Data Processing Addendum
This Data Processing Addendum (the “DPA”) supplements any agreement between ZS and Customer which references this DPA (the “Agreement”). For purposes of this DPA, “Customer” means the Customer entity identified in the Agreement.
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement. In case of conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
ZS may update these terms from time to time with or without notice. ZS will publish the updated DPA terms on its website.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1. Definitions
1.1 “Brazil SCCs” means the Brazilian standard contractual clauses, as adopted by the National Data Protection Authority (“ANPD”) under Resolution n. 19/2024 (including its Annex II adopted on August 23, 2024), for the transfer of personal data to third countries.
1.2 “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.
1.3 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing the Personal Data, and for the purpose of this DPA, includes the term “Business” as defined under the CCPA and similar U.S. State Privacy Laws, to the extent that such laws apply to the Processing of Personal Data.
1.4 “Customer Personal Data” means any Personal Data provided to ZS by or at the direction of Customer.
1.5 “Data Protection Authorities” means the independent public authorities responsible for monitoring compliance with Data Protection Laws.
1.6 “Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA, including without limitation the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, the United States, Brazil, Japan, and Singapore.
1.7 “Data Security Incident” shall mean accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.8 “Data Subject” means an identified or identifiable natural person.
1.9 “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council.
1.10 “Instructions” means the Agreement, or with respect to ZS acting as a Controller, ZS’s written instructions to the Customer concerning the Processing of ZS Personal Data.
1.11 “Personal Data” means any information that constitutes “personal data,” “personal information,” “personally identifiable information” or similar term defined in Data Protection Laws.
1.12 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means (such as collection, recording, utilization, storage, disclosure, transmission, dissemination or otherwise making available, erasure, or destruction).
1.13 “Processor” means a natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of a Controller.
1.14 “EU SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council according to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.15 “Services” means the products and/or services that ZS provides to Customer pursuant to the Agreement.
1.16 “Sub-Processor” means any Processor engaged by ZS when it is acting as a Processor for the Customer to assist in fulfilling its obligations with respect to the provision of the Services under the Agreement.
1.17 “ZS Personal Data” means any Personal Data that ZS provides to Customer.
2. Customer’s Obligations
2.1 Customer will comply with all Data Protection Laws applicable to its performance of obligations or exercise of rights under this DPA. In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it will be solely responsible for:
2.1.1 The accuracy, quality, and legality of Customer Personal Data and the lawful basis by which Customer acquired Customer Personal Data;
2.1.2 Complying with all necessary transparency and lawfulness requirements under Data Protection Laws, including obtaining any necessary consents and authorizations;
2.1.3 Ensuring it has the right to transfer Customer Personal Data to ZS in accordance with the terms of the Agreement (including this DPA); and
2.1.4 Ensuring that its Instructions to ZS regarding the Processing of Customer Personal Data comply with applicable laws, including Data Protection Laws.
Customer will inform ZS without undue delay if it is not able to comply with its responsibilities under this section.
2.2 The parties agree that the Agreement (including this DPA) together with Customer’s use of the Services constitute Customer’s complete and final Instructions to ZS in relation to the Processing of Personal Data, and any additional Instructions shall require prior written agreement between ZS and Customer.
3. ZS’s Obligations
3.1 ZS will Process Customer Personal Data in accordance with the Agreement and shall not Process Customer Personal Data on Customer’s behalf other than (1) as necessary to perform and improve the Services, and (2) to the extent it is otherwise required by applicable law.
3.2 ZS will notify Customer if it becomes aware, or reasonably believes, that Customer’s Instructions violate applicable Data Protection Laws.
3.3 ZS will not “sell” or “share” Customer Personal Data within the meaning of applicable Data Protection Laws.
3.4 ZS has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality, integrity and availability of Customer Personal Data as described in Annex 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, ZS may modify or update the Security Measures at its discretion provided that such modification or update does not materially decrease the overall security of the Services.
3.4.1 ZS will ensure that any personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations and training with respect to Personal Data.
