CAPDESK - DATA Processor Agreement
Appendices to the Agreement
Appendix 1 Categories of personal data
Appendix 2 Technical and organisational security safeguards
Appendix 3 Documentation for compliance with obligations
Appendix 4 Controller's obligations
Appendix 5 Sub-processors
1. THE AGREEMENT AND THE PARTIES
1.1 This Data Processor Agreement (the "Processor Agreement", or just "the Agreement") and underlying appendices is an agreement between Capdesk ApS, DK-2200 Copenhagen N., Denmark, registration number: 36893621, ("the Processor", "we" or "Capdesk") and you or the entity you represent ("the Controller", or "you"), collectively referred to as the Parties and individually as a Party.
1.2 The Parties have agreed to the provision of certain services from the Processor to the Controller, as described in more detail in the Parties' separate agreement to this effect, the Controller's Customer Agreement with Capdesk, and possibly further service specific appendices. This agreement governs the Controller's usage of the Capdesk-provided services, such as usage of the Capdesk web application (the "Application") and the controller's consumption of services in relation hereto, hereafter referred to as the "Primary Services".
1.3 In this connection, the Processor processes personal data on behalf of the Controller, and for that purpose, the Parties have entered into this Agreement.
1.4 You enter into this Agreement when you enter into the Customer Agreement.
2. CHANGES TO THIS AGREEMENT
2.1 You agree that Capdesk may modify this Agreement at any time in its sole discretion and without prior notice to you. Any changes will be published online and will be effective upon such publishing. We will notify you directly in case of substantial changes to this Agreement and if possible, ahead of the changes taking effect, and at least 60 days ahead of adverse changes, or changes in our use of sub-processors, if possible. We encourage you to review this Agreement periodically to ensure familiarity with its then-current terms and conditions. Your continued use of the Services shall constitute your acceptance of this Agreement and your continued use of the Services following any modification of this Agreement shall constitute your acceptance to the Agreement, as amended.
You may object to any substantial change to this Agreement by terminating the Agreement for cause immediately upon notice, on condition that you provide such notice within 90 days of being informed of the change to this Agreement. This termination right is your sole and exclusive remedy if you object to any change in the Agreement.
2.2 This Agreement was last updated on June 24th, 2019.
3.1 The purpose of the Processor Agreement is to ensure that the Processor complies with the personal data regulations in force from time to time, including in particular the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, "GDPR") and the UK Data Protection Act 2018.
4.1 The Processor is authorised to process personal data on behalf of the Controller on the terms and conditions set out in the Processor Agreement.
4.2 The Processor may only process personal data subject to documented instructions from the Controller ("Instructions"). This Processor Agreement, including appendices, constitutes the Instructions at the date of agreement.
4.2.1 The Processor may process any personal data provided by the Controller as part of consuming the Primary Services. Restrictions apply to what categories of personal data the Controller may provide, cf. appendix 4.
4.2.2 The personal data provided by the Controller is kept by the Processor until the Controller requests its deletion as part of termination of this agreement, cf. clause 15.5.
4.2.3 The Processor can optimize the quality and usefulness of the Primary Services, as well as its communication to the Controller, by internally registering and analysing how the Controller and representatives of the Controller consume the Primary Services. To the extent that any personal data is part of such internal data processing, the processing of that data adheres to the obligations set out in this Agreement.
4.3 The Instructions may be changed or concretised at any time by the Controller, pursuant to the Change of Instruction process outlined in clause 11.
4.4 If at any time the Instructions are regarded by the Processor as unlawful (in breach of GDPR, other EU personal data protection regulation, or UK or EU member state national personal data protection regulation), the Processor shall notify the Controller without undue delay.
4.5 Unless explicitly agreed otherwise in writing, the Processor may use all relevant technical and non-technical aids, including IT systems, subject to their appropriate security level (for instance fulfilment of GDPR article 32).
4.6 Regardless of the termination of the Processor Agreement, clauses 13 (liabilities), 15.4 (termination window for processing) and 16 (dispute resolution) will remain in force after termination of the Processor Agreement.
