Data policy

Common Questions, Platform Compatibility & Privacy Information

Discover how Humblytics delivers enterprise-grade analytics without cookies, developer dependencies, or performance impact. Complete technical specifications and privacy details for marketers and developers.

Data Processing Addendum

This Data Processing Addendum (“DPA”) is entered into between Humblytics, 14985427 CANADA INC., (the “processor”) and the customer (the “controller”) as an addendum to the Humblytics Terms of Service (“Principal Agreement”). It reflects the parties’ obligations regarding the processing of personal data under the EU General Data Protection Regulation (GDPR). In case of conflict between this DPA and the Principal Agreement, this DPA will prevail. 

For the processing of personal data by the processor on the instructions of the controller, and in order to comply with the requirements of Art. 28 (3) and (4) GDPR, the current standard contractual clauses based on the Implementing Decision of the EU Commission (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors pursuant to Art. 28 (7) GDPR (EU-SCC) apply.

The official EU SCC (EU-EEA) are available at 

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915&qid=1722242703169 

subject to the following conditions:

Clause 1 (a) applies OPTION 1 (Article 28 (3) and (4) GDPR).

Clause 5 will not apply.

In Clause 7.7, OPTION 2 will apply, and the time period for prior notification of subprocessor changes is set at 14 days.

In Clause 8 (c) no. 4, OPTION 1 is applied.

In Clause 9.1 (b), Clause 9.1 (c) and Clause 9.2, OPTION 1 is applicable in each case.

In the event of a transfer of personal data to a third country, the current standard contractual clauses based on the Implementing Decision of the EU Commission (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council apply.

The official EU SCC (Third Country) are available at 

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914

subject to the following conditions:

Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply (as applicable): 

  1. in Clause 7, the optional docking clause will not apply;

  2. in Clause 9, Option 2 will apply, and the time period for prior notification of subprocessor changes is set at 14 days;

  3. in Clause 11, the optional passage will not apply;

  4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by German law;

  5. in Clause 18 (b), disputes shall be resolved before the courts of Germany.

Annexes I-IV are part of this Data Processing Agreement.

ANNEX I AND ANNEX II (SCC EU-EEA), ANNEX I (SCC THIRD COUNTRY) LIST OF PARTIES, DESCRIPTION OF THE PROCESSING, DESCRIPTION OF TRANSFER AND COMPETENT SUPERVISORY AUTHORITY

A. LIST OF PARTIES

The parties are determined by the main contract (Principal Agreement).

B. DESCRIPTION OF THE PROCESSING AND DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is processed: Website visitors

Categories of personal data processed: IP-Address, user device characteristics

Nature of the processing: Technical processing of access data for statistical web analytics; data are pseudonymised or anonymised at the earliest possible stage

Purpose(s) for which the personal data is processed on behalf of the controller: Analysis of website usage to improve functionality and user experience

Description of the Transfer: Personal data are in principle processed within the European Union. Should any processing involve a transfer to a third country, such transfer will take place on the basis of these Standard Contractual Clauses (SCC Third country).

COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority pursuant to Clause 13 is the lead supervisory authority of the Data Exporter as determined under Art. 56 GDPR.

ANNEX III (SCC EU-EEA) / ANNEX II (SCC THIRD COUNTRY) - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. Physical Access Control

  • Access control system, badge reader  

  • Door locks  

  • Security doors / windows 

  • Alarm system  

  • Video surveillance 

  • Special protective measures for the storage of back-ups and/or other data carriers 

2. Digital Access Control

  • Personal and individual user log-in when logging on to the system or company network  

  • Authorization process for access permissions  

  • Limitation of authorized users  

  • Single sign-on 

  • Password procedure (specification of password parameters in terms of complexity and update interval) 

  • Electronic documentation of passwords and protection of this documentation against unauthorized access  

  • Personalized smart cards, tokens, PIN/TAN, etc.  

  • Logging the access  

  • Additional system log-in for certain applications  

  • Automatic locking of clients after a certain period of time without user activity (also password-protected screen saver or automatic pause)  

  • Firewall 

3. Data Access Control

  • Management and documentation of differentiated authorizations  

  • Conclusion of commissioned-processing contracts for the external care, maintenance and repair of data processing systems where the handling of personal data is part of the service, including remote maintenance

  • Evaluations/logging of data processing operations  

  • Authorization process for permissions  

  • Approval routines 

  • Non-reversible erasure of data carriers  

  • Privacy films for mobile data processing systems 

4. Transfer Control

  • Encryption of email or email attachments 

  • Secured file transfer 

  • Secure data transport 

  • Electronic signature  

  • Secured WLAN 

  • Data Loss Prevention (DLP) System  

  • Regulation on handling mobile storage media  

  • Logging of data transmission or data transport  

  • Logging of read accesses  

  • Logging the copying, modification, or removal of data 

5. Input Control

  • Access rights  

  • System-side logging  

  • Document Management System (DMS) with change history  

  • Security / logging software  

  • Functional responsibilities, organizationally defined responsibilities  

  • Multi-eye principle  

  • Data Loss Prevention (DLP) System 

6. Order Control

  • Agreement on commissioned processing with regulations on the rights and obligations of the contractor and client 

  • Process for issuing and/or following instructions  

  • Determination of contact persons and/or responsible employees  

  • Control/verification of order execution according to instructions  

  • Training/instruction of all employees with access rights at the contractor's premises 

  • Obligation of employees to maintain data secrecy 

7. Availability Control

  • Security concept for software and IT applications  

  • Back-Up Procedure  

  • Storage process for back-ups (fire-protected safe, separate fire compartment, etc.)  

  • Ensuring data storage in the secured network 

  • Fire and/or extinguishing water protection of the server room  

  • Fire and/or extinguishing water protection of the archiving premises  

  • Virus protection  

  • Firewall 

8. Separation Control

  • Storage of data records in physically separate databases  

  • Processing on separate systems  

  • Access permissions according to functional responsibility 

  • Multi-client capability of IT systems  

  • Use of test data; separation of development and production environments

9. Pseudonymization 

  • Personal data will be pseudonymized or anonymized at the earliest possible point in time 

10. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures

a) Data protection management 

  • Appointment of a data protection officer  

  • Obligation of employees to data secrecy 

  • Sufficient training of employees in data protection matters  

  • Keeping an overview of processing activities (Art. 30 GDPR) 

b) Incident response management

  • Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis the supervisory authorities (Art. 33 GDPR)

  • Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis data subjects (Art. 34 GDPR)

  • Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis contracting controllers (Art. 28 (3) sentence 2 (f) GDPR)

ANNEX IV (SCC EU-EEA) / ANNEX III (SCC THIRD COUNTRY) - LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

  1. Name, Address: Render Services Inc., 525 Brannan Street, Suite 300, San Francisco, CA 94107

Description of Processing: Hosting application servers & PostgreSQL DB (user accounts, app config, session tokens). Location: EU. Safeguards: DPA, EU-SCC, certified under the Data Privacy Framework.

  2. Name, Address: Tinybird, Inc., 41 East 11th Street, 11th floor, New York, NY 10003, USA

Description of Processing: Analytics metrics database (aggregated event data, anonymized IDs). Location: EU. Safeguards: DPA, EU-SCC.

  3. Name, Address: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München

Description of Processing: DNS, CDN, screenshot storage for heatmaps (website screenshot data). Location: EU.