3.4.2 ZS will notify Customer without undue delay after it becomes aware of any Data Security Incident.
3.4.3 At Customer’s request, ZS will delete or return all Customer Personal Data as documented in the Agreement.
4. Data Protection Impact Assessments
4.1 Where required by Data Protection Laws, each party shall provide reasonable assistance to the other in conducting data protection impact assessments and seeking prior consultation from Data Protection Authorities.
5. Audits and Inspections
5.1 ZS will make all information reasonably necessary to demonstrate compliance with this DPA available to Customer and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA.
6. International Transfers
6.1 Customer acknowledges and agrees that ZS may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and that Personal Data will be transferred to and Processed by ZS in the United States and India and other jurisdictions where ZS and its Processors and Sub-Processors have operations. ZS will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
6.2 EU/EEA
6.2.1 Where Personal Data subject to GDPR is transferred, the EU SCCs are hereby incorporated into this DPA by reference as follows:
6.2.1.1 Module 1 (Controller to Controller) applies where ZS and Customer act as joint or independent controllers of ZS Personal Data or Customer Personal Data; Customer shall be deemed “data exporter” or “data importer” as applicable, and ZS shall be deemed “data importer” or “data exporter” as applicable.
6.2.1.2 Module 2 (Controller to Processor) applies where ZS acts as Processor and Customer acts as Controller of Customer Personal Data; Customer shall be deemed “data exporter,” and ZS shall be deemed “data importer.”
6.2.1.3 Module 4 (Processor to Controller) applies where ZS acts as Processor and Customer acts as Controller of Customer Personal Data; Customer shall be deemed “data importer,” and ZS shall be deemed “data exporter.”
6.2.2 EU SCC Modules 1, 2, and 4, as applicable, shall be considered duly executed between the parties upon entering into force of this DPA, and the parties agree to observe the terms of the EU SCCs, as applicable, without modification.
6.2.3 Modules 1 and 2 of the EU SCCs, as applicable, shall apply to Customer and each subsidiary of Customer established within the EEA who uses the Services provided by ZS under the Agreement, and for which ZS processes Personal Data under the applicable Agreement.
6.2.4 Module 4 of the EU SCCs, as applicable, shall apply to Customer and each subsidiary of Customer established outside of the EEA who uses the Services provided by ZS under the Agreement, and for which ZS processes Personal Data under the applicable Agreement.
6.2.5 In the event that the EU SCCs are (i) amended, replaced or repealed by the European Commission or the European Commission approves a new set of standard contractual clauses for the transfer of personal data to third countries, (ii) declared invalid by a court of competence, or (iii) otherwise terminated, annulled, replaced or repealed under Data Protection Laws, the parties shall work together in good faith to enter, as applicable, into any updated version of the EU SCCs or other appropriate successor transfer mechanisms or agreements required by Customer or ZS.
6.2.6 Where the EU SCCs identify optional provisions or provisions with multiple options, the following options are selected in the EU SCCs:
6.2.6.1 Clause 7 shall apply;
6.2.6.2 Option 2 of Clause 9(a) shall apply with regard to the use of Sub-Processors in accordance with Section 8 of this DPA;
6.2.6.3 The optional provision within Clause 11(a) shall not apply;
6.2.6.4 In Clauses 17 and 18, Ireland shall apply.
6.2.6.5 Annexes 1 and 2 of the EU SCCs are the Annexes to this DPA.
6.3 UK
6.3.1 To the extent that the Parties rely on the EU SCCs for Personal Data transfers that include the United Kingdom, the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under Section 119A(1) of Data Protection Act 2018 (the “UK Addendum”) is hereby incorporated into this DPA, and the EU SCCs shall be considered as amended as specified in the UK Addendum with regard to applicable Personal Data transfers.
6.4 Switzerland
6.4.1 To the extent that the Parties rely on the applicable modules of the EU SCCs for transfers that include transfers from Switzerland, the EU SCCs shall be deemed to be amended as follows with regard to any data transfer from Switzerland:
6.4.1.1 Clause 6 (Description of the transfer(s)) of the EU SCCs is replaced with: “The details of the transfer(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I where Swiss Data Protection Laws apply to the Processing”.