5.1 The Processor Agreement applies until either (a) termination of the agreement(s) on provision of the Primary Services or (b) termination of the Processor Agreement.
6.1 Technical and organisational security measures
6.1.1 The Processor is responsible for implementing necessary (a) technical and (b) organisational measures to ensure an appropriate security level to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. The measures must be implemented with due regard to the current state of the art, costs of implementation and the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons. The Processor shall take the category of personal data described in appendix 1 into consideration in the determination of such measures.
6.1.2 Notwithstanding clause 6.1.1, the Processor shall implement the technical and organisational security measures as specified in (a) appendix 2 to this Processor Agreement.
6.1.3 The Processor shall implement suitable technical and organisational measures in such a manner that the processing by the Processor of personal data meets the requirements of the personal data regulation in force from time to time at the time of processing by the Processor.
6.1.4 The Parties agree that the provided safeguards as specified in appendix 2 are adequate at the date of conclusion of this Processor Agreement. The Processor shall, at own cost and initiative, maintain and elaborate on its technical and organizational measures as described in this clause 6, as time passes, industry practice changes, and supervisory authorities issue opinions.
6.2 Employee conditions
6.2.1 The Processor shall ensure that employees who process personal data for the Processor have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.
6.2.2 The Processor shall ensure that access to the personal data is limited to those employees for whom it is necessary to process personal data in order to meet their obligations to the Controller.
6.2.3 The Processor shall ensure that employees processing personal data for the Processor only process such data in accordance with the Instructions.
6.3 Documentation for compliance with obligations
6.3.1 Upon written request, the Processor shall document to the Controller that the Processor:
a) meets its obligations under this Processor Agreement and the Instructions.
b) meets the provisions of the personal data regulation in force from time to time, in respect of the personal data processed on behalf of the Controller.
6.3.2 The Processor's documentation must be provided within reasonable time.
6.3.3 The specific content of the obligations under clause 6.3.1 is described in appendix 3 to this Processor Agreement.
6.4 Security breach
6.4.1 The Processor shall notify the Controller of any known personal data breach which may potentially lead to accidental or unlawful destruction, alteration, unauthorised disclosure of, or access to, personal data processed for the Controller ("Security Breach").
6.4.2 Security Breaches must be reported to the Controller without undue delay. A Security Breach report shall, to the extent this is possible at the time of reporting, provide the Controller with
a) information about the nature of the Security Breach, including the categories and volumes of personal data affected,
b) information about the potential consequences of the Security Breach,
c) contact information of a Processor representative where further information can be obtained,
d) a description of measures undertaken or planned by the Processor, if any, to mitigate consequences of the Security Breach.
In case of complex situations, the Processor may inform the Controller in steps, as more become known about the Security Breach, and in such situations, the Processor will report regularly to the Controller until all necessary information that can possibly and realistically be obtained regarding the Security Breach has been provided.
6.5.1 The Processor shall to the necessary and reasonable extent assist the Controller in the performance of its obligations in the processing of the personal data covered by this Processor Agreement, including in connection with:
a) responses to data subjects on exercise of their rights; (basic operations and support for performing such operations are available as part of the Services at no cost),
b) Security Breaches;
c) impact assessments; and
d) prior consultation of the supervisory authorities.
6.5.2 In this connection, the Processor shall obtain the information to be included in a notification to the supervisory authority provided that the Processor is best suited to do so.
6.5.3 The Processor may assist with any extra tasks as agreed in writing between the Processor and the Controller.
6.5.4 The Processor is entitled to payment for time spent (at an hourly rate of £100 - £150 ex. VAT, depending on the type of assistance) and materials consumed for assistance pursuant to this clause 6.5; however, to the extent assistance pursuant to 6.5.1 a) and b) is required by GDPR or other applicable law, such assistance will not entitle the Processor to any payments.
7.1 The obligations of the Controller are set out in appendix 4.
8.1 As part of the Processor's delivery of the Primary Services, the Processor may use a third party for the processing of personal data for the Controller (a "Sub-Processor"). This Agreement constitutes the Processor's prior general and specific consent to the Processor's use of Sub-Processors.
