Data Processing Agreement

Data Processing Agreement

This document regulates the entire understanding of the parties according to GDPR data regulations and the processing of personal data.

  1. Definitions
      DPA - this document.
      GDPR - the General Data Protection Regulation (EU) 2016/679.
      Service - services provided by Innodia Ltd through the website (http://centriumcrm.com) and the software (https://app.centriumcrm.com).
      Terms of Service - the agreement between Innodia Ltd and the Customer for the use of the Service (http://centriumcrm.com/terms-of-service).
      Customer - same as in Terms of Service.
      Data Processor - Innodia Ltd.
      Data Controller - the Customer.
      Personal Data - same as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (as amended from time to time, or replaced by subsequent legislation).
      Data Subject - same as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (as amended from time to time, or replaced by subsequent legislation).
      Standard Contractual Clauses - the EU model clauses for Personal Data transfer from controllers to processors c2010-593 - Decision 2010/87EU.
      Sub-Processor - entity acting as a Data Processor, engaged by Processor in order to process Personal Data as part of the Service.
      Security Documentation - Appendix C of this document.
      Personal Data Breach - accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
  2. General
    1. This agreement (DPA) regulates the processing of personal data on behalf of the Customer (Data Controller) by Innodia Ltd, a company registered in England and Wales with number 07779992 (Data Processor).
    2. This DPA is subject to regulations and interpretation of legal regulations binding in the United Kingdom; therefore, each of the parties undertakes to subordinate to exclusive jurisdiction of the courts of England and Wales.
  3. Purpose
    1. The Data Processor has agreed to provide the Service to the Data Controller in accordance with the Terms of Service. In providing the Service, the Data Processor will process data submitted to the Service by the Customer. This data may contain Personal Data. The Data Processor will process, on behalf of Data Controller, such Personal Data in accordance with the terms of this DPA.
  4. Term
    1. For the duration of the provision of the Service until deletion of all Personal Data by The Data Processor in accordance with this DPA.
  5. Termination
    1. On termination, the Data Controller may request the return or deletion of Personal Data. This request must be made within 7 days of termination. Requested data will remain available for download in a machine readable format for the Data Controller by the Data Processor.
      After 7 days of termination, the Data Processor will delete the Personal Data from live production version of the Service.
    2. Following the deletion mentioned above, some data may reside on the Data Processor’s backup systems for a period of up to 31 days and logging systems for up to 90 days.
    3. The Data Processor’s processing of the Data Controller’s Personal Data in 90 days after the termination of this DPA shall be considered as being in accordance with the instructions from the Data Controller
    4. The Data Processor may continue to process the Personal Data after the termination of the DPA to the extent it is necessary for the establishment, exercise or defence of legal claims (Art. 17.3(e) of GDPR).
  6. Legislation
    1. This DPA shall ensure that the Data Processor complies with the Applicable Law regarding data protection and privacy, including in particular:
      • The European Parliament and the Council’s Regulation 2016/679 of 27 April 2016 (GDPR)
      • The European Parliament and the Council’s Directive 95/46/EC of 24 October 1995
  7. Obligations
    1. Data Processor obligations
      1. The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (such as activity or recorded action in the Service) with the purpose of delivering the Service as described in the Terms of Service and with compliance with this DPA.
      2. The Data Processor will implement the appropriate technical and organizational measures as set out in this DPA and in the Applicable Law, including in accordance with GDPR, article 32, to protect Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
      3. The Data Processor shall give notice without undue delay if the Data Processor considers the at the time being Instruction to be in conflict with the Applicable Law.
      4. The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees will treat all the Personal Data under this DPA with strict confidentiality.
      5. The Data Processor and its employees, agents, officers and contractors will treat all the Personal Data as strictly confidential, and are bound by the terms of this DPA and have received appropriate training.
      6. Where Personal Data relating to an EU Data Subject is transferred outside of the EEA it shall be processed only by entities which are located in a third country or territory recognised by the EU Commission to have an adequate level of protection or have appropriate safeguards in place, such as the EU-US Privacy Shield.
      7. Taking into account the nature of the processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights and the Data Controller’s compliance with GDPR.
    2. Data Controller obligations
      1. The Data Controller confirms that it will comply with the Terms of Service, this DPA and all Applicable Law regarding data protection and privacy, and confirms that all Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with legislative requirements regarding lawfulness of processing and all Applicable Law.
      2. All entities and persons who use the Service shall comply with the obligations of the Data Controller set out in this DPA.
