This Data Processing Agreement (the “Agreement”) forms a part of Stape Europe OÜ Terms and Conditions (the “Master Agreement”).
The Parties agree that execution of the Master Agreement shall constitute execution of this Agreement by both Parties on the same date as the Master Agreement.
The party that has entered into the Master Agreement by accepting it (the “Controller”), on the one part, and
Stape Europe OÜ, a company incorporated under the laws of the Republic of Estonia, with a registered address at Väike-Paala 2, Tallinn 11415, Estonia (the “Processor”), on the other part,
hereinafter collectively referred to as the “Parties” and each separately as the “Party”, have concluded this Agreement about the following:
(A) The Processor provides the Services to the Controller in accordance with the Master Agreement.
(B) Due to the scope and subject-matter of the Master Agreement, it is necessary for the Processor to Process the Personal Data on behalf of the Controller.
(C) This Agreement sets out the additional terms, requirements and conditions on which the Processor shall Process the Personal Data on behalf of the Controller under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the GDPR for contracts between data controllers and data processors.
The Parties acknowledge that, as per definitions in the Data Protection Legislation, the Controller is a controller and the Processor is a processor, unless otherwise explicitly stated in the Agreement or annexes hereto.
The terms used in this Agreement have the following meaning:
“Data Protection Legislation” means all privacy and data protection laws applicable to the Processing, including the GDPR and any applicable national implementing laws, regulations and secondary legislation relating to the Processing of the Personal Data and the privacy of electronic communications, as updated, amended or replaced from time to time.
“Data Subject” means an individual who is a subject of the Personal Data.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person that is Processed by the Processor as specified in Annex A hereto; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed.
“Processing”, “Processes”, “Process” and “Processed” mean either any activity that involves the use of the Personal Data, or as the Data Protection Legislation may otherwise define, “processing”, “processes”, “process” or “processed”. The terms include any operation or set of operations performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as well as transferring the Personal Data to third parties.
“Regulation (EU) 2018/1725” means Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
“SCC” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
Any reference to “writing” or “written” includes faxes, email and electronic messaging services.
In the case of conflict or ambiguity between:
(a) any provision contained in the body of this Agreement and any provision contained in Annex A hereto, the provision in the body of this Agreement shall prevail;
(b) the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in Annex A hereto, the provision contained in Annex A hereto shall prevail.
2.1 The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consent, and for the Processing instructions it gives to the Processor.
2.2 Annex A hereto describes the subject-matter, duration, nature and purpose of the Processing, the Personal Data categories, the Data Subject categories in respect of which the Processor does the Processing, the Processor’s role, as well as the relevant security measures to be taken by the Processor.
3.1 The Processor shall only process the Personal Data in accordance with the Controller’s written instructions specified in Annex A hereto. The Processor shall not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Processor shall promptly notify the Controller if, in the Processor’s opinion, the Controller’s instructions would not comply with the Data Protection Legislation.
3.2 The Processor shall promptly comply with any of the Controller’s requests or instructions requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
3.3 The Processor shall maintain the confidentiality of all the Personal Data and shall not disclose the Personal Data to third parties, unless the Controller or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Processor to process or disclose the Personal Data, the Processor shall first inform the Controller of the legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4 The Processor shall reasonably assist the Controller with meeting the Controller’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Processor’s Processing and the information available to the Processor, including in relation to the Data Subject’s rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
3.5 The Processor shall promptly notify the Controller of any changes to the Data Protection Legislation that may adversely affect the Processor’s performance of the Master Agreement.
3.6 The Processor shall ensure that all its employees with access to the Personal Data:
(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Legislation relating to handling the Personal Data and how it applies to their particular duties; and
(c) are aware of both the Processor’s obligations and their personal obligations under the Data Protection Legislation and this Agreement.
3.7 The Processor shall take reasonable steps to ensure the reliability, integrity and trustworthiness of the employees with access to the Personal Data and conduct their background checks consistent with applicable law.
4.1 The Processor shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful Processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data.
4.2 The Processor shall implement such measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk involved.
4.3 The Controller hereby confirms that organisational and technical measures specified in Annex A hereto are sufficient and appropriate under the Data Protection Legislation and this Agreement.
