Zenedu stands with Ukraine and its people
Join us
This Data Processing Agreement ("DPA") forms part of the Zenedu Terms of Service between Zenedu Limited, a company registered in Cyprus ("Zenedu", "Processor"), and the Client who accepts the Terms of Service ("Client", "Controller"). It applies where Zenedu processes personal data on behalf of the Client. By accepting the Terms of Service, the Client agrees to this DPA.
1. Definitions
— "Client" means the creator or merchant who uses the Zenedu platform and accepts the Terms of Service
— "Subscriber" means an end user who accesses the Client's content through the platform
— "Controller", "Processor", "personal data", "processing", and "data subject" have the meanings given in the GDPR.
— "GDPR" means Regulation (EU) 2016/679
2. Roles of the Parties
In respect of Subscriber personal data processed through the platform, the Client acts as the Controller and Zenedu acts as the Processor. Zenedu processes such personal data only on the documented instructions of the Client, including as set out in the Terms of Service and this DPA, unless required otherwise by applicable law.
Zenedu remains an independent Controller for personal data relating to the Client's own account, billing, security, and Zenedu's product analytics, as described in the Privacy Policy. That data is outside the scope of this DPA.
3. Subject Matter and Details of Processing
— Subject matter: provision of the Zenedu platform to the Client
— Duration: for the term of the Client's use of the platform
— Nature and purpose: hosting, storing, and transmitting Subscriber data to deliver the Client's content and operate the platform
— Categories of data subjects: the Client's Subscribers
— Categories of personal data: identifiers and contact details (such as Telegram ID, name, email, phone number), activity data (such as progress and access to the Client's content), and records of payments made for the Client's content
4. Obligations of Zenedu as Processor
Zenedu shall:
— Process personal data only on the Client's documented instructions;
— Ensure that persons authorised to process the data are bound by confidentiality;
— Implement appropriate technical and organisational security measures as described in Section 7;
— Respect the conditions for engaging sub-processors set out in Section 5;
— Assist the Client, taking into account the nature of processing, in responding to data subject requests and in meeting its GDPR obligations regarding security, breach notification, and data protection impact assessments;
— At the Client's choice, delete or return personal data at the end of the services, unless retention is required by law;
— Make available to the Client information necessary to demonstrate compliance with Article 28 GDPR.
5. Sub-processors
The Client provides general authorisation for Zenedu to engage sub-processors to deliver the platform. Zenedu's sub-processors fall into the following categories: cloud hosting and infrastructure, payment processing, video hosting and delivery, customer support and messaging, and product analytics. Zenedu imposes data protection obligations on each sub-processor consistent with this DPA and remains responsible for their performance. Zenedu will inform the Client of any intended changes concerning the addition or replacement of sub-processors and give the Client a reasonable opportunity to object.
6. Data Subject Rights
Taking into account the nature of the processing, Zenedu shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligation to respond to requests from data subjects exercising their rights under the GDPR.
7. Security
Zenedu implements appropriate technical and organisational measures to protect personal data, including: storage on servers located in Germany (EU), TLS encryption of data in transit, access restricted to authorised personnel, monitoring of security events, and regular encrypted backups.
8. Personal Data Breach
Zenedu shall notify the Client without undue delay after becoming aware of a personal data breach affecting Subscriber data, and shall provide information reasonably necessary to enable the Client to meet its own breach notification obligations.
9. International Transfers
Personal data is stored within the EU. Where any transfer of personal data outside the European Economic Area occurs, Zenedu relies on an appropriate safeguard under the GDPR, such as the European Commission's Standard Contractual Clauses or an adequacy decision.
10. Deletion and Return
On termination of the Client's account, or on the Client's request, Zenedu shall delete or return Subscriber personal data, unless applicable law requires continued storage.
11. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service or Privacy Policy regarding the processing of Subscriber personal data, this DPA prevails.
