Data Processing Agreement (DPA)

1.     BACKGROUND

1.1.   The Customer and Chattermill Analytics Limited ("Chattermill", "we", "our" or "us") entered into a pricing plan (or statement of work) incorporating our terms and conditions (together, the "Agreement").

1.2.   This DPA is between Chattermill and the Customer (each a "Party" and collectively the "Parties"), pursuant to the Agreement.

1.3.   In the event that we Process any Authorised User Data and/or Customer End User Data (each as defined below) of individuals located in the EEA, or of any Customer who is established in the EEA, this Data Processing Agreement (the "DPA") shall be supplemental to the Agreement and apply to the Processing of such Authorised User Data and/or Customer End User Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

2.    DEFINITIONS

2.1.   Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following capitalised terms used in this DPA shall be defined as follows:

"Authorised User" means the Customer's employees; any contract staff who are working for the Customer; and any other person working with, or on behalf of, the Customer who are granted access to the Services exclusively on the Customer's behalf and with the Customer's prior authorisation.

"Authorised User Data" means the "personal data" (as defined in the GDPR) described in Appendix 1 and any other personal data that we process on behalf of the Customer in relation to each Authorised User in connection with our provision of the Services.

"Controller" has the meaning given in the GDPR.

"Customer End User" means an end user of the Customer.

"Customer End User Data" means the "personal data" (as defined in the GDPR) described in Appendix 1 and any other personal data that we process on behalf of the Customer in relation to any Customer End User in connection with our provision of the Services.

"Data Protection Laws" means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

"Data Subject" has the meaning given in the GDPR.

"European Economic Area" or "EEA" means the Member States of the European Union
together with Iceland, Norway, and Liechtenstein.

"Processing" has the meaning given in the Directive, and "Process" will be interpreted accordingly.

"Processor" has the meaning given in the GDPR.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Authorised User Data and/or Customer End User Data.

"Services" means the Services as described in the Agreement.

"Standard Contractual Clauses" means the Standard Contractual Clauses (Processors) approved by European Commission Decision 2010/87/EU or any subsequent version thereof released by the European Commission (which will automatically apply).


"Sub-processor" means any sub-processor engaged by us who agrees to receive from us Authorised User Data and/or Customer End User Data.

"Supervisory Authority" has the meaning given in the GDPR.

"UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (the "GDPR"); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

3.     DATA PROCESSING

3.1.   Customer as Controller. The Customer and Chattermill acknowledge that for the purpose of Data Protection Laws, the Customer is the Controller and Chattermill is the
Processor.

3.2.   Customer Compliance. The Customer retains control of the personal data and remains responsible for its compliance obligations under applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Chattermill.

3.3.   Nature and Purpose of Processing. Annex A describes the subject matter, duration, nature and purpose of processing and the personal data categories and Data Subject types in respect of which Chattermill may process personal data in order to provide the Services and fulfill it's obligations under the Agreement.

3.4.   Instructions for Data Processing. We will only Process Authorised User Data and/or Customer End User Data in accordance with the Customer’s written instructions, unless Processing is required by European Union or Member State law to which we may be subject, in which case we shall, to the extent permitted by European Union or Member State law, inform the Customer of that legal requirement before Processing such data. The Agreement (subject to any changes to the Services agreed between the Parties) and this DPA shall be the Customer’s complete and final instructions to us in relation to the processing of such data.

3.5.  Additional processing. Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and us on additional instructions for Processing.

3.6.   Required consents. Where required by applicable Data Protection Laws, Customer will ensure that it has obtained/will obtain all necessary consents for the Processing of Authorised User Data and/or Customer End User Data by us in accordance with the Agreement.

4.     TRANSFER OF PERSONAL DATA

4.1.  Authorised Sub-processors. The Customer agrees that we may use the Sub-processors set out in Annex B.

4.2.  Subcontractors. The Customer agrees that we may use these Sub-processors to fulfil our contractual obligations under the Agreement. We shall notify the Customer from time to time of the identity of any Sub-processors we engage. If the Customer (acting reasonably) does not approve of a new Sub-processor, then without prejudice to any right to terminate the Agreement, the Customer may request that we move the Authorised User Data and/or Customer End User Data to another Sub-processor and we shall, within a reasonable period of time following receipt of such request, use all reasonable endeavours to ensure that the original Sub-processor does not Process any of the Authorised User Data and/or Customer End User Data.