      3. The Data Controller has his own obligations to implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons ( GDPR article 32)
      4. The Data Controller will make sure that anyone acting under the authority of the Data Controller who has access to Personal Data will not process the Personal Data except on and following instructions from the Data Controller.
      5. The Data Controller is responsible to independently establish and recall persons authorized to use the Service and to manage the accounts of persons authorized to use the Service so that unauthorized persons do not have access to Personal Data or the possibility of submitting data processing instructions to the Data Processor.
  8. Sub-processors
    1. The Data Controller agrees that the Data Processor may engage another external processor (Sub-Processor) for carrying out specific processing activities on behalf of the Data Controller with the purpose of delivering the Service.
    2. All Sub-processors who process Personal Data in the provision of the Services to the Data Controller shall comply with the obligations of the Data Processor similar to those set out in this DPA.
    3. The Data Processor is at the time of entering into this Data Processor Agreement using the Sub-Processors listed in Appendix B. In case of adding or replacing a Sub-Processor, the Data Processor will notify the Data Controller via email 30 days before the change. If the Data Controller does not agree to a new or replacement Sub-Processor, the Data Controller may terminate the Terms and Conditions as it might be not possible to provide the Service without the new or replacement Sub-Processor.
    4. Where Sub-processors are located outside of the EEA, we confirm that such Sub-processors: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with us; or (iii) have other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
  9. Data breach notification
    1. In case of any Personal Data Breach, the Data Processor, without undue delay, will notify the Data Controller of the Personal Data Breach and provide the Data Controller with details of the breach.
    2. The Data Processor’s notification of, or response to, a Personal Data Breach will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.
    3. The Data Controller is solely responsible for complying with data breach notification laws applicable to the Data Controller and fulfilling any notification obligations related to Personal Data Breaches. The Data Processor will not assess the content of the Data Controller’s data in order to identify information subject to any specific Personal Data Breach.
    4. If the Data Controller becomes aware of a Personal Data Breach in connection with the use of the Service, it will without undue delay notify the Data Processor of the Personal Data Breach and provide the Data Processor with details of the Personal Data Breach.
  10. Liability
    1. The limitations on liability set out in the Terms of Service (14.1, 14.2, 14.3) apply to all claims made pursuant to any breach of the terms of this DPA.
    2. The Data Processor will be liable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions for any breach of this DPA.
    3. The Data Controller will be liable for any breaches of this DPA caused by the acts and omissions or negligence of its employees and other users of the Service as if such acts, omissions or negligence had been committed by the Data Controller.
    4. The Data Controller shall not be entitled to recover more than once in respect of the same claim.
  11. Audit
    1. The Data Processor shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with its processing obligations and will contribute to and allow for audits and inspections.
    2. In case the Data Controller will require an independent audit, the Data Controller will give at least 4 weeks prior notice of such request. The Data Controller will ensure that all information obtained during the audit will be kept strictly confidential. Any audit inspection will be undertaken during normal business hours in England, and will not cause any disruption to Data Processor’s day-to-day business. Data Processor reserves the right to object to any third party auditor appointed by Data Controller if the auditor is not suitably qualified or independent in the Data Processor’s opinion to conduct such audit. The Data Controller understands that the Data Processor may charge a fee (based on time and costs) for assisting with the audit.
    3. The Data Controller agrees that any audit will be limited in scope to matters specific to the Data Controller and this DPA.
  12. Compliance and cooperation
    1. Data Processor shall maintain, written records of all categories of processing activities carried out on behalf of the Data Controller, in accordance with applicable Data Protection Laws.
    2. In case the Data Controller needs assistance from the Data Processor in replying to requests from data subject to exercise data subject’s rights under the Applicable Law, the Data Processor will assist the Data Controller by providing the necessary information and documentation in reasonable time in accordance with the Applicable Law. The Data Controller agrees that the Data Processor might charge additional fees for assisting the Data Controller requests pursuant to this DPA. In such case the Data Processor will notify the Data Controller about the cost of such assistance in advance.
    3. In case the Data Processor receives a data subject’s request for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor will, without undue delay forward the request to the Data Controller and will not respond to the person directly.
    4. The Data Controller and the Data Processor agree that they will cooperate, on request, with the supervisory authority in the performance of its tasks with their obligations under this DPA.

