Close this search box.
Horizon 2024 is here! Join hundreds of procurement visionaries in Miami on May 15-17, 2024. Register Now!

Zycus and GDPR

GDPR roles and definitions relating to Zycus:

GDPR applies to both Controllers and Processors that are established in the EU and also to any Controller and Processor not located in the EU, where the processing activities are related to either the offering of goods or services to data subjects in the EU (irrespective of whether a payment is required) or the monitoring of the behavior of individuals as far as such behavior takes place within the EU.
GDPR is quite specific about the duties of the Controller and the Processor and indeed Article 28 (3) of GDPR stipulates that there must be a contract in writing between the Controller and Processor which clearly sets out the subject matter of the processing and its duration as well as the nature and purposes of processing, the types of personal data, and the obligations and rights of both parties.

Article 4 EU GDPR defines data controllers and data processors as below:

  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

In other words, the data controller determines the purposes for which and the means by which personal data is processed and the data processor processes personal data only on behalf of the controller. The data processor is usually a third-party external to the company.

In general, the controller assumes responsibility for all personal data collected and must ensure that rights of the data subject and the controller’s own legal obligations are also covered by the processor.

The Data Processing Agreement is important, so that both parties understand their responsibilities and liabilities. When it comes to Zycus, our customers are data controllers when they use Zycus applications (Source to Pay suite of procurement performance solutions). Zycus is a data processor on behalf of the customer by means of Data Processing Addendum.


Zycus is committed to have such Data Processing Agreement executed with its customers. You can find Zycus’ Data Processing Agreement (DPA) here.

Zycus’ Data Processing Agreement terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure). By having such DPA in place with the required terms, we are ensuring that we are complying with the GDPR.


GDPR roles and definitions relating to Zycus:

At Zycus we have state-of-the-art security to ensure that data from our prospects and customers is never compromised. We know that security is crucial to you; therefore, security is our top priority and it is fundamental to successful operation of Zycus. We devote significant resources to continually improve our world-class security infrastructure. The result: unsurpassed security and privacy for our customers’ information.

Standards and Specifications

Zycus rely on SSAE 16 and SOC 1 & 2 Type II audits and reports to build trust and confidence. The SOC 1 Type II report provides reasonable assurance over the effectiveness of the controls at Zycus which are directly or indirectly relevant to our customers financial reporting and SOC 2 type II report provides reasonable assurance over the controls that are relevant to the Trust Service Principals of Service Organization Control (security, availability and confidentiality). The SOC 2 Type II report also describes the operating effectiveness of these controls and it is the most comprehensive type of report. With our SOC1 & 2 audit reports, we can assure our customers that we meet the most demanding requirements for the security, availability and confidentiality of their information.”

Also, Zycus follows ISO 27001:2013 ISMS standard and we have developed our policies and procedures based on this framework. Zycus is in the process of incorporating GDPR compliance management structure in our current ISMF, which is cross-functional and represents all key areas within the business. The current ISMS risk management process is also under review to incorporate privacy risk management.

Key pointers surrounding GDPR pertaining to Zycus



Consent to obtain personal data is done through acceptance of Zycus’ privacy policy, which includes the purpose, the categories of personal data, and other relevant considerations.


Access to Data

Personal data can be accessed only by a user who has been authorized by Zycus authorization mechanisms


Right to Rectification

Zycus has the right to edit or correct customer’s personal data in the user profile during the contract period.


Erasure of Data

Zycus deletes all customer data which, upon termination / expiry of contract.


Authorization and Disclosure control

Customers can manage authorization, authentication and role based access in Zycus’ solution.


Privacy by Design and by Default

For development of any feature Zycus considers GDPR regulations and standard security guidelines.


Data Breach Notification

Zycus services are obligated to notify, within 72 hours, in case of any data breach without any undue delay.


Subprocessor Compliance

Zycus ensures ongoing subprocessor compliance using corporate standard purchasing processes by subprocessor contract vetting and assessment of security risks. This is in accordance with the DPA.



Zycus services keep the records of processing activities in accordance with GDPR requirements for data processors to aid customers to fulfill their obligations.



Zycus will deliver all the ongoing accountability activities such as regular risk assessment and security assessment of applications, network, and IT infrastructure; documented security programs and policies; and regular security trainings with guaranteed assurance.


Data Subject Rights

Zycus has the provision to help the customers with privacy related questions and assist the customers when they have any query towards the security of personal information.

Personal Data Processing

  • Zycus (a cloud solution provider) executes all the suitable terms of accountability and technology. This includes maintaining the records of all the activities being processed, assessments of the impact on privacy.
  • ‘Zycus abides by the Data Processing addendum (DPA) as a significant part of the customer contract. These agreements incorporate data protection assurances to the customer by including standard contractual clauses included in the contract.
  • Zycus employees are obligated to pass the data protection and privacy/ security awareness trainings annually. These trainings will cover privacy principles and security topics.
  • Zycus solutions are protecting the confidentiality, integrity and availability of their data and provide the above accountability continuously.
Scroll to Top