Esko.ai — operated by ZEF Ltd
Based on general IT2022 Terms and Conditions.
The Customer and the Supplier specified below have agreed in accordance with the Terms and Conditions of this Agreement on Services Delivered via Data Network (hereinafter "Software Service"). Unless particularly agreed otherwise in this agreement, the following appendixes shall apply:
1. IT2022 EHK – Special terms and conditions for the processing of personal data
2. IT2022 ETP – Special terms and conditions for services delivered via data network (cloud service)
3. IT2022 YSE – General terms and conditions
Accepting and maintaining this agreement is a condition of using the Software Service.
Customer: The customer is the legal entity that has acquired a license for the use of the software service from the Supplier and has accepted these ZEF Terms of Service and ZEF DPA.
Supplier: ZEF Ltd (Business identity code: 0640379-1). Supplier’s address: Elektroniikkatie 6, FI-90590 Oulu, Finland.
The nature and purpose of the processing of personal data is specified as follows: the Supplier processes the Customer's personal data for two groups:
1. Survey Creators, whose information has been imported to the Zeffi organization managed by the Customer
2. Survey Respondents, whose information the Customer has imported to invite respondents or which the respondents have themselves handed over to the software service as survey answers
At the date of approval of this addendum, Customer’s instructions to the Supplier are the processing of personal data only for providing the software service under the Agreement in accordance with the Addendum. The customer is the data controller and owns the data in their Zeffi organization.
The Supplier's personnel only processes data for customer service purposes, for example when responding to support requests by the Customer, in which case the data is only processed to the extent required by the support request.
For the sake of clarity, ZEF Ltd maintains that respondent data in the customer’s Zeffi organization is not used to train AI or for any other purpose not instructed by the Customer, and that survey respondent data is not processed or hosted outside the EU area.
4.1 Survey Creators
Personal data processed by the Supplier may include:
- Email address
- Name (optional)
- Phone number (optional)
- Social media accounts (optional)
- IP address used in signing in to the software service
- Credit card and invoicing data (if applicable)
4.2 Survey Respondents
Personal data processed by the Supplier may include:
- Name
- Email address
- Home address
- Phone number and other contact details (all optional)
- Age
- Date of birth
- Employment details, education, and qualifications
- Social media accounts (optional)
- Other survey-specific information provided by a respondent and determined by Customer
The Customer may also choose to conduct a survey without any personal data being provided from the respondents. In this event, no personal data listed above will be collected or processed.
Data security has been agreed in accordance with the IT2022 Terms and Conditions annexed to this Agreement.
Backup procedures: The data generated during the Customer's use is stored on the Supplier's server during the contract period. As a logged-in user within the scope of the license, the Customer has access to the latest content, and in addition, previous survey versions are stored for 30 days in the backup archive.
The processing of personal data does not involve separate time-based fees on top of the license pricing. As described in section 3.4 of the IT2022 EHK Terms and Conditions, the Supplier has the right to invoice reasonable compensation according to its current price list for any work performed.
The detailed obligations of the customer as a data controller have been specified as follows:
7.1
The customer must designate an Owner for their Zeffi organization, who is responsible for keeping the Zeffi organization's access rights up to date. The Owner must revoke the access rights of users who no longer have the right to use the software service.
7.2
As stated in section 3.3 of the IT2022 EHK Terms and Conditions, the Customer is responsible for handling personal data in accordance with data protection legislation on their behalf in the process of transferring personal data to the Supplier.
The subject-matter and duration of the processing of personal data have been specified as follows:
8.1
As the data controller, the Customer determines the subject-matter and duration of the personal data processing in their Zeffi organization.
8.2
In terms of the subject-matter and duration of personal data processing, the Customer must ensure that the processing complies with data protection legislation in accordance with section 7.2 of this DPA.
8.3
The Supplier's role as a data processor is limited to the technical processing of data as a software service provider in accordance with the Customer's instructions.
8.4
In addition, the Supplier's personnel offers the Customer a technical support service. During the support process the data of the Customer's Zeffi organization can be processed to the extent required by the support request.
9.1
Regarding Survey Respondents, no personal data is transferred outside the EU/EEA area.
9.2
Regarding Survey Creators, in addition to the EU/EEA region, the personal data can also be processed in the US region. Data transfer takes place in accordance with the European Commission's model contract clauses.