6.4.1.2 References to “Regulation (EU) 2016/679”, “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws”, and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of Swiss Data Protection Laws. For the purposes of Swiss Data Protection Laws, references to the “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
6.4.1.3 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the “FDPIC”.
6.4.1.4 Clause 17 of the EU SCCs is replaced to state: “These Clauses are governed by the laws of Switzerland”.
6.4.1.5 Clause 18 of the EU SCCs is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts.”
6.5 Brazil
6.5.1 The Brazil SCCs apply to the Processing of Customer Personal Data subject to the Brazil General Data Protection Law (Federal Law n. 13.709/2018 – Lei Geral de Proteção de Dados Pessoais) where either party to the transfer is located in a country not deemed adequate by the ANPD for the specific transfer. The parties incorporate the Brazil SCCs by reference as follows:
6.5.1.1 The parties’ roles (controller and/or processor) will be determined based on the circumstances of each transfer.
6.5.1.2 Information required for Clauses 1 (Identification of the Parties) and 2 (Object) of the Brazil SCCs is provided in Annex 1 to this DPA. The designated data subject contact is the notice contact specified in the Agreement or, for ZS, dataprivacy@zs.com.
6.5.1.3 For Clause 3 (Onward Transfers) of the Brazil SCCs, Option B applies and is completed in accordance with the details set out in Annex 1.B to this DPA.
6.5.1.4 For Clause 4 (Responsibilities of the Parties): (a) where Customer is Controller of Customer Personal Data, Customer is the “Designated Party” for Clauses 14 (Transparency), 15 (Data Subject Rights), and 16 (Incident Reporting); (b) where Customer acts as a Processor on behalf of a third-party Controller, Option B applies and the relevant Third-Party Controller is identified based on the information provided under Annex 1 to this DPA.
6.5.1.5 Information required to complete Section 3 (Security Measures) of the Brazil SCCs is set forth in Annex 2 to this DPA.
6.5.1.6 In accordance with Clause 24 of the Brazil SCCs, the Parties agree that the governing forum for the Brazil SCCs is Sao Paulo.
7. Data Subjects
7.1 ZS shall promptly notify Customer if ZS receives a request related to Customer Personal Data from a Data Subject to exercise the Data Subject’s rights under Data Protection Laws; for example, the right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or the right not to be subject to automated individual decision making. Taking into account the nature of the Processing, ZS shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to a Data Subject request.
8. Sub-Processors
8.1 Customer provides general authorization for ZS to engage Sub-Processors to Process Customer Personal Data. ZS has currently appointed, as Sub-Processors, ZS affiliates and third parties listed here.
8.2 Where ZS engages Sub-Processors, it will enter into a written agreement with each Sub-Processor that provides at least the same level of protection for Personal Data as those in this DPA. ZS will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause ZS to breach any of its obligations under this DPA.
8.3 ZS will notify Customer if ZS adds or removes Sub-Processors prior to any such changes, if Customer opts in to receive such email notifications by completing the form available here. Customer may object to ZS’s use of a new Sub-Processor by notifying ZS promptly in writing within thirty (30) days after receipt of ZS’s notice by emailing dataprivacy@zs.com. In the event Customer objects in good faith to a new Sub-Processor, ZS will use reasonable efforts to avoid Processing of Personal Data by such Sub-Processor; however, if ZS is unable to make available such change within a reasonable period of time, Customer, as its sole and exclusive remedy, may terminate the applicable Services by providing written notice to ZS.
Annex 1 to Module One
Controller to Controller
A. LIST OF PARTIES
Data Exporter or Importer as applicable, Name, Address & Contact Person’s Details:
Customer, as defined in the Agreement. The Customer’s business name and address are as listed in the Agreement. The Contact Person may be reached in the manner specified for giving notice in the Agreement.
Activities relevant to the data transferred under these Clauses: The activities relevant to the data transferred are as described in the Agreement as specifically related to the Services.
Role: Controller
Data Importer or Exporter as applicable, Name, Address & Contact Person’s Details:
ZS’s DPOs can be contacted at dataprivacy@zs.com.
