DATA PROCESSING AGREEMENT
- This data processing agreement (the “Data Processing Agreement”) specifies the data protection obligations of the Parties which arise in connection with the provision of the Services whilst the Customer is using the services provided by ContentApp. It applies to all activities performed in connection with the Customer use of the Services in which Processor and, if and insofar permissible, a third party acting on behalf of Processor may come into contact with personal data of the Customer.
- The relevant types of personal data, the individuals these personal data refer to and the types of processing of personal data being undertaken are set out below:
Users details including the name and contact details are stored to provide access to the system and personalisation. The mobile telephone number is used for interaction and notifications, while the email is additionally used to identify the user in the system. Where jobs are shared, the email may be used to provide a call to action or application path. All connections to 3rd party systems made by the user are made through official APIs and 3rd party tokens are stored.
- This Data Processing Agreement shall remain in force for such time as the Customer is using the Services.
- For the purposes of this Data Processing Agreement, both parties hereby acknowledge and confirm that the Customer is the Data Controller, (hereinafter “Controller”) and ContentApp Limited is the Data Processor, (hereinafter “Processor”).
- “Data Protection Legislation” means the EU General Data Protection Regulation and all other applicable laws and regulations relating to the processing of personal data and privacy.
- “Personal Data” means any information relating to an identified or identifiable natural individual as defined by applicable Data Protection Legislation.
- “Processing” means processing of Personal Data on behalf of Controller as defined by applicable Data Protection Legislation.
- “Instruction” means a written instruction, issued by Controller to Processor, and directing Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). These instructions may from time to time or case to case thereafter, be amended, amplified or replaced by Controller in separate written Instructions (individual Instructions).
- “Services” shall be software provided by ContentApp Limited to the Customer
- “Customer” shall be the entity named on the order form completed when signing up for the Services.
Scope and responsibility
- Both parties shall assist each other in complying with its applicable obligations under the Data Protection Legislation. Each Party shall at all times comply with the Data Privacy Applicable Laws and Regulatory Requirements with regards to the provision of the Services under this Order and shall under no circumstances make the other Party in breach with these laws, rules or regulations.
- Processor shall Process Personal Data on behalf of Controller and always in accordance with the Data Protection Legislation and codes of practice applying to the Processor.
Obligations of Processor
- Processor shall Process Personal Data only within the scope of Controller’s Instructions.
Processors interpretation of those instructions in so far as it applies to the Services is set out below:
Personal Data is held to enable the service to personalise messaging and to communicate with the user for notifications, system updates and support.
Controller hereby acknowledges that the processing specified above comprise it’s instructions to the Processor. If Processor is required to Process the Personal Data for any other purpose by applicable law, Processor will inform the Controller of this legal requirement, to the extent permitted to do so by the applicable law. Processor shall not Process Personal Data for its own purposes and shall keep Controller’ Personal Data logically separate to data processed on behalf of any third party.
- Processor shall notify Controller immediately if, in Processor’s reasonable opinion, an Instruction breaches the Data Protection Legislation.
- Processor shall take appropriate technical and organizational measures to adequately protect Controller’s Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure taking into account the nature of the Processing, The processor has set out below a summary of those measures adopted in the provision of the services:
Passwords are encrypted, alongside offsite backups and the service itself can only
be accessed by a secure protocol (https). All authentication methods to end channels
(social media) are done so using official methods and APIs, with ContentApp never seeing
the user’s credentials.
The Controller acknowledges that the technical and organizational measures set out above are subject to technical progress and development. Processor may implement without advance notification to the Controller adequate alternative measures, providing these are no less adequate than the level of security provided by those they replace. Updated measures shall be incorporated into this data processing agreement and made available on the website of ContentApp Limited.
- If Processor becomes aware of known or suspected breaches of security leading to or which may have led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that Processor has Processed (“Personal Data Breach”). Processor shall provide Controller with a description of the Personal Data Breach, the types of data that was the subject of the Personal Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information Controller may reasonably request relating to the Personal Data Breach. In the event of a Personal Data Breach, Processor will without undue delay (i) take action immediately to investigate the Personal Data Breach and to identify, prevent recurrence and make reasonable efforts to mitigate the effects of any such Personal Data Breach and (ii) to carry out any recovery or other action necessary to remedy the Personal Data Breach. Processor shall not release or publish any filing, communication, notice, press release or report concerning any Personal Data Breach in respect of Controller’s Personal Data without Controller’s prior written approval.
- Controller agrees that an unsuccessful security incident will not be subject to disclosure as per clause 14. An unsuccessful Security incident is one that does not lead to any unauthorised access to Personal Data of the Controller or to any of the hardware or facilities of the Processor used for storing Personal Data of the Controller. This includes but is not limited to port scans, denial of service attacks, pings and other such broadcast attacks on firewalls and unsuccessful log-on attempts.
- The Processor shall ensure that all personnel who have access to Personal Data belonging to Controller under the terms of this Data Processing Agreement maintain confidentiality, such obligations are contractually imposed. Processor shall ensure that access to Controller’s Personal Data is limited to those persons who need access in order to meet the Processor’s obligations under this Data Processing Agreement and that such access is only granted to such parts of the Controller’s Personal Data as is strictly necessary in relation to that person’s particular duties. Processor shall ensure that all personnel who have access to the Personal Data are reliable and have undertaken training appropriate to their role in relation to the handling of Personal Data and applicable Data Protection Legislation.
