may qualify as Personal Data under the Data Protection Laws

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • EZO does not require special categories of data to provide the Service, but it may unknowingly process such special categories of data as uploaded into the Service. EZO restricts the Customer from storing or processing special or sensitive categories of Personal Data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuous for the duration of the provision of the Service.

Nature and Purpose of the Processing

  • EZO’s provision of the Service to the Customer
  • EZO will Process Personal Data for the following purposes:
    • For processing activities in the course of providing the Service pursuant to the Agreement and this DPA
    • Processing initiated by Authorized Users
    • And as further instructed by the Customer

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • Personal Data will be retained as agreed by the parties in the Agreement and the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • The subject matter, nature and duration of the processing is set forth in the Agreement and the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

The competent supervisory authority determined in accordance with the Data Protection Laws.

ANNEX II - Technical Security Measures

The following technical and organizational measures are in place to protect Personal Data Processed by EZO under this DPA. EZO may update these measures from time to time, without reducing the protections offered below:

  1. Encryption. EZO relies on industry-standard encryption to secure Personal Data in transit over the internet and at rest when transferring from or to the Service. TLS 1.2 or higher is used when transferring Personal Data over the internet. AES-256 or AES-128 encryption is used to protect Personal Data at rest.
  2. Network and Physical Security. A firewall is implemented at the server level by EZO’s third-party cloud hosting service provider to control and properly manage network traffic. All EZO applications are hosted on Amazon Web Services (AWS) Cloud. AWS physical and environmental security controls are audited for SOC 2 and ISO 27001 compliance, among other certifications, and EZO relies on AWS’s security compliance programs for the physical security of AWS data centers.
  3. Monitoring and Logging. EZO implements tools for detecting incorrect or unusual activity through the Service, and system logs are monitored regularly for suspicious activity. All activity across the Service and systems (including servers and the cloud) is logged. Alerts are generated against unusual and suspicious activity and notifications are sent to the information security team for investigation and resolution.
  4. Vulnerability Management, Patch Management, and Testing. EZO maintains vulnerability and patch management processes which regularly assess the Service for security vulnerabilities and deploy patches and updates. External Third-Party Penetration testing is conducted at least annually to detect vulnerabilities. Commercially reasonable operational procedures are kept in place to mitigate reasonably foreseeable or actual attacks.
  5. Access Controls and Authentication. Access controls are implemented and information is shared on a need-to-know basis with EZO personnel. All EZO personnel accessing the Service or providing support are identified by a unique user ID and password. Strict access controls and multi-factor authentication are deployed on production servers.
  6. Backup, Disaster Recovery and Resilience. Backups of all data contained in accounts using the Service are taken at least once every twenty-four (24) hours. Backup copies are maintained in a location separate from the primary data location. Disaster recovery drills for testing recovery points are performed at least annually.
  7. Secure Development and Segregation. All testing and development of software and applications is carried out on a separate network from production systems. No customer data is used in EZO’s development or testing environments.
  8. Security Training. All EZO Personnel undergo information security awareness training at least once annually.
  9. Information Security Governance, Risk Management, and Audits. EZO maintains an Information Security Program that is reviewed annually. This program includes documented policies and standards of administrative, technical, physical and organizational measures that govern the handling of data in compliance with security standards that EZO complies with. EZO maintains SOC 2 Type 2 and ISO 27001:2013 certifications. Upon Customer’s request, EZO shall furnish certifications once every twelve (12) months.

ANNEX III

US Privacy Addendum

To the extent that any US Data Protection Laws apply related to the Customer’s use of the Service, the following additional terms shall govern Processing of Personal Data of any Consumers (or other similarly defined term under US Data Protection Laws) by EZO as a Service Provider on behalf of the Customer (or other similarly defined term under US Data Protection Laws). Capitalised terms unless otherwise defined in the main DPA or the Agreement shall have the meaning given to them under the applicable US Data Protection Laws:

  1. EZO will: (a) comply with the US Data Protection Laws to the extent applicable and in effect, (b) not Share or Sell Personal Data, (c) not directly share Personal Data outside the business relationship of the parties, (c) process only in accordance with the Terms, the DPA, Order Form and as permitted under the applicable US Data Protection Laws, (d) not combine such Personal Data with Personal Data it receives from or on behalf of another person, or collects from its own interaction with Consumers, except as permitted under the applicable US Data Protection Laws, (e) inform the Customer if it cannot meet its obligations under the applicable US Data Protection Laws.
  2. The Customer: (a) in its role as a data controller remains responsible for determining what categories of Personal Data are Processed by the Customer via the Service, (b) shall not Process any Sensitive Data, (c) remains responsible for determining the appropriateness of the Security Measures described under Annex II for Processing of Personal Data; (d) will take appropriate steps to stop and remediate any unauthorized use of Personal Data by EZO upon notice.
