Data Processing Agreement (DPA)
This DPA constitutes Duuoo's (the "Processor") and Customer's (the "Controller") rights and obligations regarding data processing and is an integrated part of the Agreement. Capitalized terms used but not defined in this DPA will have the meaning assigned to them in the TC or the Order.
Appendices to the Processor Agreement
Appendix 1 Primary service
Appendix 2 Documentation for compliance with obligations
Appendix 3 Sub-processors
- Background and Purpose
- The Parties have agreed to the provision of certain services from the Processor to the Controller, as described in more detail in the Agreement and appendix 1 to this DPA (the "Primary Services").
- In this connection, the Processor processes personal data on behalf of the Controller, and for that purpose, the Parties have entered this
- The purpose of the DPA is to ensure that the processing activities comply with the personal data regulations in force from time to time, including in particular: the Danish Act on Processing of Personal Data (Act 2000-05-31 no. 429, as amended) until 25th May 2018 [and the Danish Executive Order on Security Measures for Protection of Personal Data (Executive Order 2000-06-15 no. 528, as amended) until 25th May 2018] and the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) when this takes effect on 25th May 2018.
- The Processor is authorised to process personal data on behalf of the Controller on the terms and conditions set out below.
- The Processor may only process personal data subject to documented instructions from the Controller ("Instructions"). The Agreement, including this DPA, constitutes the Instructions at the date of signature of the Agreement.
- Unless otherwise specified, the Processor may use all relevant technical aids, including IT systems in the processing activities.
- The DPA applies until the Processor has fulfilled its processing obligations under the Agreement, including this DPA.
- Processor's obligations
- Technical and organisational security measures
- The Processor is responsible for implementing necessary (a) technical and (b) organisational measures to ensure an appropriate security level. The measures must be implemented with due regard to the current state of the art, costs of implementation and the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons. The Processor shall take the category of personal data described in appendix 1 into consideration in the determination of such measures.
- The Processor shall implement the suitable technical and organisational measures in such a manner that the processing by the Processor of personal data meets the requirements of the personal data regulation in force from time to time.
- Employee conditions
- The Processor shall ensure that employees who process personal data for the Processor have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.
- The Processor shall ensure that access to the personal data is limited to those employees for whom it is necessary to process personal data in order to meet their obligations to the Controller and fulfil the Agreement.
- The Processor shall ensure that employees processing personal data for the Processor only process such data in accordance with the Instructions.
- Documentation for compliance with obligations
- Upon written request, the Processor shall within reasonable time make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
- The specific content of the obligations under clause 4.3.1 is described in appendix 2 to this DPA.
- Security breach
- The Processor shall without undue delay notify the Controller of any personal data breach leading to accidental or unlawful destruction, alteration, unauthorised disclosure of, or access to, personal data processed for the Controller by the Processor.
- The Processor shall maintain a record of all personal data breaches. The record must as a minimum document the following:
- the facts relating to the personal data breach;
- the effects of the personal data breach; and
- the remedial measures taken.
- Upon written request, the record must be made available to the Controller or the supervisory authorities.
- The Processor shall upon written request, taking into account the nature of the processing activities conducted by the Processor, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the General Data Protection Regulation.
- The Processor shall also upon written request assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of processing and the information available to the Processor.
- Finally, the Processor shall assist with the tasks specified in appendix 2.
- The Processor is entitled to payment for time spent and materials consumed for assistance pursuant to this clause 4.5.
- Controller's obligations
The Controller has the following obligations:
- The Controller is responsible for the processing of personal data within the scope of the data protection regulations in force towards data subjects and the authorities.
- The Controller is responsible for the existence of a legal basis for the processing activities which the Controller has instructed the Processor to perform.
- The Controller is responsible for complying with the principles relating to processing of personal data.
- The Processor has the Controller's general written authorisation to engage another processor (sub-processor) to carry out specific processing activities on behalf of the Controller. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of a sub-processor, thereby giving the Controller the opportunity to object to such changes. If any objections are received, the Processor shall ensure that the sub-processor does not process personal data on behalf of the Controller. The Processor shall thereafter be exempted from its obligations to perform the services under the Agreement, and the Controller may terminate the Agreement with the agreed notice. The obligation for the Processor to pay any agreed amounts shall not be exempted. The Processor intends, at the time of entering the Agreement, to engage the sub-processors set out in appendix 3.
- The Processor and the Sub-Processor shall conclude a written agreement imposing the same data protection obligations on the Sub-Processor as those of the Processor (including in pursuance of this Processor Agreement).
- Where the Sub-Processor delivers its services to the Processor on the Sub-Processor's own terms, such terms shall be deemed approved by the Controller when reference to such terms is made in appendix 3.
- All communication with the Sub-Processor is handled by the Processor, unless otherwise specifically agreed.
