Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions (“Agreement”)  between: 

Zenoo Ltd (“Zenoo”, “Processor”) 

and 

the subscribing customer (“Customer”, “Controller”). 

This DPA governs the processing of Personal Data by Zenoo on behalf of the Customer through the  AML Buddy platform (“Services”). 

1. Definitions 

For the purposes of this DPA: 

  • “Applicable Data Protection Law” means UK GDPR, EU GDPR (where applicable), the  Data Protection Act 2018, and any local privacy regulations. 
  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”,  “Processing”, “Sub-processor” have the meanings set out in GDPR. 
  • “Customer Data” means Personal Data processed through the Services on behalf of the  Customer. 
  • “Sub-processor List” means the list of third-party service providers used by Zenoo, as  updated from time to time. 

2. Roles of the Parties 

1. Customer is the Data Controller in respect of Customer Data. 

2. Zenoo is the Data Processor, processing Customer Data solely on the Customer’s  documented instructions. 

3. Where the Customer processes Personal Data as a processor for its own clients, Zenoo acts  as a Sub-processor and Customer warrants it has the authority to appoint Zenoo. 

3. Instructions for Processing 

Zenoo shall: 

  • process Customer Data only to provide the Services, 
  • not process Customer Data for its own purposes, 
  • comply with Customer’s written instructions unless prohibited by law, 
  • notify Customer if it considers an instruction unlawful. 

4. Sub-processing 

1. Customer authorises Zenoo to use Sub-processors necessary for delivery of the Services,  including: 

  • AWS (hosting and infrastructure) 
  • Identity verification suppliers (Refinitiv/GDC, GBG, etc.)
  • Communication, monitoring, support, and analytics providers 

2. Sub-processors must be bound by obligations equivalent to those in this DPA. 3. Zenoo will notify Customer 30 days in advance of adding a new Sub-processor. 4. Customer may object on reasonable data protection grounds. 

5. Zenoo remains responsible for Sub-processor performance. 

5. International Data Transfers 

1. Customer Data is primarily stored in AWS EU-West (Ireland)

2. Transfers outside the UK/EEA will rely on: 

  • EU Standard Contractual Clauses (2021), 
  • UK Addendum or IDTA, 
  • Any successor framework. 

3. Zenoo will not transfer Customer Data to a country without appropriate safeguards. 

6. Security Measures 

Zenoo shall implement appropriate technical and organisational measures including: 

  • Encryption at rest and in transit 
  • Multi-factor authentication and role-based access control 
  • Network isolation and firewalls 
  • SIEM logging and monitoring 
  • Regular vulnerability scanning and annual penetration tests 
  • Business continuity and disaster recovery processes 
  • Secure backup and rolling deletion policies 

(See Annex II for detailed measures.) 

7. Data Subject Rights 

Zenoo shall: 

  • assist the Customer with requests from Data Subjects, including access, rectification, erasure,  portability, and objection, 
  • not respond directly unless instructed or legally required, 
  • promptly forward any request received directly to the Customer. 

8. Personal Data Breach 

Zenoo shall: 

  • notify Customer without undue delay upon becoming aware of a Personal Data Breach, 
  • provide sufficient information for the Customer to meet breach notification requirements, 
  • cooperate with remediation efforts. 

9. Audits and Compliance

1. Customer may audit Zenoo’s compliance with this DPA once per year, with 30 days’ notice. 2. Audits must not disrupt Zenoo’s operations. 

3. Zenoo may fulfil audit obligations by providing: 

  • ISO 27001 or SOC2 reports, 
  • penetration test summaries, 
  • security documentation. 

10. Return or Deletion of Data 

Upon termination of the Agreement: 

● Zenoo will delete Customer Data from live systems within 30 days, and ● delete encrypted backups within 90 days through automated rolling deletion. 

Customer may request a data export prior to deletion. 

11. Liability 

Liability under this DPA is subject to the limitations and exclusions set out in the Agreement. This DPA does not expand Zenoo’s liability beyond the terms of the Agreement. 

12. Duration 

This DPA remains in effect for the duration of the Agreement and until all Customer Data has been  deleted. 

ANNEX I — DETAILS OF PROCESSING 

1. Subject Matter of Processing 

Identity verification, AML/KYC workflows, fraud prevention, compliance automation. 

2. Duration 

For the duration of the Agreement and applicable AML regulatory retention periods. 

3. Nature & Purpose of Processing 

Processing includes collection, matching, verification, scoring, fraud analysis, reporting, and secure  storage. 

4. Categories of Personal Data 

  • name, address, date of birth 
  • email, phone 
  • government identifiers 
  • device identifiers and IP 
  • biometric verification outputs (if enabled)
  • verification metadata and results 

5. Categories of Data Subjects 

  • Customers’ clients 
  • applicants 
  • employees 
  • identity subjects undergoing verification 

ANNEX II — TECHNICAL & ORGANISATIONAL MEASURES Zenoo implements industry-standard security controls, including: Technical Measures 

  • AES-256 encryption at rest, TLS 1.2+ in transit 
  • MFA, RBAC, session controls 
  • network segregation, firewalls, DDoS protection 
  • SIEM logging, anomaly detection, intrusion detection 
  • regular patching, vulnerability scanning, pen testing 
  • least-privilege access for administrators 

Organisational Measures 

  • employee background checks 
  • mandatory security & privacy training 
  • documented incident response plan 
  • audited onboarding/offboarding procedures 
  • signed confidentiality agreements 

Business Continuity & Backups 

  • multi-AZ architecture 
  • encrypted automated backups 
  • rolling deletion within 90 days