Zensli Data Processing Agreement (DPA)

Introduction

This Data Processing Agreement ("DPA") governs how PKG AB, a Swedish company (Reg. No. SE559008922201) (hereafter referred to as the “Service Provider,” “we,” “us,” “our”), processes personal data on behalf of its Customers in connection with providing the Zensli service.

Definitions

  • Customer means the organisation using the Zensli Service.
  • Service means the Zensli service provided by us to collect and analyse online behaviour of the Customer’s website visitors or app users.
  • Data Protection Legislation means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and all other applicable laws relating to the processing of personal data and privacy.
  • Data Controller, Data Processor, Data Subject, Personal Data, Processing, and Appropriate Technical and Organisational Measures shall be interpreted according to the definitions in Data Protection Legislation.

The parties acknowledge that the Customer is the Data Controller and the Service Provider is the Data Processor with respect to personal data processed through the Service.

Nature and Purpose of Processing

Personal data is processed solely for the statistical evaluation and analysis of the performance and usage behaviour of individuals interacting with the Customer’s websites or apps. Such processing is performed on data in anonymised or pseudonymised form. The Service Provider does not use the personal data for its own purposes.

Categories of Personal Data Processed

Depending on the Customer’s configuration of the Service, the following types of personal data may be processed:

  • IP address
  • Geographic data (city, region, country, approximate latitude/longitude)
  • Browser, device type, operating system, and user agent
  • Date, time, and time zone
  • Pages and screens visited (URLs and titles)
  • Referrer URL
  • Marketing campaign URL parameters
  • Files downloaded and external links clicked
  • Screen resolution
  • Session recordings (HTML pages, mouse movements, clicks, scrolls, and keypresses)
  • Internal search terms
  • Custom dimensions, variables, events, and content
  • User ID
  • E-commerce data (order ID, date, abandoned carts)
  • Media titles and URLs
  • Email addresses, phone numbers, and other personal identifiers may be collected. Zensli does not classify or determine the sensitivity of data; it is the exclusive responsibility of the site owner to ensure compliance with all applicable laws and regulations, to appropriately limit the collection of sensitive data, and to provide clear notice to their visitors regarding such data processing.

The data subjects affected are end-users of the Customer’s websites and apps.

Credit card numbers, bank details, financial information, passwords, or any other sensitive personally identifiable information (PII) must never be sent to Zensli under any circumstances, regardless of consent obtained from end users.

All input fields within website forms that collect Personally Identifiable Information (PII) or any other sensitive data must be explicitly marked with a custom attribute such as data-type="pii". This marking is mandatory to ensure proper data handling and regulatory adherence. It is the sole responsibility of the site owner to identify which data its visitors may consider sensitive and to take appropriate measures accordingly.
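The marking requirement above is only as good as the site owner's discipline in applying it, so a practical deployment needs two checks on the site owner's side: an audit that finds form fields that look like PII but carry no data-type="pii" attribute, and a redaction step that scrubs marked (and audit-flagged) values before any payload leaves the page. The following is an added example written for this page; it is not Zensli's code and says nothing about how the Service itself treats the attribute. Field descriptors are plain objects mirroring the attributes a DOM input would carry, so the logic runs in Node without a browser; the heuristics, the sample form and the function names (auditPiiMarking, redactBeforeSend) are the editor's assumptions.

```javascript
// Added example (not Zensli's code). Audits form fields for missing
// data-type="pii" marking and redacts sensitive values from an analytics payload.
// Each field is a plain object with the attributes an <input> would expose;
// in a page you would build the list from document.querySelectorAll("input, textarea, select").

// Heuristics for inputs that almost always carry PII or secrets. The DPA makes the
// site owner responsible for deciding what is sensitive, so treat this as a floor:
// it errs on the side of flagging (e.g. "filename" matches the "name" hint).
const PII_INPUT_TYPES = new Set(["email", "tel", "password"]);
const PII_AUTOCOMPLETE = /^(name|given-name|family-name|email|tel|street-address|postal-code|cc-|username|current-password|new-password)/;
const PII_NAME_HINTS = /(email|phone|tel|name|address|card|iban|ssn|passport|password)/i;

function isMarkedPii(field) {
  // Mirrors element.dataset.type === "pii" for an input with data-type="pii".
  return (field.dataType || "").toLowerCase() === "pii";
}

// Returns the fields that look like PII but lack data-type="pii".
// A non-empty result means the form violates the marking requirement.
function auditPiiMarking(fields) {
  return fields.filter((f) => {
    if (isMarkedPii(f)) return false;
    const type = (f.type || "text").toLowerCase();
    if (PII_INPUT_TYPES.has(type)) return true;
    if (f.autocomplete && PII_AUTOCOMPLETE.test(f.autocomplete.toLowerCase())) return true;
    return PII_NAME_HINTS.test(f.name || "") || PII_NAME_HINTS.test(f.id || "");
  });
}

// Fail closed: redact every marked field and every audit-flagged field from a
// payload keyed by field name, returning a new object (the original is untouched).
// Password fields are always caught, since the DPA forbids sending them at all.
function redactBeforeSend(fields, payload) {
  const toRedact = new Set(fields.filter(isMarkedPii).map((f) => f.name));
  for (const f of auditPiiMarking(fields)) toRedact.add(f.name);
  const out = { ...payload };
  for (const key of toRedact) {
    if (key in out) out[key] = "[REDACTED]";
  }
  return out;
}

// Constructed sample: a checkout form as a site owner might (mis)mark it.
const SAMPLE_FIELDS = [
  { name: "q", type: "search" },                              // internal search term, not PII
  { name: "email", type: "email", dataType: "pii" },          // correctly marked
  { name: "phone", type: "tel" },                             // PII, marking forgotten
  { name: "full_name", type: "text", autocomplete: "name" },  // PII, marking forgotten
  { name: "pwd", type: "password", dataType: "pii" },         // marked, and must never be sent anyway
  { name: "qty", type: "number" },                            // harmless
];

// Constructed sample payload, as a naive form-capture hook might assemble it.
const SAMPLE_PAYLOAD = {
  q: "shoes", email: "anna@example.com", phone: "+46 70 000 00 00",
  full_name: "Anna Example", pwd: "hunter2", qty: "2",
};

console.log("unmarked PII fields:", auditPiiMarking(SAMPLE_FIELDS).map((f) => f.name));
console.log("payload after redaction:", redactBeforeSend(SAMPLE_FIELDS, SAMPLE_PAYLOAD));
```

Run the audit in CI against rendered templates (or in the browser console during review) and treat any flagged field as a blocker; the redaction step belongs in whatever code assembles form or keypress data before it is handed to a tracking script, so that an unmarked field degrades to a redacted value rather than a leak.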

Obligations of the Service Provider (Data Processor)

  • Processing Instructions: The Service Provider shall process personal data only on documented instructions from the Customer, as configured through the Service.
  • Confidentiality: The Service Provider guarantees confidentiality of personal data and ensures all personnel authorised to process personal data are bound by confidentiality obligations.
  • Compliance with Laws: The Service Provider shall notify the Customer without undue delay if it believes any instruction violates Data Protection Legislation.
  • Data Subject Requests: Should a data subject contact the Service Provider directly with a request, the Service Provider shall promptly forward it to the Customer and will not act on such requests without documented Customer instructions, except where required by law.
  • International Transfers: Any transfer of personal data outside the EU/EEA shall require prior written consent from the Customer and be conducted in compliance with GDPR Article 44.
  • Employee Training: The Service Provider shall ensure that employees handling personal data are trained regarding confidentiality and data protection obligations.
  • Subprocessors: The Service Provider may engage subprocessors who will comply with obligations substantially similar to those in this DPA. The Customer will be notified of changes to subprocessors and may object within 30 days.
  • Incident Notification: The Service Provider shall notify the Customer without undue delay of any personal data breach, including details and mitigation measures.
  • Assistance: The Service Provider shall assist the Customer in complying with GDPR obligations related to personal data processing, including breach reporting, data protection impact assessments, and consultations with supervisory authorities.
  • Nature of Service and Limitation of Responsibility: The Service Provider acts solely as a technical data processor, providing the Zensli platform as a service. The Service Provider does not create, control, verify, or assume responsibility for the content, accuracy, lawfulness, or completeness of any personal data collected or processed through the Service. The Customer remains solely responsible for ensuring lawful use, retention, and integrity of all collected data. The Service Provider disclaims any liability for data loss, corruption, or legal non-compliance arising from the Customer’s use of the Service.

Customer Obligations

  • Legal Basis: The Customer represents and warrants that it has established a valid legal basis, including obtaining all necessary consents, to provide personal data to the Service Provider for processing in accordance with applicable laws.
  • Regulatory Compliance: The Customer shall ensure full compliance with all applicable data protection and privacy laws, including but not limited to the General Data Protection Regulation (GDPR), in every jurisdiction where its website, application, or services are made available.
  • Responsibility for Data Practices: The Customer acknowledges sole responsibility for the implementation and use of the Zensli tracking script, including ensuring that all tracking, data collection, and processing activities are compliant with applicable laws and transparency obligations.
  • Data Accuracy and Limitations: The Customer understands and accepts that data collected through Zensli may not always precisely identify individual users. For example, shared devices, inaccurate user inputs, or use of third-party contact details may result in misattribution. The Service Provider disclaims all liability for any inaccuracies, user complaints, or reliance on such data. The Customer assumes sole responsibility for verifying and legally utilizing all collected information.
  • Disclaimer of Liability: By deploying the Zensli script or API, the Customer expressly accepts full responsibility for its lawful use. The Service Provider and Zensli disclaim any and all liability related to the Customer’s data collection practices or legal compliance.
  • Tracking Transparency and Opt-Out: The Customer must provide clear notice to end users regarding the use of tracking technologies. This includes informing users of their right to opt out by rejecting non-essential cookies or enabling “Do Not Track” settings in their browsers, as required by applicable laws.

Technical and Organisational Measures

The Service Provider implements appropriate technical and organisational measures to ensure the security of personal data in accordance with GDPR Articles 28(3)(c), 32, and 5(1)-(2). These measures include, but are not limited to:

  • Access Control: Restriction of access to authorised personnel only.
  • Encryption: Use of HTTPS for data in transit and encryption of data at rest.
  • Incident Detection and Response: Logging and monitoring of system activities, with established incident response procedures.
  • Availability and Redundancy: Implementation of fault-tolerant systems and regular data backups.

Detailed descriptions of these measures are provided in Appendix 1.

Liability and Indemnity

Each party shall indemnify and hold harmless the other from claims, losses, damages, or liabilities arising out of any breach of this DPA.

Duration and Termination

This DPA is effective upon acceptance by the Customer and continues until termination in accordance with the Zensli Terms of Service. Upon termination, the Service Provider shall delete all personal data processed on behalf of the Customer within 30 days, unless otherwise stipulated in its data retention policy.

Appendix 1 – Technical and Organisational Measures

The Service Provider’s implemented measures include:

  • Access Control:
    • Authentication and authorisation mechanisms.
    • Restricted access to production environments.
    • Employee training on data security and confidentiality.
  • Transmission and Storage Control:
    • HTTPS encryption for data in transit.
    • Disk encryption for data at rest.
  • Incident Detection and Response:
    • Logging and monitoring of system activities.
    • Incident response and tracking procedures.
  • Availability Control:
    • Redundant systems and backups.
    • Regular testing of failover and recovery mechanisms.

Privacy Policy

For additional information, please refer to the Zensli Privacy Policy.

By accepting this DPA, you confirm that you have the authority to bind the Customer to these terms. If you do not have such authority, please do not accept this DPA.