Data Processing Addendum

Last updated

Jan 12, 2023

This data processing addendum and its Annexes (“DPA”) forms part of the Subscription Agreement or other written or electronic agreement between Happy Team Apps OÜ (“Happy Team”) and Customer for the purchase of the Happy Team Products (“Agreement”) to reflect the parties agreement with regard to the Processing of Personal Data. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

In the course of providing the Products to Customer pursuant to the Agreement, Happy Team may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data. This DPA shall replace any comparable or additional rights relating to the Processing of Customer Data contained in the Agreement (including any existing data processing addendum to the Agreement).

The parties agree as follows:

1. Definitions

”Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Customer Data” means any and all Personal Data that Happy Team processes as a Processor on behalf of the Customer in course of providing the Products under the Agreement.

”Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Customer Data under the Agreement, including, where applicable, EU Data Protection Law.

”EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector, and applicable national implementations of (i) and (ii) (in each case, as may be amended, superseded or replaced).

“EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time

”Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.

”Processor” means an entity that processes Personal Data on behalf of the Controller.

”Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

”Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Happy Team and/or its Sub-processor’s in connection with the provision of the Products.

”Sub-processor” means any Processor engaged by Happy Team to assist in fulfilling its obligations with respect to providing the Products pursuant to the Agreement or this DPA.

“UK SCCs” means the Standard Contractual Clauses for controller to processor transfers set forth in the European Commission’s decision (C(2010)593) of 5 February 2010.

2. Scope and Applicability of this DPA

2.1 Scope. This DPA applies where and only to the extent that Happy Team processes Customer Data as a Processor on behalf of the Customer in the course of providing the Products and such Customer Data is subject to Data Protection Laws.

2.2 Role of the Parties. As between Happy Team and Customer, Customer is the Controller of Customer Data, and Happy Team shall process Customer Data only as a Processor on behalf of Customer. Nothing in the Agreement or this DPA shall prevent Happy Team from using or sharing any data that Happy Team would otherwise collect and process independently of Customer’s use of the Products. Any processing of Personal Data under the Agreement shall be performed in accordance with applicable Data Protection Laws. However, Happy Team is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Happy Team as a service provider.

2.3 Customer Obligations. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Happy Team; and (ii) it has provided notice and obtained (or shall obtain) all consents (where required) and rights necessary under Data Protection Laws for Happy Team to process Customer Data and provide the Products pursuant to the Agreement and this DPA.

2.4 Happy Team Processing of Customer Data. As a Processor, Happy Team shall process Customer Data only for the following purposes: (i) processing to provide the Products in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; (iii) processing initiated by Users in their use of the Products; and (iv) processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of this Agreement (individually and collectively, the “Purpose”) and only in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement (including this DPA) set out the Customer’s complete and final instructions to Happy Team in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Happy Team.

2.5 Details of Data Processing. The subject matter of the processing of Customer Data by Happy Team is the Purpose. Unless otherwise agreed in writing between the parties, the duration of processing, the nature and purpose of the processing, the types of Customer Data and the categories of data subjects processed under the Agreement are further specified in Annex A (Description of the Processing Activities) to this DPA.

3. Subprocessing

3.1 Authorized Sub-processors. Customer agrees that Happy Team may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Happy Team and authorized by Customer are listed here https://rotation.app/dpa/#subprocessors. Happy Team shall notify Customer if it adds or removes Sub-processors at least 10 days prior to any such changes.

3.2 Sub-processor Obligations. Happy Team shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Happy Team to breach any of its obligations under this DPA.

3.3 Objection to Sub-processors. Customer may object in writing to Happy Team’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g. if making Customer Data available to the Sub-processor may violate applicable Data Protection Law or weaken the protections for such Customer Data) by notifying Happy Team promptly in writing within five (5) calendar days of receipt of Happy Team’s notice in accordance with Section 3.1. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution.

4. Security and Audits

4.1 Security Measures. Happy Team shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data. Such measures shall, at a minimum, include the measures identified in Annex B (“Security Measures”). Happy Team shall ensure that any person who is authorized by Happy Team to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.2 Security Incident Response. Upon becoming aware of a Security Incident, Happy Team shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

4.3 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Happy Team may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Products purchased by the Customer.

4.4 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Products, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Products and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Products.

