
Data Processing Agreement
PREAMBLE
The Parties have concluded a Software as a Service Agreement regarding the Processor’s provision of his services that entail the Controller’s use of the Processor’s software and services ("Main Agreement"). In the course of rendering these services as per the Main Agreement ("Services"), it is necessary that the Processor processes personal data for which the Controller is responsible as per the applicable data protection laws ("Applicable Data Protection Laws"). In order to meet the requirements of Applicable Data Protection Laws, the Parties conclude the following DPA:
1. DEFINITIONS
For the purposes of this DPA, and unless otherwise indicated by the context, the terms used shall have the meanings given to them as per Applicable Data Protection Laws. Key terms of this DPA are defined below:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2. SCOPE / TERM
2.1 This DPA applies to the processing of all personal data (hereinafter also referred to as "data") which are processed by the Processor on behalf of the Controller. The scope, nature, purpose and further description of the processing are determined by the Main Agreement and are set out in Annex 1 (“Description of Data Processing”) to this DPA.
2.2 Unless otherwise stipulated in this DPA, the term and termination of this DPA shall be governed by the term and termination provisions of the Main Agreement. A termination of the Main Agreement automatically results in a termination of this DPA. An isolated termination of this DPA is excluded.
2.3 Unless otherwise specified in this DPA, all definitions provided in the Main Agreement shall apply to this DPA.
3. RESPONSIBILITY AND AUTHORITY TO ISSUE INSTRUCTIONS / PROTECTIVE MEASURES OF THE PROCESSOR
3.1 The Parties shall be responsible for compliance with the provisions of Applicable Data Protection Laws. The Controller may at any time instruct the Processor to release, correct, adapt, delete and restrict the data processed under this DPA.
3.2 The Processor shall process the data on behalf and in accordance with the instructions of the Controller as per Applicable Data Protection Laws. The Controller remains the controller in terms of Applicable Data Protection Laws.
3.3 In order to ensure the protection of the rights of the data subjects, the Processor shall provide appropriate support to the Controller, in particular, by ensuring appropriate technical and organizational measures (see Section 6). In the event a data subject contacts the Processor directly to act according to such data subject’s right, the Processor shall without undue delay forward that request to the Controller.
3.4 In the event the Processor considers an instruction as a violation of Applicable Data Protection Laws the Processor shall inform the Controller without undue delay. The Processor shall be entitled to suspend the execution of the relevant instruction until such instruction is confirmed or amended by the Controller.
3.5 The Processor may only process data in accordance with the Controller's instructions, unless the Processor is obliged to process data differently under the law of the Union or the Member State to which the Processor is subject (e.g. investigations by law enforcement or state security authorities); in such a case, the Processor must inform the Controller of these legal requirements prior to processing, unless the law in question prohibits such information for reasons of important public interest. The Controller's instructions are in principle conclusively regulated and documented in the provisions of this DPA. Individual instructions that deviate from the provisions of this DPA or impose additional requirements require the consent of the Processor and must be documented. Any additional costs incurred by the Processor as a result shall be borne by the Controller.
3.6 Changes to the object of processing shall be jointly agreed and documented. The Processor shall not use the data for any other purpose and shall, in particular, not be entitled to disclose such data to third parties. The Processor shall not be entitled to copy or duplicate any data without the knowledge of the Controller.
3.7 The Controller shall be responsible for his records of processing activities as per Applicable Data Protection Laws. At the request of the Controller, the Processor shall provide the Controller with information for such records of processing activities. The Processor shall keep records of all categories of processing activities carried out on behalf of the Controller in accordance with Applicable Data Protection Laws.
3.8 The Processor is obligated to inform the natural persons under his authority who have access to the data about the duty of confidentiality and ensures that they process the data only within the scope of the Controller's instructions.
4. CONTROLLER’S LEGAL OBLIGATIONS
4.1 The Controller is solely responsible for the permissibility of the processing of the data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of data in accordance with this DPA, the Controller shall indemnify the Processor from all such claims upon first request.
4.2 The Controller is responsible for providing the Processor with data in time for the rendering of Services according to the Main Agreement and he is responsible for the quality of the data. The Controller shall inform the Processor immediately and completely if during the examination of the Processor’s results he finds errors or irregularities with regard to Applicable Data Protection Laws or his instructions.
4.3 On request, the Controller shall provide the Processor with the information required to record the processing activities as per Applicable Data Protection Laws, insofar as it is not available to the Processor himself.
