Last modified: 11 November 2024
This Data Processing Agreement ("Agreement") forms part of the Master Services Agreement ("Principal Agreement"), becomes a binding part of the Principal Agreement with effect from the date of execution of the Principal Agreement, and is entered into between you ("Company") and Filestage GmbH, with its registered office in Lautenschlagerstraße 16, 70173 Stuttgart, Germany ("Data Processor"), collectively referred to as the "Parties."
WHEREAS
A. The Company acts as a Data Controller.
B. The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
C. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework concerning data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
D. The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Agreement” means this Data Processing Agreement and all Schedules.
1.1.2. “Company Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.1.3. “Company Personal Data” means any Personal Data Processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement and according to the Company’s instructions.
1.1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.5. “EEA” means the European Economic Area.
1.1.6. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7. “GDPR” means EU General Data Protection Regulation 2016/679.
1.1.8. “Data Transfer” means:
1.1.8.1. a transfer of Company Personal Data from the Company to the Processor; or
1.1.8.2. an onward transfer of Company Personal Data:
1.1.8.2.1. from the Processor to a Subprocessor; or
1.1.8.2.2. between multiple establishments of the Processor or Subprocessor.
1.1.9. “Personal Data” means any information defined as “personal information” or “personal data” under Data Protection Laws, including data:
1.1.9.1. relating to an identified or identifiable natural person; or
1.1.9.2. that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be:
1.1.9.2.1. processed at any time by the Processor in anticipation of, in connection with or incidental to the performance of the Services under the Principal Agreement and this DPA; or
1.1.9.2.2. derived by the Processor from such information.
1.1.10. “Services” means the services the Processor provides as agreed in the Principal Agreement.
1.1.11. "Standard Contractual Clauses" means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.1.12. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.1.13. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Data
2.1. The Processor shall:
2.1.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.1.2. not Process Company Personal Data other than on Company’s documented instructions unless Processing is required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before the relevant Processing of that Personal Data;
2.1.3. maintain the confidentiality of all Personal Data, will not sell it to anyone, and will not disclose it to third parties unless the Company or this Agreement specifically authorizes the disclosure or as required by law. If a law requires the Processor to process or disclose Personal Information, the Processor must first inform the Company of the legal requirement and give the Company an opportunity to object or challenge the requirement unless the law prohibits such notice;
2.1.4. reasonably assist the Company with meeting the Company's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Processor's processing and the information available to the Processor;
2.1.5. promptly notify the Company of any changes to Privacy and Data Protection Requirements that may adversely affect the Processor's performance of the Principal Agreement and this Agreement; and
2.1.6. if additional Processing (including Transfer) requirements are necessary for any specific jurisdiction in order for the Processing by the Processor or its authorized Subprocessors to be compliant with Applicable Law, the Processor and the Company shall negotiate in good faith to amend this Agreement to include such requirements and implement these provisions accordingly.
2.2. The Company:
2.2.1. instructs the Processor (and authorizes the Processor to instruct each Subprocessor) to:
2.2.1.1. Process Company Personal Data; and
2.2.1.2. in particular, transfer Company Personal Data to any country or territory, provided it is to a country that provides an adequate level of protection as determined by the standard defined by applicable data protection laws or safeguards are in place to provide an adequate level of protection such as standard contractual clauses approved by the relevant Government or Commissioned bodies or the transfer is otherwise permitted under Data Protection Law,
to the extent and in such a manner as is reasonably necessary for the provision of the Services and consistent with the Principal Agreement;
2.2.2. warrants and represents that it is and, unless it provides written notice to the Processor to the contrary, will remain duly and effectively authorized to give the instruction set out in section 2.2.1 on behalf of each relevant Company Affiliate; and
2.2.3. retains control of the Company Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.
3. Processor Personnel
3.1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, concerning the Company Personal Data, establish, implement, and operate appropriate technical and organizational measures, as expressed in Annex 1 of this Agreement, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, the Processor shall consider the risks presented by Processing, particularly from a Personal Data Breach.
