Data Processing Agreement
This is us, Sleeknote, we process the data for you the controller
This is you, the Sleeknote user, that controls the data for the data subject
The visitor on your website about whom data is gathered
1. Background and Purpose
The Controller has subscribed to services under the Processor’s subscription terms and conditions (the “Main Agreement”), and the Processor delivers an e-mail subscription service to the Controller by providing lead capture forms (“Sleeknotes”). When providing these services to the Controller, the Processor processes personal data for which the Controller is responsible, thus the Processor processes personal data on behalf of the Controller.
We provide you a service. In doing so, we handle personal data you’re responsible for (e.g. email addresses) on your behalf.
This Agreement constitutes an appendix to the Main Agreement entered into between the Parties. In the event of conflicts between the agreements, this Agreement shall take precedence.
We’ve added this Agreement to our Terms and Conditions. If the two agreements are in conflict, the processing agreement (DPA) will take precedence over the Terms and Conditions.
The Parties have entered into this Data Processor Agreement (“Agreement”) in order to fulfil the requirement of a written agreement between a data controller and a data processor of personal data as set out in section 28(3) of the EU General Data Protection Regulation 2016/679 (the “GDPR”).
EU General Data Protection Regulation (GDPR) regulations require a DPA is signed between you and us.
The scope of this Agreement is to govern the relationship between the Controller and the Processor.
This agreement is for both of us and describes what we can and can’t do with your personal data.
3. Processing of Data
The Processor may only process personal data under the instructions of the Controller. The Controller’s instructions at the time of entry into this Agreement are set forth in Appendix 1, thus the Processor may only process the categories of personal data and data regarding the data subjects as listed in Appendix 1.
We may only handle data under your instructions. The instructions and a description of the data are available in Appendix 1. We may only process the categories of personal data and data regarding the data subjects as listed in Appendix 1.
The Controller is responsible for obtaining the data subject’s consent to the processing of data in question in accordance with article 7 and article 8 of the GDPR.
It is up to you to get consent from your visitors on your website to collect and process the data.
The Processor is not entitled to process the Controller’s personal data for any other purposes than the ones set forth in Appendix 1, as amended from time to time, unless the Controller has given prior written consent to the processing in question.
We can’t use your data for anything other than what is described in Appendix 1, unless you give us written consent to the processing in question.
Upon written request from the Controller, the Processor must correct, block or delete personal data, which is incorrect or incomplete.
Upon written request from you, we must correct, block or delete personal data, which is incorrect or incomplete.
Upon written request from the Controller, the Processor must present the necessary documentation proving that the processing of personal data is carried out in accordance with the applicable data protection laws and the GDPR, thus the Processor must keep records of its processing activities.
If you write us asking for documentation that proves we handle data according to the GDPR, we will give that to you.
The Processor must assist the Controller in fulfilling its legal obligations under GDPR chapter 3 concerning the rights of the data subject. If the Processor receives a request from a data subject for access to the data subject’s registered personal data, or a data subject objects to the processing of his or her personal data, the Processor must inform the Controller of the request or objection without undue delay.
If one of your visitors wants to know what data you’ve collected about them, we must help you get it.
The Processor must delete personal data, copies and records thereof when it is no longer reasonably necessary to perform the Processor’s obligations under the Main Agreement. In any case the Processor deletes the personal data collected on behalf of the Controller when the data has been stored with the Processor for 3 months. If the Controller wishes for the Processor to keep processing the data past these 3 months, it rests with the Controller to provide the Processor with the necessary documentation proving a substantiated purpose for extended processing.
If you stop using Sleeknote, we must delete your data. In any case, we will delete your collected data after three months. If you don’t want us to delete collected data after three months, you have to provide us with documentation explaining why.
4. Use of Sub Processors
The Processor may only use sub processors when this is authorized by the Controller.
By signing this agreement, you agree that Sleeknote can use Amazon Cloud and Google Cloud services.
By signing this Agreement, you authorize us to use the sub processors listed in Appendix 1.
Before the Processor engages a new sub processor, the Processor shall notify the Controller thereof and provide information about the new sub processor’s name and location for processing. If the Controller has a reasonable basis to object to the Processor’s use of a new sub processor and therefore wishes to terminate this Agreement and the Main Agreement, the Controller shall notify the Processor within 10 business days after receipt of the Processor’s notice.