4.4 If the Processor is required to provide information to a governmental body or person when processing data or to cooperate with these bodies in any other way, the Controller is obliged at first request to assist the Processor in providing such information and in fulfilling other cooperation obligations.
5. PROCESSOR’S LEGAL OBLIGATIONS
5.1 The Processor shall ensure that the persons authorized to process the data are bound by confidentiality or are subject to an appropriate legal obligation of secrecy and shall provide evidence thereof to the Controller upon his request.
5.2 The Parties shall support each other in proving and documenting their accountability with regard to the principles relating to data processing as per Applicable Data Protection Laws, including the implementation of the necessary technical and organizational measures. If required, the Processor shall provide the Controller with the relevant information.
5.3 To the extent required by Applicable Data Protection Laws, the Processor shall appoint a data protection officer who shall carry out his/her activities in accordance with Applicable Data Protection Laws. The contact details of the data protection officer shall be provided to the Controller for the purpose of direct contact.
5.4 The Processor shall inform the Controller without undue delay of any audits and measures taken by the supervisory authorities or if a supervisory authority requests, investigates or otherwise makes enquiries to the Processor.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
6.1 The Parties agree on the specific technical and organizational security measures set out in Annex 3 (“Technical and organizational measures”) to this DPA. Annex 3 forms an integral part of this DPA.
6.2 Technical and organizational measures are subject to technical progress. In this respect, the Processor shall be permitted to implement alternative but adequate measures according to the provisions of Applicable Data Protection Laws and this DPA. Significant changes to such measures shall be documented.
6.3 At the request of the Controller, the Processor shall demonstrate compliance with the technical and organizational measures specified in Annex 3 to the Controller by providing suitable evidence in accordance with the requirements.
7. CONTROL RIGHTS
7.1 The Controller shall be entitled to regularly verify compliance with the provisions of this DPA – in particular with regard to the implementation and effectiveness of the technical and organizational measures pursuant to Annex 3. For this purpose, the Controller may request information from the Processor, review existing expert opinions, certifications, or the results of internal audits, or inspect the implemented technical and organizational measures during normal business hours.
7.2 The Controller shall inform the Processor in good time (generally two weeks in advance) of all circumstances associated with the performance of the audit. The Controller shall conduct audits only to the extent necessary (generally one audit per calendar year) and with due consideration for the Processor’s business operations. The Parties shall coordinate in advance regarding the timing and manner of the audit.
7.3 If the Controller commissions a third party to carry out the audit, the Controller shall obligate the third party in writing the same way as the Controller is obliged to the Processor according to this Section 7 of this DPA. In addition, the Controller shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Processor, the Controller shall immediately submit to him the commitment agreements with the third party. The Controller may not commission any of the Processor’s direct competitors to carry out the audit.
7.4 The Controller shall document the results of any audit and share the report with the Processor. If errors or irregularities are identified during the audit, the Controller shall notify the Processor without undue delay. Where the audit reveals circumstances requiring adjustments to existing procedures in order to prevent recurrence, the Controller shall inform the Processor of the necessary procedural changes without undue delay.
8. NOTIFICATION OBLIGATIONS OF THE PROCESSOR
The Processor shall without undue delay inform the Controller in the event of serious disruption of his operations, suspected breaches and breaches of this DPA and of Applicable Data Protection Laws or other irregularities in the processing of the Controller’s data. This applies, in particular, to the obligation to report data breaches to relevant authorities and affected data subjects as required by Applicable Data Protection Laws. The Processor shall provide appropriate support to the Controller in fulfilling his data breach notification duties as per Applicable Data Protection Laws. The Processor may only carry out notifications related to data breaches for the Controller after receiving prior instructions in accordance with Section 3 of this DPA.
9. ERASURE AND RETURN OF DATA
9.1 Upon termination of the Main Agreement or at the request of the Controller, the Processor shall, without undue delay, return to the Controller all documents, data, and data carriers provided to him, or – where no statutory retention obligations exist – fully and irrevocably delete them at the Controller’s request. This obligation also applies to all copies of the data, including backup copies.
9.2 The Processor may store documentation that serves as evidence of data processing in accordance with this DPA and applicable laws. For such retained data, the obligations set out in Section 9.1 shall apply accordingly after the expiry of any applicable retention periods.
9.3 Upon request, the Processor shall confirm the complete deletion of the data to the Controller in writing.
9.4 Any right of retention is excluded.
10. SUB-PROCESSORS
10.1 The current sub-processors engaged for the performance of this DPA and agreed between the Parties are specified in detail in Annex 2 (“List of Sub-Processors”).