5. Subprocessing
5.1. The Company authorizes the Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
5.2. The Company authorizes each appointed Subprocessor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
5.3. The Processor may continue to use those Subprocessors referenced in Annex 2 and add new Subprocessors, subject to meeting the obligations set out in sections 5.4 and 5.5 as soon as practicable in each case.
5.4. The Processor shall ensure that each Subprocessor performs the obligations under the applicable sections of this Agreement as they apply to the Processing of Company Personal Data carried out by that Subprocessor as if it were party to this Agreement in place of the Processor.
5.5. Before replacing or adding a new Subprocessor, the Processor shall give the Company reasonable notice of such replacement or addition, providing the Company an opportunity to object.
6. Data Subject Rights
6.1. Taking into account the nature of the Processing, the Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfil the Company's obligations, as reasonably understood by the Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. The Processor shall:
6.2.1. promptly notify the Company if the Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2. ensure that the Processor does not respond to that request except on the documented instructions of the Company or the relevant Company Affiliate or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before the Processor responds to the request.
6.3. The Company shall:
6.3.1. promptly notify the Processor if the Company receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;
6.3.2. assist the Processor as necessary to fulfil the Data Subject’s request.
7. Personal Data Breach
7.1. The Processor shall notify the Company without undue delay upon the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2. The Processor shall cooperate with the Company and take reasonable commercial steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
7.3. The Company shall cooperate with the Processor and take reasonable commercial steps as directed by the Processor to assist in the investigation, mitigation, and remediation of each such Personal Data Breach as necessary.
8. Data Protection Impact Assessment and Prior Consultation
8.1. The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely concerning Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
9. Deletion or Return of Company Personal Data
9.1. Subject to sections 9.2 and 9.3, the Processor shall promptly, after the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data unless otherwise required by applicable Data Protection Laws or other regulations.
9.2. Subject to section 9.3, the Company may, in its absolute discretion, by written notice to the Processor within 30 days of the Cessation Date, require the Processor to:
9.2.1. securely return a complete copy of all Company Personal Data to the Company in such format as is reasonably notified by the Company to Processor; and
9.2.2. delete and procure the deletion of all other copies of Company Personal Data Processed by the Processor. The Processor shall comply with any such written request within 30 days of the Cessation Date unless otherwise required by applicable Data Protection Laws or other regulations.
9.3. The Processor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that the Processor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4. If requested in writing by the Company, the Processor shall provide written certification to the Company that it has fully complied with this section 9 within 30 days of the Cessation Date.
10. Audit Rights
10.1. Within thirty (30) business days of the Company’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, the Processor shall make available to the Company (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate the Processor’s compliance with the obligations set forth in this Agreement.
11. Data Transfer
11.1. The Processor may transfer or authorize the transfer of Company Personal Data to countries outside the EU and/or the European Economic Area (EEA). If Company Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Processor shall ensure that the Company Personal Data has an adequate level of protection as determined by the standard defined by applicable data protection laws or safeguards are in place to provide an adequate level of protection such as standard contractual clauses approved by the relevant Government or Commissioned bodies or the transfer is otherwise permitted under Data Protection Law.
12. General Terms
12.1. Confidentiality
Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
12.1.1. disclosure is required by law;
12.1.2. at the time of disclosure, the relevant information is, or thereafter becomes, generally available to and known by the public other than as a result of, directly or indirectly, any violation of this Agreement by the Recipient or any of its Representatives;
12.1.3. at the time of disclosure, the relevant information is, or thereafter becomes, available to the Recipient on a non-confidential basis from a third-party source, provided that such third party is not and was not prohibited from disclosing such Confidential Information to the Recipient by a legal, fiduciary, or contractual obligation to the Disclosing Party;
12.1.4. the relevant information was known by or in the possession of the Recipient or its Representatives, as established by documentary evidence, before being disclosed by or on behalf of the Disclosing Party under this Agreement; or
12.1.5. the relevant information was or is independently developed by the Recipient, as established by documentary evidence, without reference to or use of, in whole or in part, any of the Disclosing Party's Confidential Information.
12.2. Notices
12.2.1. All notices and communications given under this Agreement must be in writing. They will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.
