Data Processing Addendum
This Data Processing Addendum (“DPA”) is subject to the terms and conditions of the Agreement between Happeo (“Processor”) and the Customer entity that is a party to the Agreement for the purchase of Happeo Services (“Controller”).
This DPA, and any schedules or appendices thereto, is incorporated into and forms an integral part of the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).
In the course of providing the Services to Controller under the Agreement, Processor may process Personal Data on behalf of Controller, and the Parties agree to comply with the following provisions with respect to processing of Personal Data, each acting reasonably and in good faith.
“Agreement” means Happeo’s Terms of Service available at https://www.happeo.com/tos or other written or electronic agreement, which govern the provision of the Service to Controller, as such terms or agreement may be updated from time to time.
“Business”, “Consumer”, “Contractor”, “Personal Information”, “Sale” or “Selling”, “Service Provider”, and “Share” or “Shared” or “Sharing” have the meanings given to them in Data Protection Legislation;
“Data Protection Legislation” means, with respect to a Party, all European Union, UK or United States data protection legislation applicable to such Party’s processing of the Personal Data, including but not limited to the General Data Protection Regulation (EU 2016/679), the UK Data Protection Act 2018 (collectively and as applicable the “GDPR”) and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CPRA”), each as may be amended or replaced from time to time;
“Controller” means the entity which determines the purposes and means of the processing of Personal Data and shall also mean Business, where applicable;
“Controller Data” means all Personal Data submitted into the Services by Controller or Authorized User and processed by Processor as data processor on behalf of Controller, acting as data controller, when providing the Services to Controller;
“Data Subject” means the identified or identifiable individual to whom Personal Data relates and shall also mean Consumer, where applicable;
“EEA” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein and Norway.
“Personal Data” means any information relating to an identified or identifiable natural person and shall also mean Personal Information, where applicable;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor;
“Processor” means the entity that processes Personal Data on behalf of the Controller and shall also mean Service Provider or Contractor, where applicable;
“Security Measures” means physical, technical and organizational measures necessary to ensure the security of Controller Data, including without limitation the technical methods and organizational practices relating to data centres, premises, equipment, systems, programs and persons taking part in the processing of Controller Data;
“Standard Contractual Clauses” or “SCCs” mean the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.
“Sub-processor List” means the list of sub-processors that the Processor has engaged for carrying out processing activities on behalf of the Controller at https://www.happeo.com/subprocessors.
“Third Country” means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission according to the mechanism set out in Article 45 GDPR.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. Terms defined in the Data Protection Legislation but not in this DPA shall have the meaning given to them in the Data Protection Legislation, or if not defined therein, in GDPR specifically. In the event of a conflict in the meanings of these terms, the meaning from the law applicable to processing of the Personal Data of the relevant Data Subject shall apply.
2. Roles and scope of processing
2.1 The Parties agree that in the course of provision of the Services,
(a) Controller is the data controller, as defined in the Data Protection Legislation, and shall define the purposes and means of the processing of Personal Data; and
(b) Processor shall process Controller Data as a data processor as set out in the Data Protection Legislation.
2.2 For the avoidance of doubt, this DPA does not apply to instances where Processor processes data as a data controller.
2.3 Each Party undertakes that it and its employees, agents, subcontractors and Sub-processors shall comply with the obligations of such Data Protection Legislation that specifically apply to its own operations.
3. Controller's responsibilities
3.1. Controller is responsible for the lawful collection, processing, use and accuracy of Controller Data, as well as for preserving the rights of the individuals concerned (Data Subjects) as required by the Data Protection Legislation. If and to the extent required by applicable Data Protection Legislation, Controller shall inform the Data Subjects about the processing of their Personal Data by Processor and obtain consents of the Data Subjects.
3.2. Controller ensures that it is entitled to transfer the Personal Data to Processor for processing and that Processor may lawfully process the Personal Data on behalf of Controller according to Controller’s instructions. Controller shall ensure that its instructions on data processing are reasonable, comply with this DPA and the Data Protection Legislation, at all times.