4.5 Security Reports and Audits. Happy Team audits its compliance against recognized data protection and information security standards on a regular basis. Such audits are conducted by independent, experienced personnel, and may include Happy Team’s internal audit team and/or third party auditors engaged by Happy Team. Upon request, Happy Team shall supply (on a confidential basis) a summary copy of its then-current audit report(s) (“Report”) to Customer, so that Customer can verify Happy Team’s compliance with this DPA. Happy Team shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Data, including responses to information security and audit questionnaires that are necessary to confirm Happy Team’s compliance with this DPA, and allow for and contribute to audits at a mutually agreeable time following reasonable written notice, provided that Customer shall not exercise this right more than once per year, except that this right may also be exercised in the event Customer is expressly requested or required to provide this information to a data protection authority, or Happy Team has experienced a Security Incident, or other reasonably similar basis.

5. International Transfers

5.1 Processing Locations. Happy Team may transfer and process Customer Data to and in the United States and anywhere else in the world where Happy Team or its Sub-processors maintain data processing operations. Happy Team shall at all times ensure appropriate safeguards to protect the Customer Data processed, in accordance with the requirements of Data Protection Laws.

5.2 With respect to Customer Data originating from the European Economic Area (“EEA”) or Switzerland that is transferred from Customer to Happy Team, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference.

5.3. For purposes of the EU SCCs the parties agree that:

5.3.1. Customer shall act and comply with the obligations, and shall have the rights, of the “data exporter” under the EU SCCs, and Happy Team shall act and comply with the obligations of the “data importer” under the EU SCCs;

5.3.2. In Clause 7, the optional docking clause will not apply;

5.3.3. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes will be as set forth in Section 3.1 of this DPA;

5.3.4. In Clause 11, the optional language will not apply;

5.3.5. For the purpose of Clause 17, the EU SCCs shall be governed by the laws of Ireland;

5.3.6. For the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;

5.3.7. For the purposes of Annex I, Section A (List of Parties), (i) Customer’s and Happy Team’s contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller and Happy Team is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Products pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA;

5.3.8. For the purposes of Annex I, Section B (Description of Transfer): (i) Annex A to this DPA describes Happy Team’s Processing of Customer Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Products); (iii) Customer Data will be retained in accordance with Clause 8.5 of the EU SCCs, Clause 12 of the UK SCCs, and this DPA; (iv) Happy Team uses Sub-processors to support the provision of the Products. A list of Sub-processors and the nature of the Processing activities can be found at https://rotation.app/dpa/#subprocessors.

5.3.9. For the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Happy Team. If Customer does not communicate a competent supervisory authority to Happy Team, the competent supervisory authority shall be the Irish Data Protection Commission.

5.3.10. For the purposes of Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Data as described at Annex B.

5.4. If the transfer of Customer Data is subject to the Swiss Federal Act on Data Protection, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the EU SCCs will not be interpreted in such a way as to exclude Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Customer Data is subject to the Swiss Federal Act on Data Protection.

5.5. With respect to transfers from Customer to Happy Team of Customer Data originating from the United Kingdom, the parties agree to comply with the UK SCCs, which are incorporated herein by reference. The parties agree that, for the purposes of the UK SCCs: (i) Customer shall act as and comply with the obligations of the “data exporter”, and Happy Team shall act as and comply with the obligations of the “data importer”; (ii) all references to the “Directive 95/46/EC” and its provisions shall be deemed to refer to the relevant provisions of the UK GDPR and the Data Protection Act 2018 of the United Kingdom; (iii) all references to the “Commission” shall be deemed to refer to the Information Commissioner; (iv) all references to the “European Economic Area” or the “European Union” shall be deemed to refer to the United Kingdom; (v) for the purposes Appendix 1 to the UK SCCs, information about the exporter and importer, the categories of Data Subjects, types of Personal Data and type of Processing operations are as set out in Annex A to this DPA; and (vi) for the purposes Appendix 2 to the UK SCCs, the security measures are as described at Annex B. The parties acknowledge that the Information Commissioner’s Office has not yet approved new standard contractual clauses under the UK GDPR. The UK SCCs will apply only until such time as the Information Commissioner’s Office issues new standard contractual clauses under the UK GDPR. Once approved, the parties shall work together, in good faith, to enter into an updated version of the UK SCCs or negotiate an alternative solution to enable transfers of Customer Data in compliance with Data Protection Laws.