12.3. Governing law and jurisdiction
12.3.1. The Parties to this Agreement hereby submit to the choice of jurisdiction stipulated in the Principal Agreement concerning any disputes or claims howsoever arising under this Agreement, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.3.2. this Agreement and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
12.4. Order of Precedence
12.4.1. Nothing in this Agreement reduces the Processor's obligations under the Principal Agreement regarding the protection of Company Personal Data or permits the Processor to Process (or permit the Processing of) Company Personal Data in a manner prohibited by the Principal Agreement. In case of any conflict or inconsistency between this Agreement and the Principal Agreement, the Principal Agreement shall prevail.
12.4.2. Subject to section 12.4.1., with regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.
12.5. Changes in Data Protection Laws, etc.
12.5.1. The Company may propose any other variations to this Agreement which the Company reasonably considers to be necessary to address the requirements of any Data Protection Law.
12.5.2. If the Company gives notice under section 12.5.1, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the Company's notice as soon as is reasonably practicable.
12.5.3. Neither the Company nor the Processor shall require the consent or approval of any Company Affiliate to amend this Agreement pursuant to this section 12.5 or otherwise.
12.6. Severance
12.6.1. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either:
12.6.1.1. amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible,
12.6.1.2. construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.7. Language
12.7.1. Regardless of any language into which this Agreement may be translated, the official, controlling and governing version of this Agreement shall be exclusively the English language version.
Annex 1: Technical and Organizational Controls
Organizational Controls
An information privacy and security (IPS) policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.
IPS roles and responsibilities shall be defined and allocated.
Conflicting duties and conflicting areas of responsibility shall be segregated.
Management shall require all personnel to apply IPS in accordance with the established IPS policy, topic-specific policies, and procedures.
Contact with authorities shall be established and maintained.
Contact with special interest groups or other specialist security forums and professional associations shall be established and maintained.
Information relating to IPS threats shall be collected and analyzed to produce threat intelligence.
IPS shall be integrated into project management.
An inventory of information and other associated assets, including owners, shall be developed and maintained.
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
Personnel and other interested parties, as appropriate, shall return all Filestage assets in their possession upon change or termination of their employment, contract or agreement.
Information shall be classified according to Filestage’s IPS needs, based on confidentiality, integrity, availability and relevant interested party requirements.
An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme.
Information transfer rules, procedures, or agreements shall be in place for all types of internal and external transfers.
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and IPS requirements.
The full life cycle of identities shall be managed.
Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the topic-specific policy on and rules for access control.
Processes and procedures shall be defined and implemented to manage the IPS risks associated with the use of supplier’s products or services.
Relevant IPS requirements shall be established and agreed with each supplier based on the type of supplier relationship.
Processes and procedures shall be defined and implemented to manage the IPS risks associated with the ICT products and services supply chain.
Changes in supplier IPS practices and service delivery shall be regularly monitored, reviewed, evaluated, and managed.
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with IPS requirements.
Management of IPS incidents shall be planned and prepared for by defining, establishing and communicating IPS incident management processes, roles and responsibilities.
IPS events shall be assessed and a decision made on whether they are to be categorized as IPS incidents.
IPS incidents shall be responded to in accordance with the documented procedures.
Knowledge gained from IPS incidents shall be used to strengthen and improve the IPS controls.
Procedures for the identification, collection, acquisition and preservation of evidence related to IPS events shall be established and implemented.
Maintaining IPS at an appropriate level during disruption shall be planned for.
ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Legal, statutory, regulatory and contractual requirements relevant to IPS and the approach to meet these requirements shall be identified, documented and kept up to date.
Appropriate procedures to protect intellectual property rights shall be implemented.
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements shall be identified and fulfilled.
The approach to managing IPS and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
Compliance with the IPS policy, topic-specific policies, rules and standards shall be regularly reviewed.
Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
People Controls
Background verification checks on all candidates to become personnel shall be carried out prior to employment and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Employment contractual agreements shall state the personnel’s and Filestage’s responsibilities for IPS.
Personnel and relevant interested parties shall receive appropriate IPS awareness, education and training and regular updates of the IPS policy, topic-specific policies and procedures, as relevant for their job function.
