ChatShipper - Data Processing Agreement
- The parties agree as follows:
- Annex 1
This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions and
principal place of business at Lytse Súdein 19, Uitwellingerga “ChatShipper” or
Client Company name :
Having its place of business :
The parties agree as follows:
1. Application of the agreement
All capitalized terms not defined herein shall have the meaning set forth below.
- “Data Breach” means the exposure of Personal Data due to loss or unlawful processing, as a result of which it cannot be ruled out that personal data has been lost or been processed.
- “Data Controller” means the entity which alone, or together with others, determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the individual to whom Personal Data relates.
- “DPA” means this Data Processing Agreement.
- “Employee” means any employee, agent, contractor, or any other person working under the direct authority of the Data Processor.
- “GDPR”: General Data Protection Regulation (Regulation (EU) 2016/679).
- “Information Security Controls Summary” means the summary of the Information Security Policy of Data Processor, which, in its form as of the time of signing of this DPA is included in Annex 1 to this DPA, and of which any updates will be accessible via the link in Annex 1.
- ¨Main Agreement” as defined in the heading of this DPA.
- “Personal Data” means any information relating to an identified or identifiable person inputted by Controller, or Processor on the Controller's behalf, for the performance of the Main Agreement or this DPA.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
- “Subcontractor” means any Data Processor engaged by Data Processor or a member of the Data Processor group company, to carry out any or all of its obligations under this Agreement.
- “Third Party” means any party, not being either: (i) the Data Subject, (ii) the Controller, (iii) the Data Processor, or (iv) any natural person or entity authorized by the Controller or Data Processor to process Personal Data.
2. Commercial Terms
Describe the Purpose(s) of data processing
Processor provides and and operates a web-based chat service (ChatShipper Platform) for processing inquiries from prospective customers (Chat Participants) on the websites and content operated by the Controller. The inquiries generally relate to the offers of the Controller and to general information about the Controller, whereby Chat Participants are likely to provide their own data.
Categories of Data Subjects that the Processing relates to:
Customers and prospective Customers
Categories of Personal Data that the Processing relates to:
Please indicate which sensitive data are processed, if any:
No sensitive data are processed
Please describe all steps in the Processing activities.
Controller receives through, transmits to or enters into the ChatShipper Platform, data, information, content, records, and files that Controller or any of its Chat Participants loads, or otherwise provides to ChatShipper, and any data, information, content, records and files that the ChatShipper platform obtains from Controller’s servers or systems or from third parties on Controller’s behalf.
Please describe the envisaged time limits for the erasure of the processed data
Controller can set preferences, default value 18 months
Where (which locations) does the
Processing take place?
EU, Google DataCenters in Belgium and The Netherlands
Which law shall apply to this DPA?
All disputes arising out of or related to
this DPA shall be submitted exclusively to the competent court in
3. Obligations Processor
3.1. Controller instructs Data Processor to Process the Personal Data as detailed in Article 2 of this DPA. Processor shall notify Controller immediately if, in its opinion, a Controller instruction infringes Data Protection Laws. Processor is not obliged to actively monitor instructions for infringements of Data Protection Laws. Any request by Controller to Process Personal Data outside the scope of this DPA must be agreed in writing by Processor and shall become part of this DPA.
3.2. Data Processor shall Process Personal Data for and on behalf of Controller, under Controllers’ responsibility and only in accordance with Controllers’ instructions, unless the exception in Art. 28 (3) (a) of the GDPR applies. This means that Processor shall not transfer Personal Data to or grant access to a Third Party unless a) it has received the explicit consent of the Controller or b) subject to a court order or an order of a competent authority.
3.3. Data Processor shall treat Personal Data as confidential information. Data Processor shall only grant its Employees access to the Personal Data insofar as this is required for the performance of its obligations under the Main Agreement or this DPA.
3.4. Data Processor shall keep a record of any Processing of Personal Data it carries out on behalf of Controller. At Controller’s request and sole expense, Data Processor shall provide to Controller a copy of all Personal Data held by it under the Agreement in a commonly used and machine-readable format.
