Sleeknote DPA

Data Processing Agreement

Below you will find each section in our Data Processing Agreement and our attempt to humanly translate the legal talk. Do note that the humanly translated sections are not legally binding. The legal talk still is, and you should still read and understand the DPA in its original form. This is our attempt to help you understand the DPA, but we are not lawyers.

To help you further understand the DPA, there are 3 words you will need to understand:

Processor
This is us, Sleeknote. We process the data for you, the controller.

Controller
This is you, the Sleeknote user, who controls the data for the data subject.

Data Subject
The visitor on your website about whom data is gathered.

1. Background and Purpose

Humanly translated

We provide you a service. In doing so, we handle personal data you’re responsible for (e.g. email addresses) on your behalf.

Humanly translated

We’ve added this Agreement to our Terms and Conditions. If the two agreements are in conflict, the processing agreement (DPA) will take precedence over the Terms and Conditions.

Humanly translated

The EU General Data Protection Regulation (GDPR) requires that a DPA is signed between you and us.

2. Scope

Humanly translated

This agreement is for both of us and describes what we can and can’t do with your personal data.

3. Processing of Data

Humanly translated

We may only handle data under your instructions. The instructions and a description of the data are available in Appendix 1. We may only process the categories of personal data and data regarding the data subjects as listed in Appendix 1.

Humanly translated

It is up to you to get consent from your visitors on your website to collect and process the data.

Humanly translated

We can’t use your data for anything other than what is described in Appendix 1, unless you give us written consent to the processing in question.

Humanly translated

Upon written request from you, we must correct, block or delete personal data, which is incorrect or incomplete.

Humanly translated

If you write us asking for documentation that proves we handle data according to the GDPR, we will give that to you.

Humanly translated

If one of your visitors wants to know what data you’ve collected about them, we must help you get it.

Humanly translated

If you stop using Sleeknote, we must delete your data. In any case, we will delete your collected data after three months. If you don’t want us to delete collected data after three months, you have to provide us with documentation explaining why.

4. Use of Sub Processors

Humanly translated

By signing this Agreement, you authorize us to use the sub processors listed in Appendix 1.

Humanly translated

If we want to use another service like Amazon Cloud, we must notify you and tell you who they are and where they’re based. If you don’t want us to use a new service, you have 10 days to say so and to stop using Sleeknote as a service.

Humanly translated

We do not use services that are outside of the EU.

Humanly translated

We ensure that any sub processor we use to carry out specific processing activities on your behalf is bound by data protection obligations as stringent as the ones outlined in this Agreement. If the sub processor fails to fulfill its data protection obligations, we are liable to you for the performance of the sub processor’s obligations.

Humanly translated

You can ask us to provide documentation that Amazon and Google have the necessary security.

5. Confidentiality

Humanly translated

We train all Sleeknote employees to handle your personal data right.
Only relevant Sleeknote employees have access to your data. This includes case managers in Customer Success and senior developers in Development.
We must ensure that all Sleeknote employees treat your data confidentially, even if you are not using Sleeknote anymore.

6. Audits

Humanly translated

You can audit us to ensure we’re living up to this agreement.

Humanly translated

If you pay a third party to conduct an audit, you have to make sure that they are under a non-disclosure agreement (NDA). Further, they need to handle your data securely when performing the audit.

Humanly translated

The audit has to happen between 08:00 and 16:00 on work days. Further, you need to inform us about the audit within a reasonable time. You will not get access to our business secrets unless they regard your data. Those are for our eyes only.

7. Data Transfer

Humanly translated

We are not entitled to transfer or hand over data to third parties or sub processors without your prior written instruction, unless such transfer or handing over is provided by law.

Humanly translated

Your data is not transferred to countries outside the EU.

8. Security Measures

Humanly translated

We have to make sure your data is not destroyed, lost, altered, or accessed by unauthorized persons.
We also have to make sure that your data is not transferred to unauthorized persons, that we log access to data, and that your data remains available to you.

Humanly translated

You can read more about what we do to protect your data in Appendix 2.

Humanly translated

We will always search for security risks in our service.

Humanly translated

You can ask for documentation for what steps we are taking to secure your data.

9. Breach of Data Security

Humanly translated

If we detect security breaches like hacking or that our service has become unavailable, we have to inform you within 24 hours. That is unless we can show that the issue is unlikely to have an impact on the people you control the data for.

Humanly translated

We have to notify you about the data (who, what, how much) and the possible consequences of a data breach. You will also get contact info for the person you should talk to about this. We will also describe what we are doing to address the breach.

If we cannot give you the information at the same time, we can give it in parts as soon as they are ready.

Humanly translated

We will document any security breaches. The documentation will only include information to prove we abide by the law and the supervisory authority, Datatilsynet in Denmark.

Humanly translated

You must inform Datatilsynet in Denmark about any security breaches.

10. Limitation of Liability

Humanly translated

We are only liable for damage caused by processing where we have not complied with obligations of the GDPR specifically directed to us or where we have acted outside or contrary to this Agreement.

Humanly translated

We are not responsible for damage if we can prove that we are not responsible.

Humanly translated

If we are responsible, we can be required to pay up to 12 months of your subscription back to you.

11. Indemnification

Humanly translated

You cannot use Sleeknote to collect sensitive personal data. If you do so, you will be held responsible for Sleeknote’s losses caused by such collection.

12. Amendments

Humanly translated

If anything changes with this agreement, then those changes also have to be in writing and signed.

13. Term and Termination

Humanly translated

This Agreement will enter into force on the date you sign it. Further, it will remain in force for as long as we process personal data on your behalf.

Humanly translated

If you end your subscription with Sleeknote, it will also cancel this agreement.

Humanly translated

If either of us breaches the agreement, the other can end the contract within 10 days.

Humanly translated

If you end your Sleeknote subscription, you must inform us to also delete your data. (This will also happen automatically after three months.) We are then obliged to delete your data unless required by law not to. If you ask us to delete the data, it can take up to 30 days.

14. Governing Law and Disputes

Humanly translated

If we end up disputing this agreement, the courts in Aarhus, Denmark will handle the dispute.