Last Update: 30 January 2017

§ 1 Preamble and Order of Precedence

(1) This Data Processing Agreement describes how zenloop will Process Survey Recipient Data that you provide to us in connection with your use of our Services, in accordance with the requirements of Data Protection Laws.

(2) In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over the provisions of the Agreement.

§ 2 Definitions

(1) “Agreement” means the agreement between you and zenloop relating to the provision of our Services, as set forth in our Terms of Service.

(2) “BDSG” means the German Federal Data Protection Act (Bundesdatenschutzgesetz).

(3) “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the processing of personal data (including in connection with providing telecommunication services and conducting email marketing), and including, without limitation, the BDSG, the German Act Against Unfair Competition (UWG), the German Telecommunications Act (TKG) and the German Telemedia Act (TMG).

(4) “Process” or “Processing” means any operation or set of operations which is performed by zenloop as part of the Services upon Survey Recipient Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

(5) “Services” means the services that we provide through our Site, including our customer insight and loyalty services.

(6) “Site” means our website, www.zenloop.com, as well as the associated platform.

(7) “Subprocessor” means a third party subcontractor engaged by zenloop which, as part of the subcontractor’s role of delivering the Services, will Process Survey Recipient Data.

(8) “Survey Recipient” means any identified or identifiable natural person who is a customer, employee or business contact of yours and who has been or will be contacted by you through our Site.

(9) “Survey Recipient Data” means any personal information relating to a Survey Recipient that you or any of your Survey Recipients provide to zenloop in connection with your use of the Services. Other terms have the definitions provided for them in the Agreement or as otherwise specified below.

§ 3 Subject, Duration, and Categories of Survey Recipient Data

(1) Under the terms of this Data Processing Agreement, zenloop will Process Survey Recipient Data on behalf of Customer in accordance with section 11 BDSG (Auftragsdatenverarbeitung).

(2) This Data Processing Agreement shall be effective for the duration of zenloop’s Services under the Agreement, and shall terminate automatically upon expiration or termination of the Agreement for any reason.

(3) The scope and nature of the Processing of Survey Recipient Data hereunder shall be as defined in the Agreement.

(4) Processing may include the following categories of Survey Recipient Data: personal information including name or email address, usage data, device data, referral data and information from cookie and page tags.

§ 4 Customer Instructions

(1) During our Services, you may provide instructions to us in addition to those specified in this Data Processing Agreement with regard to the processing of Survey Recipient Data (each such instruction hereinafter, a “Processing Instruction”) in connection with our Services. Any Processing Instruction must be in writing or in electronic form.

(2) Any Processing Instruction that amends or deviates from the terms of this Data Processing Agreement will constitute a change request and will be subject to the requirements set forth in § 14(1). We will negotiate in good faith with you with respect to any change in the Services and/or fees resulting from any Processing Instructions.

(3) You are responsible for ensuring that your Processing Instructions comply with Data Protection Laws. If we believe that a Processing Instruction violates Data Protection Laws, we will inform you thereof without undue delay.

§ 5 Customer Obligations

(1) You are responsible for ensuring that the Processing of Survey Recipient Data hereunder complies with the requirements of Data Protection Laws, including, but not limited to, concerning (i) the transmission of Survey Recipient Data to zenloop (including providing any required notices and obtaining any required consents), (ii) the use of any Survey Recipient Data in connection with any marketing or advertising you conduct, and (iii) your decisions and actions regarding the Processing and use of the Survey Recipient Data.

(2) You will be the responsible body (verantwortliche Stelle) as defined in section 3 paragraph 7 BDSG. You shall have sole responsibility for the accuracy, quality, and legality of Survey Recipient Data and the means by which you have acquired Survey Recipient Data.

(3) You will maintain a public register of processing (öffentliches Verfahrensverzeichnis) in accordance with section 4g paragraph 2 sentence 2 BDSG.

(4) You will, without undue delay, inform us of any defect you may detect in our Services, and of any irregularity in the implementation of statutory regulations on data privacy.

