mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 19:07:30 +00:00
docs(legal): Update to DPA and privacy policy documents (May 2025) (#9566)
We are bringing our DPA and privacy policy documents in line with our changes to the corporate structure, changes to subprocessors, and new cookie technologies. This PR replaces #3055, which included more changes to terms of service. The changes to terms of service will follow in a second step. --------- Co-authored-by: Florian Forster <florian@zitadel.com>
@@ -1,113 +1,277 @@
---
title: Data Processing Agreement
custom_edit_url: null
custom:
created_at: 2022-07-15
updated_at: 2023-11-16
---
import PiidTable from './_piid-table.mdx';
Last updated on November 15, 2023
Last updated on May 8, 2025
Within the scope of the [**Framework Agreement**](terms-of-service), the **Processor** (CAOS Ltd., also **ZITADEL**) processes **Personal Data** on behalf of the **Customer** (Responsible Party), collectively the **"Parties"**.
This Data Protection Agreement and its annexes (“**DPA**”) are part of the [Framework Agreement](./terms-of-service) between Zitadel, Inc. and it's affiliates ("**Zitadel**") and the Customer in respect of the provision of certain services, including any applicable statement of work, booking, purchase order (PO) or any agreed upon instructions (the "**Agreement**") and applies where, and to the extent that, Zitadel processes Personal Data as a Processor on behalf of the Customer under the Framework Agreement (each a “**Party**” and together the “**Parties**”).
This Annex to the Agreement governs the Parties' data protection obligations in addition to the provisions of the Agreement.
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
Any privacy or data protection related clauses or agreement previously entered into by Zitadel and the Customer, with regards to the subject matter of this DPA, will be superseded and replaced by this DPA.
No one other than a Party to this DPA, their successors and permitted assignees will have any right to enforce any of its terms.
## Subject matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects
This DPA shall become legally binding upon Customer entering into the Agreement.
This annex reflects the commitment of both parties to abide by the applicable data protection laws for the processing of Personal Data for the purpose of Processor's execution of the Framework Agreement.
## Definitions
The duration of the Processing shall correspond to the duration of the Agreement, unless otherwise provided for in this Annex or unless individual provisions obviously result in obligations going beyond this.
"**Applicable Data Protection Law**" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data, including, where applicable, EU/UK Data Protection Law and US Data Protection Laws (in each case, as amended, adopted, or superseded from time to time).
In particular, the following Personal Data are part of the processing:
<PiidTable />
“**Controller**,” “**collecting**,” “**processor**,” and “**processing**,” shall have the meanings given to them under Applicable Data Protection Law.
## Scope and responsibility
“**Business**,” “**service provider**,” “**contractor**,” “**selling**,” “**sharing**” and “**third party**” shall have the meanings given to them under applicable US Data Protection Laws.
Under this Agreement, the Processor shall process Personal Data on behalf of the Customer.
"**Customer Data**" means information, data and other content, in any form or medium, that is submitted, posted or otherwise transmitted by or on behalf of the Customer through the Zitadel Cloud or Services. For the avoidance of doubt, Customer Data includes Customer Personal Data.
This Annex applies to all processing of Customer's data (including data of the users of Customer's organization) with reference to persons ("**Personal Data**") which is related to the Agreement and which is carried out by the Processor, its employees or agents.
“**Customer Personal Data**” means, in any form or medium, all Personal Data that is processed by Zitadel or its sub-processors on behalf of Customer in connection with the Agreement.
The Customer shall be responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Processor as well as for the lawfulness of the data processing.
“**EU/UK Data Protection Law**” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, also known as the General Data Protection Regulation (“**GDPR**”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“**UK GDPR**”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection of 2020 and its Ordinance (“**Swiss FADP**”) and (v) any and all applicable national data protection laws and regulatory requirements made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
The Processor is responsible for taking appropriate technical and organizational protection measures so that its processing complies with the legal requirements and ensures the protection of the rights of the Data Subjects.
“**Personal Data**” shall have the meaning given to it, or to the terms “personally identifiable information” and “personal information” under applicable Data Protection Law, but shall include, at a minimum, any information related to an identified or identifiable natural person.
“**Restricted Transfer**” means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where UK-GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, in each case whether such transfer is direct or via onward transfer.
“**Security Incident**” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure or access to, Personal Data transmitted, stored or otherwise processed by Zitadel under or in connection with the Agreement.
“**Standard Contractual Clauses**” or “**SCCs**” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“**sub-processor**” means any third-party processor engaged by Zitadel to process Customer Data (but shall not include Zitadel employees, contractors or consultants).
“**UK Addendum**” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
“**US Data Protection Laws**” means any relevant U.S. federal and state privacy laws (and any implementing regulations and amendment thereto) effective as of the date of this DPA and that applies to the processing of Customer Personal Data under the Agreement, which may include, depending on the circumstances and without limitation, (i) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 along with its implementing regulations (“**CCPA**”), (ii) the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301 et seq.) (CPA), (iii) Connecticut’s Data Privacy Act (CTDPA), (iv) the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.) (UCPA) and (v) the Virginia Consumer Data Protection Act VA Code Ann. §§ 59.1-575 et seq. (VCDPA).
## Processing of Personal Data
This DPA applies where and only to the extent that Zitadel processes Customer Personal Data in connection with the provision of the Services under the Agreement involving the processing of Personal Data protected by Applicable Data Protection Law.
This DPA reflects the commitment of both Parties to abide by Applicable Data Protection Law for the processing of Personal Data by Zitadel as a processor for the purpose of the Zitadel's provision of the Services and its execution of the Agreement.
This DPA will become effective on the date the Agreement enters into effect and will remain in force for the term of the Agreement, unless otherwise provided for in this DPA or unless individual provisions obviously result in obligations going beyond this.
For the avoidance of doubt, the terms of the Framework Agreement will continue in full force and effect; however, to the extent any term in any Agreement regarding either Party’s obligations with respect to Customer Data is less restrictive than or is inconsistent with this DPA, the terms of this DPA shall supersede and control.
The Parties acknowledge that the following Customer Data will be processed as part of the Services:
import { PiiTable } from "../../src/components/pii_table";
<PiiTable />
## Scope
Under this Agreement, Zitadel shall process Customer Personal Data to perform its obligations under the Agreement and and strictly in accordance with the documented instructions of Customer (the “**Permitted Purpose**”), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law.
The Parties acknowledge and agree that for the purposes of this DPA, the Customer is the controller and appoints Zitadel as a processor to process the Customer Personal Data.
To the extent that the Parties are subject to the California Consumer Privacy Act (CCPA), the Customer is the business whereas Zitadel is a service provider to the Customer.
Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Each Party shall comply with its own obligations under Applicable Data Protection Law in respect of any Customer Personal Data processed under the Agreement.
## Customer's Responsibilities
The Customer’s instructions to Zitadel shall comply with Applicable Data Protection Law.
The Customer will have sole responsibility for the accuracy, quality and legality of the Customer Data, the means by which the Customer acquired the Customer Data, and the Customer's permissions to process the Customer Data pursuant to this DPA.
As required under Applicable Data Protection Law, the Customer will provide all necessary notices to data subjects and secure the applicable lawful grounds for processing Data under the DPA, including where applicable, all necessary permissions and consents from them. To the extent required under Applicable Data Protection Law, the Customer will receive and document the appropriate consent from the data subject(s).
The Customer represents and warrants that (i) it complies with Applicable Data Protection Law as relevant to the lawful processing by Zitadel of Customer Personal Data for the purposes contemplated by this DPA and the Agreement; and (ii) to the knowledge of the Customer, the processing of Customer Personal Data by Zitadel in accordance with the Customer’s instructions will not cause Zitadel to be in breach of any Applicable Data Protection Law.
The Customer shall not disclose any special categories of Personal Data or sensitive personal information (as these terms are defined under Applicable Data Protection Law) to Zitadel for processing.
## Obligations of the processor
### Bound by directions
### Bound by the Customer's directions and instructions
The Processor processes personal data in accordance with its privacy policy (cf. [Privacy Policy](/legal/policies/privacy-policy)) and on the documented directions of the Customer. The initial direction result from the Agreement. Subsequent instructions shall be given either in writing, whereby e-mail shall suffice, or orally with immediate written confirmation.
Customer hereby instructs Zitadel to process Customer Data for the Permitted Purpose.
If the Processor is of the opinion that a direction of the Customer violates the Agreement, the GDPR or other data protection provisions of the EU, EU Member States or Switzerland, it shall inform the Customer thereof and shall be entitled to suspend the Processing until the instruction is withdrawn or confirmed.
Zitadel processes Personal Data in accordance with its privacy policy (cf. [Privacy Policy](./policies/privacy-policy)) and upon the documented directions of the Customer (which includes the Agreement).
Subsequent instructions shall be given either in writing, whereby e-mail shall suffice, or orally with immediate written confirmation.
### Obligation of the processing persons to confidentiality
Zitadel shall promptly inform Customer if it becomes aware that such processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor compliance with Applicable Data Protection Law).
In such case, Zitadel shall be entitled to suspend the processing until the infringing instruction is withdrawn or confirmed.
The Processor shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.
### Confidentiality obligations
Zitadel shall ensure that any person that it authorizes to process Customer Data (including Zitadel’s staff, agents and sub-processors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Customer Data that is not under such a duty of confidentiality.
Zitadel shall ensure that all Authorised Persons process the Customer Data only as necessary for the Permitted Purpose.
### Technical and organizational measures
The Processor has taken appropriate technical and organizational security measures, maintains them for the duration of the Processing and updates them on an ongoing basis in accordance with the current state of technology.
The technical and organizational security measures are described in more detail in the [annex](#annex-regarding-security-measures) to this appendix.
Zitadel shall implement appropriate technical and organizational measures to protect the Customer Data from a Security Incident, as described in Annex II to this DPA.
Such measures shall comply with all Applicable Data Protection Law and shall further have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Customer acknowledges that such measures are subject to technical progress and development and that Zitadel may update or modify such measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Customer Data, or of the Services under the Agreement.
### Involvement of subcontracted processors
A current and complete [list of involved and approved sub-processors](./subprocessors) can be found in our legal section.
Customer agrees that Zitadel may engage sub-processors to process Customer Data on Customer’s behalf. A current and complete [list of involved and approved sub-processors](https://zitadel.com/trust) can be found on our [Trust Center](https://zitadel.com/trust) (as may be updated from time to time in accordance with this DPA).
The Processor is entitled to involve additional sub-processors.
In this case, the Processor shall inform the Responsible Party about any intended change regarding sub-processors and update the list of involved an approved sub-processors.
The Customer has the right to object to such changes.
If the Parties are unable to reach a mutual agreement within 30 days of receipt of the objection by the Processor, the Customer may terminate the Agreement extraordinarily.
Zitadel will notify Customer by updating the list of sub-processors and, if Customer has subscribed to notices, via email.
If, within five (5) calendar days after such notice, Customer notifies Zitadel in writing that Customer objects to Zitadel's appointment of a new sub-processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith with a view to achieving a commercially reasonable resolution.
If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering document.
The Processor obligates itself to impose on all sub-processors, by means of a contract (or in another appropriate manner), the same data protection obligations as are imposed on it by this Annex.
In particular, sufficient guarantees shall be provided that the appropriate technical and organizational measures are implemented in such a way that the processing by the sub-processor is carried out in accordance with the legal requirements.
Zitadel shall inform the Customer if it adds or replaces any sub-processor at least fifteen (15) days prior to any such change (including details of the processing it performs or will perform).
The Customer may object in writing to Zitadel’s engagement of a new sub-processor on reasonable grounds relating to the protection of Customer Personal Data by notifying Zitadel promptly in writing within fifteen (15) calendar days of receipt of Zitadel’s notice.
In such case, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.
If such objection right is not exercised by Customer, silence shall be deemed to constitute an approval of the relevant sub-processor engagement.
Our websites and services may involve processing by third-party sub-processors with country of registration outside of Switzerland or the EU/EAA.
In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above.
The country of registration of a sub-processor may be different from the hosting location of the data. Please refer to the [list of involved and approved sub-processors](./subprocessors) for more details.
Where Zitadel appoints a sub-processor, Zitadel shall: (i) enter into an agreement with each sub-processor containing data protection terms that provide at least the same level of protection for Customer Data as those contained in this DPA, to the extent applicable to the nature of the services provided by such sub-processor; and (ii) remain responsible to the Customer for Zitadel’s sub-processors’ failure to perform their obligations with respect to the processing of Customer Data.
If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the customer for this as for its own conduct.
Taking into account the safeguards set forth in this DPA, Customer Data may be processed outside of Switzerland or the EU/EAA, such as in the United States or any country in which Zitadel or is sub-processors operate. Our [list of involved and approved sub-processors](https://zitadel.com/trust) provides additional details.
### Assistance in responding to requests
The Processor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise the data subject's rights (**"Data Subject Request"**).
The Processor will promptly notify the Customer if it receives a Data Subject Request.
The Processor will not respond to a Data Subject Request, provided that the Customer agrees the Processor may at its discretion respond to confirm that such request relates to the Customer.
The Customer acknowledges and agrees that the Services include features which will allow the Customer to manage Data Subject Requests directly through the Services without additional assistance from the Processor.
If the Customer does not have the ability to address a Data Subject Request, the Processor will, upon the Customer’s written request, provide reasonable assistance to facilitate the Customer’s response to the Data Subject Request to the extent such assistance is consistent with applicable law; provided that the Customer will be responsible for paying for any costs incurred or fees charged by the Processor for providing such assistance.
Zitadel shall provide all reasonable and timely assistance (which may include by appropriate technical and organizational measures) to the Customer to enable the Customer to respond to: (i) any request from a data subject to exercise any of their rights under Applicable Data Protection Law ("**Data Subject Request**"); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Customer Personal Data.
The Processor, unless prohibited from doing so by applicable law, will promptly notify the Customer of any requests from a regulator or any other authority in relation to Personal Data that is being processed on behalf of the Customer, given that request resulted in disclosure of Personal Data to the regulator or any other authority.
In the event that any such request, correspondence, enquiry or complaint is made directly to Zitadel, Zitadel shall promptly inform the Customer providing full details of the same.
Zitadel will not respond to a Data Subject Request, however the Customer acknowledges and agrees that Zitadel may at its discretion respond to confirm that such request relates to the Customer.
### Further support for the customer
The Customer hereby acknowledges and agrees that the Services include features which will allow the Customer to manage Data Subject Requests directly through the Services without additional assistance from the Processor.
If the Customer does not have the ability to address a Data Subject Request, Zitadel will, upon the Customer’s written request, provide reasonable assistance to facilitate the Customer’s response to such Data Subject Request to the extent such assistance is consistent with Applicable Data Protection Law; provided that the Customer will be responsible for paying for any reasonable costs incurred or fees charged by Zitadel for providing such assistance.
The Processor shall, taking into account the nature of the processing and the information available to it, assist the Customer in complying with its obligations in connection with the security of the processing, any notifications of [Security Incidents](#security-incidents), and any data protection impact assessments.
Zitadel, unless prohibited from doing so by applicable law, will promptly notify the Customer of any requests from a regulator, law enforcement authority or any other relevant and competent authority in relation to the Customer Personal Data that is being processed on behalf of the Customer, to the extent that the request may result in the disclosure of Customer Personal Data to such regulator, law enforcement authority or any other relevant and competent authority.
### Cooperation and support for the Customer
Zitadel shall provide the Customer with all such reasonable and timely assistance as Customer may require in order to enable it to conduct a data protection impact assessment (or equivalent document) where required by Applicable Data Protection Law, including, if necessary, to assist Customer to consult with its relevant data protection or other regulatory authority.
### Security incidents
The Processor will notify the Customer of any incident, meaning breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data covered under this (***Security Incident"**) without undue delay, and will promptly provide the Customer with all reasonable information concerning the Security Incident insofar as it affects the Customer.
If possible, the Processor will promptly implement measures proposed in the notification.
Insofar required the Processor will assist the Customer in notifying any applicable regulatory authority.
Upon becoming aware of a Security Incident, Zitadel shall inform Customer without undue delay and provide all such timely information and cooperation as Customer may require for the Customer to fulfil its data breach or cybersecurity incident reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.
Customer shall further take all such measures and actions as are reasonable and necessary to investigate, contain, and remediate or mitigate the effects of the Security Incident, to the extent that the remediation is within Zitadel's control, and shall keep Customer informed of all material developments in connection with the Security Incident.
Notwithstanding anything to the contrary, Zitadel's notification of or response to a Security Incident under this section will not be construed as an acknowledgment by Zitadel of any fault or liability with respect to such Security Incident.
### Deletion or destruction after termination
Upon Customer's request, the Processor shall delete personal data received after the end of the agreement, unless there is a legal obligation for the Processor to store or further process such data.
Upon termination or expiry of the Agreement, Zitadel shall (at the Customer’s election) destroy or return to the Customer all Customer Data (including all copies of the Customer Data) in its possession or control (including any Customer Data subcontracted to a third party for processing).
This requirement shall not apply to the extent that Zitadel is required by any applicable law to retain some or all Customer Data, in which case Zitadel shall isolate and protect the Customer Data from any further processing except to the extent required by such law until deletion is possible.
### Information and control rights of the customer
### Customer's information and audit rights
The Processor shall provide the Customer with all information necessary to demonstrate compliance with the obligations set forth in this annex or to respond to requests from an applicable supervisory authority, subject to the confidentiality terms in the Framework Agreement.
The Processor shall enable and contribute to audits, including inspections, carried out by the Customer or an auditor appointed by the Customer.
To the extent required under Applicable Data Protection Law and on written request from the Customer, Zitadel shall provide written responses (which may include audit report summaries/extracts) to all reasonable requests for information made by the Customer related to its processing of Customer Personal Data as necessary to confirm Zitadel's compliance with this DPA.
The Customer shall not exercise this right more than once in any twelve (12)-month rolling period, except (i) if and when required by instruction of a competent data protection or other regulatory authority; or (ii) if Zitadel has experienced a Security Incident where Customer was directly impacted.
The procedure to be followed in the event of directions that are presumed to be unlawful is governed by the section [Bound by directions](#bound-by-directions) of this Appendix.
Nothing in this section shall be construed to require Zitadel to document or provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Zitadel’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Zitadel’s infrastructure, networks, systems, algorithms or data.
## Annex regarding security measures
### Service Optimization
The Processor has taken the following organizational and technical security measures to ensure a level of protection of the Personal Data processed that is appropriate to the risk:
Where permitted by Applicable Data Protection Law, Zitadel may process Customer Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
Zitadel may: (i) compile aggregated and/or de-identified information in connection with the provision of the Services, provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use such Aggregated and/or De-Identified Data for its lawful business purposes in accordance with Applicable Data Protection Law.
### Data Transfers
Where either Party intends to transfer Personal Data cross-border and Applicable Data Protection Law requires certain measures to be implemented prior to such transfer, each Party agrees to implement such measures to ensure compliance with Applicable Data Protection Law.
To the extent that the transfer of Personal Data from Customer to Zitadel involves a transfer of Personal Data outside the European Economic Area (EEA), Switzerland, or the United Kingdom to a jurisdiction which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable) that covers such transfer, then the SCCs are hereby incorporated by reference and form an integral part of the DPA.
#### EEA Transfers
To the extent that Customer Personal Data is subject to the GDPR, and the transfer would be a Restricted Transfer, the SCCs apply as follows:
|
||||
|
||||
1) the Customer is the ‘data exporter’ and Zitadel is the ‘data importer’;
|
||||
2) the Module Two terms (Transfer controller to processor) apply;
|
||||
3) in Clause 7, the optional docking clause does not apply;
|
||||
4) in Clause 9, Option 2 (General Authorization) applies and the time period for prior notice of sub-processor changes is set out in this DPA;
|
||||
5) in Clause 11, the optional language does not apply;
|
||||
6) in Clause 17, Option 1 applies, and the SCCs are governed by German law;
|
||||
7) in Clause 18(b), disputes will be resolved before the courts of Hamburg in Germany;
|
||||
8) in Annex I, the details of the parties and the transfer are set out in the Agreement;
|
||||
9) in Clause 13(a) and Annex I, the Hamburg data protection authority will act as competent supervisory authority;
|
||||
10) in Annex II, the description of the technical and organizational security measures is set out in Annex 2 of this DPA or, if not set out therein, the applicable statement of work; and
|
||||
11) in Annex III, the list of sub-processors is set out at the address [https://zitadel.com/trust](https://zitadel.com/trust) or, if not set out therein, applicable statement of work.
|
||||
|
||||
#### Swiss Transfers
|
||||
|
||||
To the extent that Customer Personal Data is subject to Swiss law, and the transfer would be a Restricted Transfer, the SCCs apply as set out above with the following modifications:
|
||||
|
||||
1) references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss FADP or any successor thereof;
|
||||
2) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss FADP,
|
||||
3) references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’,
|
||||
4) Clause 13(a) and Part C of Annex 2 is not used and the ‘competent supervisory authority’ is the Swiss Federal Data Protection Information Commissioner (“**FDPIC**”) or, if the transfer is subject to both the Swiss FADP and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss FADP) or the DPC (insofar as the transfer is governed by the GDPR),
|
||||
5) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’,
|
||||
6) in Clause 17, the SCCs are governed by the laws of Switzerland,
|
||||
7) in Clause 18(b), disputes will be resolved before the competent Swiss courts, and
|
||||
8) the SCCs also protect the data of legal entities until entry into force of the revised Swiss FADP.
|
||||
|
||||
#### UK Transfers
|
||||
|
||||
To the extent that Customer Personal Data is subject to Applicable Data Protection Law of the United Kingdom, and the transfer would be a Restricted Transfer, the SCCs as set out above shall apply as amended by Part 2 of the UK Addendum, and Part 1 of the UK Addendum is deemed completed as follows:
|
||||
|
||||
1) in Table 1, the details of the parties are set out in the Agreement or, if not set out therein, the applicable statement of work;
|
||||
2) in Table 2, the selected modules and clauses are set out in Section 6.3 of this DPA;
|
||||
3) in Table 3, the appendix information is set out in the annexes to this DPA or, if not set out therein, the applicable statement of work; and
|
||||
4) in Table 4, the ‘Exporter’ is selected.
|
||||
|
||||
#### Alternative Transfer Mechanism
|
||||
|
||||
In the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data, or Zitadel adopts an alternative data transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to the standard contractual clauses (“Alternative Transfer Mechanism”), the Customer agrees to fully co-operate with Zitadel to agree an amendment to this DPA and/or execute such other documents and take such other actions as may be necessary to remedy such non-compliance or give legal effect to such Alternative Transfer Mechanism.
|
||||
|
||||
### Additional Provisions under US Data Protection Laws
|
||||
|
||||
The Parties agree that all Customer Personal Data that is subject to US Data Protection Laws (including the CCPA) is disclosed to Zitadel by the Customer for the Permitted Purpose and its use or sharing by the Customer with Zitadel is necessary to perform such Permitted Purpose.
|
||||
|
||||
Zitadel agrees that it will not:
|
||||
|
||||
1. sell or share any Customer Personal Data to a third party for any purpose other than than for the Permitted Purpose;
|
||||
2. retain, use, or disclose any Customer Personal Data (i) for any purpose other than for the Permitted Purpose, including for any commercial purpose, or (ii) outside of the direct business relationship between the Parties, except as necessary to perform the Permitted Purpose or as otherwise permitted by US Data Protection Laws; or
|
||||
3. combine Customer Personal Data received from or on behalf of Customer with Personal Data received from or on behalf of any third party or collected from Zitadel’s own interaction with individuals or data subjects, except to perform a Permitted Purpose in accordance with the CCPA, the Agreement and this DPA.
|
||||
|
||||
The Parties acknowledge that the Customer Personal Data that Customer discloses to Zitadel is provided only for the limited and specified purposes set forth as the Permitted Purpose in the Agreement and this DPA.
|
||||
|
||||
Zitadel shall provide the same level of protection to Customer Personal Data as required by the CCPA and will: (i) assist the Customer in responding to any request from a data subject to exercise rights under US Data Protection Laws; and (ii) immediately notify the Customer if it is not able to meet the requirements under the CCPA.
|
||||
|
||||
The Customer may take such reasonable and appropriate steps as may be necessary (a) to ensure that the Customer Personal Data collected is used in a manner consistent with the business’s obligations under the CCPA; and (b) to stop and remediate any unauthorized use of Customer Personal Data, and (b) to ensure that Customer Personal Data is used in a manner consistent with the CCPA.
|
||||
|
||||
### Miscellaneous
|
||||
|
||||
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions set out in the Agreement, unless required otherwise by Applicable Data Protection Law.
|
||||
|
||||
Any liability owed by one party to the other under this DPA shall be subject to the limitations of liability set forth in the Agreement.
|
||||
|
||||
This DPA shall terminate upon the earlier of (i) the termination or expiry of all Agreement under which Customer Data may be processed, or (ii) the written agreement of the Parties.
|
||||
|
||||
Any notices shall be delivered to a Party in accordance with the notice provisions of the Agreement, unless otherwise specified hereunder.
|
||||
|
||||
## Annex 1: Description of Processing Activities / Transfer
|
||||
|
||||
### List of Parties
|
||||
|
||||
| Data Exporter | Data Importer |
|
||||
| :---- | :---- |
|
||||
| Name: The Party identified as the Customer in the Agreement. | Name: The Party identified as Zitadel in the Agreement. |
|
||||
| Address: As identified in the Agreement. | Address: As identified in the Agreement. |
|
||||
| Contact Person's Name, position and contact details: As identified in the Agreement. | Contact Person's Name, position and contact details: As identified in the Agreement. |
|
||||
| Activities relevant to the transfer: See below | Activities relevant to the transfer: See below |
|
||||
| Role: Controller | Role: Processor |
|
||||
|
||||
### Description of processing / transfer
|
||||
|
||||
| | Description |
|
||||
| :---- | :---- |
|
||||
| **Categories of data subjects:** | As described in the section "Processing of Personal Data" of the DPA |
|
||||
| **Categories of personal data:** | As described in the section "Processing of Personal Data" of the DPA |
|
||||
| **Sensitive data:** | None. |
|
||||
| **If sensitive data, the applied restrictions or safeguards** | N/A |
|
||||
| **Frequency of the transfer:** | Continuous |
|
||||
| **Nature and subject matter of processing:** | The Services described in the Agreement. |
|
||||
| **Purpose(s) of the data transfer and further processing:** | As set forth in the Agreement. |
|
||||
| **Retention period (or, if not possible to determine, the criteria used to determine that period):** | The personal data may be retained until termination or expiry of the DPA. |
|
||||
|
||||
### Competent supervisory authority
|
||||
|
||||
The competent supervisory authority in connection with Customer Personal Data protected by the GDPR, is the Hamburg data protection authority.
|
||||
If this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
|
||||
|
||||
In connection with Customer Personal Data that is protected by UK-GDPR, the competent supervisory authority is the Information Commissioners Office (the "ICO").
|
||||
|
||||
## Annex 2: Technical and organizational measures
|
||||
|
||||
Zitadel has implemented an information security program, that is designed to protect the confidentiality, integrity and availability of Customer Data. Zitadel's information security program includes the following organizational and technical security measures to ensure a level of protection of the Personal Data processed that is appropriate to the risk:
|
||||
|
||||
### Pseudonymization / Encryption
|
||||
|
||||
The following measures for pseudonymization and encryption exist:
|
||||
|
||||
1. All communication is encrypted with TLS >1.2 with PFS
|
||||
1. All communication is encrypted with TLS >1.2 with PFS
|
||||
2. Critical data is exclusively stored in encrypted form
|
||||
3. Storage media that store customer data are always encrypted
|
||||
4. Passwords are irreversibly stored with a hash function
|
||||
|
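Review bot: the Swiss Transfers modifications name a supervisory authority that contradicts the EEA section and cite the wrong SCC annex. Item 4) says "Clause 13(a) and Part C of Annex 2 is not used" and falls back to "the DPC (insofar as the transfer is governed by the GDPR)", but EEA item 9) and Annex 1 designate the Hamburg data protection authority, and the competent-authority designation sits in Annex I Part C of the SCCs, not Annex 2 (this DPA's own Annex 2 is the TOMs). Replace "the DPC" with the Hamburg authority and "Annex 2" with "Annex I". Item 8) ("the SCCs also protect the data of legal entities until entry into force of the revised Swiss FADP") is spent: the revised FADP has been in force since 1 September 2023, so drop it. UK Transfers item 2) points to "Section 6.3 of this DPA", but the DPA has no numbered sections; reference the "EEA Transfers" heading instead. In Annex 2, "TLS >1.2" reads literally as excluding TLS 1.2; write "TLS 1.2 or higher", and since "1. All communication is encrypted with TLS >1.2 with PFS" appears twice in the rendering, confirm the new file lists it once. Minor: "other than than" in the US provisions, the duplicated "(b)" in "and (b) to stop and remediate ... and (b) to ensure", "all Agreement" should be "all Agreements", and the fragment "If this is not possible, then as otherwise agreed by the parties ..." under Competent supervisory authority has no subject. Also confirm the old line "The Processor has taken the following organizational and technical security measures ..." is not stranded under the new "Service Optimization" heading, where it introduces nothing.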
@@ -2,22 +2,44 @@
|
||||
title: Privacy Policy
|
||||
custom_edit_url: null
|
||||
---
|
||||
import PiidTable from '../_piid-table.mdx';
|
||||
|
||||
Last updated on March 07, 2024
|
||||
Last updated on 20 March, 2025
|
||||
|
||||
This privacy policy applies to CAOS Ltd., the websites it operates (including zitadel.ch, zitadel.cloud and zitadel.com) and the services and products it provides (including ZITADEL). This privacy policy describes how we process personal data for the provision of this websites and our products.
|
||||
This privacy policy describes how ZITADEL Inc. and its wholly owned subsidiaries and affiliates (collectively, "**ZITADEL**", “**CAOS**", "**we**" or "**us**") collect, use, disclose and otherwise process your personal data in connection with the management of our business and our relationships with customers, visitors and event attendees.
|
||||
|
||||
If any inconsistencies arise between this Privacy Policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this Privacy Policy shall prevail. This privacy policy covers both existing personal data and personal data collected from you in the future.
|
||||
This privacy policy explains your rights and choices related to the personal data we collect when:
|
||||
|
||||
The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is
|
||||
* You interact with our websites, including zitadel.com, zitadel.cloud and zitadel.ch as well any other websites that we operate and that link to this privacy policy (our “**Sites**”)
|
||||
|
||||
**CAOS AG**
|
||||
* You visit, interact with, or use any of our offices, events, sales, marketing or other activities; and
|
||||
|
||||
* You use our platform, including ZITADEL and our software, mobile application, and other products and services (the “**Services**”).
|
||||
|
||||
This privacy policy does not cover:
|
||||
|
||||
* **Organizational Use**. When you use our Services on behalf of an organization (your employer), your use is administered and provisioned by your organization under its policies regarding the use and protection of personal data. If you have questions about how your data is being accessed or used by your organization, please refer to your organization's privacy policy and direct your inquiries to your organization's system administrator.
|
||||
|
||||
* **Third Parties**. Our Sites include links to websites and/or applications operated and maintained by third parties (e.g. GitHub, LinkedIn, etc.). This privacy policy does not apply to any products, services, websites, or content that are offered by third parties and/or have their own privacy policy.
|
||||
|
||||
If any inconsistencies arise between this privacy policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this privacy policy shall prevail (where applicable). This privacy policy covers both existing personal data and personal data which may be collected from you in the future.
|
||||
|
||||
ZITADEL determines the purposes for and means of the processing (i.e., we are the data controller) of your personal data as described in this privacy policy, unless expressly specified otherwise. The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is:
|
||||
|
||||
**Zitadel Inc.**
|
||||
Data Protection Officer
|
||||
Four Embarcadero Center, Suite 1400
|
||||
San Francisco, CA 94111-4164
|
||||
United States of America
|
||||
[legal@zitadel.com](mailto:legal@zitadel.com)
|
||||
|
||||
**CAOS AG (Affiliate of Zitadel, Inc.)**
|
||||
Data Protection Officer
|
||||
Lerchenfeldstrasse 3
|
||||
9014 St. Gallen
|
||||
Switzerland
|
||||
[legal@zitadel.com](mailto:legal@zitadel.com)
|
||||
Switzerland
|
||||
[legal@zitadel.com](mailto:legal@zitadel.com)
|
||||
|
||||
Our representative in the EU is
|
||||
|
||||
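Review bot: the controller's legal name is spelled three ways in this hunk: "ZITADEL Inc." in the definitions sentence, "Zitadel Inc." in the address block and "Zitadel, Inc." in the CAOS AG affiliate line (the DPA uses "Zitadel, Inc."); pick the registered form and use it throughout, since the defined term decides who the data controller is. The definition also introduces "CAOS" as a collective alias, yet the policy later lists CAOS AG as a separate affiliate with its own DPO address; either drop the alias or reserve it for CAOS AG. "Last updated on 20 March, 2025" conflicts with the DPA's "May 8, 2025" and this PR's May 2025 title, and mixes date formats; align them. After the CAOS AG block, "Switzerland" and the legal@zitadel.com link appear a second time; confirm these are removed old-side lines and not a duplicate in the new file.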
@@ -41,15 +63,13 @@ This website uses TLS encryption for security reasons and to protect the transmi
|
||||
|
||||
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO :
|
||||
|
||||
- Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
|
||||
- When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
|
||||
- To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
|
||||
- For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
|
||||
- If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
|
||||
* Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
|
||||
* When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
|
||||
* To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
|
||||
* For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
|
||||
* If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
|
||||
|
||||
We will retain personal data for the period of time necessary for the particular purpose for which it was collected.
|
||||
|
||||
Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
|
||||
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
|
||||
|
||||
### Processing of personal data when using the website, contact forms and in connection with newsletters
|
||||
|
||||
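Review bot: this hunk only swaps the bullet marker from "-" to "*" but leaves the legal-basis list mixing "DSGVO" (the German abbreviation) with "GDPR" inside the same list, and the lead sentence calls the regulation "the EU Data Protection Regulation"; while these lines are being touched, normalize to "General Data Protection Regulation (GDPR)" in the lead sentence and "GDPR" in every item so the English policy cites one name. The article citations also alternate between "Art. 6 (1) a)", "Art. 6 para. 1 lit. b" and "Article 6 (1) (f)"; use one form.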
@@ -57,45 +77,49 @@ Our websites can generally be visited without registration. Each time one of our
|
||||
|
||||
This data is processed to enable correct delivery and functioning of the website. In addition, we use the data to optimize the website and to ensure the security of our systems.
|
||||
|
||||
Personal data, in particular name, address or e-mail address are collected as far as possible on a voluntary basis, for example when you contact us via a contact form or by e-mail. Without your consent, the data will not be passed on to third parties, unless shown in this privacy policy.
|
||||
Personal data, in particular name, address or e-mail address are collected as far as possible on a voluntary basis, for example when you contact us via a contact form or by e-mail. Without your consent, the data will not be passed on to third parties, unless otherwise stated in this privacy policy.
|
||||
|
||||
If you send us inquiries via contact form, your data from the form, including any data you provided, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent, except insofar as this is shown in this privacy policy.
|
||||
|
||||
If you would like to receive newsletters offered on our websites, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties, except as described in this privacy policy.
|
||||
If you would like to receive newsletters offered on our Sites, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. Further data will not be collected. We use this data exclusively for sending the requested information and do not pass it on to third parties, except as described in this privacy policy.
|
||||
|
||||
You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe link" in the newsletter.
|
||||
|
||||
### Processing of personal data in connection with the use of our products
|
||||
### Processing of personal data when applying for a job with us
|
||||
|
||||
Our Sites can generally be visited without registration. If you apply for a job with us, we may collect and process according to the [Privacy policy for the ZITADEL employer branding and recruitment](https://jobs.zitadel.com/privacy-policy). You may request and delete your data with the links on our [data & privacy page](https://jobs.zitadel.com/data-privacy).
|
||||
|
||||
### Processing of personal data in connection with the use of our Services
|
||||
|
||||
The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.
|
||||
|
||||
In particular, the following personal data are part of the processing:
|
||||
<PiidTable />
|
||||
|
||||
import { PiiTable } from "../../../src/components/pii_table";
|
||||
|
||||
<PiiTable />
|
||||
|
||||
Unless otherwise mentioned, the nature and purpose of the processing is as follows:
|
||||
|
||||
The data is uploaded by customers in our services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested services or the use of the agreed services.
|
||||
The data is uploaded by customers in our Services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested Services or the use of the agreed Services.
|
||||
|
||||
The fulfillment of the contract includes in particular, but is not limited to, the processing of personal data for the purpose of:
|
||||
|
||||
- Authentication and authorization of users
|
||||
- Storage and processing of user actions in the audit trail
|
||||
- Processing of personal data and login information
|
||||
- Verification of communication means
|
||||
- Communication regarding service interruptions or service changes
|
||||
* Authentication and authorization of users
|
||||
* Storage and processing of user actions in the audit trail
|
||||
* Processing of personal data and login information
|
||||
* Verification of communication means
|
||||
* Communication regarding service interruptions or service changes
|
||||
|
||||
## Disclosure to third parties
|
||||
|
||||
### Third party sub-processors
|
||||
|
||||
We use third-party services to provide the website and our offers. An up-to-date list of all the providers we use and their areas of activity can be found on our [list of involved and approved sub-processors](../subprocessors).
|
||||
We use third-party services to provide the website and our offers. An up-to-date list of all the providers we use and their areas of activity can be found on our [Trust Center](/trust).
|
||||
|
||||
### External payment providers
|
||||
|
||||
This website uses external payment service providers through whose platforms users and we can make payment transactions. For example via
|
||||
|
||||
- [Stripe](https://stripe.com/ch/privacy)
|
||||
- [Bexio AG](https://www.bexio.com/de-CH/datenschutz)
|
||||
This Site uses external payment service providers through whose platforms users and we can make payment transactions. For example, via [Stripe](https://stripe.com/ch/privacy).
|
||||
|
||||
As an alternative, we offer customers the option to pay by invoice instead of using external payment providers. However, this may require a positive credit check in advance.
|
||||
|
||||
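Review bot: the new PiiTable component is imported mid-document ("import { PiiTable } from "../../../src/components/pii_table";") immediately before its use, while the file header still carries "import PiidTable from '../_piid-table.mdx';", which is dead once "<PiidTable />" is gone. Move the import up to the header import and delete the unused one; MDX accepts top-level imports anywhere, but an import after prose is easy to miss in review and unused imports get flagged by linters. The new "Processing of personal data when applying for a job with us" section opens with "Our Sites can generally be visited without registration.", a sentence copied from the website section that says nothing about job applications; delete it. The next sentence, "we may collect and process according to the ...", is missing its object: "collect and process your personal data according to ...".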
@@ -105,91 +129,166 @@ For payment transactions, the terms and conditions and the data protection notic
|
||||
|
||||
### Law enforcement
|
||||
|
||||
We disclose personal information to law enforcement agencies, investigative authorities or in legal proceedings to the extent we are required to do so by law or when necessary to protect our rights or the rights of users.
|
||||
We disclose personal data to law enforcement agencies, investigative authorities or in legal proceedings to the extent we are required to do so by law or when necessary to protect our rights or the rights of users.
|
||||
|
||||
## Cookies
|
||||
|
||||
Our websites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.
|
||||
Our Sites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our Services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.
|
||||
|
||||
In particular, we use the following cookies to provide our services:
|
||||
|
||||
When you use our services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively “cookies”) in your browser and on emails sent to you.
|
||||
This information may include Personal Information, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the services, as well as information about your interactions with the services, such as the date and time of your visit, and where you have clicked.
|
||||
When you use our Services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively “cookies”) in your browser and on emails sent to you. This information may include personal data, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the Services, as well as information about your interactions with the Services, such as the date and time of your visit, and where you have clicked.
|
||||
|
||||
### Necessary cookies
|
||||
|
||||
Some cookies are strictly necessary to make our services available to you.
|
||||
We cannot provide you with our services without this type of cookies.
|
||||
Some cookies are strictly necessary to make our Services available to you. We cannot provide you with our Services without this type of cookies.
|
||||
|
||||
Necessary cookies provide basic functionality such as:
|
||||
|
||||
- Session Management
|
||||
- Single Sign-On
|
||||
- Rate Limiting
|
||||
- DDoS Mitigation
|
||||
- Remembering Preferences
|
||||
* Session Management
|
||||
* Single Sign-On
|
||||
* Rate Limiting
|
||||
* DDoS Mitigation
|
||||
* Remembering Preferences
|
||||
|
||||
### Analytical cookies
|
||||
|
||||
We also use cookies for website analytics purposes in order to operate, maintain, and improve the services for you.
|
||||
We use Google Analytics 4 to collect and process certain analytics data on our behalf.
|
||||
Google Analytics helps us understand how you engage with the services and may also collect information about your use of other websites, apps, and online resources.
|
||||
We don't use google analytics on customer instances of ZITADEL, only on our public websites and customer portal.
|
||||
We also use cookies for website analytics purposes in order to operate, maintain, and improve the Services for you. We use Google Analytics 4 and PostHog to collect and process certain analytics data on our behalf. Google Analytics and PostHog helps us understand how you engage with the Services and may also collect information about your use of other websites, apps, and online resources.
|
||||
|
||||
You can learn about Google’s practices by going to https://www.google.com/policies/privacy/partners/ and opt out by managing your cookie consent through our services or an third-party tool of your choice.
|
||||
You can learn about the analytics providers' practices by going to
|
||||
|
||||
If you do not want us to use cookies during your visit, you can disable their use in your browser settings.
|
||||
In this case, certain parts of our website (e.g. language selection) may not function or may not function fully.
|
||||
Where required by applicable law, we obtain your consent to use cookies.
|
||||
* [https://www.google.com/policies/privacy/partners/](https://www.google.com/policies/privacy/partners/)
|
||||
* [https://posthog.com/privacy](https://posthog.com/privacy)
|
||||
* [https://legal.hubspot.com/privacy-policy](https://legal.hubspot.com/privacy-policy)
|
||||
* [https://www.commonroom.io/privacy-policy/](https://www.commonroom.io/privacy-policy/)
|
||||
|
||||
and opt out by managing your cookie consent through our Services or a third-party tool of your choice.
|
||||
|
||||
If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our Sites (e.g. language selection) may not function or may not function fully. Where required by applicable law, we obtain your consent to use cookies.

## How we protect personal data

Personal data is maintained on our servers or those of our service providers, and is accessible by authorized employees, representatives, and agents as necessary for the purposes described in this privacy policy.

We maintain a range of physical, electronic, and procedural safeguards designed to help protect personal data. While we attempt to protect your personal data in our possession, we cannot guarantee at all times the security of the data as no method of transmission over the internet or security system is perfect.

If you choose to remain logged in, you should be aware that anyone with access to your device will be able to access your account and we therefore strongly recommend that you take appropriate steps to protect against unauthorized access to, and use, of your account. Please also notify us as soon as possible if you suspect any unauthorized use of your account or password.

## Rights of data subjects

Depending on your location and subject to applicable law, you may have the following rights regarding the personal data we process:

### Right to information

Any person affected by the processing has the right to obtain information from the responsible data processor at any time about the personal data stored about him or her.
You have the right to know what personal data we hold and process about you and to access such personal data.

### Right to rectification

Every person affected by the processing has the right to demand the correction of inaccurate personal data concerning him or her. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking into account the purposes of the processing.
You have the right to request the correction of inaccurate personal data concerning you.

### Right to erasure (right to be forgotten)

Any person affected by the processing has the right, in certain cases, to request from the responsible data processor to delete the personal data concerning him or her.
You have the right to request the deletion or erasure of the personal data concerning you.

### Right to restrict processing

Every person affected by the processing has the right in certain cases to request from the responsible data processor to restrict the processing.
You have the right to request to restrict the processing of your personal data in certain cases.

### Right to data portability

Every person affected by the processing has the right to receive the personal data concerning him or her in a structured, common and machine-readable format. He or she also has the right to have this data transferred to another data processor if the legal requirements are met.
You have the right to receive the personal data concerning you in a structured, common and machine-readable format, and to have this data transferred to another data processor if the legal requirements are met.

### Right to object

Every person affected by the processing has the right to object to the processing of personal data concerning him or her, insofar as we base the processing of his or her personal data on a balancing of interests. This is the case if the processing is not necessary, for example, to fulfill a contract or a legal obligation.
Depending on the circumstances, you have the right to object to the processing of personal data concerning you, insofar as we base the processing of your personal data on a balancing of interests. This is the case if the processing is not necessary, for example, to fulfill a contract or a legal obligation.

To exercise such an objection, the data subject must explain his or her reasons why we should not process his or her personal data as we have done. We will then review the situation and either stop or adjust the data processing or show the data subject our reasons for continuing the processing.
To exercise such an objection, please indicate your reasons why we should not process your personal data as we have done. We will then review the situation and either stop or adjust the data processing or explain our reasons for continuing the processing.

### Right to revoke consent under data protection law

Insofar as our processing is based on consent, the data subject has the right to revoke this consent at any time with effect for the future.
Insofar as our processing is based on consent, you have the right to revoke your consent at any time with effect. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

### Assertion of rights by the data subjects

If you wish to exercise your rights, you may do so by contacting the above-mentioned contact person.

A data subject also has the right to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch). The competent data protection authorities of EU countries can be viewed at this link: [https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index\_en.htm](https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm)
You can opt out of receiving marketing emails from us by following the unsubscribe link in the emails or by emailing us. If you choose to no longer receive marketing information, we may still communicate with you regarding such things as your security updates, product functionality, responses to service requests, or other transactional, non-marketing purposes.

## Note on data transfer abroad
If you have a concern about how we collect and use personal data, please contact us using the contact details provided at the beginning of this privacy policy. You also have the right to contact your local data protection authority if you prefer, such as:

Our websites and services make use of tools from companies based in countries outside of Switzerland or the EU/EEA, namely those based in the USA. When these tools are active, your personal data may be transferred to the servers of the respective companies abroad. We would like to point out that some of these countries, namely the USA, are not a safe third country in the sense of Swiss and EU data protection law. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above.
* Data protection authorities in the European Economic Area (EEA): [https://edpb.europa.eu/about-edpb/board/members\_en](https://edpb.europa.eu/about-edpb/board/members_en);
* Swiss data protection authorities: [https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html](https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html);
* UK data protection authority: [https://ico.org.uk/global/contact-us/](https://ico.org.uk/global/contact-us/).

## Additional Information for U.S. Residents

Categories of personal data we collect and our purposes for collection and use
You can find a list of the categories of personal data that we collect in the section above titled “Processing of personal data, legal basis, storage period”. In the last 12 months, we collected the following categories of personal data depending on the Services used:

* Identifiers and account information, such as the username and email address;
* Commercial information, such as information about transactions undertaken with us;
* Internet or other electronic network activity information, such as information about activity on our Site and Services.
* Geolocation information based on the IP address.
* Audiovisual information in pictures, audio, or video content that you may choose to submit to us.
* Professional or employment-related information or demographic information, but only if you explicitly provide it to us, such as by filling out a survey or by applying for a job with us.
* Inferences we make based on other collected data, for purposes such as recommending content and analytics.

For details regarding the sources from which we obtain personal data, please see the “Processing of personal data, legal basis, storage period” section above.
We collect and use personal data for the business or commercial purposes described in the “Processing of personal data, legal basis, storage period” section above.

Categories of personal data disclosed and categories of recipients

We disclose the following categories of personal data for business or commercial purposes to the categories of recipients listed below:

* We disclose identifiers with businesses, service providers, and third parties, such as analytics providers and social media networks.
* We disclose Internet or other network activity with businesses, service providers, and third parties, such as analytics providers and social media networks.
* We disclose geolocation information with businesses, service providers, and third parties such as advertising networks, analytics, and social media.
* We disclose payment information with businesses and service providers who process payments.
* We disclose commercial information with businesses, service providers, and third parties, such as analytics providers and social media networks.
* We disclose audiovisual information with businesses and service providers who help administer customer service and fraud or loss prevention services.
* We disclose inferences with businesses and service providers who help administer marketing and personalization.

### Privacy rights

Right to Opt-Out of Cookies and Sale/Sharing: Although we do not sell personal data for monetary value, our use of cookies and automated technologies may be considered a “sale” / “sharing” in certain states, such as California. Visitors to our US website can opt out of such third parties by clicking the “Manage cookie preferences” link at the bottom of our Site. The categories of personal data disclosed that may be considered a “sale” / “sharing” include identifiers, device information, Internet or other network activity, geolocation data, and commercial data.

The categories of third parties to whom personal data was disclosed that may be considered “sale”/ “sharing” include data analytics providers and social media networks.

We do not have actual knowledge that we sell or share the personal data of individuals under 16 years of age.

If you are a resident of the State of Nevada, Chapter 603A of the Nevada Revised Statutes permits a Nevada resident to opt out of future sales of certain covered information that a website operator has collected or will collect about the resident. Although we do not currently sell covered information, please contact us to submit such a request.

Right to Limit the Use of Sensitive Personal Information: We only collect sensitive personal information, as defined by applicable privacy laws, for the purposes allowed by law or with your consent. We do not use or disclose sensitive personal information except to provide you the Services or as otherwise permitted by law. We do not collect or process sensitive personal information for the purpose of inferring characteristics.

Right to Access, Correct, and Delete Personal Data: Depending on your state of residence in the U.S., you may have:
(i) the right to request access to and receive details about the personal data we maintain and how we have processed it, including the categories of personal data, the categories of sources from which personal data is collected, the business or commercial purpose for collecting, selling, or sharing personal data, the categories of third parties to whom personal data is disclosed, and the specific pieces of personal data collected;
(ii) the right to delete personal data collected, subject to certain exceptions;
(iii) the right to correct inaccurate personal data.

When you make a request, we will verify your identity by asking you to sign into your account or if necessary by requesting additional information from you. You may also make a request using an authorized agent. If you submit a rights request through an authorized agent, we may ask such agent to provide proof that you gave a signed permission to submit the request to exercise privacy rights on your behalf. We may also require you to verify your own identity directly with us or confirm to us that you otherwise provided such agent permission to submit the request. Once you have submitted your request, we will respond within the time frame permitted by the applicable law.

If you have any questions or concerns, you may reach us by contacting using one of the contact details listed at the beginning of this privacy policy.

Depending on your state of residence, you may be able to appeal our decision to your request regarding your personal data. To do so, please contact us by using one of the contact details listed at the beginning of this privacy policy. We respond to all appeal requests as soon as we reasonably can, and no later than legally required.

We do not discriminate against customers who exercise any of their rights described in our privacy policy.

California Shine the Light: Customers who are residents of California may request information concerning the categories of personal data (if any) we disclose to third parties or affiliates for their direct marketing purposes. If you would like more information, please submit a written request to us by using one of the contact details listed at the beginning of this privacy policy.

Do Not Track signals: Most modern web browsers give you the option to send a 'Do Not Track' signal to the sites you visit, indicating that you do not wish to be tracked. However, there is currently no accepted standard for how a site should respond to this signal, and we do not take any action in response to this signal.

## Note on international data transfers

Our Sites and Services make use of tools from companies based in countries outside of Switzerland or the EU/EEA, namely those based in the USA. When these tools are active, your personal data may be transferred to the servers of the respective companies abroad. If you are using the Site or Services from outside the United States, your personal data may be processed in a foreign country, where privacy laws may be less stringent than the laws in your country. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above. By submitting your personal data to us you agree to the transfer, storage, and processing of your personal data in a country other than your country of residence including, but not necessarily limited to, the United States.

We actively try to minimize the use of tools from companies located in countries without equivalent data protection, however, due to the lack of alternatives, this is currently not always feasible without major inconvenience. If you have any concerns, please contact us directly and we will try to find a mutual solution for your needs.

## Changes
## Children's Privacy

We may amend this privacy policy at any time without prior notice. Always the current version published on our website applies to users and customers of our website and services. Insofar as the data protection declaration is part of an agreement with you, we will inform you of the change by e-mail or other suitable means in the event of an update.
Our Site is not intended for or directed to children under the age of 14. We do not knowingly collect personal data directly from children under the age of 14 without parental consent. If we become aware that a child under the age of 14 has provided us with personal data, we will delete the information from our records.

## Questions about data processing by us
## Changes to this Privacy Policy

If you have any questions about our data processing, please email us or contact the person in our organization listed at the beginning of this privacy statement directly.
We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy. We will provide additional notice to you if we make any changes that materially affect your privacy rights.

## Contact us

If you have any questions about our data processing, please email us or contact us by using the contact details listed at the beginning of this privacy notice.
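Review bot: the new consent-withdrawal sentence ("Insofar as our processing is based on consent, you have the right to revoke your consent at any time with effect.") drops the "for the future" that the replaced sentence carried, so "with effect." now dangles; suggest "at any time with effect for the future." Two consistency points in the same region: "Categories of personal data we collect and our purposes for collection and use" and "Categories of personal data disclosed and categories of recipients" read as headings but are plain paragraphs, unlike the neighbouring "### Privacy rights"; and the new "Contact us" paragraph says "privacy notice" while the rest of the document says "privacy policy".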
106
docs/src/components/pii_table.jsx
Normal file
@@ -0,0 +1,106 @@
import React from "react";

export function PiiTable() {

const pii = [
{
type: "Basic data",
examples: [
'Names',
'Email addresses',
'User names'
],
subjects: "All users as uploaded by Customer."
},
{
type: "Login data",
examples: [
'Randomly generated ID',
'Passwords',
'Public keys / certificates ("FIDO2", "U2F", "x509", ...)',
'User names or identifiers of external login providers',
'Phone numbers',
],
subjects: "All users as uploaded and feature use by Customer."
},
{
type: "Profile data",
examples: [
'Profile pictures',
'Gender',
'Languages',
'Nicknames or Display names',
'Phone numbers',
'Metadata'
],
subjects: "All users as uploaded by Customer"
},
{
type: "Communication data",
examples: [
'Emails',
'Chats',
'Call metadata',
'Call recording and transcripts',
'Form submissions',
],
subjects: "Customers and users who communicate with us directly (e.g. support, chat)."
},
{
type: "Payment data",
examples: [
'Billing address',
'Payment information',
'Customer number',
'Support Customer history',
'Credit rating information',
],
subjects: "Customers who use services that require payment. Credit rating information: Only customers who pay by invoice."
},
{
type: "Analytics data",
examples: [
'Usage metrics',
'User behavior',
'User journeys (eg, Milestones)',
'Telemetry data',
'Client-side anonymized session replay',
],
subjects: "Customers who use our services."
},
{
type: "Usage meta data",
examples: [
'User agent',
'IP addresses',
'Operating system',
'Time and date',
'URL',
'Referrer URL',
'Accepted Language',
],
subjects: "All users"
},
]

return (
<table className="text-xs">
<tr>
<th>Type of personal data</th>
<th>Examples</th>
<th>Affected data subjects</th>
</tr>
{
pii.map((row, rowID) => {
return (
<tr>
<td key={rowID}>{row.type}</td>
<td><ul>{row.examples.map((example) => { return ( <li>{example}</li> )})}</ul></td>
<td>{row.subjects}</td>
</tr>
)
})
}
</table>
);
}
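Review bot: the `key` in the row-rendering map (`<td key={rowID}>{row.type}</td>`) sits on the cell rather than on the `<tr>` that `pii.map` returns, so React's reconciliation key is ignored; move it to `<tr key={rowID}>` and give the `<li>` elements produced by `row.examples.map` a key as well. The header `<tr>` and the mapped rows are direct children of `<table>`; wrapping them in `<thead>`/`<tbody>` avoids the DOM-nesting warning React emits for that structure. Content-wise, 'Phone numbers' appears under both "Login data" and "Profile data", and the `subjects` strings are inconsistently punctuated ("All users as uploaded by Customer." vs "All users as uploaded by Customer"); worth aligning since this table is rendered into the DPA.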
@@ -1,162 +0,0 @@
import React from "react";

export function SubProcessorTable() {

const country_list = {
us: "USA",
eu: "EU",
ch: "Switzerland",
fr: "France",
in: "India",
de: "Germany",
ee: "Estonia",
nl: "Netherlands",
ro: "Romania",
}
const processors = [
{
entity: "Google LLC",
purpose: "Cloud infrastructure provider (Google Cloud), business applications and collaboration (Workspace), Data warehouse services, Content delivery network, DDoS and bot prevention",
hosting: "Region designated by Customer, United States",
country: country_list.us,
enduserdata: "Yes"
},
{
entity: "Datadog, Inc.",
purpose: "Infrastructure monitoring, log analytics, and alerting",
hosting: country_list.eu,
country: country_list.us,
enduserdata: "Yes (logs)"
},
{
entity: "Github, Inc.",
purpose: "Source code management, code scanning, dependency management, security advisory, issue management, continuous integration",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Stripe Payments Europe, Ltd.",
purpose: "Subscription management, payment process",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Bexio AG",
purpose: "Customer management, payment process",
hosting: country_list.ch,
country: country_list.ch,
enduserdata: false
},
{
entity: "Mailjet SAS",
purpose: "Marketing automation",
hosting: country_list.eu,
country: country_list.fr,
enduserdata: false
},
{
entity: "Postmark (AC PM LLC)",
purpose: "Transactional mails, if no customer owned SMTP service is configured",
hosting: country_list.us,
country: country_list.us,
enduserdata: "Yes (opt-out)"
},
{
entity: "Vercel, Inc.",
purpose: "Website hosting",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Agolia SAS",
purpose: "Documentation search engine (zitadel.com/docs)",
hosting: country_list.us,
country: country_list.in,
enduserdata: false
},
{
entity: "Discord Netherlands BV",
purpose: "Community chat (zitadel.com/chat)",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Statuspal",
purpose: "ZITADEL Cloud service status announcements",
hosting: country_list.us,
country: country_list.de,
enduserdata: false
},
{
entity: "Plausible Insights OÜ",
purpose: "Privacy-friendly web analytics",
hosting: country_list.de,
country: country_list.ee,
enduserdata: false,
dpa: 'https://plausible.io/dpa'
},
{
entity: "Twillio Inc.",
purpose: "Messaging platform for SMS",
hosting: country_list.us,
country: country_list.us,
enduserdata: "Yes (opt-out)"
},
{
entity: "Mohlmann Solutions SRL",
purpose: "Global payroll",
hosting: undefined,
country: country_list.ro,
enduserdata: false
},
{
entity: "Remote Europe Holding, B.V.",
purpose: "Global payroll",
hosting: undefined,
country: country_list.nl,
enduserdata: false
},
{
entity: "HubSpot Inc.",
purpose: "Customer and sales management, Marketing automation, Support requests",
hosting: country_list.eu,
country: country_list.us,
enduserdata: false
},
]

return (
<table className="text-xs">
<tr>
<th>Entity name</th>
<th>Purpose</th>
<th>End-user data</th>
<th>Hosting location</th>
<th>Country of registration</th>
</tr>
{
processors
.sort((a, b) => {
if (a.entity < b.entity) return -1
if (a.entity > b.entity) return 1
else return 0
})
.map((processor, rowID) => {
return (
<tr>
<td key={rowID}>{processor.entity}</td>
<td>{processor.purpose}</td>
<td>{processor.enduserdata ? processor.enduserdata : 'No'}</td>
<td>{processor.hosting ? processor.hosting : 'n/a'}</td>
<td>{processor.country}</td>
</tr>
)
})
}
</table>
);
}
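Review bot: this hunk deletes the entire `SubProcessorTable` component and no replacement component appears in the diff; before merging, confirm that no MDX page still imports `SubProcessorTable` (a stale import would break the docs build) and that the sub-processor list this table rendered (entity, purpose, end-user data, hosting location, country of registration) is still published somewhere the DPA can reference, since the DPA text relies on a current sub-processor list. The hunk also lacks the file header that the `pii_table.jsx` hunk has, so the path of the deleted file is not visible in this view.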