3.3. Controller acknowledges that due to the nature of the Services, Processor cannot control, and will not verify the accuracy of, Personal Data that Controller or its Authorized Users upload, insert or transfer in the Service and to Processor for processing on behalf of Controller in connection with their use of the Services.
3.4. Controller will not provide (or cause to be provided) to Processor any data that falls within the definition of “special categories of data” under applicable Data Protection Laws (“Sensitive Data”) for processing under the Agreement, and Processor will have no liability for such data. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
4. Processor's responsibilities
4.1. Processor shall process Controller Data as further described in Annex 1 (Details of Personal Data Processing) in accordance with this DPA and only in accordance with Controller’s documented lawful instructions, or as otherwise agreed in writing by the Parties or as necessary to comply with applicable law. The Parties agree that the Agreement, including this DPA, together with Controller’s configuration or use of any settings or features that Controller may be able to modify within the Service from time to time constitute Controller’s instructions to Processor in relation to the processing of Controller Data.
4.2. Processor is not obliged to verify whether instructions given by Controller are consistent with the Data Protection Legislation. Processor shall however promptly inform Controller if it notices that, in its opinion, the instructions infringe the Data Protection Legislation. Processor may refrain from following any instructions it deems to be against Data Protection Legislation.
4.3. Processor shall ensure that its personnel processing Controller Data have committed themselves to confidentiality (whether a statutory or contractual duty). Processor, its employees, agents, subcontractors, and Sub-processors shall:
(a) provide the level of privacy protection required by the Data Protection Legislation; and
(b) understand and comply with this DPA.
4.4. Processor shall promptly notify Controller if it determines that it can no longer meet its obligations under applicable Data Protection Legislation. Upon receiving notice from Processor in accordance with this subsection, Controller may direct Processor to take reasonable and appropriate steps to stop and remediate unauthorized use of Controller Data.
4.5. As applicable and except as expressly permitted by the Data Protection Legislation, Processor shall not:
(a) use, retain, or disclose Controller Data for any purpose other than for rendering the Services or disclose Controller Data to any third parties (other than to Processor’s Sub-processors, as set out in Section 4), without Controller’s prior written approval;
(b) Sell or Share Controller Data or retain, use, or disclose Controller Data outside of the direct business relationship between Controller and Processor; and
(c) combine Controller Data with Personal Data obtained from, or on behalf of, sources other than Controller.
4.6. Both Parties shall implement and maintain appropriate Security Measures to protect Controller Data within their area of responsibility as required by Article 32 of the GDPR. Processor’s Security Measures are detailed in Annex 1 to this DPA. Processor may modify the Security Measures from time to time but will not decrease the overall security of the Service provided to Controller.
4.7. If Controller receives a request from a Data Subject wishing to exercise their statutory rights, such as the Data Subject’s access or rectification rights or other rights set out in the applicable Data Protection Legislation, Processor undertakes to provide Controller with commercially reasonable assistance in responding, as appropriate considering the nature of the processing. Processor undertakes also to provide Controller with commercially reasonable assistance, considering the nature of the processing and the information available to Processor, in supporting Controller’s compliance with its obligations under the applicable Data Protection Legislation regarding, inter alia, data protection impact assessments and prior consultations with the supervisory authorities. In case such assistance requires extensive measures from Processor, Controller shall pay additional reasonable remuneration to Processor for handling such assistance requests.
4.8. In case any individual or supervisory authority makes a request for assistance directly to Processor concerning Controller Data, such as a request for access, rectification or erasure, Processor shall inform Controller of such request as soon as reasonably possible and as allowed by the applicable laws.