8.2 The Processor will ensure that each Sub-Processor adheres to an equivalent level of data protection obligations towards the Processor as those adhered to by the Processor towards the Controller (including in pursuance of this Processor Agreement).
8.3 Moreover, the Sub-Processor also acts only under the Instructions of the Controller.
8.4 The Processor is directly responsible for the Sub-Processor's processing of personal data in the same manner as had the processing been carried out by the Processor.
8.5 Upon request, the Processor shall provide the Controller with documentation of what Sub-Processors are used by the Processor. A list of Sub-Processors as of the Effective Date is included as an appendix to this Agreement.
9. Transfer to third countries and international organisations
9.1 The Processor may only transfer personal data to countries outside UK or EU, or international organisations, to the extent specified in:
a) Clause 9.3 of this Processor Agreement; or
b) Instructions from the Controller; or
c) prior written consent from Controller.
9.2 In any case, personal data may only be transferred to the extent permitted under the personal data regulation in force from time to time, and the Processor shall ensure that the Sub-Processor at any time is subject to a Supervisory Authority or EU Commission approved third country transfer legal mechanism. To the extent this mechanism is the EU Model Clauses, the Controller and Sub-Processor shall execute an unedited version of the EU Model Clauses for it to be considered a valid third country transfer mechanism.
9.3 The Controller approves that the Processor, without further or prior notice, may transfer personal data to secure third countries (as defined in GDPR) and the USA (meeting GDPR requirements by virtue of the EU-U.S. Privacy Shield), as long as such transfers are part of data transfers to and from approved Sub-Processors and pursuant to the conditions in clause 9.2.
9.4 In the event that Britain leaves the EU, Capdesk will continue to consider the UK a secure country with respect to data processing, and will therefore allow customer data to flow between and be processed by both the UK and the EU. This data processing agreement will be updated at that point to reflect this.
10. Data processing outside the scope of the Instructions
10.1 The Processor may process personal data outside the scope of the Instructions in cases where required by EU law or national law to which the Processor is subject.
10.2 If personal data are processed outside the scope of the Instructions, the Processor shall notify the Controller of the reason. The notification must be made before processing is carried out and must include a reference to the legal requirements forming the basis of the processing.
10.3 Notification should not be made if such notification would be contrary to EU law or national law.
11. CHANGE OF INSTRUCTIONS
11.1 Before any changes are made to the Instructions, the Parties shall to the widest possible extent discuss and, if possible agree on, the implementation of the changes, including time and costs of implementation.
11.2 Unless otherwise agreed, the following applies:
· Fundamental processing instructions such as access to, deletion of, or correction of data, or suspension of data processing, shall not be subject to discussion and require the Processor's response without undue delay, cf. also Section 6.5.
· The Processor shall, without undue delay, execute implementation of changes to the Instructions and ensure that such changes are implemented without undue delay in relation to the nature and scope of the change.
· Subject to exclusions and limitations of payment of fees for assistance stipulated in other sections of this Agreement, The Processor is entitled to payment of all costs directly related to changes to the Instructions, including costs of implementation and increased costs for the delivery of the Primary Services.
· An indicative estimate of the time and cost of implementation must be communicated to the Controller without undue delay.
· The changes to the Instructions are only considered to apply once the changes have been implemented, provided that the implementation is carried out in accordance with this clause 11.2 and unless the Controller explicitly communicates a deviation from this clause.
· The Processor is exempt from liability for failure to deliver the Primary Services if (including in terms of time) delivery of the Primary Services would be contrary to the changed Instructions or delivery in accordance with the changed Instructions is not possible. This may be the case (i) where the changes cannot be technically, practically or legally implemented, (ii) where the Controller explicitly communicates that the changes have to apply before implementation is possible or (iii) during the period until the parties have made any necessary changes to the agreement(s) in accordance with the change procedures herein. Notwithstanding the aforementioned, the Processor is never exempt from liability for failure to deliver the Primary Services if the changed Instructions relate to the implementation of appropriate technical and organizational measures as applicable from time to time arising out of law applicable to the Processor.
12.1 The regulation of breach in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on delivery of the Primary Services, the general remedies for breach laid down in applicable law will apply to this Processor Agreement.
