Data processing addendum


This Data Processing Addendum (hereinafter referred to as the “Addendum”) and its applicable Exhibit apply to the processing of personal data by Syskit on behalf of the Customer (hereinafter: Customer Personal Data) subject to the General Data Protection Regulation 2016/679 (GDPR) and any other data protection laws applicable to Syskit (referred to together as “Data Protection Laws”) in order for Syskit to provide services (Services) to the Customer pursuant to the agreement between Customer and Syskit.
This Addendum is incorporated by this reference into the End User License Agreement & Support concluded between Syskit and the Customer (hereinafter: “Agreement”). Any capitalized terms not defined in this Addendum shall have the definitions set forth in the Agreement. In the event of conflict, the DPA Exhibit prevails over the DPA which prevails over the Agreement, except where explicitly set out in the Agreement identifying the relevant Section of the DPA over which it prevails.

1. PROCESSING

1.1 Customer is: (a) a controller of Customer Personal Data; or (b) acting as a processor on behalf of other controllers and has been instructed by and obtained the authorization of the relevant controller(s) to agree to the processing of Customer Personal Data by Syskit as Customer’s subprocessor as set out in this Addendum. Customer appoints Syskit as processor to Process Customer Personal Data. If there are other controllers, Customer will identify and inform Syskit of any such other Controllers prior to providing their Personal Data, in accordance with this Addendum.

1.2 A list of categories of Data Subjects, types of Customer Personal Data, special categories of personal data, processing activities, and applicable technical and organizational measures is set out in the attached Exhibit. The duration of the processing corresponds to the duration of the Service, unless otherwise stated in the Exhibit. The purpose and subject matter of the processing is the provision of the Service as described in the Agreement.

1.3 Syskit will Process Customer Personal Data according to Customer’s documented instructions. The scope of Customer’s instructions for the processing of Customer Personal Data is defined by the Agreement, and, if applicable, Customer’s and its authorized users’ use and configuration of the features of the Service. Customer may provide further legally required instructions regarding the processing of Customer Personal Data (Additional Instructions) as described in Article 9.2. If Syskit notifies Customer that an Additional Instruction is not feasible, the parties shall work together to find an alternative. If Syskit notifies the Customer that neither the Additional Instruction nor an alternative is feasible, Customer may terminate the affected Service, in accordance with any applicable terms of the Agreement. If Syskit believes an instruction violates the Data Protection Laws, Syskit will immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form.

1.4 Customer shall serve as a single point of contact for Syskit. As other controllers may have certain direct rights against Syskit, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other controllers. Syskit shall be discharged of its obligation to inform or notify another Controller when Syskit has provided such information or notice to Customer. Similarly, Syskit will serve as a single point of contact for Customer with respect to its obligations as a processor under this Addendum.

1.5 Syskit will comply with all Data Protection Laws in respect of the Services applicable to Syskit as processor. Syskit is not responsible for determining the requirements of laws or regulations applicable to Customer’s business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Customer is responsible for the lawfulness of the processing of the Customer Personal Data. Customer will not use the Services in a manner that would violate applicable Data Protection Laws.

2. TECHNICAL AND ORGANIZATIONAL MEASURES

2.1 Customer and Syskit agree that Syskit will implement and maintain the technical and organizational measures set forth in the applicable Exhibit (TOMs) which ensure a level of security appropriate to the risk for Syskit’s scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, Syskit reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.

3. DATA SUBJECT RIGHTS AND REQUESTS

3.1 Syskit will inform Customer of requests from data subjects exercising their data subject rights (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Syskit regarding Customer Personal Data. Customer shall be responsible for handling such requests of data subjects. Syskit will reasonably assist Customer in handling such data subject requests in accordance with Article 9.2 of this Addendum.

3.2 If a data subject brings a claim directly against Syskit for a violation of their data subject rights, Customer will reimburse Syskit for any cost, charge, damages, expenses, or loss arising from such a claim to the extent that Syskit has notified Customer about the claim and given Customer the opportunity to cooperate with Syskit in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from Syskit damages resulting from data subject claims for a violation of their data subject rights caused by Syskit’s breach of its obligations under this Addendum and the Exhibit.

4. THIRD PARTY REQUESTS AND CONFIDENTIALITY

4.1 Syskit will not disclose Customer Personal Data to any third party, unless authorized by the Customer or required by law, government or a supervisory authority.