If we want to use another service like Amazon Cloud, we must notify you and tell you who they are and where they’re based. If you don’t want us to use a new service, you have 10 days to say so and to stop using Sleeknote as a service.
The Processor does not use sub processors established outside the EU/EEA.
We do not use services that are outside of EU.
The Processor ensures that any sub processor engaged by the Processor to carry out specific processing activities on behalf of the Controller is bound by data protection obligations no less stringent than the ones set forth in this Agreement. If the sub processor fails to fulfil its data protection obligations, the Processor is liable to the Controller for the performance of the sub processor’s obligations.
We ensure that any sub processor we use to carry out specific processing activities on your behalf is bound by data protection obligations as stringent as the ones outlined in this Agreement. If the sub processor fails to fulfill its data protection obligations, we are liable to you for the performance of the sub processor’s obligations.
Upon the Controller’s request, the Processor must provide the Controller with sufficient information to assure the Controller that the sub processors engaged by the Processor have taken the necessary technical and organizational security measures.
You can request us to provide documentation that Amazon and Google have necessary security.
All employees employed by the Processor receive appropriate training, adequate instructions and guidelines for processing personal data.
The Processor must limit access to personal data to the relevant employees and ensure that these are authorized to process the personal data.
The Processor must ensure that the employees of the Processor, who process personal data, are bound by adequate confidentiality obligations. Such obligations shall survive the termination of this Agreement.
We train all Sleeknote employees to handle your personal data right.
Only relevant Sleeknote employees have access to your data. This includes case managers in Customer Success and senior developers in Development.
We must ensure that all Sleeknote employees treat your data with confidentiality, even if you are not using Sleeknote anymore.
The Controller is entitled to, at its own cost, take proportionate and commercially reasonable measures to validate the Processor’s compliance with this Agreement, either by itself or by using a third party to conduct the audit.
You can audit us to ensure we’re living up to this agreement.
If the Controller takes on a third party to conduct the audit on behalf of the Controller, the Controller must ensure that the third party carrying out the audit enters into a non-disclosure agreement and that such third party takes necessary security measures when conducting the audit.
If you pay a third party to conduct an audit, you have to make sure that they are under a non-disclosure agreement (NDA). Further, they need to handle your data securely when performing the audit.
Audits must be conducted during the Processor’s business hours and the Processor must be notified of planned audits within reasonable time prior to the audit. The audit shall not grant the Controller access to the Processor’s trade secrets or proprietary information unless this is required in order for the Controller to comply with the applicable data protection law.
The audit has to happen between 08:00 and 16:00 on work days. Further, you need to inform us about the audit within a reasonable time. You will not get access to our business secrets unless they regard your data. Those are for our eyes only.
7. Data Transfer
The Processor is not entitled to transfer or hand over data to third parties or sub processors without prior written instruction hereto from the Controller, unless such transfer or handing over is provided by law.
We are not entitled to transfer or hand over data to third parties or sub processors without your prior written instruction, unless such transfer or handing over is provided by law.
The Processor does not transfer personal data to countries outside the EU/EEA.
Your data is not transferred to countries outside the EU.
8. Security Measures
The Processor must take the necessary technical and organizational security measures to ensure a level of security in accordance with the GDPR and appropriate to the risk presented to the processing and the nature of the personal data to be protected, having regard to the state of the art and the cost of their implementation. The measures shall take into account the requirements set out in article 32 of the GDPR and include but not be limited to:
- 8.1.1 safeguarding personal data against being destroyed accidentally or illegally, lost, altered, damaged or made known to unauthorized persons, misused or in any other way illegally processed,
- 8.1.2 taking measures to prevent transfers to any unauthorized person or entity,
- 8.1.3 ensuring that records are maintained of access to personal data, and
- 8.1.4 taking measures to ensure personal data remains available.
We have to make sure your data is not destroyed, lost, altered, or accessed by unauthorized persons.
And that your data is not transferred to unauthorized persons, that we log access to data and that your data remains available to you.
Security measures taken by the Processor are stated in Appendix 2.
You can read more about what we do to protect your data in Appendix 2.
The Processor shall periodically assess data security risks related to the provisioning of the services to the Controller.
We will always search for security risks in our service.
Upon the Controller’s request, the Processor must provide the Controller with sufficient information to assure the Controller that the Processor has taken the necessary technical and organizational security measures.