5.6 Alternative Transfer Mechanism. The parties agree that the data export solution identified in this Section 5 shall not apply if and to the extent that Happy Team adopts an alternative data export solution for the lawful transfer of Customer Data (as recognized under applicable Data Protection Law) outside of the EU (“Alternative Transfer Mechanism”), in which event, the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism extends to the territories to which Customer Data is transferred).

6 . Return or Deletion of Data

6.1 Upon termination or expiration of the Agreement, Happy Team shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Happy Team is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Happy Team shall securely isolate and protect from any further processing, except to the extent required by applicable law.

7. Rights of Data Subjects and Cooperation

7.1 Data Subject Request. To the extent that Customer is unable to independently access the relevant Customer Data within the Products, Happy Team shall (at Customer’s expense) taking into account the nature of the processing, provide reasonable cooperation to assist Customer by appropriate technical and organisational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made directly to Happy Team, Happy Team shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Happy Team is required to respond to such a request, Happy Team shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

7.2 Subpoenas and Court Orders. If a law enforcement agency sends Happy Team a demand for Customer Data (for example, through a subpoena or court order), Happy Team shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Happy Team is legally prohibited from doing so.

7.3 Data Protection Impact Assessment. To the extent Happy Team is required under EU Data Protection Law, Happy Team shall (at Customer’s expense) provide reasonably requested information regarding Happy Team’s processing of Customer Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

8. Reserved

9. Limitation of Liability

The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with this Addendum will be limited to the liability limitations or other liability caps agreed to by the parties in the Agreement. Notwithstanding the foregoing, nothing in this Section 10 will affect any party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent the limitation of such rights is prohibited by Privacy Laws or Local Data Protection Laws, where applicable.

10. Miscellaneous

10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

10.2 With effect from the effective date of this DPA, this DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to “Agreement” shall be interpreted to include this DPA.

10.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

10.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Annex A

Details of Processing

(a) Duration. The duration of the processing under this DPA is determined by the Agreement.

(b) Categories of data subjects.

Users – Customer’s employees, personnel and other staff that are authorized to use the Products under the Customer’s account.

(c) Categories of data: Identification and contact data (name, address, e-mail address, telephone number, company name); order information; IT related data (IP addresses, Product usage with timestamps); and any other Personal Data Customer configures the Products to collect. Happy Team only collects Slack user ID, and does not store any PII.

(d) Special categories of data (if appropriate). Happy Team and/or its Sub-processors contractors do not intentionally collect or process any special categories of data in connection with the provision of the Products under the Agreements.

(e) Purposes of Processing: For the Purposes (as defined in this DPA).

(f) Processing operations: The Customer Data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:

storage and other processing necessary to provide, maintain and improve the Products provided to Customer
to provide Customer and technical support to the Customer; and
disclosures in accordance with the Agreement and as compelled by law.

Annex B

Security Measures

Happy Team will implement and maintain technical and administrative safeguards to protect Customer Data against Security Incidents, including by taking the following security measures:

Network protection

Have in place a current network diagram with all connections to personal data, including any wireless networks.
Access to web administration interfaces must be encrypted or disabled. All administrative access made on a non-console must be encrypted.
Configuration files must be secure and synchronized.
The firewalls must be configured to not be alterable by its users, including on mobile and employee-owned devices. The firewall, regardless of its installed location, must be enabled at all time.
Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered being insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
Create a firewall configuration that restricts connections between approved networks and all the components of the system in the environment of personal data. Need to examine the rules of firewalls and routers at least every six months. A rule “blocks all” must still apply in the end. Firewalls must be used at least at every endpoint connecting to the Internet, including mobile and employee-owned devices.
Prohibit direct public access between Internet and any component of the system in the environment of personal data. Disable all services and protocols not required (services and protocols not directly needed to perform the specified function of the device).
Encrypt all administrative access with the use of technologies such as SSH, VPN, or SSL/TLS for Web-based management and other administrative access.
Validation of secure communications.
Restrict physical access to publicly accessible network jacks.
Restrict physical access to the gateways, mobile handheld devices and wireless access points.
Use intrusion detection systems and/or intrusion prevention systems to monitor all traffic in the data environment and report to staff all suspicions relating to potential alterations. Keep all detection and intrusion prevention engines updated.
When you access personal data through remote access technologies, prohibit copying, moving and storing of personal data on local hard drives and removable electronic media.
Network architecture and its segmentation approach must be setup to permit: isolation, control, supervision and optimization of information flow and control. Those zones must consider internal and external users, privilege levels, business partners, service providers, customers and the general public.
The firewall and antivirus logs should be reviewed daily.
All firewall rules must be reviewed at least every six months.
When necessary, ACLs can be implemented in routers, but firewalls must be given priority at all times (for ACL).
Account passwords should be configured using the ‘secret” command replacing the “Password” command (if equipment allows).
When configuring a service that doesn’t offer encrypted and strong authentication, the use of a “high port” is mandatory.
Mandatory strong (double) authentication for establishing remote connection over the network.
Secure communications must be validated / tested before being put into production.