(5) You will defend, indemnify and hold harmless zenloop, its agents, employees, officers and directors from and against any losses, damages and expenses which may be incurred as a result of your breach of your obligations set forth in this § 5.

§ 6 zenloop Obligations

(1) We will Process your Survey Recipient Data solely for the provision of our Services and will not otherwise (i) Process or use your Survey Recipient Data for purposes other than those set forth in the Agreement or this Data Processing Agreement or (ii) disclose your Survey Recipient Data to third parties other than Subprocessors for the aforementioned purposes or as required by law.

(2) We will Process Survey Recipient Data exclusively within the territory of the Federal Republic of Germany, a Member State of the European Union or another signatory to the Agreement on the European Economic Area.

(3) Upon your written request, and except where you are able to obtain such information directly, we will provide to you all information necessary for compiling the overview defined by section 4g paragraph 2 sentence 2 BDSG.

(4) We will ensure that our personnel engaged in the Processing of Survey Recipient Data are informed of the confidential nature of the Survey Recipient Data and have undertaken to comply with the principle of data secrecy in accordance with section 5 BDSG.

(5) We have appointed a data protection officer: Inna Gendelman, ISiCO Datenschutz GmbH, Am Hamburger Bahnhof 4, 10557 Berlin. The person can be reached by email via dpo@zenloop.com.

§ 7 Technical and Organizational Measures

(1) When we Process Survey Recipient Data on your behalf, we have implemented and will maintain certain technical and organizational security measures for the Processing of such data, as such measures are specified in Annex 1. These measures are intended to protect Survey Recipient Data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and against all other unlawful forms of processing.

(2) All technical and organizational security measures are subject to technical progress and development. Accordingly, we may modify our security measures and/or implement alternative security measures, provided, however, that these do not fall short of the level of security as contractually agreed upon in Annex 1.

§ 8 Customer Audit Rights

(1) You may, prior to the commencement of our Services and up to once per year during the performance of our Services, audit the technical and organizational measures implemented by zenloop. You may perform more frequent audits to the extent required by Data Protection Laws.

(2) In the course of such audit, you may, in particular, conduct the following measures: (i) You may obtain information from zenloop. (ii) You may request zenloop to submit to you an existing certificate by a qualified third party auditor. (iii) You may, upon reasonable advance agreement, during regular business hours and without interfering with zenloop’s business operations, conduct an on-site inspection of those parts of zenloop’s business facilities where Survey Recipient Data is being processed, subject to zenloop’s then-applicable security policies.

(3) To request an on-site inspection, you must submit an inspection plan to us at least two weeks in advance of the proposed inspection date, describing the proposed scope, duration and start date of the inspection. We will review the inspection plan and provide you with any concerns or questions (for example, any request for information that could compromise zenloop’s security, privacy, employment or other relevant policies).

(4) If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within the prior twelve months, you agree to accept those findings in lieu of requesting an audit of the systems covered by the report.

(5) You will provide us with any audit reports generated under this section, unless prohibited by law. You may use the audit reports only for the purpose of confirming that our technical and organizational measures are in compliance with the requirements of this Data Processing Agreement. The audit reports are confidential information of the parties under the terms of the Agreement.

(6) Any audits are at your expense. Any request for zenloop to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required for the provision of the Services. We will seek your written approval and agreement to pay any related fees before performing such audit assistance.

(7) If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and zenloop and must execute a written confidentiality agreement acceptable to zenloop before conducting the audit.

§ 9 Subprocessors

(1) We may engage Subprocessors to assist in the Processing of your Survey Recipient Data. We maintain a list of our Subprocessors and will provide a copy of that list to you upon your written request.

(2) We will ensure that all of our Subprocessors are required to abide by substantially the same obligations as zenloop under this Data Processing Agreement as applicable to their performance of the Services. This shall apply in particular, but not be limited to, the requirements in § 4, § 7, § 8, and § 10 to § 13. zenloop remains responsible at all times for compliance with the terms of this Data Processing Agreement by all Subprocessors engaged in the performance of our Services to you.