Activities relevant to the data transferred under these Clauses: The activities relevant to the data transferred are as described in the Agreement as specifically related to the Services.
Role: Controller
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is Transferred
- Prospects, customers, business partners, and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners, and vendors (who are natural persons)
- Employees, agents, advisors, freelancers of Customer or ZS (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
- Healthcare professionals or patients
- Any other category of data subject that is necessary to perform the Services
Categories of Personal Data Transferred
- First and last name
- Title
- Position
- Employer
- Professional Contact Information (email address, phone number, physical business address)
- Professional life data
- Personal life data
- Under certain Services, precise location data
- IP address
- Any other category of personal data that is necessary to perform the Services
Sensitive data transferred
Under certain Services, health data may be transferred.
The Frequency of the Transfer
Personal data will be processed for the duration of the Services.
Nature and Purpose of Processing
The Parties will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in any applicable licenses, schedules, or SOWs entered into as part of the Agreement.
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period:
As set forth in the Agreement.
Transfer to Sub-Processors
See Section 8 of this DPA.
C. COMPETENT SUPERVISING AUTHORITY
The competent supervisory authority shall be the supervisory authority applicable to the parties in their EEA country of establishment or, where they are not established in the EEA, in the EEA country where their respective representatives have been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.
Annex 1 to Module Two
Controller to Processor
A. LIST OF PARTIES
Data Exporter, Name, Address & Contact Person’s Details:
Customer, as defined in the Agreement. The Customer’s business name and address are as listed in the Agreement. The Contact Person may be reached in the manner specified for giving notice in the Agreement.
Activities relevant to the data transferred under these Clauses: The activities relevant to the data transferred are as described in the Agreement as specifically related to the Services.
Role: Controller
Data Importer, Name, Address & Contact Person’s Details:
ZS’s DPOs can be contacted at dataprivacy@zs.com.
Activities relevant to the data transferred under these Clauses: The activities relevant to the data transferred are as described in the Agreement as specifically related to the Services.
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is Transferred
- Prospects, customers, business partners, and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners, and vendors (who are natural persons)
- Employees, agents, advisors, freelancers of Customer or ZS (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
- Healthcare professionals or patients
- Any other category of data subject that is necessary to perform the Services
Categories of Personal Data Transferred
- First and last name
- Title
- Position
- Employer
- Professional Contact Information (email address, phone number, physical business address)
- Professional life data
- Personal life data
- Under certain Services, precise location data
- IP address
- Any other category of personal data that is necessary to perform the Services
Sensitive data transferred
Under certain Services, health data may be transferred.
The Frequency of the Transfer
Personal data will be processed for the duration of the Services.
Nature and Purpose of Processing
The Importer will Process Personal Data as necessary to perform the Services under the Exporter’s instructions pursuant to the Agreement, as further specified in any applicable licenses, schedules, or SOWs entered into as part of the Agreement.
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period:
As set forth in the Agreement.
Transfer to Sub-Processors
See Section 8 of this DPA.
C. COMPETENT SUPERVISING AUTHORITY
The competent supervisory authority shall be the supervisory authority applicable to the Customer in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.
Annex 1 to Module Four
Processor to Controller
A. LIST OF PARTIES
Data Exporter, Name, Address & Contact Person’s Details:
ZS’s DPOs can be contacted at dataprivacy@zs.com.
Activities relevant to the data transferred under these Clauses: The activities relevant to the data transferred are as described in the Agreement as specifically related to the Services.
Role: Processor
Data Importer, Name, Address & Contact Person’s Details:
Customer, as defined in the Agreement. The Customer’s business name and address are as listed in the Agreement. The Contact Person may be reached in the manner specified for giving notice in the Agreement.
Activities relevant to the data transferred under these Clauses: The activities relevant to the data transferred are as described in the Agreement as specifically related to the Services.