5.1. General authorization. Controller gives its general authorization to allow Processor to engage Processor’s affiliated companies and subcontractors as sub-processors to process Controller Data in connection with the provision of the Services (“Sub-processors”). Sub-processors authorized by Controller are listed in the Sub-processor List. Processor ensures that Sub-processors are properly qualified, under a data processing agreement with Processor, and will comply with data processing provisions that provide at least the same level of protection for Controller Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor. Processor shall be liable towards Controller for the processing of Controller Data by Processor’s Sub-processors.
5.2. Change of Sub-processor. Processor may change and engage new Sub-processors during the term of the DPA. Processor shall inform Controller of such changes to Sub-processors on the Sub-processor List at least 10 days in advance, thereby giving Controller sufficient time to be able to object to such changes, within said 10 days. If Controller has reasonable grounds to object to the added or replaced Sub-processor within the said time frame, Controller may request Processor to discard the Sub-processor in question. If Processor is not willing to or cannot discard the Sub-processor Controller has objected to, both Controller and Processor shall have the right, notwithstanding anything to the contrary in the Agreement, to unilaterally terminate the provision of the Services and the Agreement effective immediately. Parties’ obligations upon termination are governed by the Agreement.
6. Location and international transfer of personal data
6.1. The primary processing location for Controller Data is in the EEA.
6.2. Standard Contractual Clauses between Processor and Controller. If the Controller is located outside the European Economic Area (“EEA”), the provision of the Service may by default involve transfer of Personal Data of Authorized Users outside EEA. To the extent Processor is the recipient of Personal Data protected by GDPR, and Controller is located in a country which has not been declared adequate by a decision of the European Commission, Module Four (Processor to Controller) of the Standard Contractual Clauses issued by the European Commission by implementing decision 2021/914 of 4 June 2021, shall be deemed to apply, and are incorporated by this reference into the Agreement with the Customer as ‘data importer’ and the Processor as ‘data exporter’. The SCCs shall be filled out as follows:
(a) Clause 7 shall not apply.
(b) Clause 17: the Clauses shall be governed by the laws of Finland.
(c) Clause 18: Any dispute shall be resolved by the Courts of Finland.
(d) Annex I and II shall be populated by the information found in this DPA.
(e) Annex III shall be populated with the Sub-processor List.
6.3. Transfers to Sub-processors. Controller accepts that to provide Services, Processor may have Controller Data processed and accessible by its Sub-processors also in Third Countries. By agreeing to this DPA, the Controller shall be deemed to have authorised the processing in the locations specified on the Sub-processor List. In case the Processor transfers Personal Data to a Sub-processor in a Third Country, the Processor shall ensure that such transfer is carried out in accordance with Chapter V GDPR. To the extent the applied Personal Data transfer mechanism is not specified in the Sub-processor List, the applied transfer mechanism shall be deemed to be the Standard Contractual Clauses. The Processor shall use Module Three (Transfer Processor to Processor) of the Standard Contractual Clauses for transfers of Personal Data to its Sub-processors.
7.1. Upon the reasonable request of Controller, Processor shall make available to Controller all information in Processor’s possession necessary to demonstrate Processor’s compliance with Section 4.3. Controller also has the right to take reasonable and appropriate steps to ensure that Processor uses Controller Data consistent with Controller’s obligations under applicable Data Protection Legislation.
7.2. The Processor shall allow for, and contribute to, audits, including inspections, conducted by the Controller or an auditor mandated by the Controller in accordance with the following procedures:
(a) Upon the Controller’s request, the Processor will provide the Controller or its auditor with the most recent certifications and/or summary audit report(s), which the Processor has procured to regularly test, assess and evaluate the effectiveness of the physical, technical and organizational Security Measures;
(b) The Processor shall reasonably cooperate with the Controller by providing available additional information concerning the physical, technical and organizational Security Measures, to help the Controller better understand such measures.
7.3. If, and to the extent, the above measures are not sufficient to conduct a statutory audit right set out in the Data Protection Legislation, Controller can engage an independent third party auditor to audit the processing activities of Processor under this DPA to examine the Security Measures and level of protection applied to the Personal Data processed under this DPA.
