1. Background and Interpretation
1.2. When providing its Service in performance of the Agreement, the Supplier will process personal data on behalf of the Subscriber, in the capacity of Subscriber’s processor. The Supplier will process personal data for which Subscriber is the controller.
1.2. This Data Processing Agreement (the "DPA") forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.
1.3. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the European Parliament and the Council Regulation (EU) 2016/679 (the "GDPR") and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances.
1.4. In light of the above, the Parties have agreed as follows:
2. Instructions and Responsibilities
2.1. The type of personal data and categories of data subjects processed by the Supplier under this DPA and the purpose, nature, duration and objects of this processing, are described in the instructions on processing of personal data in Appendix 2A or the written instructions that Subscriber provides from time to time. The Supplier shall not process additional categories of personal data or personal data in relation to other data subjects than those specified in Appendix 2A.
2.2. Subscriber is responsible for complying with the GDPR. Subscriber shall in particular:
a) act as the contact person towards data subjects, e.g. by responding to their inquiries regarding the processing of personal data;
b) ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR and maintain a record of processing activities under its responsibility;
c) provide the Supplier with documented instructions for the Supplier’s processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;
d) immediately inform the Supplier of changes that affect the Supplier’s obligations under this DPA;
e) immediately inform the Supplier if a third party takes action or lodges a claim against Subscriber as a result of the Supplier’s processing under this DPA; and
f) immediately inform the Supplier if anyone else is joint controller with Subscriber of the relevant personal data.
2.3. When processing personal data, the Supplier shall:
a) only process personal data in accordance with Subscriber’s documented instructions, which at the time of the Parties entering into this DPA are set out in Appendix 2A;
b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 3 below;
d) respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor;
e) taking into account the nature of the processing, assist Subscriber by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Subscriber’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
f) assist Subscriber in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Supplier;
g) at the choice of Subscriber, delete or return all the personal data to Subscriber after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and
h) make available to Subscriber all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by Subscriber or another auditor agreed upon by the Parties.
2.4. The Supplier shall notify Subscriber without undue delay if, in the Supplier’s opinion, an instruction infringes the GDPR. In addition, the Supplier is to immediately inform Subscriber of any changes affecting the Supplier’s obligations pursuant to this DPA.
3.1. The Supplier shall implement technical and organisational security measures in order to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The Supplier may amend its technical and organisational measures.
3.2. The Supplier shall notify Subscriber of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that the Supplier has committed any wrongful act or omission, or that the Supplier shall become liable for the personal data breach.
3.3. If Subscriber during the term of this DPA requires that the Supplier takes additional security measures, the Supplier shall as far as possible meet such requirements provided that Subscriber pays and takes responsibility for any and all costs associated with such additional measures.
4. Sub-processors and Transfers to Third Countries
4.1. Subscriber hereby grants the Supplier a general authorisation to engage sub-processors. Sub-processors are listed in the list of sub-contractors in Appendix 2B. The Supplier shall enter into a data processing agreement with each sub-processor, according to which the same data protection obligations as set out in this DPA are imposed upon the sub-processor.
4.2. The Supplier shall inform Subscriber of any intended changes concerning the addition or replacement of sub-processors, thereby giving Subscriber the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after the Supplier has informed Subscriber about the intended changes. If Subscriber objects to the Supplier engaging a sub-processor and the Parties cannot agree, within reasonable time, on the new sub-processor’s engagement in the processing of personal data, the Supplier can terminate the Agreement.
4.3. If the Supplier and/or sub-processors transfer personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. The Supplier shall keep Subscriber informed about the legal grounds for the transfer.
5. Compensation and Limitation of Liability
5.1. The Supplier is not entitled to any additional compensation for the processing of personal data in accordance with this DPA; instead, the compensation provided pursuant to the Agreement also encompasses the measures in this DPA.
5.2. Each Party shall be responsible for any damages and administrative fines imposed on it under Articles 82 and/or 83 of the GDPR.
5.3. Notwithstanding any limitation of liability in the Agreement, each Party’s liability under this DPA shall be limited to direct damages. In addition, the Supplier’s liability shall be limited to an amount corresponding to the fees paid by Subscriber to the Supplier under the Agreement for a period of six (6) months before the damage occurred.
6. Term and Termination
6.1. This DPA becomes effective when the Agreement has been entered into.
6.2. Upon termination of the Agreement, the Supplier shall at the choice of Subscriber, delete all the personal data or return it to Subscriber, and ensure that each sub-processor does the same.
6.3. This DPA remains in force as long as the Supplier processes personal data on behalf of Subscriber, including deletion or returning of personal data according to section 6.2 above. This DPA shall thereafter cease to apply. Sections 5 and 6.2 shall continue to apply even after this DPA has been terminated.
7.1. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions or regulations regarding the application of the GDPR during the term of this DPA, with the result that this DPA does not meet the requirements for a data processing agreement, the Parties shall change this DPA to meet the requirements.
7.2. Any other changes to this DPA than following from section 7.1 above or changes in Subscriber’s documented instructions, shall be made in writing and signed by the Parties’ authorized representatives, to be binding.
8.1. In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement.
8.2. This DPA supersedes and replaces all data processing agreements between the Parties potentially existing prior to this DPA.
Instructions on Processing of Personal Data
The Supplier processes personal data in order to fulfil the Agreement. This means that the Supplier processes personal data for the following purposes:
Provide the Service to End-Users,
Authenticate and authorize End-Users,
Handle customer support cases,
Provide self-service license management features,
Communicate relevant information with End-Users, and
Provide additional information to key End-Users.
Categories of personal data
Categories of personal data that will be processed by the Supplier include:
Unique identifier of the device using the Service, and
Information about how the Service is used.
Categories of data subjects
Personal data about End-Users using a trial version of the Service will be stored for three months after the trial period has ended. In other cases, the personal data will be processed for as long as the End-User continues to actively use the Service and for six (6) months thereafter.
The Supplier processes the personal data of End-Users in the following ways.
Technically enable the Service to be used by End-Users.
End-Users’ contact details are used to provide relevant information, e.g. regarding any updates of the system.
End-user name and email address are used for authentication when End-Users are using the ActionableAgile Analytics (SaaS offering).
End-user unique identifiers are used for authorization when End-Users log in to the following products:
ActionableAgile Analytics (SaaS offering), and
ActionableAgile for Azure DevOps
Subscriber name and/or e-mail address is used to identify active access to support the following products:
ActionableAgile Analytics (SaaS offering), and
ActionableAgile for Azure DevOps
End-Users’ name and e-mail address are collected in order to provide customer support when customers open a support request via e-mail or via the Supplier’s support portal.
The name and e-mail address of key End-Users of strategic customers are manually stored in the Supplier’s CRM system by Customer Success Specialists in order to provide customer success related communications.
Information Security Measures
Change log for this appendix
June 2, 2022 - Initial publish