Trainings

Have in place security and privacy awareness training, inclusive of acknowledgment and agreement to abide by organizational security policies, for all personnel upon hire and annually thereafter.

Access Control

Limit access to system components and Customer data to only those individuals whose job requires such access.
Assignment of privileges is based on individual personnel’s job classification and function.
Requirement for a documented approval by authorized parties specifying required privileges.
Implementation of an automated access control system.
Defining a system of access control for the components of systems with multiple users that restricts access to only users that need access to data and which is set to “deny all access” unless they are explicitly allowed.
Assign all users a unique ID before allowing them to access system components.
In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: password or two-factor authentication.
Integrate authentication with two factors for the remote access (access to the network from outside the network level) employees, administrators, and third parties to the network.
Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
Ensure that proper management of passwords and user authentication is implemented for non-consumer users and administrators.
Control the addition, removal, and modification of user IDs, credentials and other objects identifier.
Set initial passwords unique to each user and change immediately after the first use.
Immediately revoke access for any user who no longer works for the company.
Remove/disable inactive user accounts at least every 90 days.
Do not use group, shared, or generic accounts and passwords, or other authentication methods.
Change the passwords at least every 90 days.
Requiring passwords with at least eight characters.
Define passwords with alphanumeric characters.
Prohibit a user to submit a new password identical to one of its last four passwords.
Limit repeated access attempts by locking out the user ID after six attempts.
Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID
If a session is inactive for more than 15 minutes, require the user to re-enter his password to re-activate the terminal.
Authenticate all access to any database containing personal data. This includes access by applications, administrators, and all other users. Restrict user direct access or queries to databases to database administrators.
Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
All actions taken by any individual with root or administrative privileges
Automatic disconnect of sessions of remote access technologies after a specific idle period.

Data Retention

Keep data storage to a minimum.
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.

Secure Application Development

Validation of all input to prevent XSS (Cross-Site Scripting) attacks, attacks by injection, the execution of malicious files, etc.
Validation of proper error handling.
Validation of secure cryptographic storage.
Separate development/test and production environments.
Separate obligations between development/test and production environments.
Deleting data and the test accounts before production systems become active.
Deletion of custom application accounts and the names of user and password before enabling applications or making them available to customers.
In order to identify any potential coding vulnerability, review of custom code prior to placing it into production or at the disposal of clients.
Operational functionality testing.
Develop all Web applications (internal and external, including Web administrative access) on the basis of secure coding best practices such as those described in the OWASP (Open Web Application Security Project). Prevent common coding vulnerabilities in software development processes.

System Monitoring

Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Ensure that all anti-virus mechanisms are current, running and capable of generating audit logs.
Install critical security patches within one month of release.
Define a process for the identification of new security vulnerabilities.
For public-oriented Web applications, address new threats and vulnerabilities on a regular basis.
Access to all audit trails.
Invalid logical access attempts.
Use of identification and authentication mechanisms.
Initialization of the audit logs.
Creation and deletion of system-level objects.
Record at least the following audit trail entries for all system components for each event
Synchronize all critical system clocks and hours.
Protect audit logs so that they cannot be changed.

Change Management Policy

Formal approval process and test all network connections and changes to the configurations of firewalls and routers.
Check that the network diagram is updated.
Test all security patches, as well as any system or software configuration changes before deployment.
Documentation of impact.
Validation of the management by the appropriate parties.
Removal procedures.

Incident Response

Implement an incident response plan. Be prepared to respond immediately to a system breach.

Secure Disposal of IT Equipment and Information

Render data on electronic media unrecoverable so that data cannot be reconstructed.

HTTPS & data encryption

We use TLS (1.2+) - TLS certificate to encrypt data in transit, free on every plan.
We use AES-256 - We encrypt all data at rest with the highest security standard..

Annex C

Subprocessors

Happy Team uses the following subprocessors, all of which are GDPR and CCPA compliant:

AWS - For all services, storing and processing of data
Paddle - Payment handling