3.5. Data Processor takes appropriate technical and organizational measures to protect Personal Data against loss or any other form of unlawful processing. These measures ensure an appropriate level of security, taking into account the state of the art and the nature of the Personal Data Processed by the Data Processor.
3.6. The technical and organizational measures are described in the Information Security Controls Summary in Annex 1 hereto. Controller has knowledge of these technical and organizational measures and agrees that they provide an appropriate level of protection for the Personal Data to be Processed. Processor may update or modify the measures listed in Annex 1 from time to time, provided that such updates or modifications do not result in any material reduction of the security of the Personal Data.
3.7. Data Processor shall not transfer the Personal Data to a third country or an international organization as referred to in Article 44 of the GDPR, without the explicit prior written consent of the Controller.
3.8. Data Processor shall inform Controller of a detected or suspected Data Breach to which the Personal Data has been exposed without undue delay and no later than 24 hours of becoming aware of the breach.
3.9. Data Processor shall reasonably provide all necessary information and cooperation to enable the Controller to ascertain the cause, extent and consequences of the Data Breach and to take steps to minimize potential damage caused by the Data Breach and inform Data Subjects.
3.10. Data Processor shall notify Controller of all Data Subject requests relating to the rights to access, modify, correct, erase or restrict the use of Personal Data. Data Processor will only respond to such a request at the instruction of Controller.
3.11. In the event of any loss or damage to Personal Data, Data Processor shall use commercially reasonable endeavors to restore the lost or damaged Personal Data from the latest back-up of such Personal Data maintained by Data Processor in accordance with its standard archiving procedures.
3.12. If the Processor becomes aware of circumstances or changes in the Applicable Privacy Act, which substantially complicate the fulfillment of his obligations under the DPA, he will report this as soon as possible to the Controller.
4. Obligations Controller
4.1. Controller shall be responsible for the legality of its instructions to Processor, including but not limited to the legality of any instruction regarding the transfer of personal data to a third party or a third country.
4.2. Controller shall be responsible for the integrity, quality and legality of the Personal Data, and, insofar as the Personal Data have been provided by or on behalf of Controller, for the ways in which the Controller has gathered the Personal Data and the obtained required consents. Data Processor is under no duty to investigate the completeness, accuracy or sufficiency of the Personal Data
4.3. Controller will immediately inform Data Processor of a Data Subject request which would have the effect of no longer allowing or restricting the Processing of Personal Data subject to this DPA or the Main Agreement, in particular any request of opposition, deletion or erasure, or restriction of the data processing.
5. Audit and compliance
5.1. At Controller’s request, Data Processor makes available to Controller the information necessary to demonstrate compliance with the Data Protection Laws, in a commonly used and machine-readable format.
5.2. In case of an audit undertaken by a competent supervisory authority or a claim of a Data Subject against Data Processor or Controller, parties shall provide reasonable assistance to each other (insofar as not prohibited by law) with regard to the verification or defense of a claim or fine and compliance with any instructions of the competent supervisory authority.
5.3. In the event of an official request by a competent supervisory authority, or, in case Controller has reasonable grounds to assume that a Data Breach has taken place, Controller may, subject to a 15-day notice period, audit Data Processor’s compliance with this DPA, including the security measures. The audit shall be carried out on behalf of and at the cost of Controller by a neutral third party with adequate expertise and experience and shall cover all processing services provided by the Data Processor in the 12 months preceding the audit, unless a longer period is reasonably justified. The audit shall be performed according to a general standard, such as the ISAE 3402 standards and shall result in an audit report.
5.4. Within 2 weeks of completion of the audit, Controller provides a confidential and complete copy of the audit report. Data Processor shall ensure that any shortcomings and issues reported in the audit report are addressed adequately and in a timely manner.
5.5. Controller shall ensure that the auditor is bound by confidentiality of its findings vis-à-vis third parties. Controller shall ensure that its auditors are reasonably committed to limiting any interruption of the business processes of Data Processor to a minimum.
5.6. If the Processing under the DPA, or the Main Agreement, is deemed unlawful by a supervisory authority, or has become unlawful as a result of a change in the law or the interpretation thereof, both parties shall promptly take steps to ensure compliance with applicable Data Protection Law.