10.2 If the Processor intends to subcontract further sub-processors for the processing of data, the Processor shall inform the Controller of the intended change or replacement of sub-processors. In individual cases, the Controller may object to such changes within 14 days after the respective notification. If this notification period expires without objection from the Controller, the proposed sub-processor shall be deemed approved. Should the Controller raise a justified objection to the new sub-processor within the notification period, the Parties shall cooperate in good faith to find an alternative solution. If no mutually acceptable alternative is confirmed by the Controller, the Processor shall have the right to terminate the Main Agreement and this DPA without notice, if the Services cannot be performed without the engagement of the new sub-processor.
10.3 For the purpose of this provision, sub-processing services are not considered to be services that the Processor purchases from third parties as ancillary services in support of the performance under this DPA, for example telecommunications services.
10.4 If sub-processors are engaged by the Processor, the Processor shall ensure that his contractual agreements with the sub-processor comply with the level of data protection equivalent to that agreed between the Controller and the Processor and that all contractual and legal requirements are complied with; this shall apply, in particular, with regard to the use of appropriate technical and organizational measures to ensure an adequate level of security of the data processing.
11. LIABILITY
11.1 The Processor’s liability under this DPA shall be governed by the disclaimers and limitations of the liability provided for in the Main Agreement. As far as third parties assert claims against the Processor which are caused by the Controller’s culpable breach of this DPA or one of his obligations as the controller in terms of Applicable Data Protection Laws, the Controller shall upon first request indemnify and hold the Processor harmless from these claims.
11.2 The Processor shall also be liable to the Controller for any breaches by engaged sub-processors.
11.3 The Controller undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Controller’s part of responsibility for the infringement sanctioned by the fine.
12. FINAL PROVISIONS
12.1 In the event of any inconsistency, the provisions of this DPA shall prevail over those of the Main Agreement.
12.2 Should any provisions of this DPA be invalid or unenforceable, the validity of the remaining provisions shall not be affected.
ANNEX 1: DESCRIPTION OF DATA PROCESSING
| Section | Description |
|---|---|
| Nature and purpose of processing | The Processor will process data in order to provide the Services in accordance with the Main Agreement and this DPA. The Processor shall only process data for the following purposes: (i) processing to perform its obligations under the Main Agreement; and (ii) processing to comply with any other reasonable instructions provided by the Controller that are consistent with the terms of the Main Agreement. |
| Type of data processing | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Categories of personal data | Customer contact information to send post-order surveys: |
| Data subjects | End-customers of the Controller. |
| Frequency and duration of data processing | The frequency of the processing activities is continuous. The Processor will process the data until the expiration or termination of the Main Agreement in accordance with its terms. |
| Criteria used to determine the period for which the personal data will be retained | The retention period criteria are described in Section 9 of this DPA. |
| Transfers to Sub-processors | The Processor will transfer data to sub-processors as permitted in Section 10 of this DPA. |
ANNEX 2: LIST OF SUB-PROCESSORS
| Provider Name | Address | Purpose and Description of Data Processing | Location of Data Processing |
|---|---|---|---|
| Amazon Web Services | Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA | Cloud hosting provider | USA |
| Auth0 | Auth0, LLC, 100 First Street, Floor 6, San Francisco, CA 94105, USA | Identity and authentication provider | USA |
| Mixpanel | Mixpanel Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA | Product analytics for application | USA |
| GitHub | GitHub Inc., 88 Colin P Kelly Jr. Street, San Francisco, CA 94107, USA | Version control management | USA |
| Databricks | Databricks Inc., 160 Spear Street, 15th Floor, San Francisco, CA, USA | Data lake analytics platform provider | USA |
| Datadog | Datadog, Inc., 620 8th Avenue, Floor 45, New York, NY 10018, USA | Application log management | USA |
| OpenAI | OpenAI, Inc., 3180 18th Street, San Francisco, CA, USA | Foundational model provider | USA |
| Twilio | Twilio Inc., 101 Spear Street, Fifth Floor, San Francisco, CA, USA | SMS sender service | USA |
| SendGrid | SendGrid, Inc., 801 California Street, Suite 500, Denver, CO 80202, USA | Email sender service | USA |
| Google Cloud Platform | Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Push notification cloud messaging provider and GitHub runner compute provider | USA |
| Drata | Drata Inc., 4660 La Jolla Village Drive, San Diego, CA, USA | Compliance management platform | USA |