A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an IPS policy violation.
IPS responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.
Confidentiality or non-disclosure agreements reflecting the needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.
IPS measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored remotely.
A mechanism for personnel to report observed or suspected IPS events through appropriate channels in a timely manner shall be provided.
Physical Controls
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.
Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the classification scheme and handling requirements.
Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Technical Controls
Information stored on, processed by or accessible via user endpoint devices shall be protected.
The allocation and use of privileged access rights shall be restricted and managed.
Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.
Read and write access to source code, development tools and software libraries shall be appropriately managed.
Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.
The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.
Protection against malware shall be implemented and supported by appropriate user awareness.
Information about technical vulnerabilities of information systems in use shall be obtained, and exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Data masking shall be used in accordance with the topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analyzed.
Networks, systems and applications shall be monitored for anomalous behavior and appropriate actions taken to evaluate potential IPS incidents.
The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
Procedures and measures shall be implemented to securely manage software installation on operational systems.
Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
Groups of information services, users and information systems shall be segregated into respective networks.
Access to external websites shall be managed to reduce exposure to malicious content.
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
Rules for the secure development of software and systems shall be established and applied.
IPS requirements shall be identified, specified and approved when developing or acquiring applications.
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
Secure coding principles shall be applied to software development.
Security testing processes shall be defined and implemented in the development life cycle.
The organization shall direct, monitor and review the activities related to outsourced system development.
Development, testing and production environments shall be separated and secured.
Changes to information processing facilities and information systems shall be subject to change management procedures.
Test information shall be appropriately selected, protected and managed.
Annex 2: Subprocessors
1. Amazon Web Services, Inc.
Name: Amazon Web Services, Inc.
Service/Tool: Amazon Web Services (AWS)
Usage: Application hosting.
Headquarters: 410 Terry Ave N, Seattle, WA 98109-5210, United States
Data Center: European Union (EU)
Transfer Mechanism: N/A
IPS Documentation: Data Processing Agreement (DPA), Privacy Notice, Trust Center
2. Auth0, Inc.
Name: Auth0, Inc.
Service/Tool: Auth0
Usage: User authentication.
Headquarters: 10800 NE 8th St #700, Bellevue, WA 98004, United States
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
3. Celonis, Inc.
Name: Celonis, Inc.
Service/Tool: Make
Usage: Custom integrations.
Headquarters: Menclova 2538/2, 180 00 Praha, 8-Palmovka, Czechia
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
4. ChartMogul GmbH & Co. KG
Name: ChartMogul GmbH & Co. KG
Service/Tool: ChartMogul
Usage: Customer Relationship Management (CRM) and subscription analysis.
Headquarters: c/o WeWork, Kemperplatz 1, 10785 Berlin, Germany
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
5. Cloudflare, Inc.
Name: Cloudflare, Inc.
Service/Tool: Cloudflare
Usage: Domain name server.
Headquarters: 101 Townsend Street, San Francisco, CA 94107, United States
Data Center: United States (US)
Transfer Mechanism: Adequacy Decision (EU-U.S. Data Privacy Framework (EU-U.S. DPF)), Standard Contractual Clauses (SCCs)
IPS Documentation: DPA, Privacy Notice, Trust Center
6. Domo, Inc.
Name: Domo, Inc.
Service/Tool: Domo
Usage: Analytics.
Headquarters: 802 E 1050 S, American Fork, UT 84003, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
7. Gleap, GmbH
Name: Gleap, GmbH
Service/Tool: Gleap
Usage: CRM and analytics.
Headquarters: Dr. Walter Zumtobel Straße 2, 6850 Dornbirn, Austria
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
8. Google, LLC.
Name: Google, LLC.
Service/Tool: Google Analytics
Usage: Analytics.
Headquarters: 1600 Amphitheatre Parkway, Mountain View, California, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
9. Fullstory, Inc.
Name: Fullstory, Inc.
Service/Tool: Fullstory
Usage: Analytics.
Headquarters: 1745 Peachtree Rd NW Suite N, Atlanta, GA 30309, United States
Data Center: EU, US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
10. Headway App, Inc.
Name: Headway App, Inc.
