Data Processing Addendum
This Data Processing Addendum (“DPA”), including its exhibits and the Standard Contractual Clauses (as defined below) attached hereto (collectively referred to as the “DPA”) is incorporated by reference to the Agreement governing the use of Woodpecker (Terms of Service and Privacy Policy) entered by and between the client (“Customer”, “you”) and Woodpecker (“Woodpecker”, “Company”, “We”) and is made as of the effective date of the applicable Customer’s acceptance of the Agreement or the effective date on which parties otherwise agreed to this DPA (“the Effective Date”).
DEFINITIONS
All terms defined in this Addendum shall have the meaning set forth in this Addendum.
Capitalized terms used but not defined herein shall have the meaning set forth in the Terms of Service and Privacy Policy (the Service Agreement).
All other terms introduced in the Addendum shall comply with the regular meaning enshrined in the GDPR.
- Customer’s Personal Data means any Personal Data (including Users’ and Prospects’ Personal Data) inserted into the Service by the Customer with relation to the Service usage.
- Service Agreement means Woodpecker Terms of Service and Privacy Policy supplemented by this DPA.
- Sub-processor means any person or entity (including any third party service provider but excluding an employee of the Provider or any of its subcontractors) appointed by or on behalf of the Provider to process Personal Data on behalf of the Customer under the Service Agreement.
- Standard Contractual Clauses means:
a. The Standard Contractual Clauses for the Transfer of Personal Data from EEA or Switzerland to Third Countries approved by the European Commission Decision of 4 June 2021 and attached to, and incorporated into this DPA in by reference (“EU Standard Contractual Clauses”).
b. Standard Contractual Clauses for UK data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”), incorporated by reference to this DPA (“UK Standard Contractual Clauses”)
- The terms Commission, Controller, Data Subject, Member State, Personal Data, Personal Data Breach, Processor, and Supervisory Authority shall have the meaning as given in the GDPR and shall be understood accordingly.
In the course of providing the Services to the Customer pursuant to the Service Agreement, the Provider processes the Customer’s Personal Data on behalf of the Customer and the Parties agree to comply with the following provisions with respect to the Customer’s Personal Data processing.
-
GENERAL TERMS
1.1. Except as modified below, the terms of the Service Agreement shall remain in full force and effect. In consideration of the mutual obligations set out herein, Parties hereby agree, that the terms and conditions set out below shall supplement the Service Agreement.
1.2. By using the Service provided by Woodpecker, the Customer accepts this DPA that reflects the parties’ agreement with regard to the Processing of the Customer’s Personal Data and you warrant and represent that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have the authority to bind the Customer on any other entity, please do not provide Customer Personal Data (as defined below) to us.
1.3 To be able to provide the Service Woodpecker may access the Customer’s system data to meet the requirements of the factual implementation of the Service. Woodpecker shall also have access to the Customer’s (including Prospects’ and/or Users’) Personal Data.
1.4 Woodpecker does not determine the scope and type of the data (including Personal Data) entered into the system by the Customer, nevertheless, Woodpecker reserves its right to warn and at the last instance delete data (including Personal Data) that violates the Terms of Service, Privacy Policy and/or Safety and Security policy. The types of Personal Data processed by Woodpecker when providing the Services include: (i) Personal Data that Customer elects to include in Customer Data and/or Services Data; and (ii) those expressly identified in Article 4 of the GDPR that may be generated, derived or collected by Woodpecker, including data sent to Woodpecker as a result of a Customer’s use of service-based capabilities. The types of Personal Data that Customer elects to include in Customer Data and Services Data may be any categories of Personal Data identified in records maintained by Customer acting as the controller pursuant to Article 30 of the GDPR.
1.5 The Customer hereby undertakes not to enter into the Service, and to ensure that others do not enter any sensitive data in the meaning of the GDPR.
1.6 The Customer shall observe Woodpecker’s Terms of Service and Privacy Policy further constituting Service Agreement.
1.7 This Addendum applies when Customer’s Personal Data is processed by the Provider. In this context, the Customer may act as “Data Controller” or “Data Processor” and the Provider may act accordingly as “Data Processor” or “sub-processor” with respect to Personal Data processing. Customer and Woodpecker agree that Customer is the controller of Personal Data and Woodpecker is the processor of such data, except when Customer acts as a processor of Personal Data, in which case Woodpecker is a subprocessor.
1.8 The Parties acknowledge and agree that Provider will engage Sub-processors to provide and maintain the Service to the Customer.
1.9 While providing the Service Woodpecker processes Customer’s (including Prospects’ and/or Users’) Personal Data on behalf of the Customer and in line with its instructions. The Customer acknowledges and agrees that he is the Data Controller of all the Personal Data inserted into the Service and Woodpecker is the Data Processor of this Personal Data, which means that Woodpecker processes the Customer’s Personal Data on behalf of the Controller.
