Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Zabt Terms of Service between Zabt ("Processor") and the customer organization ("Controller") and governs the processing of Personal Data in connection with the Zabt platform.

1. Definitions

"Personal Data," "Processing," "Controller," "Processor," and "Sub-processor" carry the meanings set out in applicable data protection law, including the GDPR. "Evaluation Data" means participant profiles, submissions, scores, and committee comments processed within a Zabt workspace.

2. Scope and Roles

The Controller determines the purposes and means of processing Evaluation Data. Zabt acts solely as a Processor and processes Personal Data only on documented instructions from the Controller, including those reflected in the Terms of Service and the configured workspace settings.

3. Subject Matter and Duration

• Subject matter: Provision of the Zabt selection intelligence platform.
• Duration: The term of the underlying subscription, plus the 90-day decommissioning window.
• Nature: Hosting, structured evaluation, scoring aggregation, and reporting.
• Categories of data subjects: Workspace members, judges, applicants, and participants.

4. Confidentiality

Zabt ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and receive role-appropriate data protection training.

5. Security Measures

Zabt implements appropriate technical and organizational measures, including AES-256 encryption at rest, TLS in transit, Row-Level Security isolation, least-privilege administrative access, and continuous monitoring. Detail is published in our Security page.

6. Sub-processors

The Controller authorizes Zabt to engage Sub-processors for hosting, email delivery, and payment processing. Zabt maintains a current list of Sub-processors and provides prior notice of material changes, allowing the Controller to object on reasonable grounds.

7. International Transfers

Where Personal Data is transferred outside the originating jurisdiction, Zabt relies on appropriate safeguards, including the European Commission's Standard Contractual Clauses, supplemented as necessary by additional technical and organizational measures.

8. Data Subject Requests

Zabt provides workspace administrators with self-service tools to access, correct, export, and delete Personal Data. Where additional assistance is required to respond to data subject requests, Zabt provides reasonable cooperation.

9. Incident Notification

Zabt notifies the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller data, providing information sufficient to meet the Controller's own notification obligations.

10. Audits

Zabt makes available the information necessary to demonstrate compliance with this DPA, including third-party reports and security documentation, and allows for audits on reasonable advance notice.

11. Return and Deletion

Upon termination of the subscription, Zabt returns or deletes Personal Data within the 90-day decommissioning window, subject to legal retention obligations.

Contact

To execute a counter-signed DPA or request our Sub-processor list, contact privacy@zabt.io.