Data Act Addendum for EU Established Customers
Last Updated: January 6, 2026
Background
This Addendum is incorporated by reference in the Agreement (defined in the EUSA). Capitalized terms not defined herein will have the meanings assigned to such terms in the Agreement. This Addendum applies only where a Customer is established in an EU member state but does not apply to any Evaluation Products provided for testing and evaluation purposes for a limited period.
1. Definitions
“Agreement” means any agreement between Zscaler and a specific customer or between a specific customer and a Zscaler-authorized partner under which Products are provided by Zscaler and/or a Zscaler-authorized partner to that customer. Such an agreement may have various titles, such as “Order Form”, “Quotation”, “Purchase Order”, “End User Subscription Agreement”, or “Master Services Agreement”.
"Data Act" means Regulation (EU) 2023/2854.
"Data Processing Services" means as defined in Article 2(9) Data Act.
"Data Retrieval Period" means 30 days from the end of the Transitional Period.
"Destination Provider" means the destination provider of Data Processing Services to which Customer might export its Exportable Data and Digital Assets.
"Digital Assets" means as defined in Article 2(32) of the Data Act.
"Exportable Data" means, to the extent retained by Zscaler, Customer Data, data input into the Software and SaaS, and data output from the Software and SaaS which is subject to Switching, including metadata, directly or indirectly generated, or cogenerated, by Customer’s use of such Software or SaaS, excluding any assets or data protected by intellectual property rights, or constituting a trade secret, of Zscaler or a third party other than the Customer.
"Logs" means the transaction logs stored by Zscaler as further defined in the Documentation.
"On-Premises ICT Infrastructure" means as defined in Article 2(33) of the Data Act.
"Successful Switch" means the completion of the attempted data export by Customer of its Exportable Data in a manner that has maintained the integrity and completeness of the Exportable Data as they were prior to export.
"Switching" means the process involving Zscaler, Customer and, where relevant, a Destination Provider, whereby Customer changes from using the Software or SaaS (or individual products within the SaaS) to using one or more other Data Processing Services or to an On-Premises ICT Infrastructure, including extracting, transforming, and uploading the Exportable Data.
"Switching Notice" has the meaning given in Section 2.1 of this Addendum.
"Switching Notice Period" means a two-month period starting on Zscaler’s receipt of the Switching Notice.
"Termination Fee" means the full amount of Fees for the remaining unused Subscription Term for the terminated Software and SaaS as at the date of termination.
"Transitional Period" means 30 days beginning on the day after the Switching Notice Period ends or such extended period as permitted by Section 3.3.
1. Information
1.1 Customer acknowledges that before placing the order for the Products, Zscaler has provided Customer with access to the Documentation which contains information about:
1.1.1 how Customer may import Customer Data into the SaaS;
1.1.2 how Customer may export its Exportable Data from the SaaS; and
1.1.3 the tools and interfaces made available by Zscaler to assist Customer with import and export from the SaaS.
1.2 Annex 1 (Further Information) includes:
1.2.1 details of the categories of Exportable Data that can be exported by Customer;
1.2.2 an exhaustive specification of categories of data specific to the internal functioning of the Software and SaaS that cannot be exported as Exportable Data;
1.2.3 an estimate of the time needed to export and transfer the Exportable Data out of the SaaS;
1.2.4 information about data structures and formats, relevant standards, and open interoperability specifications for Exportable Data; and
1.2.5 the websites where Customer can find information about the jurisdiction of data processing facilities and technical, organizational and contractual measures for the Software and SaaS relating to international government access.
1.3 Zscaler confirms and Customer acknowledges that there are no Digital Assets.
1.4 Zscaler shall be entitled to update Annex 1 (Further Information) if required because of changes to the Software or SaaS that are either agreed by the Parties or permitted by the Agreement.
1.5 For the purposes of Art 25(2)(a)(iii), there are no additional risks to the continuity of the SaaS that would be caused by Customer exporting its Exportable Data.
1.6 The Documentation contains information on procedures for exporting Exportable Data, including methods and formats, restrictions and technical limitations, including those arising from storage of Exportable Data outside of the EU, procedures, instructions, documentation, as well as when applicable, best practices and capabilities. Zscaler shall ensure the Documentation explains how to export all Exportable Data in a coherent and consistent way, such that a competent person with relevant experience could achieve an effective Successful Switch.
2. Switching process
2.1 If Customer wishes to initiate Switching, Customer shall give Zscaler two months’ notice (the “Switching Notice”).
2.2 Customer shall in any Switching Notice inform Zscaler of:
2.2.1 whether at the end of the Switching Notice Period Customer intends:
(i) to switch to different providers of Data Processing Services;
(ii) to switch to an On-Premises ICT Infrastructure of Customer; or
(iii) not to switch but only requires erasure of its Exportable Data; and
2.2.2 which Software and SaaS, and Exportable Data Customer wishes to switch from and its preferred timeframe or details of which Exportable Data Customer wishes to have erased.