13. Liability and limitation of liability
13.1 The regulation of liability and limitation of liability in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.
13.2 The following are not covered by the limitation of liability in this clause 13:
a) Expenses and resource consumption in connection with the performance of a Party's obligations in relation to a supervisory authority or the data subject, including compensation to a data subject, to the extent that these are caused by a breach by the other Party.
14.1 The regulation of force majeure in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.
15.1 Termination for cause or breach or without cause
15.1.1 The Processor Agreement may only be terminated according to the provisions on termination in the agreement(s) on delivery of the Primary Services.
15.2 Effects of termination
15.3 The Processor's authority to process personal data on behalf of the Controller lapses on termination of the Processor Agreement for whatever reason.
15.4 The Processor may continue to store personal data for up to three months and process personal data for up to one month after the termination of the Processor Agreement to the extent that this is necessary to take the required statutory measures. During the same period, the Processor is entitled to let the personal data be included in the Processor's usual backup procedure. The processing by the Processor during this period is assumed to comply with the Instructions.
15.5 The Processor and any Sub-Processors shall return all personal data processed by the Processor under this Processor Agreement to the Controller on termination of the Processor Agreement; if the Controller is already in possession of aforementioned personal data, the Parties may agree to skip this procedure. Then, the Processor will without undue delay delete all personal data from the Controller, and the Controller may request adequate documentation about such deletion, except where such a deletion contradicts record-keeping or other lawful obligations on the Processor in force from time to time.
16.1 The regulation of dispute resolution, including governing law and venue, in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.
17.1 In the event of any discrepancies between this Processor Agreement and the agreement(s) on delivery of the Primary Services, this Processor Agreement takes precedence.
18. CONTACT AND NOTICE
18.1 The contact information of the Parties and the regulation of notice in the agreement(s) on delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof.
CATEGORIES OF PERSONAL DATA
1. CATEGORIES OF PERSONAL DATA
1.1 The categories of personal data considered in the context of this Agreement:
a) General Personal Data, including any data about an identified or identifiable data subject, except for those mentioned in points b) and c), also including civil/social registration numbers. Examples of such data include, but are not limited to, first name, middle names, last name, title, emails, phone numbers, addresses, IP addresses, un-hashed cookies, civil/social security numbers, other personal identifiers, birthday, sex.
b) Sensitive Personal Data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life or sexual orientation, genetic data and biometric data.
c) Other Personal Data, relating to criminal offences and serious social problems.
2. CATEGORIES OF PERSONAL DATA PROCESSED
2.1 According to The Instructions, the Processor will process General Personal Data provided by the Controller.
3. CATEGORIES OF REGISTERED DATA SUBJECTS PROCESSED
3.1 According to The Instructions, the Processor may process personal data for the Controller concerning the following categories of registered data subjects:
a) the Controller's and its affiliated companies' end users, if any,
b) the Controller's and its affiliated companies' employees,
c) the Controller's and its affiliated companies' contact persons,
d) the Controller's and its affiliated companies' direction and board,
e) the Controller's and its affiliated companies' shareholders, optionholders, warrantholders, debtholders, and other stakeholders with a commercial, financial or other interest in or relation to the Controller,
f) the Controller's and its affiliated companies' customers and customers' end users,
g) the Controller's and its affiliated companies' customers' employees,
h) the Controller's and its affiliated companies' customers' contact persons.
TECHNICAL AND ORGANISATIONAL SECURITY SAFEGUARDS
1. Specific technical and organisational security SAFEGUARDS:
1.1 The following specific safeguards are made for the Processor's physical security:
a) Access control to physical facilities,
b) Password-protection of physical equipment and outsourced systems (including databases) by suitably strong passwords, specifically, passwords no less than 10 characters and of at least alphanumerical symbol variance,
c) Only authenticated, encrypted traffic for administrative access to systems (including databases),
d) Data center redundancy of all critical infrastructure, eliminating physical risks to equipment such as fire, power failure, or similar,
e) Periodic monitoring for known vulnerabilities, e.g. scans against the OWASP Top 10, and established process(es) for addressing such vulnerabilities without undue delay.