1.10 Provider’s processing of Customer’s Personal Data shall be limited to the purpose of the provision of the Services under the Service Agreement and in accordance with Customer’s instructions which shall be consistent with the terms of the Service Agreement and the GDPR, unless the processing is required by Data Protection Laws to which the Provider (or the applicable Sub-processor) is subject to. In such a case Provider shall, to the extent permitted by the Data Protection Laws, inform the Customer of that legal requirement before the relevant processing of that Customer’s Personal Data.
1.11 Notwithstanding the foregoing limits on updates, when Woodpecker introduces any new features, offerings, supplements, or related software that are new (i.e., that were not previously included with the Services), Woodpecker may provide terms or make updates to the DPA that apply to Customer’s use of those new features, offerings, supplements or related software.
-
PROVIDER’S OBLIGATIONS
2.1 Woodpecker will only process Customer’s Personal Data on behalf of the Customer and only to the extent that is necessary for the purpose of providing the Service and in accordance with this Addendum, Terms of Service and Privacy Policy. This Addendum shall be deemed Customer’s instructions as to the Customer’s Personal Data processing under the Service Agreement between Parties. The Customer’s instructions, if different than the Service usage, shall be documented in the applicable order, support ticket, or other written communication. Woodpecker shall inform the Customer whenever there is a reasonable ground that the Customer’s instruction is contrary to either applicable law and regulation and/or the provisions of the Service Agreement or this Addendum.
2.2 Woodpecker shall implement and maintain appropriate technical and organizational measures to protect Customer’s Personal Data. The Customer acknowledges and agrees that those technical and organizational measures detailed in the subsection below are appropriate:(i) Woodpecker shall maintain and implement only those security practices which are at least as strong as the minimum security practices detailed at https://woodpecker.co/terms-of-service/(ii) The Provider shall limit the access to its infrastructure (including Personal Data) only to the qualified personnel who ought to have the access due to proper functioning of the Service. Access allowance is clearly and precisely defined in the Provider’s structure (confidentiality obligations) and confirmed by internal documentation (non-disclosure agreements and authorization for data processing).
2.3 The Provider shall:
- promptly notify the Customer in writing, to the extent legally permitted, of any request from the Data Subject to exercise the Data Subject’s right of access, rectification, restriction, erasure, data portability, object to the processing, and any complaint about the processing of Customer’s Personal Data;
- to the extent not prohibited by law notify the Customer in writing of any other judicial or administrative order or proceeding seeking access to Customer’s Personal Data, or disclosure of Customer’s Personal Data;
- notify the Customer in writing, without undue delay, after becoming aware of any unlawful or accidental destruction, alteration, damage, loss, unauthorized disclosure of or access to Customer’s Personal Data Processed by Woodpecker or its Sub-processors, as required to help Customer in ensuring compliance with its obligations to notify their customer’s or Supervisory Authority. The obligations mentioned above shall not apply to incidents caused by the Customer or its Users or Prospects;
- upon a reasonable Customer’s request related to the Service, provide the Customer with rational assistance needed to fulfill the Customer’s obligation under the GDPR;
- as the duration of the Personal Data processing under this Addendum is determined by the Customer, Provider shall, depending on the Customer’s choice, return Customer’s Personal Data to the Customer and to the extent allowed by applicable law and technical possibilities, delete Customer’s Personal Data within 90 days unless the further retention of the Customer’s Personal Data is required from Woodpecker according to the applicable laws. The Provider reserves the right to retain the Customer’s Personal Data for the time exceeding 90 days in legally justified situations required by the law of the Provider or to secure further (or potential) claims against the Provider. In case of such a prolonged data retention period, the Provider is obliged to limit processing to the minimum. In such a case the Customer’s Personal Data shall be processed on a basis of Woodpecker’s legitimate interest.
2.4 Provider declares that it has conducted necessary employee training and informed its workers about data protection restrictions and the requirements to maintain the highest security and safety standards.
2.5 By implementing appropriate technical and organizational measures, and to a reasonable extent, the Provider shall assist the Customer, with the fulfillment of the Customer’s obligations towards Data Subjects and exercise Data Subject rights set forth by GDPR. The Customer shall be responsible for any costs arising from the Provider’s provision of such assistance.
2.6 Woodpecker will not disclose or provide access to any Processed Data except:
- as Customer directs;
- as described in this DPA, especially with regard to the Subprocessing (section 4); or
- as required by law.
-
CUSTOMER’S OBLIGATIONS
3.1 The Customer is obliged to comply with its obligations as a Data Controller or Data Processor under applicable Data Protection Laws in respect of its processing of Customer’s Personal Data and any processing instructions it issues to the Provider.