2.3 To make the Switching effective, enable timely transfer of Exportable Data, and maintain the continuity of the Products until the Software and SaaS is terminated in accordance with the Agreement, the parties shall cooperate in good faith.
2.4 Customer may use the Support Services for technical support during Switching.
3. Transitional Period
3.1 If a Successful Switch cannot be completed within the Transitional Period because this is not technically feasible, Zscaler shall:
3.1.1 notify Customer in writing including by adequate electronic means, within 14 working days after receiving the Switching Notice;
3.1.2 indicate an alternative Transitional Period, which must not exceed seven months; and
3.1.3 give proper justification for the technical unfeasibility.
3.2 Customer shall confirm the receipt of such extension notice within five working days.
3.3 Customer may by giving notice to Zscaler, extend the Transitional Period once, for a period it considers more appropriate for its own purpose, for no longer than 90 days.
4. Obligations of Zscaler during Switching
4.1 During the Transitional Period Zscaler shall:
4.1.1 provide reasonable assistance to Customer and third parties authorized by Customer through the provision of certain self-export and extraction tools within the SaaS (such as download and export functionality within the SaaS and tools and interfaces as described in the Documentation), and the Support Services, to enable the export of the Exportable Data so that Customer can achieve a Successful Switch;
4.1.2 act with due care to maintain business continuity in accordance with the Agreement and continue to provide access to the Software, SaaS and Support Services under the Agreement;
4.1.3 maintain the level of security set out in the Security Measures throughout Switching, for the security of the Exportable Data during their transfer.
4.2 If customer requires assistance beyond that set out in Section 4.1 above, Customer may request that Zscaler provides further services, which will be provided at Zscaler’s then current professional services rates. Customer shall promptly engage with Zscaler to scope such services and ensure that Zscaler receives a purchase order for such services so that such services can begin promptly to enable a Successful Switch as soon as possible.
5. Customer’s obligations
5.1 Customer shall provide all reasonable assistance to Zscaler and take all reasonable measures to achieve a Successful Switch during the Transitional Period.
5.2 Notwithstanding any other obligations of Zscaler under this Addendum, Customer shall be responsible for the import and implementation of Exportable Data in its own systems or in the systems of any destination provider. Accordingly, Customer acknowledges that Zscaler shall have no liability to Customer as a result of:
5.2.1 the Customer's use of any Zscaler provided tools and interfaces used for Switching outside the instructions provided by Zscaler;
5.2.2 any acts or omissions of any party involved in Switching, other than Zscaler; or
5.2.3 Customer’s use of any third-party tools, interfaces and systems used in respect of Switching that are not provided by Zscaler (including the Destination Provider(s)'s systems).
5.3 Customer shall, and shall ensure that third parties authorized by Customer, respect the Intellectual Property Rights of any materials provided by Zscaler during Switching. Customer shall provide access to and if necessary to sublicense the use of these materials to third parties only insofar as necessary to complete a Successful Switch.
6. Data retrieval and erasure of data
6.1 Zscaler shall provide read only access for Customer to the SaaS during the Data Retrieval Period to enable Customer to export its Exportable Data.
6.2 Subject to Section 6.2 below, at the end of:
6.2.1 the Data Retrieval Period, if there has been a Successful Switch, where the Customer has elected to Switch; or
6.2.2 on expiry of the Switching Notice Period, where the Customer elects to erase its Exportable Data,
Zscaler shall erase Customer’s Exportable Data in accordance with its standard data retention policies, which for Logs can be found at https://help.zscaler.com/logs-fair-use. Zscaler shall confirm on request by Customer that it has carried out such erasure. Customer may also at any time delete any Exportable Data that it has imported into the SaaS from third-party tools.
6.3 Zscaler will not have to erase any Exportable Data which Zscaler is required to store under mandatory laws.
7. Charges for the Switching
7.1 Subject to Section 7.2 below, Customer acknowledges that:
7.1.1 prior to the Effective Date, Customer has been provided with information (including applicable charges) relating to Zscaler’s Log streaming services that would allow continuous export of certain Log files during the Subscription Term;
7.1.2 the charges for any services for assisting Customer with Switching depend on the volume and nature of Exportable Data needed to be exported at the end of the Subscription Term.
7.2 Until 12th January 2027, the charges to be paid by Customer for services under Section 7.1.2 will be at cost.
8. Termination
8.1 Customer’s subscription to the specific Software and SaaS referenced in its Switching Notice, or the entire Agreement if Customer’s Switching Notice references all Software and SaaS Customer has purchased, will be considered terminated between the parties when one of the following events has occurred:
8.1.1 where applicable, once a Successful Switch has occurred; or
8.1.2 at the end of the Switching Notice Period where Customer does not wish to switch but to erase its Exportable Data.
8.2 Should termination occur under Section 8.1 before the end of the Subscription Term, then Partner or Zscaler (as applicable) shall be entitled to the Termination Fees.
