CSRD Pro

Data Processing Agreement (DPA)

Last updated: October 10, 2025

This Data Processing Agreement (“Agreement”) forms part of the Terms of Service and Privacy Policy between Zula Group, LLC (“we”, “us”, or “our”) and any individual or organisation (“Customer”, “you”, or “your”) using the CSRD Pro platform or related services (the “Services”).

This Agreement sets out how we process and protect personal data on your behalf, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and other applicable data protection laws.

1. Roles and Responsibilities

  1. Data Controller: You are the Data Controller of all personal data that you upload to, or otherwise provide through, the Services.
  2. Data Processor: We act as your Data Processor and process personal data solely on your documented instructions, for the purpose of providing, maintaining, and improving the Services.
  3. Sub-processors: We may engage carefully selected third-party sub-processors to support the Services (for example, infrastructure and monitoring providers). Each sub-processor is bound by a written agreement imposing data protection obligations equivalent to those in this Agreement.

2. Data Location and Access

  1. All production data is hosted within the European Union (France) using GDPR-compliant cloud infrastructure.
  2. Limited, secure access may be granted to authorised engineers based in the United States for maintenance, debugging, or technical support.
  3. Any such access is governed by the European Commission’s Standard Contractual Clauses (2021/914/EU), ensuring an adequate level of protection for the transferred data.

3. Security Measures

We implement appropriate technical and organisational measures to safeguard personal data, including:

  • Encryption of data in transit and at rest;
  • Role-based and least-privilege access controls;
  • Secure VPN access for authorised personnel;
  • Logging and monitoring of administrative access; and
  • Regular security reviews and vulnerability management.

All staff and contractors are subject to confidentiality obligations.

4. Sub-processors

A current list of authorised sub-processors is maintained at: www.csrdpro.com/en/legal/subprocessors

We will notify customers in advance of any intended changes to this list where required by law.

5. International Data Transfers

Where personal data is accessed or otherwise processed outside the EEA, UK, or Switzerland, such transfers are protected through:

  • The European Commission’s Standard Contractual Clauses (and UK Addendum, where applicable);
  • Supplementary safeguards such as encryption, strict access limitation, and audit logging; and
  • Compliance with the principles of data minimisation and purpose limitation.

6. Data Subject Rights

We assist you, as the Controller, in fulfilling your obligations to respond to requests from data subjects under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, and objection).

7. Incident Notification

In the event of a personal data breach, we will notify you without undue delay after becoming aware of it and provide all reasonably available information necessary for you to meet your legal reporting obligations.

8. Data Retention and Deletion

Upon termination or expiry of the Services, all personal data processed on your behalf will be deleted or irreversibly anonymised within twelve (12) months, unless retention is required by applicable law or legitimate business necessity (e.g. backup integrity).

9. Audit and Compliance

Upon reasonable notice, and no more than once per year, you may request confirmation of our compliance with this Agreement. We may satisfy this obligation by providing independent audit certificates or summaries of security reviews.

10. Governing Law and Jurisdiction

This Agreement is governed by the laws of the Netherlands. Any dispute shall be resolved under the Rules of the Netherlands Arbitration Institute (NAI), with the seat of arbitration in Amsterdam, and proceedings conducted in English.

11. Contact

Questions regarding this Agreement or data protection may be directed to our Data Protection Officer (DPO):

Zula Group, LLC
Data Protection Officer
400 West Broadway Street, STE 101-351
Missoula, MT 59802, United States
Email: data@csrdpro.com


Annex: Standard Contractual Clauses (Summary)

This Annex provides a summary of the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) for international transfers of personal data to third countries, where such transfers are not otherwise covered by an adequacy decision.

Annex I – Details of the Processing

A. Parties

  1. Data Exporter: The Customer, acting as the Data Controller, who uses the CSRD Pro Services and transfers personal data to Zula Group, LLC.

  2. Data Importer: Zula Group, LLC, a company established in the United States, acting as a Data Processor on behalf of the Data Exporter.

B. Description of the Transfer

| Category | Description |
|---|---|
| Subject Matter | Provision, maintenance, and support of the CSRD Pro Services. |
| Nature and Purpose | Secure hosting, storage, and processing of sustainability-related data uploaded by the Customer. |
| Duration | For the term of the Customer’s account and up to twelve (12) months after termination, as defined in the DPA. |
| Types of Personal Data | Names, email addresses, contact preferences, login identifiers, and any personal data the Customer chooses to include in uploaded materials. |
| Data Subjects | Employees, contractors, and representatives of the Customer and its clients or suppliers, as relevant. |

C. Competent Supervisory Authority

For transfers originating from the EEA, the competent authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

For transfers originating from the UK, the Information Commissioner’s Office (ICO) serves as the competent authority, and the UK Addendum to the SCCs applies.

Annex II – Technical and Organisational Security Measures

Zula Group, LLC maintains security measures consistent with Article 32 GDPR, including:

  1. Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  2. Access Controls – least-privilege access, multi-factor authentication, and role segregation.
  3. Network Security – firewalls, intrusion detection, and VPN-only administrative access.
  4. System Logging and Monitoring – audit logs for privileged access and key system actions.
  5. Data Integrity – regular backups and secure replication within the EU data centre region.
  6. Personnel Security – confidentiality agreements and annual data-protection training.
  7. Incident Response – documented procedures for breach detection, notification, and remediation.

Annex III – Authorised Sub-processors

Zula Group, LLC engages only sub-processors that offer adequate safeguards and are bound by written contracts mirroring these obligations. A current list is maintained at:

www.csrdpro.com/en/legal/subprocessors

Each sub-processor processes data solely to support the delivery and maintenance of the Services.

Additional Notes

  • Where data transfers are made to the United States, the Module Two (Controller → Processor) SCCs apply.
  • These Clauses form part of the binding agreement between the Data Exporter and Data Importer and ensure continuity of protection for personal data transferred outside the EEA or UK.
  • Copies of the full text of the SCCs can be found at the European Commission website.

If you have questions about this document, please contact us at legal@csrdpro.com