Data Processing Addendum (DPA)

Last updated: 13.01.2026

This Data Processing Addendum ("DPA") forms part of the agreement between Zlick LTD ("Zlick", "Processor") and the customer using Zlick's Services ("Customer", "Controller") and applies to the extent Zlick processes Personal Data on behalf of the Customer in the course of providing the Services.

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation ("GDPR").

1. Definitions

Capitalized terms not defined in this DPA have the meaning given to them in the GDPR or the applicable agreement between the parties.

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR.
  • "Services" means the services provided by Zlick to the Customer as defined in the applicable Terms of Service.
  • "Sub-processor" means any third party engaged by Zlick to process Personal Data on behalf of the Customer.

2. Roles of the Parties

2.1 The Customer is the Controller of Personal Data processed through the Services.

2.2 Zlick acts as a Processor, processing Personal Data solely on documented instructions from the Customer and for the purpose of providing the Services.

2.3 Zlick does not determine the purposes or means of processing End User Personal Data.

3. Scope, Nature, and Purpose of Processing

3.1 Subject matter: Support communications, tickets, and related workflow data.

3.2 Nature of processing: Accessing, structuring, analyzing, summarizing, classifying, and storing Personal Data as necessary to provide AI-assisted support functionality.

3.3 Purpose of processing:

  • Providing and operating the Services;
  • Generating draft support responses;
  • Enabling Customer support agents to review, edit, and send responses;
  • Security, troubleshooting, and quality assurance.

3.4 Duration of processing: For the duration of the Customer's use of the Services, subject to deletion and retention terms in Section 9.

4. Categories of Data Subjects and Personal Data

4.1 Categories of Data Subjects:

  • Customer personnel;
  • End Users contacting Customer support (including, incidentally, children).

4.2 Categories of Personal Data:

  • Contact information (e.g. name, email address);
  • Support communications (email content, attachments);
  • Metadata (timestamps, message identifiers);
  • Account and billing-related data.

Zlick does not intentionally process special categories of Personal Data.

5. Customer Obligations

The Customer represents and warrants that:

  • It has a valid legal basis for processing Personal Data and for instructing Zlick to process such data;
  • It has provided all required notices to, and obtained all necessary consents from, data subjects;
  • Its instructions to Zlick comply with applicable data protection laws.

6. Zlick Obligations

Zlick shall:

  • 6.1 Process Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries.
  • 6.2 Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • 6.3 Implement appropriate technical and organizational measures to protect Personal Data.
  • 6.4 Assist the Customer, taking into account the nature of processing, in responding to data subject requests under GDPR.
  • 6.5 Assist the Customer in meeting its obligations relating to security, breach notification, DPIAs, and consultations with supervisory authorities, to the extent required by GDPR.
  • 6.6 Not use Personal Data to train general-purpose AI models.

7. Sub-processors

7.1 The Customer authorizes Zlick to engage Sub-processors for the purpose of providing the Services.

7.2 Zlick shall ensure that all Sub-processors are bound by written data protection obligations no less protective than those set out in this DPA.

7.3 The current list of authorized Sub-processors is described in Zlick's Privacy Policy. That list may be updated from time to time in accordance with the Privacy Policy.

7.4 By entering into this DPA, the Customer acknowledges and agrees to the engagement of the Sub-processors listed in the Privacy Policy.

8. International Data Transfers

Where Personal Data is transferred outside the EU/EEA, Zlick shall ensure appropriate safeguards are in place, including the use of Standard Contractual Clauses approved under GDPR.

9. Deletion and Return of Data

9.1 Upon termination of the Services, Zlick shall, at the Customer's choice, delete or return Personal Data, unless retention is required by law.

9.2 Data retention periods during the term of the Services are governed by Zlick's Privacy & Data Protection Policy.

10. Security Measures

Zlick implements appropriate technical and organizational measures, including:

  • Encryption of data at rest and in transit;
  • Role-based access controls;
  • Logging and monitoring;
  • Secure cloud infrastructure.

11. Personal Data Breach Notification

Zlick shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.

12. Audits

The Customer may audit Zlick's compliance with this DPA through reasonable requests for information or documentation, subject to confidentiality and proportionality.

13. Liability

Liability arising out of this DPA shall be subject to the limitations of liability set out in the applicable agreement between the parties.

14. Governing Law

These Terms are governed by the laws of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

15. Order of Precedence

In the event of any conflict between this DPA and the applicable agreement, this DPA shall prevail with respect to data protection matters.