General Data Protection Regulation

Dear Customers,

Protection of personal data has always been a top priority for Templafy and we welcome the new General Data Protection Regulation (GDPR) that will come into effect on May 25th 2018. One GDPR requirement is that we must describe how we ensure GDPR compliance and commit to this in a data processor agreement with our customers.

Some of you already have individual data processor agreements with Templafy and for those who do not, the following Data Processor Agreement will govern this important part of our relationship.

Best regards,

Jesper Theill Eriksen
CEO, Templafy

Data Processing Agreement

BETWEEN

Templafy ApS

CVR No.: 25662946
Østergade 36, 3
1100 København
Denmark

(the “Data Processor”)

AND

Each individual Templafy Customer that Templafy ApS processes data for and that has not otherwise entered into a valid data processor agreement with Templafy ApS

(the “Data Controller”)

(hereinafter referred to individually as a “Party” or together as the “Parties”)

1. INTRODUCTION

This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the quote, service agreement or other agreement between the Parties (“the Agreement”).

The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, the DPA will prevail.

2. PURPOSE, SCOPE AND RESPONSIBILITIES

2.1 The Data Processor shall only process personal data in accordance with the terms of this DPA.

2.2 The Data Processor shall process personal data for the limited purpose of performing the obligations set out under the Agreement.

2.3 Data processing by the Data Processor shall include such actions as may be specified in the Agreement.

2.4 The term of this DPA shall continue until the later of the following: the termination of the Agreement, or the date on which the Data Processor ceases to process personal data for the Data Controller.

3. DATA FLOW

3.1 The Data Processor is a software development company, assigned by the Data Controller to make available to the Data Controller software as a service for supporting the creation of business documents. The content of this DPA reflects the limited amount of personal data the Data Processor handles for the Data Controller.

3.2 A general list of the data processed by the Data Processor can at any time be obtained upon request to the Data Processor.

3.3 In no event will the data processed by the Data Processor include (examples are not exhaustive):

  • Personal data as set out in art. 7 or 8 in the Danish Personal Data Protection Act,
  • Personal data as set out in art. 9 or 10 in Regulation 2016/679 of 27 April 2016,
  • Financial data,
  • Personal data regarding criminal offences, or
  • Data regarding persons’ economy, taxes, debt, sick days, family relations, residential circumstances, car, personality tests, exams or CVs.

3.4 The Data Processor’s data flow is described in Exhibit 1 (the “Data Flow”).

4. OBLIGATIONS OF DATA PROCESSOR

The Data Processor warrants that the Data Processor will:

1) comply with the Data Protection Legislation from time to time applicable to the Data Processor’s obligations under the Agreement (“Data Protection Legislation”),

2) process any personal data transferred to or collected by the Data Processor only as a ‘processor’, as such term is defined in the Data Protection Legislation, on behalf of the Data Controller,

3) implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the applicable Data Protection Legislation and ensure the protection of the rights of the data subjects,

4) ensure that Sub-processors undertake to process personal data in accordance with the Data Protection Legislation,

5) taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights according to the Data Protection Legislation,

6) to the relevant extent, assist the Data Controller in ensuring compliance with the requirements for security of personal data,

7) make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections of facilities under the control of the Data Processor, conducted by the Data Controller or an auditor mandated by the Data Controller.

5. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

5.1 The Data Processor will implement and maintain throughout the term of the DPA, and will procure its Sub-processors to implement and maintain throughout the term of the DPA, the appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Legislation.

5.2 The Data Processor will ensure that it and its Sub-processors involved in the processing of personal data at all times comply with the minimum data security requirements set out in Exhibit 2.

6. PERSONNEL

6.1 The Data Processor will procure that any personnel of the Data Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

6.2 The Data Processor will procure that all personnel of the Data Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.

6.3 The Data Processor’s personnel’s undertaking to abide by such confidentiality requirements will continue after the end of the term of this DPA.

7. ADDITIONAL RESPONSIBILITIES OF THE DATA PROCESSOR

7.1 To the extent possible, the Data Processor will:

7.1.1 Notify the Data Controller without undue delay of any monitoring activities and measures undertaken by a supervisory authority pursuant to Data Protection Legislation, if such monitoring activities and measures pertain to the data processed under the Agreement;

7.1.2 Notify the Data Controller in writing within five (5) business days if it receives (i) a request from a data subject to have access to that person’s personal data; or (ii) a complaint or request relating to the Data Controller’s obligations under the Data Protection Legislation.

8. SUB-PROCESSORS

8.1 The Sub-processors approved at the signing of this DPA are listed in Exhibit 3.

8.2 The Data Processor is authorized to engage further or other Sub-processors if deemed relevant or necessary by the Data Processor for the purpose of performing the Data Processor’s obligations under the Agreement. In such case, the Data Processor will notify the Data Controller at least 30 days prior to the engagement of further or other Sub-processors. The Data Controller may object to such new Sub-processor for justified reasons. In the case of a justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such an alternative solution cannot be found and the Data Processor decides to proceed with such Sub-processor, the Data Controller can terminate the Agreement with a notice of 30 days. Neither of the Parties shall be considered in breach of contract in the event of such termination.

8.3 Where the Data Processor sub-contracts its obligations, as described above, it shall do so only by way of a written agreement with the Sub-processor which requires the Sub-processor to comply with the obligations of the Data Protection Legislation.