You can ask for documentation for what steps we are taking to secure your data.
9. Breach of Data Security
The Processor must notify the Controller of personal data security breaches, operational malfunctions or suspected security breaches relating to the processing of personal data without undue delay and within 24 hours after the security breach has been discovered, unless the Processor is able to demonstrate that the data security breach is unlikely to result in a risk to the rights and freedoms of data subjects.
If we detect security breaches like hacking or that our service has become unavailable, we have to inform you within 24 hours. That is unless we can show that the issue is unlikely to have an impact on the people you control the data for.
9.2 The notification in clause 9.1 must (if relevant) contain:
- 9.2.1 a description of the data security breach including the categories and approximate amount of data and data subjects concerned,
- 9.2.2 the name and contact details of the Processor’s data protection officer,
- 9.2.3 a description of the likely consequences of the data security breach,
- 9.2.4 a description of the measures taken or proposed to be taken by the Controller to address the data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
We have to notify you about the data, who, what, how much and possible consequence of a data breach. You will also get contact info about the person you should talk to about this. We will also describe what we are doing to address the breach.
If we cannot give you the information at the same time, we can give it in parts as soon as they are ready.
The Processor shall document any data security breaches. The documentation shall only include information necessary for the Controller to verify compliance with the applicable data protection law to the relevant supervisory authority.
We will document any security breaches. The documentation will only include information needed to prove to the supervisory authority, Datatilsynet in Denmark, that we abide by the law.
The Controller is responsible for notifying the relevant supervisory authority about the data security breach.
You must inform Datatilsynet in Denmark about any security breaches.
10. Limitation of Liability
Pursuant to article 82(2) of the GDPR, the Processor shall only be liable for damage caused by processing where the Processor has not complied with obligations of the GDPR specifically directed to processors or where the Processor has acted outside or contrary to this Agreement.
We are only liable for damage caused by processing where we have not complied with obligations of the GDPR specifically directed to us or where we have acted outside or contrary to this Agreement.
The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
We are not responsible for damage if we can prove that we are not responsible.
The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of or relating to this Agreement shall not exceed the total paid-in fee from the Controller to the Processor within the 12 months previous to the date the claim is first brought against the Processor.
If we are responsible, we can be required to pay up to 12 months of your subscription back to you.
If the Controller, against the regulations set forth in Appendix 1, collects sensitive personal data and thus makes the Processor process such information, the Controller undertakes to indemnify and hold the Processor harmless for any and all damages and losses incurred by the Processor due to the Controller’s breach of the Agreement.
You cannot use Sleeknote to collect sensitive personal data. If you do so, you will be held responsible for Sleeknote’s losses caused by such collection.
Any amendments to this Agreement must be in writing and signed by the Parties in order to be binding.
If anything changes with this agreement, then those changes also have to be in writing and signed.
13. Term and Termination
This Agreement shall enter into force on the date of signing and shall remain in force for as long as the Processor processes personal data on behalf of the Controller.
This Agreement will enter into force on the date you sign it. Further, it will remain in force for as long as we process personal data on your behalf.
Upon termination of the Main Agreement, this Agreement will be terminated accordingly.
If you end your subscription with Sleeknote, it will also cancel this agreement.
If one of the Parties is in breach of this Agreement, the other Party shall be entitled to terminate this Agreement with a written notice of 10 business days. If the Party in breach has not remedied the breach within 10 business days, the Party not in breach is entitled to terminate the Agreement on the date stated in the 10 day-notice.
If any of us breach the agreement, the other can end the contract within 10 days.
Upon termination of this Agreement, the Controller must notify the Processor to delete or return the personal data. The Processor is obliged to destroy or return the personal data as requested, unless legislation imposed upon the Processor prevents it from destroying or returning all or parts of the personal data. The Controller must allow for a period of 30 days in order for the Processor to complete the full deletion of personal data.
If you end your Sleeknote subscription, you must inform us to also delete your data. (This will also happen automatically after three months.) We are then obliged to delete your data unless required by law not to. If you ask us to delete the data, it can take up to 30 days.
14. Governing Law and Disputes
Any disputes arising from this Agreement must be resolved and governed as agreed in section 12 of the Main Agreement, the only amendment being that this Agreement is governed by the GDPR in addition to Danish law.
If we end up disputing this agreement, the courts in Aarhus, Denmark will handle the dispute.