(3) You are entitled, upon written request, to receive copies of the relevant terms of zenloop’s agreement with each Subprocessor that Processes your Survey Recipient Data, unless the agreement contains confidential information, in which case zenloop may provide a redacted version of the agreement.

(4) This § 9 shall not apply where we engage third parties for ancillary services; these include, but are not limited to, telecommunications services, mail and shipping services, building security services, facility management services, and services relating to the cleaning or disposal of data media.

§ 10 Rights of Survey Recipients

(1) Where a Survey Recipient requests us to correct, delete or block Survey Recipient Data, we will pass on such request to you. zenloop will not respond to any requests of Survey Recipients without your prior written consent.

(2) Where a Survey Recipient requests you to correct, delete or block Survey Recipient Data or to provide information about the collection, processing or use of Survey Recipient Data in connection with our Services and you are unable to fulfil the request by yourself through our Site, we will support you in fulfilling the request, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for the cost and expenses incurred in providing such support.

§ 11 Deletion of Data and Return of Data Media

(1) Upon cancellation of your account, or at any time upon your written request, we will delete all copies of your Survey Recipient Data from our systems. We are not liable for any loss or damage following, or as a result of, such deletion, and it is your responsibility to ensure that any Survey Recipient Data which you require is backed-up or replicated before deletion.

(2) If, in connection with our Services, we have received from you any data media containing Survey Recipient Data, we will return to you any such data media still in our possession at the time of cancellation of your account or earlier upon your written request.

(3) Notwithstanding the above, we will retain and use your Survey Recipient Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

§ 12 Service Analyses

(1) We may (i) compile statistical and other information related to the performance, operation and use of our Services, and (ii) use data from our Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses i and ii are collectively referred to as “Service Analyses”).

(2) Service Analyses will not incorporate Customer’s Survey Recipient Data in a form that could identify or serve to identify any Survey Recipient. zenloop retains all intellectual property rights in Service Analyses.

§ 13 Duties to Notify

(1) We will, without undue delay, inform you if your Survey Recipient Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in our control. In such event, we will inform all pertinent parties in such action, that any data affected thereby is in your sole property and area of responsibility, that data is at your sole disposition, and that you are the responsible body in the sense of the BDSG.

(2) We will, without undue delay, inform you if we determine that (i) your Survey Recipient Data has been subject to a security incident (including by a zenloop employee) or (ii) there has been a breach by zenloop (including by a zenloop employee) of Data Protection Laws applicable to the performance of our Services to you or of any of the provisions set forth in this Data Processing Agreement. In such event, we will promptly investigate the security incident or breach and take reasonable measures to identify its root cause and prevent a recurrence.

(3) In the event that, due to the security incident or breach, you are required to fulfill any disclosure obligations in accordance with section 42a BDSG, we will support you in fulfilling such obligations, provided that (i) you instruct us to do so in writing or in text form and (ii) you reimburse us for our reasonable and documented cost and expenses incurred in providing such support.

§ 14 Miscellaneous

(1) No modification of this Data Processing Agreement shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the provisions of this Data Processing Agreement. The foregoing shall also apply to any waiver or modification of this mandatory written form.

(2) Where individual provisions of this Data Processing Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Data Processing Agreement shall not be affected.

(3) This Data Processing Agreement is governed by German law. Any disputes arising out of or in connection with this Data Processing Agreement shall be exclusively submitted to the courts of Berlin.