9.3
The Supplier’s responsibilities related to any possible transfer of personal data outside the EU/EEA are defined in more detail as follows: the Supplier limits data transfers to as little as is needed for the provision of the software service. Necessary information for the service is the email and IP address processed in connection with login and authentication, as well as invoicing information.
List of Esko.ai personal data subprocessors
"EU SCC" = European Union Commission model contract clauses
| # | Sub-processor | Location of personal data | Transfer mechanism | Purpose of the data processing | Note |
|---|---|---|---|---|---|
| 9 | PipeDrive | EU | – | ZEF uses PipeDrive for customer service, contacting and support (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| 10 | Vainu | EU | – | ZEF uses Vainu to gather public B2B data for sales purposes (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| 11 | GetAccept | EU | – | ZEF uses GetAccept to handle sales materials and contract signing (respondent data is not processed) | Data controller in this regard is ZEF |
| 12 | Quaderno | EU | – | ZEF uses Quaderno for VAT management (respondent data is not processed) | Data controller in this regard is ZEF |
| 13 | Stripe | US | EU SCC | ZEF processes data related to license fees in Stripe (respondent data is not processed) | Data controller in this regard is ZEF |
| 14 | Accountor Finago | EU | – | ZEF uses Accountor Finago for invoicing and credit card transactions (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| 15 | Chartmogul | EU | – | ZEF uses Chartmogul in quality assurance, research and development (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| 16 | Google Workspace | EU, US | EU SCC | ZEF uses Google Workspace as an email, calendar, and meeting solution (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| 17 | Microsoft Office 365 | EU, US | EU SCC | ZEF uses MS Teams 365 mainly as a meeting solution (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| 18 | HubSpot | EU, US | EU SCC | ZEF uses HubSpot to maintain customer data (not used in Zeffi/Esko.AI) | Data controller in this regard is ZEF |
| # | Sub-processor | Location of personal data | Transfer mechanism | Purpose of the data processing | Groups of registered users |
|---|---|---|---|---|---|
| 1 | Google Cloud Platform (GCP) | EU, US | EU SCC (US) | ZEF utilizes Google Cloud Platform (GCP) for Zeffi and Esko.AI hosting and data storage | Survey creators and respondents |
| 2 | Mailgun | EU | – | ZEF uses the Mailgun service to send email through Zeffi | Survey respondents |
| 3 | GatewayAPI | EU | – | ZEF uses GatewayAPI to send SMS invitations to surveys | Survey creators |
| 4 | Lingsoft | EU | – | ZEF uses Lingsoft's service to enrich textual responses in Finnish, Swedish, Norwegian and Danish, if the Customer utilizes a language technology package | Survey respondents |
| 5 | Google Analytics | EU, US | EU SCC (US) | ZEF uses Google Analytics to collect website usage data (respondent data is not processed) | Survey creators |
| 6 | Segment | US | EU SCC | ZEF uses Segment to collect user data to improve the user experience (respondent data is not processed) | Survey creators |
| 7 | Microsoft Azure OpenAI | EU | – | ZEF utilizes the MS Azure OpenAI service in the artificial intelligence interview and analysis functionalities, if the Customer chooses to use the feature | Survey respondents |
| 8 | Bright Data | EU | – | ZEF uses Bright Data if the user instructs the Survey Creator feature to crawl public website data (respondent data is not processed) | Survey creators |
Liability for damages of the processing of personal data has been specified in the IT2022 EHK Special Terms and Conditions for the Processing of Personal Data in section 9.
12.1
The Supplier ensures that all persons participating in the processing of personal data in its organization are committed to complying with the confidentiality obligation or are subject to the appropriate statutory confidentiality obligation and, in addition, that the personal data is processed only in accordance with this DPA, ZEF Terms of Service, and the Customer's instructions.
12.2
The Supplier assists the Customer, with appropriate technical and organizational measures, in fulfilling its obligations regarding the exercise of registered rights, as well as informing the Customer of any requests received from registered users.
12.3
The Supplier assists the Customer in possible impact assessments regarding the data protection of the software service, information security breach notifications, and requests for preliminary hearings made to the authorities.
12.4
This ZEF DPA enters into force on July 1st, 2025 and is valid until further notice.
This DPA is an integral part of the agreement between the Customer and the Supplier. The ZEF Terms of Service takes precedence over this ZEF DPA.
The following annexes are an integral part of this ZEF DPA (freely accessible at it-ehdot.fi/briefly-in-english/):
- IT2022 EHK Special terms and conditions for the processing of personal data
- IT2022 YSE General terms and conditions