Data Processing Addendum
Updated on June 5, 2026
This Data Processing Addendum ("DPA" or "Addendum") forms an integral part of the Terms of Use of the Ziett platform and applies whenever Ohrus Labs - Service, Lda ("Ohrus" or "Processor") processes personal data on behalf of the customer ("Controller" or "Customer"), by virtue of using the Ziett Platform Services.
This Addendum is especially relevant for customers subject to the GDPR (EU/EEA), the UK GDPR (United Kingdom) or the LGPD (Brazil), which legally require a formal written agreement between controller and sub-processor. Angolan customers may also request to sign this Addendum.
By using the Platform, the Customer accepts the terms of this Addendum. If you represent an entity that requires a signed DPA, please contact privacy@ziett.co.
1. Definitions
For the purposes of this Addendum, the following expressions shall have the meanings set forth below, complementing the definitions in the Terms of Use:
Data Controller — The entity that determines the purposes and means of the processing of personal data; in this context, the Customer (Billing Account).
Sub-processor / Processor — The entity that processes personal data on behalf of the Controller; in this context, Ohrus.
Subsequent Sub-processor — A third party engaged by Ohrus to assist in providing the Services, who processes personal data under Ohrus's instructions.
Customer Personal Data — Personal data provided by the Customer to Ohrus for processing within the scope of providing the Services, including Recipient data, message content, and contact lists.
Personal Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Applicable Data Protection Laws — As defined in the Terms of Use: LPDP, GDPR, UK GDPR, LGPD and other mandatory applicable legislation.
Documented Instructions — Instructions from the Controller to Ohrus regarding the processing of Customer Personal Data, contained in the Terms of Use, this Addendum and any subsequent written communications.
2. Scope and Object
2.1 This Addendum regulates the processing of Customer Personal Data by Ohrus in the context of providing the Ziett Platform Services.
2.2 The details of the processing are as follows:
| Element | Detail |
|---|---|
| Object | Provision of Ziett Platform Services in accordance with the Terms of Use |
| Duration | For the duration of the Agreement between the parties |
| Nature and purpose | Sending and managing multi-channel digital communications on behalf of the Customer |
| Type of personal data | Recipient data (name, phone number, email, channel identifiers), message content, delivery metadata |
| Categories of data subjects | Recipients of messages sent by the Customer through the Platform |
2.3 Ohrus processes Customer Personal Data only for the purposes determined by the Customer and described in the Terms of Use, unless otherwise required by law.
3. Obligations of Ohrus as Processor
Ohrus undertakes to:
3.1 Process under instruction — Process Customer Personal Data only on the basis of the Documented Instructions of the Controller. If Ohrus is legally required to process data beyond these instructions, it will notify the Customer prior to processing, unless prohibited by law.
3.2 Confidentiality — Ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations, whether by contract or by law.
3.3 Security — Implement the technical and organizational measures described in Section 7 of this Addendum, appropriate to the risk of processing.
3.4 Subsequent Sub-processors — Not engage new Subsequent Sub-processors without prior notification to the Customer, in accordance with Section 5 of this Addendum.
3.5 Rights of data subjects — Assist the Customer, to the extent possible and through appropriate technical and organizational measures, to comply with the obligations to respond to requests from data subjects, in accordance with Section 6.
3.6 Assist the Customer with legal compliance — Support the Customer in complying with obligations regarding security, data breaches, impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available.
3.7 Deletion or return — Upon termination of the Agreement, delete or return to the Customer all Customer Personal Data, in accordance with Section 9 of this Addendum.
3.8 Information and audits — Make available to the Customer all information necessary to demonstrate compliance with the obligations established in this Addendum, and allow for and contribute to audits and inspections, in accordance with Section 10.
4. Obligations of the Customer as Controller
The Customer represents, warrants, and undertakes to:
4.1 Have an appropriate legal basis, under Applicable Data Protection Laws, for processing the Customer Personal Data provided to Ohrus;
4.2 Ensure that the data was collected lawfully and that data subjects were adequately informed;
4.3 Be solely responsible for the accuracy, quality, and legality of the Customer Personal Data;
4.4 Not provide Ohrus with sensitive personal data (special categories within the meaning of Art. 9 GDPR) without prior express agreement;
4.5 Not provide Ohrus with personal data of individuals under 18 years of age without appropriate parental authorization guarantees;
4.6 Comply with Applicable Data Protection Laws in all aspects regarding its activities as a Data Controller;
4.7 Indemnify Ohrus for any claims, losses, or costs resulting from the Customer's failure to comply with its obligations under this Addendum or Applicable Data Protection Laws.
5. Subsequent Sub-processors
5.1 The Customer grants a general authorization for Ohrus to engage Subsequent Sub-processors, provided that:
- They are listed on Ziett's Sub-processors page; or
- The Customer is notified 30 days before any new Subsequent Sub-processor is involved in processing Customer Personal Data.
5.2 The Customer may object to the addition of a new Subsequent Sub-processor for legitimate reasons related to data protection by notifying Ohrus in writing within the 30-day period. The parties will seek to resolve the situation in good faith.
5.3 Ohrus contractually imposes on all Subsequent Sub-processors obligations equivalent to those established in this Addendum. Ohrus remains liable to the Customer for Subsequent Sub-processors' compliance with these obligations.