5. AUDIT

5.1 Syskit shall allow for, and contribute to, audits, including inspections, conducted by the Customer or another auditor mandated by the Customer in accordance with the following procedures:

a. Syskit will reasonably cooperate with Customer by providing available additional information concerning the TOMs, to help Customer better understand such TOMs.

b. If further information is needed by Customer to comply with its own or other controllers’ audit obligations or a competent supervisory authority’s request, Customer will inform Syskit in writing to enable Syskit to provide such information or to grant access to it.

c. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the parties, only legally mandated entities (such as a governmental regulatory agency having oversight of Customer’s operations), the Customer or its mandated auditor may conduct an onsite visit of the Syskit facilities used to provide the Service, during normal business hours and only in a manner that causes minimal disruption to Syskit’s business, subject to coordinating the timing of such visit and in accordance with any audit procedures described in the Exhibit in order to reduce any risk to Syskit’s other customers.

5.2 Any other auditor mandated by the Customer shall not be a direct competitor of Syskit regarding the Services and shall be bound to an obligation of confidentiality.

5.3 Each party will bear its own costs in respect of paragraph a. of Article 6.1, otherwise Article 9.2 applies accordingly.

6. DATA BREACH

6.1 Syskit will notify Customer without undue delay after becoming aware of a personal data breach with respect to the Services. Syskit will promptly investigate the personal data breach if it occurred on Syskit infrastructure or in another area Syskit is responsible for and will assist Customer as set out in Article 9 of this Addendum.

7. SUBPROCESSORS

7.1 Customer authorizes the engagement of other processors to process Customer Personal Data (Subprocessors). A list of the current Subprocessors is set out in the Exhibit. Syskit will notify Customer in advance of any addition or replacement of the Subprocessors as set out in the respective Exhibit. Within 30 days after Syskit’s notification of the intended change, Customer can object to the addition of a Subprocessor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer’s objection shall be in writing and include Customer’s specific reasons for its objection and options to mitigate, if any. If Customer does not object within such period, the respective Subprocessor may be commissioned to Process Customer Personal Data. Syskit shall impose substantially similar but no less protective data protection obligations as set out in this Addendum on any approved Subprocessor prior to the Subprocessor initiating any processing of Customer Personal Data.

7.2 If Customer legitimately objects to the addition of a Subprocessor and Syskit cannot reasonably accommodate Customer’s objection, Syskit will notify Customer. Customer may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.

8. TRANSBORDER DATA PROCESSING

8.1 In the case of a transfer of Customer Personal Data to a country not providing an adequate level of protection pursuant to the General Data Protection Regulation, the parties shall cooperate to ensure compliance with the General Data Protection Regulation as set out in the following Sections of this DPA. If the Customer believes the measures are not sufficient to satisfy the legal requirements, Customer shall notify Syskit and the parties shall work together to find an alternative.

8.2 By entering into the Agreement, Customer and Syskit are entering into EU Standard Contractual Clauses as set out in the applicable DPA Exhibit (EU SCC) if Customer, Syskit, or both are located in a Non-Adequate Country. If the EU SCC are not required because both parties are located in a country considered adequate by the General Data Protection Regulation, but during the Service the country where Syskit or Customer is located becomes a Non-Adequate Country, the EU SCC will apply. The parties acknowledge that the applicable module of the EU SCC will be determined by their role as Controller and/or Processor under the circumstances of each case and are responsible for determining the correct role undertaken in order to fulfil the appropriate obligations under the applicable module.

8.3 Customer agrees that the EU SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the limitations of liability. In case of conflict, the EU SCC shall prevail.

8.4 Syskit will enter into the EU SCC with each Subprocessor located in a Non-Adequate Country as listed in the respective DPA Exhibit.

9. ASSISTANCE

9.1 Syskit will assist Customer by technical and organizational measures for the fulfillment of Customer’s obligation to comply with the rights of data subjects and in ensuring compliance with Customer’s obligations relating to the security of processing, the notification and communication of a personal data breach and the data protection impact assessment, including prior consultation with the responsible supervisory authority, if required, taking into account the nature of the processing and the information available to Syskit.

9.2 Customer will make a written request for any assistance referred to in this Addendum. Syskit may charge Customer no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a quote and agreed in writing by the parties. If Customer does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process under the Agreement.

10. TERM OF THE ADDENDUM

10.1 This Addendum is concluded for the period for which the Agreement referred to in Article 1 of this Addendum has been concluded. The termination of the Agreement referred to in Article 1 of this Addendum implies the termination of this Addendum, except in the part in which Syskit, based on legal or regulatory provisions, or its legitimate interests, is obliged to continue to store Customer Personal Data.