- Processor shall maintain records of all Personal Data Processing activities carried out on behalf of Controller containing the information prescribed in applicable Data Protection Legislation (including but not limited to the type of Personal Data Processed and the purposes for which they are processed). The Processor has made these records available a:
- Processor will immediately notify Controller of any monitoring, auditing or control activities and measures undertaken by a supervisory authority.
- The Personal Data will be processed and used by Processor exclusively within the territory of a member state of the European Union or the European Economic Area. Any transfer of Personal Data to a third country requires the prior written consent of Controller.
- Processor acknowledges and agrees that all right, title and interest in Controller’s Personal Data (including all intellectual property rights subsisting therein) shall vest solely in Controller.
- Processor shall permit a supervisory authority to access its premises, computer and other information systems, records, documents and records (where permitted by applicable Data Protection Legislation) to enable the supervisory authority to satisfy themselves that Processor is complying with its obligations under this Data Processing Agreement and applicable Data Protection Legislation.
- During the term of the Order the Controller is authorised to audit the technical and organisational measures taken by the processor (hereinafter “Audit”) in order to ensure Processor complies with its obligations under this Data Processing Agreement.
All Audits are defined by the Controller, who shall be responsible for all costs. Audits may be carried out by (i) Controllers suitably qualified employees, (ii) External auditors of the Controller, (iii) regulators of the Controller, (iv) independent consultants appointed by the Controller and /or (v) voluntary disclosures from the Processor.
Should the Controller wish the Audit to be performed by an external auditor or an independent consultant, the Controller must inform the Processor to allow it to raise the potential situation of conflicts of interest with the proposed external auditor or this independent Consultant. The absence of an issue raised by Processor within 5 days following the date of notice will amount to a tacit approval.
During the Audit, Processor will provide with no undue delay information, reasonable assistance and access to its premises as may be necessary in order that those conducting the Audit may fully and promptly carry out each Audit. Where Controller intends to access the premises of the Processor it shall provide the latter with a prior written notice a minimum of ten (10) working days before the beginning of the Audit.
The Controller acknowledges that due to security constraints physical access to the subcontracted hosting facilities utilized by Processor may not be possible and this will not be considered a breach of the Controllers right to audit:
Obligations of Controller
- Controller and Processor shall each be responsible for complying with their applicable obligations under the Data Protection Legislation.
- Controller is responsible for securing data subject’s rights.
- Any additional reasonable costs arising in connection with the return or deletion of Personal Data after the termination or expiration of this Order shall be borne by Controller.
- Controller is solely responsible for securing ALL necessary consents from any Data Subjects in respect of the Personal Data it collects and requires the Processor to Process. Controller hereby indemnifies Processor against all claims, and other applicable actions brought by any Data Subject/s where Controller has failed to obtain the correct and necessary consents.
Enquiries by Data Subjects to Controller
- Where Controller is obliged, under the Data Protection Legislation, to provide information to an individual or a government, regulatory or supervisory authority about the Processing of his or her Personal Data, Processor shall assist Controller in making this information available promptly and no later than 10 working days from receipt of such written request from the Controller.
- If a data subject should apply directly to Processor to request access to, or the rectification, erasure, restriction or portability of, his personal data, or to object to the Processing of his Personal Data, Processor will forward this request to Controller without delay, and no later than 5 working days after receipt. Processor will only correct, delete or block the Personal Data Processed on behalf of Controller when instructed to do so in writing by the Controller.
- The engagement of subcontractors by Processor requires Controller’s prior written consent.
A list of subcontractors used by the Processor in the Processing of Controllers data is set out below:
Intercom – https://www.intercom.com
Tarsnap – https://www.tarsnap.com
MailJet – https://www.mailjet.com
VooDoo SMS – https://voodoosms.com
Twilio – https://www.twilio.com/
Digital Ocean – https://www.digitalocean.com/
Cloudinary – https://cloudinary.com
CloudFlare – https://www.cloudflare.com/
RiteKit – https://ritekit.com/
In signing this order form Controller hereby gives consent to Processor to use these subcontractors.
- Where Processor engages subcontractors with consent of Controller, Processor shall contractually require such subcontractors to comply with obligations that are substantially similar to those set forth herein, including in particular, but not limited to, the contractual requirements for confidentiality, data protection and data security. Processor shall restrict subcontractor’s access to Personal Data of the Controller to the extent necessary for them to provide their services.
- For the avoidance of doubt, where a subcontractor fails to fulfil its obligations under any sub-processing agreement, Processor will remain fully liable to Controller for the fulfilment of its obligations under this Data Processing Agreement.
Deletion and/or return of data and data retention
- Within 15 days of the Controller ceasing to be a Customer of the Processor the Controller will delete the Personal Data of the Controller in compliance with the Data Protection Legislation.
- The processor will retain all personal data of the Controller whilst the controller maintains a contractual relationship with the Processor and utilises the Services of the Processor.
Duties to Inform, Mandatory Written Form
- In the event that Processor (i) is required by law, court order, warrant, subpoena, or other legal judicial process to disclose any of Controller’s Personal Data to any person other than Controller or (ii) receives any inquiry, communication, request or complaint from any governmental, regulatory or supervisory authority, Processor shall immediately notify Controller in writing and shall furnish all reasonable assistance in a timely manner to Controller to enable it to respond or object to, or challenge any such inquiries, communications, requests, or complaints and to meet applicable statutory or regulatory deadlines.
- No change of or amendment to this Data Processing Agreement or any of its requirements, including any commitment issued by Processor, shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to this Data Processing Agreement. Any waiver of any provision of this Data Processing Agreement shall be recorded in written form.