5.4 The updated list of Subsequent Sub-processors is available at ziett.co/legal/subprocessors.
6. Rights of Data Subjects
6.1 Ohrus will notify the Customer, without undue delay, of any request received from a data subject regarding Customer Personal Data (including requests for access, rectification, erasure, portability, or objection).
6.2 Ohrus will not respond directly to such requests without the Customer's prior authorization, unless otherwise required by law.
6.3 Ohrus will make technical features available on the Platform that allow the Customer to respond to data subject requests, namely:
- Export of contact and message data;
- Deletion of contacts and message history;
- Anonymization of records when technically feasible.
6.4 The Customer is responsible for responding to data subjects within the legally required timeframes (30 days under GDPR; 15 days under LGPD).
7. Security Measures
Ohrus implements and maintains the following technical and organizational measures to protect Customer Personal Data:
Technical Measures:
- Data encryption in transit (TLS 1.2+/HTTPS in all communications);
- Data encryption at rest in storage systems;
- Multi-factor authentication available for user accounts;
- Role-based access control (RBAC) with the principle of least privilege;
- Continuous monitoring of access and security anomalies;
- Periodic penetration testing and security audits;
- Vulnerability management and regular application of security patches.
Organizational Measures:
- Internal data protection and confidentiality policy;
- Regular data protection training for employees;
- Incident and data breach response procedures;
- Physical access controls to premises (where applicable);
- Regular reviews of contracts with Subsequent Sub-processors.
Ohrus may update these measures over time, provided that the level of protection is not reduced.
8. Personal Data Breaches
8.1 Ohrus will notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and, whenever possible, within 48 hours after becoming aware of the breach.
8.2 The notification will include, to the extent that the information is available:
- A description of the nature of the breach (categories and approximate number of data subjects and records affected);
- The name and contact details of the data protection officer or contact point;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its effects.
8.3 The Customer is responsible for determining whether it is necessary to notify supervisory authorities and/or affected data subjects under Applicable Data Protection Laws.
8.4 Ohrus will cooperate with the Customer in managing the breach and making the necessary communications.
9. Deletion and Return of Data
9.1 Upon termination of the Agreement (for any reason) or at the Customer's request:
- Ohrus will delete all Customer Personal Data from its systems within a reasonable timeframe (not exceeding 90 days);
- Or it will return the data to the Customer in an exportable format, as requested.
9.2 Subsequent Sub-processors are subject to the same deletion obligations.
9.3 Ohrus may retain copies of data for the minimum period required by legal obligation, notifying the Customer of the categories of data retained and the retention period.
9.4 Confirmation of deletion can be requested by the Customer via privacy@ziett.co.
10. Audits and Inspections
10.1 Ohrus will make available to the Customer, upon request, all information necessary to demonstrate compliance with the obligations established in this Addendum.
10.2 Ohrus will permit and contribute to audits and inspections conducted by the Customer or by an auditor mandated by the Customer, subject to:
- Prior notice at least 30 days in advance;
- Execution of an appropriate confidentiality agreement;
- Conducting the audit during normal business hours, in a non-disruptive manner;
- The costs of the audit being borne by the Customer, unless the audit reveals material non-compliance by Ohrus.
10.3 Ohrus may satisfy the Customer's audit right by providing third-party security audit reports (such as ISO 27001, SOC 2, or equivalent), provided they cover the relevant scope.
11. International Data Transfers
11.1 Data processing under this Addendum may involve personal data transfers to third countries through Subsequent Sub-processors (see list of sub-processors).
11.2 For transfers of data of subjects in the EU/EEA or the United Kingdom:
- Ohrus guarantees that such transfers are carried out based on appropriate legal mechanisms, including Standard Contractual Clauses (SCC) approved by the European Commission, or other mechanisms recognized under the GDPR;
- SCCs are incorporated by reference into contracts with relevant Subsequent Sub-processors.
11.3 For transfers of data of subjects in Brazil (LGPD):
- Transfers are carried out under appropriate safeguards, including standard contractual clauses approved by the ANPD, when available, or other safeguards provided for in Art. 33 of the LGPD.
11.4 Customers who require specific documentation regarding transfer mechanisms should contact privacy@ziett.co.
12. Duration and Termination
12.1 This Addendum enters into force upon acceptance of the Terms of Use and remains in force for the duration of the Agreement between the parties.
12.2 The termination of the Addendum shall not affect the rights and obligations which, by their nature, are intended to survive termination, including obligations of confidentiality, security, data deletion, and liability.
12.3 In the event of a conflict between this Addendum and the Terms of Use regarding personal data protection, this Addendum shall prevail.
13. Applicable Law
13.1 This Addendum is governed by the laws of the Republic of Angola, without prejudice to the application of mandatory data protection rules of the jurisdictions of the data subjects.
13.2 For customers in the EU/EEA, the Addendum shall be interpreted in accordance with the GDPR and the guidelines of the European Data Protection Board (EDPB).
13.3 For customers in Brazil, the Addendum shall be interpreted in accordance with the LGPD and the guidelines of the ANPD.
14. Contact
For questions regarding this Addendum, requests for a signed DPA, or the exercise of rights:
- Email: privacy@ziett.co
- Suggested Subject: "DPA Request — Company Name"
- Legal Entity: Ohrus Labs - Service, Lda — NIF: 5002714485
- Address: Casa 1, Rua da ENDE, Fubu, Município do Camama, Luanda, Angola
- Phone: +244 955 577 430
© 2026 Ohrus Labs - Service, Lda. All rights reserved.