Service/Tool: Headwayapp
Usage: Public changelog.
Headquarters: 440 N Barranca Ave #4399, Covina, CA 91723, United States
Data Center: US
Transfer Mechanism: N/A - Company Personal Data is not transferred.
IPS Documentation: Privacy Notice, Trust Center
11. HubSpot, Inc.
Name: HubSpot, Inc.
Service/Tool: HubSpot
Usage: CRM and analytics.
Headquarters: Two Canal Park, Cambridge, MA 02141, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
12. Intercom, Inc.
Name: Intercom, Inc.
Service/Tool: Intercom
Usage: Customer support.
Headquarters: KPMG Building, 55 2nd St, San Francisco, CA 94105, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
13. Luzmo, NV.
Name: Luzmo, NV.
Service/Tool: Luzmo
Usage: In-app insights dashboards.
Headquarters: Tiensevest 102 box 201, B-3000 Leuven, Belgium
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice
14. MongoDB, Inc.
Name: MongoDB, Inc.
Service/Tool: MongoDB Atlas
Usage: User database.
Headquarters: 499 Hamilton Ave, Palo Alto, CA 94301, United States
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
15. Paddle.com Market Ltd.
Name: Paddle.com Market Ltd.
Service/Tool: ProfitWell Metrics
Usage: Revenue reporting.
Headquarters: 3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, United States
Data Center: US
Transfer Mechanism: SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
16. Peaberry Software, Inc.
Name: Peaberry Software, Inc.
Service/Tool: Customer.io
Usage: Marketing communications automation.
Headquarters: 9450 SW Gemini Dr, Suite 43920 Beaverton, Oregon 97008-7105, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
17. Productboard, Inc.
Name: Productboard, Inc.
Service/Tool: Productboard
Usage: Analytics.
Headquarters: 333 Bush Street, 20th Floor San Francisco, CA 94104, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
18. Pusher, Ltd.
Name: Pusher, Ltd.
Service/Tool: Pusher
Usage: API management.
Headquarters: 160 Old St, London EC1V 9BW, United Kingdom
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
19. Recrea Systems, SLU.
Name: Recrea Systems, SLU.
Service/Tool: Quaderno
Usage: Invoice management.
Headquarters: Bravo Murillo 34 - 35003, Las Palmas, Spain
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice
20. Rocket Science Group, LLC.
Name: Rocket Science Group, LLC.
Service/Tool: Mailchimp
Usage: Email communication.
Headquarters: 2015 Main St, Vancouver, BC V5T 3C2, Canada
Data Center: US
Transfer Mechanism: SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
21. Startdeliver, AB.
Name: Startdeliver, AB.
Service/Tool: Startdeliver
Usage: CRM and analysis.
Headquarters: c/o The Works, Klarabergsgatan 60, 111 21, Stockholm, Sweden
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice, Trust Center
22. Stripe, Inc.
Name: Stripe, Inc.
Service/Tool: Stripe
Usage: Payment processing.
Headquarters: 510 Townsend Street, San Francisco, CA 94103, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Policy, Trust Center
23. Transloadit-II, GmbH.
Name: Transloadit-II, GmbH.
Service/Tool: Transloadit
Usage: File transcoding.
Headquarters: Waßmannsdorfer Chaussee 39 A, 12355 Berlin, Germany
Data Center: EU
Transfer Mechanism: N/A
IPS Documentation: DPA, Privacy Notice
24. Twilio, Inc.
Name: Twilio, Inc.
Service/Tool: Segment
Usage: Analytics.
Headquarters: 100 California Street, Suite 700, San Francisco, CA 94111, United States
Data Center: US
Transfer Mechanism: Adequacy Decision (EU-U.S. DPF), SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center
25. YNOT Partners, Inc.
Name: YNOT Partners, Inc.
Service/Tool: Userguiding
Usage: In-app product tours.
Headquarters: 112 Capitol Trail, Suite A199 Newark, Delaware 19711, United States
Data Center: US
Transfer Mechanism: SCCs
IPS Documentation: DPA, Privacy Notice, Trust Center