7.4. Controller shall give Processor a reasonable advance notice of no less than fourteen (14) days before an audit, and such audit shall not be carried out more than once a year. Controller shall ensure that the audit is conducted expediently and without undue disturbance to Processor’s business activities and that the third party conducting the audit is committed to confidentiality obligations at least as stringent as those in the Agreement. Each Party shall bear its own costs for any audit under this Section 7.
8. Personal data breaches
8.1. Processor shall, without undue delay after having become aware of it, inform Controller in writing about any Personal Data Breach relating to Controller Data. Processor’s notification about the Personal Data Breach to Controller (“Breach Notification”) shall include at least the following:
(a) description of the nature of the Personal Data Breach and likely consequences thereof;
(b) description of the measures taken by Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and
(c) name and contact details of Processor’s contact person who can give more information on the incident.
9. Data retention
9.1. During the provision of the Services to Controller, Processor shall not take any action to erase any Controller Data, without Controller’s explicit request.
9.2. Processor will, for thirty (30) days upon termination of the Agreement, provide Controller with the ability to export Controller Data from the platform at Processor’s then-current rates.
9.3. Processor shall, within a reasonable time after termination or expiry of the Agreement (however no later than within six (6) months), to the fullest extent technically feasible delete all Controller Data in its possession or control pursuant to its then-current retention policy and shall, upon Controller’s request, confirm the deletion of data. This obligation shall not, however, apply to the extent Processor is required under a statutory obligation or otherwise pursuant to applicable laws to retain such Controller Data, or to the extent Controller Data is archived on backup systems (e.g. in the form of audit logs), which will be deleted pursuant to separate retention policies.
10. Other terms
10.1. This DPA shall be governed by the terms and conditions of the Agreement, including without limitation its liability limitations and clauses relating to applicable law and jurisdiction. This DPA will remain in force as long as the Processor processes Personal Data on behalf of the Controller under the Agreement.
10.2. Processor may with at least 45 days’ prior written notice amend this DPA if it is required as a result of a change in, or a decision of a competent authority under the applicable Data Protection Legislation. Processor may also update the description of processing in Annex 1 from time to time to reflect new products, features or functionality within the Services.
10.3. In the event of any conflict or inconsistency between the terms and conditions of this DPA and any terms or conditions set forth in the Agreement, the terms and conditions set forth in the DPA shall prevail, but solely to the extent Personal Data processing is concerned.
Annex 1: Details of Personal Data Processing
Nature and purpose of the processing
Processor will process Personal Data on behalf of Controller in order to provide the Services to Controller under the Agreement, including but not limited to processing to deploy and provide Controller a solution for enterprise communications on the Happeo platform (“Happeo Platform”) and services relating thereto.
Specification of the processing operations to be carried out:
- Collection, organization, aggregation, structuring, storage, retrieval and making available in order to provide, maintain and improve the Services described in the Agreement
- Disclosure to the extent permitted by the Agreement and/or applicable law
- Erasure as instructed by Controller or its Authorized Users via the Service.
If Controller chooses to use the Advanced Analytics service, Processor will also process Personal Data of the Authorized Users in order to analyse the usage of the Service and to provide Controller with such usage related data.
If Controller chooses to use the Federated Search service, Processor will process Personal Data (such as user ID) on behalf of the Controller to authenticate the User and enable the connection between the Service and the third party tool, as well as process related search data.
Categories of Data Subjects
The categories of Data Subjects include Controller’s employees or other individuals to whom the Controller has provided access to the Services; by default, all of Controller’s Authorized Users (“User(s)”).