1.2 The following specific safeguards are made for the Processor's technical security:
a) at the application level, the Application requires authentication via a username/password combination and has a fine-grained access and authorization engine for controlling resource access,
b) on a network communication level, any communication with the Application is encrypted, as is application-database traffic,
c) as for data storage, the Application uses state of the art data centres for storage of database data and documents, which means that data is safe, encrypted at rest, backed up, and roll-backable in case of incidents,
d) data center redundancy, backups (including at least daily backups of Controller's data), deployment and rollout methods and contingency plans enable suitable and timely recovery of the entire Application (in case of a major incident),
e) all Application activity (including database activity) is logged for accountability,
f) the Processor's internal data networks are secured by expert third parties.
1.3 The following specific safeguards are made for the Processor's organisational security:
a) All relevant Processor employees are briefed regularly on the Processor's security matters and how to respond to security incidents,
b) All the Processor's employees follow the Processor's internal Employee Code of Conduct, which spells out relevant best practice employee security behaviour, such as keeping passwords personal, strong and secret.
c) The Processor undertakes regular security reviews to secure a constantly sufficient level of security and develops and implements its business using the principles of privacy by design and privacy by default.
1.4 The following specific safeguards are made for the Processor's deletion of personal data:
a) The Processor keeps a digital record of what personal data is stored where on behalf of the Controller, so that when deletion of data is mandated, the Processor knows which data to delete,
b) The Processor maintains a standard procedure to delete such data,
c) The Processor has procedures to identify personal data that must be deleted due to age.
DOCUMENTATION FOR COMPLIANCE WITH OBLIGATIONS
As part of the Processor's demonstration to the Controller of compliance with its obligations according to clause 6.3 of the Processor Agreement, the following points must be completed and observed.
1. General documentation to the Controller
1.1 Upon written request, the Processor is obliged to submit the following general documentation to the Controller:
a) A declaration from the Processor's management specifying that, during the processing of personal data on behalf of the Controller, the Processor continuously ensures compliance with its obligations under this Processor Agreement.
b) A description of the practical measures, both technical and organisational, implemented by the Processor to ensure compliance with its obligations under the Processor Agreement. The description may include a presentation of established and implemented management systems for information security and for processing of personal data as well as a description of other initiatives taken. As part thereof, the Processor is also obliged to participate in follow-up meetings with the Controller.
c) A description of the control measures taken and implemented by the Processor for measurement and control of the effect of the established management system for information security and processing of personal data and performance measurements thereof.
1.2 Upon written request, the Processor will further assist with non-general documentation, documenting any other measures and controls as the Controller may request.
1.3 The general documentation must be provided no later than 14 working days after the Controller has made its written request to the Processor, or such shorter notice as required by government. The Processor shall prepare general documentation for its own account; preparation of non-general documentation and participation in meetings may be subjected to a separate payment of a fee to the Processor, as agreed on a request by request basis and negotiated between the Parties.
2. Statement of assurance
2.1 Upon request and against separate payment of a fee, the Processor shall arrange for the preparation and submission of statements of assurance regarding the Processor's information security level and the measures taken by the Processor. Scope and payment of such undertakings shall be agreed in more detail on a request by request basis.
Upon request, the Processor shall participate in a physical meeting at the premises of the Processor or the Controller. At the meeting the Processor must be able to give an account of compliance and how compliance is ensured. A request for a meeting must be made subject to at least 14 working days' notice. Scope and payment related to preparation, execution and follow-up shall be agreed in more detail on a request by request basis.
4.1 Upon written request, the Processor shall contribute to and give access to audit.
4.2 The Processor is entitled to payment for time spent and materials consumed for assistance pursuant to this clause 4; the hourly rate for time spent is set to £100 - £150 ex. VAT, depending on the nature of the assistance.
4.3 The Processor is not entitled to payments if an audit shows substantial non-compliance with the obligations under this Agreement or data protection law.
5.1 The above points should not be considered exhaustive, and the Processor therefore undertakes to take any such actions and measures as are necessary for the demonstration of the Processor's obligation under clause 6 of the Processor Agreement.