8.4 The Data Processor may only transfer personal data within the EU/EEA or to countries that have been recognized by the EU Commission as ensuring an adequate level of data protection. The Data Processor may not transfer data outside these countries without the prior written approval of the Data Controller. In the event such approval is granted, the Data Processor undertakes to comply with the requirements of the Data Protection Legislation for transfer out of the EU/EEA, e.g. by use of the Commission’s model contracts, Privacy Shield Institute, consent from the data subjects or similar, to the extent applicable.

8.5 At the signing of this DPA, approval for transfer of personal data out of the EU/EEA, cf. section 8.4, has been given for transfer to the Sub-processors listed in Exhibit 3.

8.6 A list of the Sub-processors engaged by the Data Processor and a copy of the data processing agreement(s) between the Data Processor and the Sub-processors can at any time be obtained upon request to the Data Processor.

9. OBLIGATIONS OF THE DATA CONTROLLER

9.1 The Data Controller and the Data Processor will be separately responsible for conforming with the Data Protection Legislation as applicable to them.

9.2 The Data Controller will inform the Data Processor in writing without undue delay following the Data Controller’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this DPA.

10. NOTIFICATION OF DATA BREACH

10.1 The Data Processor shall notify the Data Controller in writing without undue delay in case of any identified or potential breach of personal data processed under the DPA.

10.2 The notification referred to in section 10.1 must, to the extent possible:

a) describe the nature of the personal data breach (e.g. loss, theft, copying) including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,

b) communicate the name and contact details of the person at the Data Processor from whom more information can be obtained,

c) describe the likely consequences of the personal data breach, and

d) describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

11. DELETION OF PERSONAL DATA

11.1 Following the end of the term or termination of the Agreement, the Data Processor will destroy all personal data processed for the Data Controller that is in the Data Processor’s possession or control, unless requirements arising from the Data Protection Legislation require storage of the personal data.

11.2 Upon the Data Controller’s request, the Data Processor shall certify in writing the destruction of the personal data.

12. SIGNATURES

Signed for and on behalf of the Data Processor

Date: April 30, 2018

Name: Jesper Theill Eriksen

Title: CEO

EXHIBIT 1: DATA FLOW

This Exhibit 1 sets out the data flow between the Data Controller and the Data Processor under the DPA.

The Data Processor’s service is a global and generic multi-tenant Software-as-a-Service solution that is hosted in the Microsoft Azure Cloud.

The Data Processor’s data flow can be illustrated as follows:


EXHIBIT 2: DESCRIPTION OF MINIMUM DATA SECURITY

The Data Processor will by itself, and shall ensure that all of its Sub-processors, at all times comply with the following minimum security requirements:

1.1.1 Availability

The Data Processor has implemented the necessary security measures to ensure that data is available, e.g. through use of anti-virus and DDoS mitigation technologies etc.

1.1.2 Integrity

The Data Processor has implemented the necessary security measures to ensure that data is authentic and has not been maliciously or accidentally altered during processing, storage or transmission, e.g. through backups and authentication codes and signatures.

1.1.3 Confidentiality

The Data Processor has implemented the necessary security measures to ensure the confidentiality of personal data, including, e.g., encryption technologies, training programs, authorization, contractual clauses etc.

1.1.4 Isolation (purpose limitation)

The Data Processor has implemented the necessary procedures and controls to ensure that personal data is only accessed and used for legitimate purposes, e.g. through access management, division of roles and responsibilities etc.

1.1.5 Portability

The Data Processor has ensured the portability of personal data, e.g. through use of standardised or open data formats and interfaces.

1.1.6 Accountability

The Data Processor has implemented the necessary technical and organisational measures to ensure accountability and traceability of the processing of personal data, e.g. through use of logging, self-auditing etc.

1.1.7 Physical security

The Data Processor’s business is cloud based and the Data Processor does not use or provide physical storage of personal data. Such locations are provided by Sub-processors, as described in Exhibit 3.

EXHIBIT 3: SUB-PROCESSORS

This Exhibit 3 sets out the data entailed by the Data Processor’s and its Sub-processors’ processing of personal data under the DPA.

Name: Microsoft Azure
Microsoft Ireland Operations Ltd, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland
Data processing at Azure Data Centers in Dublin, Ireland and Amsterdam, the Netherlands

Personal data types:
  • External Company IP Address
  • Work Company
  • Work e-mail address
  + other properties that the Data Controller configures Templafy to process, e.g.:
  • Name
  • Work Title
  • Work Phones
  • Work Location
  • etc.

Description:
Templafy uses available features and services of Microsoft Azure to process and store the mentioned data types.

The Microsoft Azure platform is trusted by the US Military and 85% of Fortune 500 companies for core IT infrastructure. Microsoft data centres are state of the art with regard to security processes.

Please refer to https://azure.microsoft.com/en-us/support/trust-center/ for more information on Microsoft Azure certifications, compliance and security processes.

Microsoft is part of the EU/US Privacy Shield and complies with international data protection laws regarding transfers of customer data across borders.

Name: Microsoft PowerBI
Microsoft Ireland Operations Ltd, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland
Data processing at Azure Data Centers in Dublin, Ireland and Amsterdam, the Netherlands

Personal data types:
  • External Company IP address
  • Work company
  • Anonymized Work e-mail address

Description:
Templafy uses Microsoft PowerBI for usage statistics.

PowerBI is a Microsoft Service running on Microsoft Azure.

Please refer to https://www.microsoft.com/en-us/trustcenter/cloudservices/powerbi for more information on Microsoft PowerBI certifications, compliance and security processes.

Microsoft is part of the EU/US Privacy Shield and complies with international data protection laws regarding transfers of customer data across borders.