5.1 The Processor shall promptly and without undue delay notify the Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Processor shall restore such Personal Data at its own expense.
5.2 The Processor shall immediately and without undue delay notify the Controller if the Processor becomes aware of:
(a) any accidental, unauthorised or unlawful Processing of the Personal Data; or
(b) any Personal Data Breach.
5.3 Where the Processor becomes aware of (a) and/or (b) of Clause 5.2 hereof, it shall, without undue delay, also provide the Controller with the following information:
(a) description of the causes and nature of (a) and/or (b) of Clause 5.2 hereof, including the categories and an approximate number of both the Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) description of the measures taken or proposed to be taken to address (a) and/or (b) of Clause hereof, including measures to mitigate the possible adverse effects.
5.4 Immediately, following any unauthorised or unlawful Processing of the Personal Data or the Personal Data Breach, the Parties shall coordinate with each other to investigate the matter. The Processor shall reasonably cooperate with the Controller in the Controller’s handling of the matter, including:
(a) assisting with any investigation;
(b) providing the Controller with physical access to any facilities and operations affected;
(c) facilitating interviews with the Processor’s employees, former employees and others involved in the matter;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all the Data Protection Legislation or as otherwise reasonably required by the Controller; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or the unlawful Processing of the Personal Data.
5.5 The Processor shall not inform any third party of any Personal Data Breach without first obtaining the Controller’s prior written consent, except when required to do so by law.
5.6 The Processor agrees that the Controller has the sole right to determine:
(a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to the affected Data Subjects, including the nature and extent of such remedy.
5.7 The Processor shall cover all reasonable expenses associated with the performance of the obligations under Clauses 5.2 and 5.4 hereof, unless the matter arose from the Controller’s specific instructions, negligence, wilful default or breach of this Agreement, in which case the Controller shall cover all reasonable expenses.
6.1 The Controller hereby authorises the Processor to transfer or otherwise process the Personal Data outside the European Economic Area (the “EEA”) subject to conditions laid down in this Agreement.
6.2 The Processor may only process, or permit the Processing of, the Personal Data outside the EEA under one of the following conditions:
(a) the Processor Processes the Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The Processor shall identify in an additional annex hereto the territory that is subject to such an adequacy finding;
(b) the Processor takes, where appropriate, one of the safeguards specified by the Data Protection Legislation, notably by Article 46 GDPR.
6.3 If any Personal Data transfer between the Controller and the Processor requires the execution of the SCCs in order to comply with the Data Protection Legislation (where the Controller is the entity exporting the Personal Data to the Processor outside the EEA), the Parties shall complete all relevant details and take all other actions required to legitimise the transfer.
7.1 The Processor may not authorise a third party (subprocessor) to Process the Personal Data, unless all of the following conditions are met:
(a) the Controller has given a specific or general written authorisation to the engagement of the subprocessor(s);
(b) the Processor enters into a written contract with each of the authorised subprocessors that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures;
(c) at the Controller’s request, the Processor shall provide to the Controller a copy of such an agreement with the subprocessor and any subsequent amendments. To the extent necessary to protect a business secret or other confidential information, including the Personal Data, the Processor may redact the text of the agreement prior to sharing the copy;
(d) the Processor maintains control over all the Personal Data it entrusts to the subprocessor(s).
7.2 The Controller hereby gives a general authorisation to involve subprocessors to Process the Personal Data under this Agreement. In case the Processor intends to update the list of subprocessors engaged, the Processor shall inform the Controller in advance and provide the Controller with the information necessary to enable the Controller to exercise the right to object. The list of the authorised subprocessors is provided in Annex A to the Agreement.
7.3 Where the subprocessor fails to fulfil its obligations under such written agreement, the Processor remains fully liable to the Controller for the subprocessor’s performance of its obligations.
7.4 Where the Processor fails to fulfil its guarantees under Clause 7.1 hereof, the Processor shall indemnify all of the Controller’s arising direct and indirect damages.