8.3 Customer shall notify Zscaler within two business days of completion of a Successful Switch.
8.4 Following notification from Customer under Section 8.3, Zscaler shall notify Customer promptly of the termination of the individual subscriptions or the Agreement (as applicable). If Customer does not notify Zscaler under Section 8.3 that a Successful Switch has occurred, then:
8.4.1 if Zscaler has justified grounds based on its internal systems and log data to believe that a Successful Switch has occurred, Zscaler may notify Customer of termination of the Agreement; or
8.4.2 Zscaler may require Customer to confirm whether a Successful Switch has taken place. If Customer does not confirm within ten business days from such request, it will be deemed that there was no Successful Switch. In such case, the relevant subscriptions or the Agreement (as applicable) will not terminate in accordance with Section 8.1 and will continue until termination or expiry in accordance with the terms of the Agreement.
8.5 If the Subscription Term would expire or is otherwise terminated by Customer
(i) before a Successful Switch has occurred (where Customer has requested to Switch); or
(ii) before expiry of the Switching Notice Period (where Customer has requested its Exportable Data to be erased), then:
8.5.1 the Subscription Term will be deemed to continue until termination in accordance with Section 8.1; and
8.5.2 Customer shall continue to pay the Fees until such termination.
The termination rights in this Section 8 do not affect any other rights or remedies a party may have available towards the other party that are set out elsewhere in the Agreement.
9. Order of precedence
This Addendum forms an integral part of the Agreement. In the event of any conflict or inconsistency between this Addendum and any other applicable contractual arrangements, terms, conditions or other (parts of) applicable agreements – including any policies, information, documentation, schedules, exhibits, annexes or the like pertaining to them – this Addendum will take precedence.
Annex 1
Further Information
1. Categories of Exportable Data
The below table details the categories of Exportable Data customers can obtain from Zscaler and the Software and SaaS. For further information, please refer to the Documentation.
For the purposes of the below table:
“Infrastructure and Operations Data” includes information such as technical performance metrics, system resource utilization, network measurements; geographic, network routing information, infrastructure identification, technical resource data.
“Policy and Configuration Data” includes information related to security policies, access controls, compliance rules, system configurations, network configuration data, infrastructure-as-code templates, operational settings, administrative controls, reports and analytics data, risk assessments; includes policy rule names, outcomes, security controls, DLP policies, policy violations, enforcement actions.
“Transaction Log Data” includes information such as timestamps, identifiers, state and system changes; includes authentication events, security events, connection events covering connection establishment, termination, and status changes, transaction records, requests and responses and protocol interactions, and configuration changes.
| Product | Data Categories |
| Airgap | Asset related data, Policy and Configuration Data, Transaction Log Data |
| AI Scanning | Probe and target configurations, test conversations. |
| Business Insights | Infrastructure and Operations Data, Transaction Log Data |
| Cyber Protection | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Data Fabric | Metadata provided by Customer encompassing various data types from the Customer organisation but primarily data from security tools and business systems
Note: Data Fabric is not a standalone product but rather is a technology stack with capabilities that empower applications operations using the architecture. |
| Experience Center | Policy and Configuration Data, Transaction Log Data |
| Risk 360 | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| SOC Workbench | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Unified Vulnerability Management | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Zscaler Asset Exposure Management | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| ZCellular | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Zscaler Connectors | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Zidentity | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Zscaler Internet Access | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Zscaler Private Access | Infrastructure and Operations Data, Policy and Configuration Data, Transaction Log Data |
| Zscaler Posture Control | Infrastructure and Operations Data, Policy and Configuration Data |
| Z-SDK for Mobile Apps | Infrastructure and Operations Data, Transaction Log Data |
| Zscaler Threat Hunting | Report on results of Threat Hunt services |
Exportable Data can be exported in various common formats including CEF/LEEF, CSV, JSON, PDF, TSV depending on the nature of the Exportable Data.
2. Digital Assets
There are no Digital Assets.
3. Categories of data specific to the internal functioning of Zscaler’s Software and SaaS, with risk of a breach of Zscaler’s trade secrets, which are exempted from Switching
None
4. Data protected by the intellectual property rights of Zscaler or third parties, which are exempted from Switching
None
5. Data related to the integrity and security of the Software or SaaS, the export of which will expose Zscaler or any of its services to cybersecurity vulnerabilities, which are exempted from Switching
None
6. Information on procedures for Switching with the use of the tools and interfaces made available by Zscaler
Please refer to the Documentation or raise a support ticket.
7. Estimate of the time needed to export and transfer Exportable Data:
It is difficult to give an estimate as this will depend on the volume of data being exported as well as Internet speeds. An estimate can be provided at the time on request.
8. Further information about data structures and formats, relevant standards, and open interoperability specifications for Exportable Data
Please refer to the Documentation or raise a support ticket.
9. Websites for further information – Jurisdiction of Processing and Technical, Organizational and Contractual Measures
Data Center Map: https://trust.zscaler.com/zscaler.net/data-center-map
Transparency Report: https://www.zscaler.com/privacy/transparency-report
Security Certifications: https://www.zscaler.com/compliance/overview
Contractual Security Commitments: https://www.zscaler.com/legal/security-measures
Transfer Impact Assessment: https://www.zscaler.com/privacy/transfer-impact-assessment-tia