4.3.  Sub-processors. Save as set out in clauses 4.1 and 4.2, we shall not permit, allow or otherwise facilitate Sub-processors to Process Authorised User Data and/or Customer End User Data without the prior written consent of the Customer and unless we enter into a written agreement with the Sub-processor which imposes the same obligations on the Sub-processor with regard to their Processing of Authorised User Data and/or Customer End User Data, as are imposed on us under this DPA.

4.4.   Liability of Sub-processors. We will at all times remain responsible for compliance with our obligations under the DPA and will be liable to the Customer for the acts and omissions of any Sub processor approved by the Customer as if they were our acts and omissions.

4.5.   Prohibition on Transfers of Personal Data. To the extent that the Processing of Authorised User Data and/or Customer End User Data by us involves the export of such personal data to a country or territory outside the EEA, other than a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of personal data as determined by the European Commission, (an "International Transfer"), such transfer shall be governed by the Standard Contractual Clauses or such other legally recognised transfer method in force. In the event of any conflict between any terms in the Standard Contractual Clauses, this DPA and the Agreement, the Standard Contractual Clauses shall prevail.

5.     DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS

5.1.   Chattermill Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out at Annex C.

5.2.  Compliance. Upon request by the Customer, we will make available all information reasonably necessary to demonstrate compliance with this DPA.

5.3.  Audit. Chattermill will permit the Customer and its third-party representatives to audit Chattermill’s compliance with its obligations, on at least 30 days’ notice, during the term of the Agreement. Chattermill will give the Customer and its third-party representatives only such assistance as is necessary to conduct such audits.

5.4.   Security Incident Notification. If we or any Sub-processor become aware of a Security Incident we will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.

5.5.   Chattermill Employees and Personnel. We will treat the Authorised User Data and Customer End User Data as the Confidential Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Authorised User Data and Customer End User Data.

6.    ACCESS REQUESTS AND DATA SUBJECT RIGHTS

6.1.  Data Subject Requests. Save as required or where prohibited (as applicable) under applicable law, we will notify the Customer of any request received by us or any Sub-processor from a Data Subject in respect of personal data included in the Authorised User Data or Customer End User Data, and will not respond to the Data Subject. The Customer shall be solely responsible for responding substantively to any such Data Subject Request or communications involving personal data.

6.2.  Changes. We will provide the Customer with the ability to correct, delete, block, access or copy the Authorised User Data or Customer End User Data in accordance with the functionality of the Services.

6.3.   Government Disclosure. We will notify the Customer of any request for the disclosure of Authorised User Data or Customer End User Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

6.4.   Data Subject Rights. Where applicable, and taking into account the nature of the Processing, we will use all reasonable endeavours to assist the Customer by implementing any other appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subject rights set out in the GDPR.

7.     DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

7.1.  To the extent required under applicable Data Protection Laws, we will provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Authorised User Data or Customer End User Data and taking into account the nature of the Processing and information available to us.

8.     TERMINATION

8.1.  This DPA will remain in full force and effect so long as the Agreement remains in effect.

8.2.  This DPA will terminate immediately upon termination of the Agreement.

8.3.  On termination of this DPA, howsoever caused, Chattermill will immediately cease processing Authorised User Data and Customer End User Data and, at the Customer’s option or direction, arrange for the prompt and safe return and/or destruction of all Authorised User Data and Customer End User Data.



ANNEX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Data Exporter: Customer

Data Importer: Chattermill


Subject matter of Processing: The processing is needed in order to enable the provision of Services pursuant to the Agreement.

Duration of Processing: For the duration of the Agreement, unless otherwise agreed in writing.

Nature of Processing: Storage, transmission and use in order to provide the Services.

Business Purpose: For the provision of Services, pursuant to the Agreement.

Personal Data Categories: Name, email and online identifiers (such as IP address) or such other data collected by the Customer and provided to Chattermill.

Data Subjects: Authorised User and Customer End User.