6.1. Controller consents that Data Processor shall be entitled to subcontract Data Processor’s obligations to Subcontractors specified in this DPA. Controller approves the Subcontractors listed that are currently used by Data Processor (See Subprocessors)
6.2. Prior to adding new Subcontractors or replacing existing Subcontractors, Data Processor shall inform Controller thereof and provide a reasonable deadline to Controller to object for important reasons. If Controller does not object within the deadline, the consent to add or replace Subcontractors shall be deemed to be given.
6.3. Data Processor undertakes in the Subcontractor agreement to provide for the same level of protection for Personal Data as set out in this DPA.
7.1. The limitation of liability agreed between the Parties in the Main Agreement shall also apply to this DPA, unless otherwise expressly agreed. Damages covered by the agreed limitation of liability also cover fines imposed under Data Protection Laws. In the event the Main Agreement contains no such limitation of liability, the Processors liability shall be limited to the sums paid by Controller in the 12 months prior to the event giving rise to the liability.
7.2. Controller acknowledges that Data Processor is relying on Controller’s instructions for direction as to the extent to which Data Processor is entitled to use and process Personal Data. Consequently, Data Processor will not be liable for any claims or fines arising from any act or omission by Data Processor, to the extent that such act or omission resulted directly from Controller’s instructions.
8.1. This DPA has been entered into for an indefinite period of time and ends at the time of termination of the Main Agreement or, as far as necessary in order to comply with the terms of the DPA and / or, if agreed upon in the Main Agreement, at a later agreed date.
8.2. Unless otherwise agreed between the Parties, in the event of termination of this DPA, the Data Processor will promptly return all the Personal Data provided to it by Controller and safely destroy all digital copies of Personal Data.
8.3. If, in the reasonable opinion of the Data Processor, a statutory obligation of the Data Processor prohibits or limits the entire or partial return or destruction of the Personal Data by Data Processor, it shall notify the Controller in writing as soon as possible of the statutory obligation, providing all relevant information reasonably required by Controller to determine if this obligation applies.
8.4. In the event of a prohibition to delete data entirely or partially, the Data Processor will continue to care for the confidentiality of the Personal Data and will not process the Personal Data except in compliance with its above-mentioned statutory obligation or upon written instruction from the Controller.
9.1. If one or more provisions of this DPA prove to be invalid, this rest of the DPA will remain in force. The parties will in mutual consultation replace the invalid provisions with valid provisions that approach the meaning of the replaced provision as much as possible.
9.2. If changes to the Processed Personal Data and / or the controls listed in Annex 1 mandate a change in the agreed provisions of this DPA or the Main Agreement, the Parties shall, by mutual agreement, amend the applicable provisions. The remainder of this DPA shall stay in force.
9.3. In the event of a conflict between the DPA and the Main Agreement, the provisions of this DPA shall prevail.
EXECUTES by and on behalf of:
Name :Peter de Vos
Role : CTO
Email : firstname.lastname@example.org
Date : July 15, 2020
EXECUTED by and on behalf of:
Company name :
Information Security Controls Summary
This Annex forms part of the DPA.
ChatShipper currently observes the Security Measures described in this Annex 1. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: ChatShipper hosts its Service with outsourced cloud infrastructure providers. Additionally, ChatShipper maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. ChatShipper relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: ChatShipper hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: ChatShipper implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.
ii) Preventing Unauthorized Product Use
ChatShipper implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: ChatShipper implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in ChatShipper’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
Penetration testing: ChatShipper maintains relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of ChatShipper’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Compliance: All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: ChatShipper makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the ChatShipper products. ChatShipper’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: ChatShipper stores user passwords following policies that follow industry standard practices for security. ChatShipper has implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: ChatShipper designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. ChatShipper personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: ChatShipper maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, ChatShipper will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to the Customer will be in accordance with the terms of the DPA or Agreement.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.5% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
ChatShipper’s products are designed to ensure redundancy and seamless fail-over. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists ChatShipper operations in maintaining and updating the product applications and backend while limiting downtime.