11. FINAL PROVISIONS

11.1 Any breach of this Addendum will be deemed a material breach under the Agreement.

11.2 This Addendum shall be governed by the laws of the UK without regard to conflict of law principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply to transactions under the Agreement. Nothing in the Addendum affects statutory rights of consumers that cannot be waived or limited by contract.

11.3 In the event of a dispute with regard to this Addendum, the parties agree that they will try to resolve it amicably, otherwise they agree on the jurisdiction of the court with subject matter jurisdiction in the UK.

11.4 Parties agree that any amendments to this Addendum shall be made in writing.

11.5 In the event that any provision of this Addendum is invalid or becomes invalid, it shall not affect the validity of the remaining provisions. Parties shall, without delay, replace any invalid provision of this Addendum with a valid one.

DATA PROCESSING ADDENDUM
EXHIBIT FOR HOSTING SERVICES

This Data Processing Addendum Exhibit (Exhibit) specifies additional details of the processing under the Data Processing Addendum concluded between Syskit and the Customer (Addendum). In the event of conflict, the Exhibit prevails over the Addendum which prevails over the rest of the Agreement.

1. PROCESSING

1.1. Duration of Processing

Syskit will delete Customer Personal Data after 21 days (Retention Period) following expiration of the contractual relationship between the Customer and Syskit for any reason.

1.2. Data Actions

Syskit’s data actions based on Customer’s instructions are:

● Collection
● Data collection from Customer
● Creation of new data by analytics, inference or analysis
● Creation of new data via aggregation, combination or matching
● Transformation
● Manipulation (parsing, formatting or transformation) of data
● Reading data only
● Presenting, accessing, using or copying data
● Storage of data including backups

1.3. Processing Activities

The nature of Processing consists of the following Syskit Processing activities based on the Customer’s instructions:

● Monitoring – Applications, networks, systems, or infrastructure logging or monitoring
● Customer Support – Help desk or other technical support
● Operations – Provision, maintenance, or management (including security management) of applications, networks, systems, or infrastructure
● Hosting – Storage or other computing resources

2. CUSTOMER PERSONAL DATA

2.1. Categories of Data Subjects

The following lists the Categories of Data Subjects whose Personal Data are Processed within the Service:

● Customer’s employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants)
● Customer’s affiliates’ employees (including temporary or casual workers, volunteers, assignees, trainees, retirees, pre-hires and applicants)
● Customer’s (potential) customers (if those (potential) customers are individuals)
● Employees of Customer’s (potential) customers
● Customer’s business partners (if those business partners are individuals)
● Employees of Customer’s business partners
● Customer’s suppliers and subcontractors (if those suppliers and subcontractors are individuals)
● Customer’s agents, consultants and other professional experts (contractors)

2.2. Types of Personal Data

The following lists the types of Customer Personal Data that will be processed within the Service:

● Identity of the Individual
● Online Access and Authentication Credentials
● Online Connection and Network Connectivity Data
● Online Identifier
● Person Name
● Technology Identifiers
● Telephony
● Location of the Individual
● Appointments, Schedules, Calendar Entries
● Environment of the Individual
● Physical Location of the Individual

2.3. Special Categories of Personal Data

The following lists the special categories of Customer Personal Data that will be processed within the Service:

– None

2.4. General

The above lists, in this Section 2, are information about the categories of data subjects, the types of Customer Personal Data, and special categories of Personal Data that are processed within the Service. Syskit will process Customer Personal Data and special categories of Customer Personal Data of the identified categories of Data Subjects listed above in accordance with the Addendum and this Exhibit. Given the nature of the Services, Customer acknowledges that Syskit is not able to verify or maintain the above lists; therefore, Customer will notify Syskit of any required changes to the above lists by emailing dpo@syskit.com. If changes to the above lists require changes of the agreed processing, Customer shall provide Additional Instructions to Syskit as set out in the Addendum.

3. TECHNICAL AND ORGANIZATIONAL MEASURES

The technical and organizational measures (TOMs) applicable to the Service are the following:

  • Control of physical access – Protection against unauthorized access to data processing equipment, such as magnetic or chip cards, keys, electronic door opening, security personnel, alarm systems, video/CCTV systems;
  • Control of electronic access – Protection against unauthorized use of data processing and storage systems, such as (security) passwords (including application of appropriate policy), automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/data storage media;
  • Control of internal access – Preventing unauthorized reading, copying, changing or deleting of data within systems, such as standard authorization profiles of persons who need it for business reasons (need-to-know principle), standard procedures for granting authorization, keeping access logs, periodical review of assigned authorizations, including, among others, administrative user accounts;
  • Controls for separate processing – Separate processing of data collected for different purposes, such as multi-Customer support, “sandboxing” and similar;
  • Controls of the concept of technical deletion – for data and meta data, for example log files, etc.;
  • Control of data transfers – Preventing unauthorized reading, copying, alteration or deletion of data during electronic transmission or transport via measures such as encryption, virtual private networks (VPN), electronic signature;
  • Control of data entry – Checking whether, and by whom, personal data is entered, changed or deleted in the data processing system via measures such as recording, document management;
  • Control of availability – prevention of accidental or intentional destruction or loss of data via measures such as a back-up strategy (online/offline; on-site/off-site), firewall, procedures for reporting and intervention plans for dealing with emergency situations; security checks at the level of infrastructure and applications, multi-stage backup concept including encrypted externalization of backup copies to a backup data center, standard procedures for cases of employee change or departure from the company;
  • Procedures for regular testing, assessment and evaluation:
  • Data protection management, including regular training of employees;
  • Procedures for responding to security incidents;

4. DELETION AND RETURN OF CUSTOMER PERSONAL DATA

Customer will be able to delete and/or make a copy of Customer Personal Data until the expiration or termination of the Service. Syskit hereby certifies that all Customer Personal Data are deleted at the end of the Retention Period specified in Section 1.1 of this Exhibit.

5. SUB-PROCESSORS

This Article provides important information about the identity, location and role of each Sub-Processor.

INFRASTRUCTURE SUB-PROCESSORS

Syskit may engage and use these third-party data processors (“Sub-Processors”) to provide services to our customers. These Sub-Processors may have access to personal data provided directly by our clients or to which we may have access in order to perform the contracted services or to enable requested features related thereto (“Customer Data”). In order to be able to provide services to our Customers, we need to disclose Customer’s Tenant Data to these Infrastructure Sub-Processors. However, we specifically note here that Customer’s Microsoft Tenant data is protected by Syskit’s Data Protection Policy from unauthorised third-party access.

We currently use the below list of Sub-Processors to support our infrastructure. By agreeing to the DPA, you agree that all of these Sub-Processors may process Customer Data.

| Sub-Processor | Purpose | Applicable Service | Sub-Processor data location |
| --- | --- | --- | --- |
| Microsoft Azure | Cloud service provider | Customer data hosting | US, EU, Australia, based on Customer’s choice |

OTHER INFRASTRUCTURE SUB-PROCESSORS

We specifically note here that Customer’s Microsoft Tenant data is not disclosed to Other Infrastructure Sub-Processors.

| Sub-Processor | Purpose | Applicable Service | Sub-Processor data location |
| --- | --- | --- | --- |
| Zendesk, Inc. | Customer service solution | Product support | EU |
| Cloudflare, Inc. | Content delivery network | DNS and Domain hosting | Data Centers located all around the world. Traffic will be automatically routed to the nearest data center |
| Stripe | Payment processing platform | Product purchase | US |
| Octopus Deploy | DevOps automation | Infrastructure information | EU |

OTHER SUB-PROCESSORS

Syskit may engage the following Sub-Processors to perform other functions and operations in Syskit. These Sub-Processors may have access to Customer-provided Data. We specifically note here that Customer’s Microsoft Tenant data is not disclosed to Other Sub-Processors.

| Sub-Processor | Purpose | Applicable Service | Sub-Processor data location |
| --- | --- | --- | --- |
| Microsoft Dynamics | Customer relationship management | Account management | EU |
| Marketo | Marketing automation platform | Lead handling and Email marketing solution | EU |
| Citrix Go to Webinar | Webinar hosting solution | Webinar signup, webinar hosting | US |
| HotJar | User behavior analysis tool | Tracking | US |
| Salesloft | Sales automation platform | Meeting scheduling, Email communication | EU |
| Marketo Measure | User analysis tool | Tracking | US |
| Calendly | Meeting scheduling | Sales communication | US |
| Zapier | Services connector | Automation Workflow | US |
| Kinsta | Web hosting | Web hosting, security | US |
| Google | Analytics tool | Website activity | EU |
| Aircall | Cloud based voice platform | Sales communication | US |
| Cookiebot | Cookie consent management | Cookie consent | EU |
| LiveChat | Sales communication | Cloud based chat functionality | US |

6. DATA PROTECTION OFFICER AND OTHER CONTROLLERS

Customer is responsible for providing complete, accurate and up-to-date information about its Data Protection Officer and, if applicable, its EU Representative, if any, by contacting privacy@syskit.com, along with the contract date and Customer’s name.

7. SYSKIT PRIVACY CONTACT

The Syskit privacy contact can be reached at privacy@syskit.com.