5.2 The Processor is not obliged to follow a request from the Controller according to this appendix 3 if the request is in violation of the personal data regulation. The Processor shall notify the Controller if the Processor finds that this is the case.
CONTROLLER'S OBLIGATIONS
1.1 The Controller has the following obligations:
a) To ensure that any personal data provided to the Processor is controlled by the Controller on a lawful basis, and is kept accurate, minimized, complete, and up-to-date,
b) To ensure that any obligations towards data subjects relating to the right to be informed about the Controller's controlling of that data subject's data are met,
c) To not provide the Processor with any personal data that are not General Personal Data as defined in Appendix 1 (thus excluding the disclosure or provision of any Sensitive Personal Data, or data relating to criminal offences, or data relating to serious social problems).
d) To ensure that the Instructions are lawful in relation to the personal data regulation in force from time to time.
2.1 By agreeing to the Processor Agreement, the Controller agrees that the Processor has given sufficient and relevant guarantees regarding the technical and organisational safeguards related to securing the registered data subject's rights and personal data, at the time of signing this Agreement. Notwithstanding the aforementioned, the Controller and the Processor agree that the Processor is expected to implement changes that will be required to meet what is considered "appropriate technological and organizational measures", as technology evolves, implementation cost of technology changes, and/or directions from supervisory authorities change.
SUB-PROCESSORS
1.1 The Processor and its affiliates engage the following third party entities to assist them in connection with delivering the Primary Services.
1.2 APPLICATION AND DATA STORAGE
These third party sub-processors provide us with virtual application infrastructure and data storage:
1.2.1 Salesforce.com EMEA Limited (London, England). Provides us with a cloud application platform (Heroku) for running the Application and leveraging platform extensions for error analysis, mail sending, and more. Data processing in UK, EU and USA.
1.2.2 Amazon Web Services, Inc. (Seattle, USA). File storage for Application file data (AWS), backups of system data, and backup of general company data. Data processing in EU and USA.
1.2.3 CloudConvert (München, Germany). Online service for securely converting files between file formats. Data processing in the EU.
1.2.4 DocuSign (San Francisco, USA). Electronic signing of documents. Data processing in EU and USA.
1.3 CUSTOMER SUPPORT AND ONBOARDING
These third party sub-processors provide systems that allow us to provide customer support, to help us onboard customers, and to deliver the Primary Services generally.
1.3.1 Zendesk Group (Delaware, USA). Provides a customer support system (Zendesk) for handling and processing support tickets from end users. Such tickets may contain personal data. Data processing in EU and USA.
1.3.2 Microsoft Ireland Operations Ltd. (Dublin, Ireland). Cloud-based business intelligence system (PowerBI) for gathering and analyzing usage statistics for continuous application optimization. Data processing in data centers in EU.
1.3.3 Google LLC (California, USA). Provides a cloud-based file system (G Suite), where we store customer data as necessary to deliver the Primary Services, such as to assist with onboarding. Data processing in EU and USA.
1.3.4 HubSpot Ireland Ltd. (Dublin, Ireland). Provides a cloud-based customer relationship management system, where we store customer contact data as necessary to deliver and improve the Primary Services. Data processing in the European Economic Area ("EEA"), Switzerland and USA, and as necessary to provide services in specific cases, third countries for which the European Commission has issued an adequacy decision or for which HubSpot ensures that a legal mechanism achieving adequacy is in place.
1.4 PAYMENTS AND KYC
These third-party sub-processors provide systems that allow us to handle customer subscriptions and card payments.
1.4.1 Stripe (San Francisco, USA). Handling of subscriptions, email invoicing and credit card payments. Data processing in the European Economic Area ("EEA"), Switzerland and USA, and as necessary to provide services in specific cases, third countries for which the European Commission has issued an adequacy decision or for which Stripe ensures that a legal mechanism achieving adequacy is in place.
These third-party sub-processors provide systems that allow us to perform KYC (know your customer) checks on companies and natural persons as well as to execute security transactions, transacting money via escrow accounts:
1.4.2 ShieldPay Ltd (London, UK). Perform KYC-checks and transact money via escrow-accounts. Data processing in the European Economic Area ("EEA").