Role: Controller
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is Transferred
- Prospects, customers, business partners, and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners, and vendors (who are natural persons)
- Employees, agents, advisors, freelancers of Customer or ZS (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
- Healthcare professionals or patients
- Any other category of data subject that is necessary to perform the Services
Categories of Personal Data Transferred
- First and last name
- Title
- Position
- Employer
- Professional Contact Information (email address, phone number, physical business address)
- Professional life data
- Personal life data
- Under certain Services, precise location data
- IP address
- Any other category of personal data that is necessary to perform the Services
Sensitive data transferred
Under certain Services, health data may be transferred.
The Frequency of the Transfer
Personal data will be processed for the duration of the Services.
Nature and Purpose of Processing
The Exporter will Process Personal Data as necessary to perform the Services under the Importer’s instructions pursuant to the Agreement, as further specified in any applicable licenses, schedules, or SOWs entered into as part of the Agreement.
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period:
As set forth in the Agreement.
Transfer to Sub-Processors
See Section 8 of this DPA.
C. COMPETENT SUPERVISING AUTHORITY
The competent supervisory authority shall be the supervisory authority applicable to ZS in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.
Annex 2 to the Standard Contractual Clauses
TECHNICAL AND ORGANISATIONAL MEASURES
1. SCOPE
These technical and organizational measures apply to all Personal Data which Data Importer Processes under this DPA.
2. GUIDING PRINCIPLES
Data Importer protects the confidentiality, integrity and availability of Personal Data under its control. Specifically, Data Importer implements reasonable and appropriate safeguards to ensure (a) Personal Data are protected against unauthorized use, loss, destruction, and release, (b) Data Importer systems are secure from unauthorized access, and (c) Data Importer meets all applicable laws, regulations and industry standards.
3. IDENTIFICATION, AUTHENTICATION AND ACCESS CONTROL
3.1 Prior to allowing Data Importer users access to Personal Data, Data Importer obtains and verifies required information about the individual.
3.2 Data Importer assigns unique user IDs to Data Importer users and uses multi-factor authentication to enable access to Data Importer systems.
3.3 Access rights are provided following the principles of least privilege and need to know. Data Importer performs periodic review of user accounts to reassess access levels when job functions change or during organizational changes. Exporter shall control all access to Data Importer applications, software or tools, on the Exporter’s system.
4. SECURITY CONTROLS
4.1 All data stored on Data Importer endpoints and mobile devices is encrypted. The use of USB data storage devices is disabled for read and write operations on all Data Importer laptops.
4.2 Firewall rules are reviewed at least annually. Data Importer performs an annual third-party penetration and vulnerability assessment of its externally facing systems. Vulnerability scans are performed on internal infrastructure periodically.
4.3 Data Importer utilizes a secure email gateway.
4.4 Personal Data are protected by the use of appropriate encryption technologies.
5. HR SECURITY
5.1 Background screenings are performed on all candidates for employment, in accordance with relevant laws, regulations and ethics.
5.2 Data Importer requires all new employees to review and sign a confidentiality agreement at the start of employment.
5.3 All Data Importer employees and contractors must undergo an annual information security and data privacy training.
6. PHYSICAL SECURITY
6.1 Data Importer restricts access to its offices in a manner to comply with the Guiding Principles herein.
6.2 Access to Data Importer data centers or computer rooms is strictly limited to only those who need access to perform their job duties.
7. DATA BACKUPS AND DISASTER RECOVERY
7.1 Data is backed up in an encrypted format, in accordance with Data Importer’s internal backup policies and procedures.
7.2 Data Importer maintains a disaster recovery plan that includes among other things procedures for recovery of processing functions following a disaster.
8. MONITORING, REVIEWS AND AUDITS
8.1 Data Importer creates and maintains logs to monitor system security.
8.2 Data Importer regularly works with its security tool vendors to perform internal assessments.
8.3 Internal and external audits are conducted annually.
9. REPORTING
9.1 Data Importer maintains a process for reporting information protection incidents to Exporter.
9.2 The Data Importer IT Technology Support group is available 24 hours-per-day, seven days-per-week, and will route problems to the appropriate group or individuals.
10. MANAGEMENT STRUCTURE AND RESPONSIBILITY
Data Importer maintains appropriate committees who are responsible for overall company direction on all security and data privacy initiatives across Data Importer.