ANNEX B

SUB-PROCESSORS

Authorised User Data:

#Sub-processor Address Jurisdiction ProcessingFramework
1.IntercomIntercom, London 80 Great Eastern Street, London, UKEC2A 3JLUKName, email address and IP address of each Authorised User.N/A
2. Amazon Web ServicesAmazon Web Services UK Limited, 15 St Botolph St, London EC3A 7DTUK Name, email address and IP address of each Authorised User.N/A
3.SegmentSegment Technologies Ireland, Limited, 3rd Floor, Kilmore House, Spencer Dock, Dublin 1 D01 YE64EUName, email address and IP address of each Authorised User.N/A
4.RollbarRollbar, Inc. 51 Federal Street Suite 401 San Francisco, California 94107USName, email address and IP address of each Authorised User.EU-US Privacy Shield Framework
5.LogrocketLogRocket, Inc. 87 Summer Street Boston, Massachusetts 02110USName, email address and IP address of each Authorised User.EU-US Privacy Shield Framework
6.HubspotHubSpot, Inc. 25 First St., 2nd floor Cambridge, Massachusetts 02141USName, email address and IP address of each Authorised User.EU-US Privacy Shield Framework
7.AmplitudeAmplitude, Inc. 631 Howard Street, Floor 5 San Francisco, California 94105USName, email address and IP address of each Authorised User.EU-US Privacy Shield Framework
8.Google (Google Cloud Platform)Google Ireland Limited Gordon House Barrow Street Dublin 4 IrelandEUName and email address of each Authorised User.N/A
9.Auth0Auth0, Inc.- d 10800 NE 8th St, Suite 700 Bellevue, Washington 98004USName, email address and IP address of each Authorised User.EU-US Privacy Shield Framework
10.FullstoryFullStory, Inc. 120 Ottley Drive Suite 100, Atlanta GA 30324 1745 Peachtree Street, Suite G Atlanta, Georgia 30309USName, email address and IP address of each Authorised User.EU-US Privacy Shield Framework
11.Vitally1 Broadway Cambridge, MA 02142 United StatesUSName, email address and IP address of each Authorised User.Standard Contractual Clauses

Customer End User Data:

#Sub-processor AddressJurisdictionProcessing Framework
12.Google (Google Cloud Platform)Google Ireland Limited Gordon House Barrow Street Dublin 4 IrelandEUInformation contained in any feedback/comments collected by the Customer, in relation to each Customer End User.N/A

ANNEX C

TECHNICAL AND ORGANISATIONAL MEASURES

Introduction

We maintain internal policies and procedures, or procure that our Sub-processors do so, which are designed to:

a.    secure any personal data Processed by us against accidental or unlawful loss, access or disclosure;

b.    identify reasonably foreseeable and internal risks to secure and unauthorised access to the personal data Processed by us;

c.     minimise security risks, including through risk assessment and regular testing.

We will conduct periodic reviews of the security of our network and the adequacy of our information security program as measured against industry security standards and our policies and procedures (including our security policy), and will use all practical efforts to procure that our Sub-processors do so as well.

We will periodically evaluate the security of our network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews, and will use reasonable efforts to procure that our Sub-processors do so as well.

Access controls

We limit access to personal data by implementing appropriate access controls.

Availability and back-up of personal data

We regularly back-up . Back-ups are stored separately and are encrypted at rest.

Disposal of IT equipment

We have in place processes to securely remove all personal data before disposing of IT systems (for example, by using appropriate technology to purge equipment of data and/or
destroying hard disks).

Encryption

We use encryption technology where appropriate to protect personal data held electronically.

Transmission or transport of personal data

We will implement appropriate controls to secure personal data during transmission or transit.

Device hardening

We will remove unused software and services from devices used to process personal data. Default passwords that are provided by hardware and software producers will not be used.

Physical security

We implement appropriate physical security measures to safeguard personal data.

Staff training and awareness

We carry out staff training on data security and privacy issues relevant to their job role and ensure that new starters receive appropriate training before they start their role.

Staff are subject to disciplinary measures for breaches of our policies and procedures relating to data privacy and security.




Last updated: 26 October 2020








TechCrunchTechCrunch
TelegraphTelegraph
UKTNUKTN
TechNationTechNation
ResearchLiveResearchLive