Annex 1 to the zenloop Data Processing Agreement

Data Security Concept

Technical and organizational measures pursuant to section 9 Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), including its annex

Last Update: 24 October 2016

§ 1 Physical Access Control (Zutrittskontrolle)

Legal requirements^

Processor must take suitable measures to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

Measures taken by zenloop

zenloop employs the following measures to prevent unauthorized persons from (physically) entering its facilities:

  • Alarm system / security systems

  • Secure entrance to building / facilities

  • Automatic access control (e.g., by chip cards)

  • Safety locks on doors

  • Video surveillance of entrances

  • Use of security staff

  • Admission management: authorized personnel and scope of authorization are pre-defined

  • Careful selection of security staff

  • Careful selection of cleaning staff

§ 2 System Access Control (Zugangskontrolle)

Legal requirements

Processor must take suitable measures to prevent data processing systems from being used without authorization.

Measures taken by zenloop

zenloop employs the following measures to prevent the use by unauthorized persons:

  • System and data access is restricted to properly authorized users
  • Users need to authenticate with username and password
  • User rights are granted restrictively
  • All log-ons / log-offs are recorded
  • Use of central password policy

§ 3 Data Access Control (Zugriffskontrolle)

Legal requirements

Processor must take suitable measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.

Measures taken by zenloop

zenloop employs the following measures to ensure that authorized users can only access the data covered by their authorization and that personal data cannot be read, copied, changed, or deleted without authorization:

  • System and data access is restricted to properly authorized staff
  • Users need to authenticate with username and password
  • All data access is logged automatically
  • Use of archiving bots
  • Small number of system administrators
  • Use of central password policy
  • Records and log files are analyzed regularly

§ 4 Transmission Control (Weitergabekontrolle)

Legal requirements

Processor must take suitable measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.

Measures taken by zenloop

zenloop employs the following measures to ensure data cannot be read, copied, modified or removed without authorization during transmission or transport:

  • Transmitted data is encrypted
  • Unnecessary printouts and misprints are destroyed
  • Local hard disks are read/write protected
  • Data carriers may not be taken home by staff
  • Private data carriers of staff may not be used at work

§ 5 Input Control (Eingabekontrolle)

Legal requirements

Processor must take suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed.

Measures taken by zenloop

zenloop employs the following measures to ensure that it is possible to review and determine ex-post if and by whom personal data was entered, altered, or deleted:

  • Entering, altering and deleting of data is logged
  • Activities of administrators are logged
  • Use of central rights management for entering, altering and deleting data

§ 6 Data Processing Control (Auftragskontrolle)

Legal requirements

Processor must take suitable measures to ensure that personal data which is processed by way of a commissioned data processing can be processed only in accordance with the data controller’s instructions.

Measures taken by zenloop

zenloop employs the following measures to ensure that personal data which is processed by way of a commissioned data processing can be processed only in accordance with the data controller’s instructions:

  • Data processor is selected based on aspects of diligence (especially data security)
  • Responsibilities are (contractually) allocated between data controller and data processor
  • Data processor’s staff is contractually obliged to maintain and adhere to data secrecy (§ 5 BDSG)
  • Data is destroyed after termination of contract

§ 7 Data Availability Control (Verfügbarkeitskontrolle)

Legal requirements

Processor must take suitable measures to ensure that personal data are protected from accidental destruction or loss.

Measures taken by zenloop

zenloop employs the following measures to ensure personal data is protected against accidental destruction or loss:

  • Backups are taken on a regular basis
  • Backup and recovery plan is in place
  • Data backup files are stored at a safe and remote location
  • Data recovery is regularly tested

§ 8 Data Segregation Control (Trennungskontrolle)

Legal requirements

Processor must take suitable measures to ensure that data collected for different purposes can be processed separately.

Measures taken by zenloop

zenloop employs the following measures to ensure that data collected for different purposes is processed separately:

  • Systems allow for data segregation (multi-tenancy), data is segregated by software
  • Data sets are stored on physically separate systems or data carriers
  • Productive systems and test systems are separated from each other
  • Data sets can be accessed only through those applications which have been pre-defined
  • Database user rights are issued and managed centrally



^ ‘Legal requirements’ refers to the requirements as set forth in the annex to section 9, first sentence, Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG); English translation as provided by the Language Service of the Federal Ministry of the Interior (Sprachendienst des Bundesministeriums des Inneren).
