This Data Processing Addendum ("DPA") forms part of the Terms of Service or any other agreement between you and zyme, Inc. ("Company," "We," "Us," or "Our") covering the use of our products or services (the "Agreement"). This DPA is incorporated into the Agreement and reflects the parties' agreement regarding the processing of Personal Data in compliance with Data Protection Laws.
Interpretation and Definitions
Interpretation
Terms not defined in this DPA have the meanings set forth in the Agreement. In case of a conflict between this DPA and the Agreement, this DPA will prevail regarding data protection matters.
Definitions
For the purposes of this DPA:
- Affiliate means an entity that controls, is controlled by, or is under common control with the Company.
- Controller means the entity which determines the purposes and means of processing Personal Data.
- Processor means the entity which processes Personal Data on behalf of the Controller.
- Data Protection Laws refers to all applicable privacy and data protection laws and regulations including the GDPR, CCPA, and PIPEDA.
- GDPR means the General Data Protection Regulation (EU) 2016/679 and its implementation in European Economic Area countries.
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or erasure.
- Sub-Processor means any third-party processor engaged by the Company.
Scope of Data Processing
The parties agree that:
- You act as the Controller and determine the purposes and means of processing Personal Data.
- The Company acts as the Processor or Sub-Processor on your behalf.
- The Company will only process Personal Data in accordance with your documented instructions unless otherwise required by law.
Categories of Personal Data
This may include, but is not limited to:
- Full name
- Email address
- Account metadata
- Usage data
- Device identifiers
Categories of Data Subjects
These may include:
- End users of your application
- Your employees and contractors
- Customers or partners
Processor Obligations
The Company shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel authorized to process Personal Data are under confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist the Controller in responding to requests for exercising data subject rights.
- Notify the Controller of any Personal Data breach without undue delay and in any event within 72 hours.
- Upon termination, delete or return all Personal Data, unless retention is required by law.
Sub-Processors
We may engage Sub-Processors to help provide the Service. We maintain an up-to-date list of Sub-Processors at zyme.sh/subprocessors. You may subscribe to updates via email.
- We ensure Sub-Processors are contractually bound to meet the obligations outlined in this DPA.
- We remain fully liable for any act or omission of any Sub-Processor.
International Data Transfers
If Personal Data is transferred outside the jurisdiction of the Controller (e.g., from Singapore to Canada or the US), the Company will:
- Ensure such transfers comply with applicable Data Protection Laws.
- Use approved transfer mechanisms such as Standard Contractual Clauses (SCCs), where required.
- Provide transparency and allow audits under reasonable circumstances to verify compliance.
Data Subject Rights
The Company will:
- Promptly notify the Controller of requests received from data subjects.
- Assist the Controller, to the extent reasonably possible, in fulfilling obligations to respond to data subject rights (access, correction, erasure, restriction, portability, objection).
Data Breach Notification
In the event of a Personal Data breach, the Company shall:
- Notify the Controller without undue delay and in any event within 72 hours.
- Provide reasonable assistance to investigate and mitigate the breach.
- Provide sufficient information for the Controller to fulfill legal obligations to notify individuals or authorities.
Audits and Certifications
Upon reasonable written request, the Company shall:
- Provide information necessary to demonstrate compliance with this DPA.
- Cooperate with audits conducted by the Controller or its authorized representative, not more than once annually, unless required by law or after a security incident.
Limitation of Liability
Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability in the Agreement. This DPA does not expand or limit the Company’s liability beyond the Agreement.
Term and Termination
This DPA is effective from the date you first use the Service and remains in effect until the Agreement is terminated or expires. Provisions that by their nature survive termination (e.g., data deletion, confidentiality) shall remain in effect.
Governing Law
This DPA is governed by the same laws and jurisdiction as the Agreement unless otherwise required under Data Protection Laws.
Contact Us
For questions or concerns related to data processing or this DPA, please contact:
- Data Protection Officer: privacy@zyme.sh
- Address: 3421 Rue Drummond, Montreal, QC, Canada