Data Processing Agreement
1. Scope and Application
This Data Processing Agreement (“DPA”) forms part of the Koonda Terms of Service between Koonda, Inc. and the customer. It applies whenever Koonda processes personal data on behalf of the customer in connection with the provision of the Koonda platform.
2. Definitions
Capitalised terms used in this DPA have the following meanings:
- Customer Personal Data — personal data that Koonda processes on behalf of the customer.
- Data Protection Laws — all laws applicable to the processing of Customer Personal Data, including the GDPR and the Zimbabwe Data Protection Act.
- Sub-processor — any third party engaged by Koonda to process Customer Personal Data.
3. Processing of Customer Personal Data
Koonda will only process Customer Personal Data on documented instructions from the customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by applicable law.
4. Confidentiality
Koonda will ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations, whether by contract or by statutory duty.
5. Security Measures
Koonda implements and maintains the technical and organisational measures described on our Security page to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
6. Sub-processors
The customer authorises Koonda to engage Sub-processors as needed to provide the service, subject to the conditions set out in this section. Koonda will:
- Maintain an up-to-date list of Sub-processors
- Provide at least 30 days' notice before engaging a new Sub-processor
- Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA
7. Data Subject Rights
Koonda will, taking into account the nature of the processing, assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws.
8. Personal Data Breaches
Koonda will notify the customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide reasonable information to assist the customer in meeting any obligations to report or inform data subjects.
9. International Transfers
Where Koonda transfers Customer Personal Data outside the customer's jurisdiction, it does so under the safeguards required by Data Protection Laws, including the Standard Contractual Clauses where applicable.
10. Return and Deletion of Data
On termination of the customer's subscription, Koonda will, at the customer's choice, return or delete all Customer Personal Data within 30 days, unless retention is required by applicable law.