8.1 The Processor shall, at no additional cost, take such technical and organisational measures as may be appropriate and promptly provide such information to the Controller, as the Controller may reasonably require, to enable the Controller to comply with:
(a) the rights of the Data Subjects under the Data Protection Legislation, including the Data Subjects’ access rights, the rights to rectify and erase the Personal Data, object to the Processing and automated Processing of the Personal Data, and restrict the Processing of the Personal Data; and
(b) information or assessment notices served on the Controller by any supervisory authority under the Data Protection Legislation.
8.2 The Processor shall notify the Controller immediately and without undue delay if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.
8.3 The Processor shall notify the Controller immediately and without undue delay when the Processor receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
8.4 The Processor shall provide the Controller with the Processor’s full cooperation and assistance in responding to any complaint, notice, communication or the Data Subject request in connection with the Personal Data Processed.
8.5 The Processor shall not disclose the Personal Data to any Data Subject or to a third party other than at the Controller’s request or instructions, as provided for in this Agreement or as required by law.
This Agreement shall remain in full force and effect so long as:
(a) the Master Agreement remains in effect, or
(b) the Processor retains any Personal Data related to the Master Agreement in the Processor’s possession or control (the “Term”).
10.1 Without prejudice to any provisions of the GDPR and/or the Regulation (EU) 2018/1725, in the event that the Processor is in breach of its obligations under this Agreement, the Controller may instruct the Processor to suspend the Processing of the Personal Data until the Processor complies with its obligations under this Agreement or the Agreement is terminated.
10.2 The Controller shall be entitled to terminate the Agreement if:
(a) the Processing of the Personal Data by the Processor has been suspended by the Controller pursuant to Clause 10.1 hereof and if compliance with the obligations under this Agreement is not restored within a reasonable time and in no event later than within 1 (one) month following suspension;
(b) the Processor is in substantial or persistent breach of its obligations under this Agreement or its obligations under the GDPR and/or the Regulation (EU) 2018/1725;
(c) the Processor fails to comply with a binding decision of a competent court or a competent supervisory authority regarding its obligations pursuant to this Agreement or the GDPR and/or the Regulation (EU) 2018/1725.
10.3 The Processor shall be entitled to terminate the Agreement where, after having informed the Controller that the Controller’s instructions infringe applicable legal requirements in accordance with Clause 3.1 hereof, the Controller insists on compliance with the instructions.
10.4 Any provision of this Agreement, which expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data, shall remain in full force and effect.
10.5 If a change in any Data Protection Legislation prevents either Party from fulfilling all or part of its Master Agreement obligations, the Parties shall suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of the Personal Data into compliance with the Data Protection Legislation within 2 (two) months, a Party may terminate the Master Agreement on written notice to the other Party.
11.1 At the Controller’s request, the Processor shall give the Controller a copy of or access to all or part of the Controller’s Personal Data in its possession or control in the format and on the media reasonably specified by the Controller.
11.2 Upon termination of the Master Agreement for any reason or expiry of its term, the Processor shall securely delete or destroy or, if directed in writing by the Controller, return and not retain all or any Personal Data related to this Agreement in the Processor’s possession or control.
11.3 If any law, regulation, or governmental or regulatory body requires the Processor to retain any documents or materials that the Processor would otherwise be required to return or destroy, the Processor shall notify the Controller in writing of that retention requirement, giving details of the documents or materials that the Processor shall retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
11.4 Upon the request from the Controller, the Processor shall certify in writing that the Processor has destroyed the Personal Data.
12.1 If the Controller is required to show its compliance with the Data Protection Legislation, or the Controller reasonably believes that a Personal Data Breach occurred or is occurring, or the Processor is in breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor shall permit an assigned and eligible third-party representative of the Controller to audit the Processor’s compliance with its obligations under this Agreement on at least 15 (fifteen) days’ notice during the Term. The Processor shall give the third-party representative of the Controller all necessary assistance reasonably required to conduct such audits. The assistance may include, but is not limited to:
(a) physical access to, remote electronic access to any information held at the Processor’s premises or on systems storing the Personal Data;
(b) access to and meetings with any of the Processor’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
(c) necessary inspection of all infrastructure, electronic data or systems, facilities, equipment or application software used to store, process or transfer the Personal Data.