Appendix A - Personal Data processing details and activities

This Appendix A includes details of the Processing of Personal Data as required by Article 28(3) GDPR.

Subject:

The subject of processing of Personal Data is described in the Terms of Service and in this DPA.

Duration:

The duration of processing of Personal Data is described in the Terms of Service and in this DPA.

Purpose of processing:

The sole purposes of Personal Data processing by the Data Processor is to deliver the Service and / or provide technical support to the Data Controller or it’s users.

Categories of data subjects:

Individuals about whom Personal Data is provided to Data Processor via the Service by or at the direction of the Data Controller.

Types of processed data:

Personal Data relating to individuals that is provided to the Data Processor by using the Service by or at the direction of the Data Controller including without limitation names, addresses, contact details,online identifiers (including IP addresses) and login details.

Data transfer and processing limitations:

No sensitive or special categories of Personal Data are allowed to be transferred and cannot be contained in the content of attachments or files added to the Service.

Appendix B - Sub-Processor list

This Appendix B lists all Sub-Processors to whom Personal Data may be transferred in accordance with the Terms of Service and this DPA.

  • Linode, LLC -New Jersey, United States
  • Freshworks, Inc. - San Bruno, CA, United States
  • Mailgun Technologies, Inc. - San Francisco, CA, United States
  • The Rocket Science Group LLC d/b/a MailChimp - Atlanta, GA, United States
  • Google LLC - Menlo Park CA, United States
  • Pusher Ltd - London, United Kingdom

Appendix C - Security Documentation

This Appendix C describes the security measures taken by the Data Processor when processing Personal Data.

Data Encryption

The processed data is encrypted in transfer, both between Data Processor and Data Controller (and persons authorized, by the Data Controller, to use the Service) and between the Data Processor and its Sub-Processors using strong, up-to-date ciphers and algorithms following latest industry security standards.

Data Center Security

We use a globally renowned leader in hosting services - Linode. All data is hosted in London, UK. Linode takes data security extremely seriously - enforces multiple layers of security via a variety of technological and human measures. All equipment is in locked cages.

Only few trusted Innodia Ltd. employees have remote access to the production environment including databases and applications. All traffic between Centrium and the datacenter is carried using a secure encrypted connection.

Who can access your data

Data Controller can choose who to invite to the Service account and the permissions they have. Data Processor does not have access to login to neither Data Controller’s nor it’s users’ accounts. Data Controller has the option to control which users can access specific personal data. The Service also includes a list of recent logins and activities on user’s account allowing monitoring of the access to account’s data (this list includes IP addresses, browser types, version and hostnames).

Backups

Automatic backups are done daily and stored on separate servers, to ensure your data is always safe. Before taking any action on the production servers by authorized staff, an additional backup is created before the operation.

Updates

Production servers are regularly updated with the latest security updates and patches. Because of the fact that Centrium is a hosted on our servers, and we update Centrium regularly, all users have access to the latest version of Centrium.