- Transfer to third countries and international organisations
- The Processor may transfer personal data to third countries or international organisations to the extent the Processor ensures that there is a legal basis for the transfer.
- If personal data are transferred to a third country, the Controller shall assist the Processor free of charge in connection with the conclusion of necessary agreements, or the Controller shall authorise the Processor to conclude the required agreements on behalf of the Controller.
- Data processing outside the scope of the Instructions
- The Processor may process personal data outside the scope of the Instructions in cases where required by EU law or national law to which the Processor is subject.
- If personal data are processed outside the scope of the Instructions, the Processor shall notify the Controller of the reason. The notification must be made before processing is carried out and must include a reference to the legal requirements forming the basis of the processing.
- Notification should not be made if such notification would be contrary to EU law or national law.
- Changes to the DPA or Instructions
- The Parties may agree to changes to the DPA or the Instructions under the agreed change process in the Agreement. The Controller may at any time recall its Instructions, and the Processor shall thereafter without undue delay stop any processing activities (except for storing data until the data has either been returned or deleted according to the Controller's instructions). The Processor shall in such situations be exempted from its obligations to perform services under the Agreement until the Agreement is terminated or the Parties have agreed on a new instruction. The Controller's obligations to make payments under the Agreement shall not be exempted.
- Liability and limitation of liability
The Parties assume liability in accordance with the Agreement. For compensation and liability towards any person who has suffered material or non-material damage because of unlawful processing, the principles in the General Data Protection Regulation art. 82 shall apply. For fines, the principles in the General Data Protection Regulation art. 83 shall apply.
APPENDIX 1 - PRIMARY SERVICE
- Primary Service
- The Primary Service consists of the following: Duuoo is a people management system that helps managers run 1-on-1 conversations, document notes and outcomes/agreements, and give a historical overview of this data to employees, managers and HR. Duuoo will process these meeting notes and agreement data to provide insight and education content to all managers and HR.
- Personal data
- Types of personal data processed in connection with the delivery of the Primary Service:
- General personal data, including: Full name, Email (work), Title, Profile Picture, Team/Department.
- Service data: Duuoo stores data during the use of the service; this is needed to provide the service. This data includes: Meeting metadata (date/time, time spent, attendees), Notes (free text), Agreements (agreed next steps, including data such as owner, category and goal in free text), Team data (members of the team, manager of the team), ACL (who has access to what time, part of the service).
- Categories of data subjects
The Controller has informed that the processing relates to the following categories of data subjects:
- Current Employees
- Previous Employees
APPENDIX 2 - DOCUMENTATION FOR COMPLIANCE WITH OBLIGATIONS
As part of the Processor's demonstration to the Controller of compliance with its obligations according to clause 4.3, the following points must be completed and observed.
- Physical meeting at the Processor's premises
- Upon request, the Processor shall participate in a physical meeting at the premises of the Processor or the Controller. At the meeting the Processor must be able to give an account of compliance and how compliance is ensured. A request for a meeting must be made subject to at least 45 days' notice.
- Upon written request, the Processor shall contribute to and give access to an audit.
- The audit must be conducted by an independent third party selected by the Controller and approved by the Processor. The Processor may not reject a suggested third party without reasonable cause. The independent third party must accept a general confidentiality agreement with the Processor. A request for audit must be made subject to at least 45 days' notice.
- The Processor is entitled to payment for time spent and materials consumed for assistance.
APPENDIX 3 - SUB-PROCESSORS
- The Controller hereby acknowledges that the Processor at the time of entering the Agreement uses the following Sub-Processors:
- Intercom - 55 2nd St, 4th Fl. San Francisco, CA 94105, United States
- Hubspot - One Dockland Central, Dublin 1, Ireland
- Google - 1600 Amphitheatre Parkway, Mountain View, CA, United States
- FullStory Inc - 120 Ottley Dr NE, Atlanta, GA 30324, USA
- Segment.io - 100 California St Suite 700, San Francisco, CA 94111, USA
- Mixpanel - 405 Howard Street, Floor 2, San Francisco, CA 94105
- Hotjar - Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta
- Zapier Inc - 243 Buena Vista Avenue, Suite 508, Sunnyvale, CA 94086, United States
- Cronofy - 20 Ropemaker Street, London, EC2Y 9AR, UK
- Stripe Inc - 185 Berry Street, Suite 550, San Francisco, CA 94107, USA
- Sendgrid Inc - 1801 California Street, Denver, CO 80202, USA
- Papertrail Inc - 1425 Broadway, Suite 20-4242, Seattle, WA 98122, United States
- ChartMogul Ltd - Invalidenstraße 35, 10115 Berlin, Germany
- Heroku Inc - The Landmark @ 1 Market St., Suite 300, San Francisco, CA, 94105, USA