Categories of Personal Data
The categories of Personal Data processed are:
Full User profiles and Personal Data included therein by the Customer, and synchronized from Controller’s IdP directory. This includes:
- User identity provider ID (such as GoogleID)
- User name
- User email(s)
- User phone number(s)
- User address(es)
- User work address(es)
- User organisation profile (title, cost centre, manager, office address)
- Profile pictures (if included in the User profile) (not considered sensitive or special category Personal Data)
Other Data processed by Processor:
- Happeo assigned User ID
- Happeo assigned Customer organisation ID
- Customer Content containing Personal Data added by Controller to the Happeo Platform.
- Full indexing of Customer Content generated by Users and all Personal Data they might contain
No special categories of Personal Data will be processed by the Processor on behalf of the Controller.
Duration of the processing
Personal Data will be processed and retained for as long as necessary taking into account the purpose of the processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Legislation.
Applicable Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by Processor hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Such measures shall include, where appropriate and relevant for each processing action:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Certifications and frameworks
Processor has the ISO 27001 information security certification. Processor as a data processor is subject to the Finnish Data Protection Act 1050/2018 and to the GDPR. Happeo Platform is developed with the awareness of the OWASP Top 10.
The Happeo Platform is hosted in Google Cloud, and consequently physical security (including hardware hardening) is managed by Google as a part of their cloud services. Processor’s internal policies prohibit copying of Controller Data from the Happeo Platform to removable storage devices.
Network security for the Happeo Platform is managed by Google Cloud as a part of their Cloud Services.
All network communication to the Happeo Platform is encrypted. All unsecured connections to the Happeo Platform are redirected to secure connections, and the internet attack surface of the Happeo Platform has been minimised to the extent reasonably possible.
Processor relies on Google Cloud to ensure all servers are available, patched, hardened, secured, behind firewalls, and monitored from unauthorised access or modifications.
The devices used by Processor’s personnel to develop, maintain, and support the Happeo Platform are encrypted and password-locked. Processor uses an endpoint protection solution with signature- and heuristics-based malware protection as well as an Endpoint Detection and Response functionality. Where available, Processor uses an endpoint protection solution to find and automatically patch application vulnerabilities for common applications, like Google Chrome and Windows OS.
All data on the Happeo Platform is encrypted at rest and in transit on the internet and secured in processing.
The Happeo Platform is hosted by Google Cloud, and Processor relies on Google Cloud to ensure physical availability of the infrastructure. To ensure the overall availability of the Service, the Happeo Platform is load balanced and distributed. All code commits are peer-reviewed and tested in a staging environment to ensure the availability of the Happeo Platform. Processor performs normal application maintenance in a non-disruptive way. Processor aims to keep disturbances from emergency maintenance as short as possible and does not provide prior notification on them.
Penetration Tests and Internal Audits
Processor performs annual penetration tests of the Happeo Platform. Processor promptly corrects unacceptable or intolerable risks, and threats that have a value of 7 or higher from the Common Vulnerability Scoring System (CVSS). Lower scores are evaluated individually and fixed with lower priority.
Processor performs internal audits as well as annual audits by an external independent auditor as required by the ISO 27001 standard.
Processor logs all requests to the Happeo Platform. Processor monitors the availability of the Happeo Platform on a continuous basis.
Happeo Platform is backed up regularly and can be restored with a maximum of 24 hours of data loss in case of the total destruction of the Cloud Service Provider’s data centre.
Processor employees and contractors have access to service account passwords or other authentication information only when necessary for the performance of the Services. Service accounts are only used for the specific purpose they have been created for. Service accounts are restricted and follow the minimum viable permission model.
Employees and contractors
All employees and contractors have signed a non-disclosure agreement or are under a statutory requirement of confidentiality. Contractors are subject to Processor’s internal security policies, where relevant.
Processor’s employees and contractors have access only to such applications and tools they need for their work. All access requests or updates thereto are handled according to Processor’s relevant internal access control policies. Processor conducts regular reviews of access rights. Privileged accesses are granted only based on business needs, and may be subject to execution of additional confidentiality obligations, such as separate NDAs.