3.2 The Customer is responsible for the legality of the data (including any Personal Data) entered into the Service provided by Woodpecker in line with requirements set forth in Article 6 of the GDPR. The Customer acknowledges that he has the legal basis for processing all of the Personal Data entered into the Service and entrusted to the Provider. Woodpecker shall, under no circumstances, be liable for any infringement towards personal data processing due to the lack of legal basis or legality of data processed by the Customer.
3.3 The Customer confirms that it has been instructed and throughout the duration of the Personal Data processing will instruct the Provider to process Personal Data only on the Customer’s behalf and in accordance with the GDPR.
3.4 The Customer is solely responsible for implementing and maintaining security measures and other technical and organizational measures appropriate to the nature and the volume of Personal Data that the Customer stores or otherwise processes with the Service usage. The Customer is also responsible for the use of the Service by any of its employees, Users, any person the Customer authorizes to access or use the Service, and any person who gains access to the Customer’s Personal Data or other services as a result of Customer’s failure to use reasonable security precautions, even if such use was not authorized.
-
SUBPROCESSING
4.1 In accordance with the Service Agreement and this Addendum the Customer grants a general authorization to Woodpecker to engage Sub-processors for the performance of Woodpecker’s obligations under the Terms of Service and Privacy Policy.
4.2 Woodpecker may need to engage Sub-processors when necessary to provide and maintain the Service and support to the Customer. Woodpecker may give that Sub-processors access to the Customer’s Personal Data due to legitimate business purposes and the Customer hereby agrees to such disclosure.
4.3 The Customer’s Personal Data disclosed to the Sub-processor shall be the minimum of the Personal Data required to reach the purpose of processing.
4.4 All of the Sub-processors used by the Woodpecker for processing Customer’s Personal Data shall be enlisted and the list shall be updated regularly.
4.5 The up-to-date list of Sub-processors shall be available to the Customer upon request. The list shall also be available to the Customer via the applicable Website.
4.6 Woodpecker requires that Sub-processors maintain security and confidentiality practices that are consistent with the Service Agreement and the GDPR.
4.7. If the Customer’s Personal Data is sent outside of the European Economic Area Provider shall guarantee that such transfer shall be secured by appropriate security measures (such as Standard Contractual Clauses in line with the EU Commission Decision 2021/914/EU of 4 June 2021 or an adequacy decision or other required by the applicable Data Protection Law). By entering into this Addendum the Customer agrees on the Customer’s Personal Data transfer also outside the European Economic Area and the European Union.
-
AUDIT AND COMPLIANCE ASSISTANCE
Provider, upon Customer’s written request, make available to Customer information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR regarding Service provided by Provider and allows for and contributes to audits, including inspections, conducted by Customer or another auditor mandated by Customer. The scope of the audit shall be determined only by the compliance of the Service disclosed by the Provider with the Security Measures set forth in this Addendum as well as the Privacy Policy and Security Policy available via the following links https://woodpecker.co/privacy-policy/, https://woodpecker.co/safety-security/. Customer shall inform the Provider about any planned audit with at least a one-month notice period. Provider shall assist the Customer only to the extent required by law to demonstrate compliance with the GDPR and to the extent that is justified from the business perspective. All information disclosed by the Provider that assists the Customer in compliance demonstration is considered to be confidential.
All costs of third-party providers or Provider’s individual costs arising from the audit conducted or requested by the Customer shall be borne fully by the Customer.
-
TERMINATION
This Addendum may be terminated at the earliest of:(i) termination of the Service Agreement (without prejudice to the survival of accrued rights and liabilities of the Parties and any obligations of the Parties which either expressly or by implication survive termination); (ii) as agreed by the Parties in writing.
-
LIABILITY
7.1 The Provider shall be liable for any direct damage caused to the Customer due to the non-compliance with this Addendum during the processing of the Customer’s Personal Data. The Provider’s liability shall not include situations where the damage is the result of an action or omission for which the Provider is not responsible.
7.2. The Provider’s entire liability to the Customer arising out of this Addendum, including this Addendum, shall not exceed the value of the Service Subscription expenses from the last 12 (twelve) months prior to the damage.
-
MISCELLANEOUS
This Addendum shall remain in full force and effect until the earlier of the expiration or termination of the Service Agreement.
-
FINAL STATEMENT
9.1 Any changes to the Addendum shall be made in writing.
9.2 The Addendum shall be governed by the law of Poland.
9.3 If the amicable settlement is not possible between the Parties, any disputes that may arise from the performance of the Addendum shall be considered by the court having jurisdiction over the Provider.
9.4. If the Customer wishes to receive a DPA with the full text of Standard Contractual Clauses included or a signed version please contact [email protected].