12.2 If a Personal Data Breach occurred or is occurring, or the Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor shall:
(a) promptly conduct its own audit to determine the cause;
(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
(c) provide the Controller with a copy of the written audit report; and
(d) promptly remedy any deficiencies identified by the audit.
12.3 The Processor shall promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Processor’s management.
12.4 The Controller shall cover all reasonable expenses incurred by the Processor in connection with performing its obligations under Clause 12.1 hereof.
This Agreement shall be governed by, construed and interpreted in accordance with the laws of the Republic of Estonia.
to the Data Processing Agreement
Personal Data Processing Purposes and Details
The Processor provides the Services to the Controller in accordance with the Master Agreement.
The nature of the Processing activities implies the set of operations, such as collection, recording, organisation, structuring, usage, storage, erasure or destruction of data.
Duration of the Processing: duration of the Master Agreement, unless otherwise agreed in writing.
The Personal Data shall be Processed as necessary to provide the Services pursuant to the Master Agreement as instructed by the Controller, including:
The Personal Data submitted in the course of using the Services provided under the Master Agreement, the extent of which is determined and controlled by the Controller, and which may include, but is not limited to, the Personal Data relating to the following categories of the Data Subjects:
The Personal Data submitted in the course of using the Services provided under the Master Agreement, the extent of which is determined and controlled by the Controller, and which may include, but is not limited to, the Personal Data relating to the following categories of the Personal Data:
a) Access Control
i) Preventing Unauthorised Product Access
The outsourced Processing: the Services hosted with outsourced cloud infrastructure providers. Additionally, contractual relationships are maintained with vendors in order to provide the Services in accordance with the contractual agreements. The Processor relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data Processed or stored by these vendors.
Physical and environmental security: the Processor hosts its product infrastructure with multi-tenant, outsourced infrastructure providers.
Authentication: the Processor implements a uniform password policy intended for the Controller’s proper authentication. The Processor uses a centrally managed SSO solution with 2FA support. The system enforces personal and individual login user credentials with strong password rules.
Authorization: the Controller’s data is stored in multi-tenant storage systems.
The Processor implements industry standard access controls and detection capabilities for the internal networks that support its Services.
Access controls: network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include security group assignment and traditional firewall rules.
b) Transmission Control
In-transit: the Processor makes HTTPS encryption (also referred to as “TLS”) available on every one of its login interfaces. HTTPS implementation uses industry standard algorithms and certificates.
At-rest: the Processor stores user passwords following policies that follow industry standard practices for security.
c) Input Control
Response and tracking: the Processor maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, the Processor will take appropriate steps to minimise damage or unauthorised disclosure. Notification to the Controller will be in accordance with the terms of the Agreement.
d) Availability Control
Infrastructure availability: the Processor shall at all times, during the Term of the Master Agreement, provide the Services to meet or exceed the Service Level Performance Measure as it indicated in the SLA.
Fault tolerance: backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. The Controller’s data is backed up to multiple durable data stores and replicated across multiple availability zones.
Replicas and backups: data is automatically backed up in regular intervals to physically separated systems and can be restored on demand. Due to the backup storage, a quick recovery is ensured.
Updates: all systems in the Processor’s infrastructure are updated to the current versions and monitored with the help of a software-based system.
e) Testing Сontrol
The Processor uses an automated testing system for new releases, which verifies the correctness of the changed component. Components that fail these tests will not be deployed to a production environment.
|Scaleway S.A.S.||Cloud computing and web hosting||France|
|Cloudflare, Inc.||Optional. Used when CDN is enabled.||USA|
Third party services we use:
When you visit our websites, or purchase products or services, we use the following third party services which may collect personal data. These service providers do not have access to the Personal Data of the Controller’s website visitors.
|Stripe, Inc.||Payment processing||USA|
|Klaviyo, Inc.||Email marketing automation||USA|
|Sendgrid (Twilio Inc.)||Email delivery automation||USA|
|Zendesk, Inc.||Customer support SaaS||USA|
|Cookiebot (Usercentrics A/S)||Cookies consent management||Denmark|