Data Processing Addendum
Last modified September 19, 2022
This data processing addendum (“DPA”) amends and forms part of the written agreement between Customer and Logixboard titled Master Services Agreement (“Agreement”). In the event of any conflict or inconsistency between this DPA and the Agreement, the terms of this DPA shall prevail to the extent of such conflict.
1.1 In this DPA:
- a) “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;
- b) “Customer Personal Data” means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Laws, for which Customer or Customer’s customers are the Controller, and which is Processed by Logixboard to provide the Services;
- c) “Data Protection Laws” means General Data Protection Regulation (EU) 2016/679 (“GDPR”) and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland, the UK General Data Protection Regulation and the UK Data Protection Act 2018, each as applicable, and as may be amended or replaced from time to time;
- d) Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Laws;
- e) “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
- f) “Services” means the services provided by Logixboard to Customer under the Agreement;
- g) “Subprocessor” means a Processor engaged by Logixboard to Process Customer Personal Data; and
- h) “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
- j) “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).1.2 Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. SCOPE AND APPLICABILITY
2.1 This DPA applies to Processing of Customer Personal Data by Logixboard to provide the Services.
2.2 The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1.
2.3 Customer is a Controller and appoints Logixboard as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers, including, if applicable, the requirement to provide Data Subjects with sufficient notice and obtain consents in accordance with the Data Protection Laws.
2.4 Customer acknowledges that Logixboard may Process Customer Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Logixboard is the Controller for such Processing and will Process such data in accordance with Data Protection Laws.
3.1 Logixboard will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.
3.2 The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
3.3 Customer may reasonably issue additional instructions as necessary to comply with Data Protection Laws. Logixboard may charge a reasonable fee to comply with any additional instructions.
3.4 Unless prohibited by applicable law, Logixboard will inform Customer if Logixboard is subject to a legal obligation that requires Logixboard to Process Customer Personal Data in contravention of Customer’s
4.1 Logixboard will ensure that all personnel authorized by Logixboard to Process Customer Personal Data are subject to an obligation of confidentiality.
5. SECURITY AND PERSONAL DATA BREACHES
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Logixboard will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.
5.2 Customer acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Customer’s intended Processing, and will notify Logixboard prior to any intended Processing for which Logixboard’s security measures may not be appropriate.
5.3 Logixboard will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Logixboard’s notification is delayed, it will be accompanied by reasons for the delay.
6.1 Customer hereby authorizes Logixboard to engage Subprocessors. A list of Logixboard’s current Subprocessors is included in Appendix 0.
6.2 Logixboard will enter into a written agreement with Subprocessors which imposes obligations as required by Data Protection Laws.
6.3 Logixboard will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following Logixboard’s notification of the intended change. Customer and Logixboard will work together in good faith to address Customer’s objection. If Logixboard chooses to retain the Subprocessor, Logixboard will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
7.1 Taking into account the nature of the Processing, and the information available to Logixboard, Logixboard will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Laws to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2 Logixboard will maintain records of Processing of Customer Personal Data in accordance with Data Protection Laws.
7.3 Logixboard may charge a reasonable fee for assistance under this Section 7. If Logixboard is at fault, Logixboard and Customer shall each bear their own costs related to assistance.
8.1 Upon reasonable request, Logixboard will make available to Customer information reasonably necessary to demonstrate Logixboard’s compliance with its obligations under this DPA and will allow and provide reasonable cooperation for any audits, including inspections, mandated by a Supervisory Authority or reasonably requested no more than once a year by Customer and performed by an independent auditor as agreed upon by Customer and Logixboard. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data, and shall be conducted during normal business hours and in a manner that causes minimal disruption.
8.2 Logixboard will inform Customer if Logixboard believes that Customer’s instruction under Section 8.1 infringes Data Protection Laws. Logixboard may suspend the audit or inspection, or withhold requested information until Logixboard has modified or confirmed the lawfulness of the instructions in writing.
8.3 Logixboard and Customer each bear their own costs related to an audit.
9. INTERNATIONAL DATA TRANSFERS
9.1 Customer hereby authorizes Logixboard to perform International Data Transfers to any country deemed adequate by the European Commission or the competent authorities, as appropriate; on the basis of appropriate safeguards in accordance with Data Protection Laws; or pursuant to the SCCs referred to in Section 9.2.
9.2. By signing this DPA, Logixboard and Customer conclude Module 2 (controller-to-processor) of the SCCs which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Logixboard; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of the United States; the courts in Clause 18(b) are the Courts of the United States, Seattle; Annex I, II and III to module 2 of the SCCs are Appendix 1, 2 and 0 to this DPA respectively.
9.3. By signing this DPA, Logixboard and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Logixboard, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are Appendix 1, 2, 0 to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum
9.4. If Logixboard’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of Logixboard’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Logixboard will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Logixboard reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.
10.1 Customer will send all notifications, requests and instructions under this DPA to Logixboard’s Data Protection Officer via email to email@example.com.
11.1 Subject to any limitation of liability set out in the Agreement, to the extent permitted by applicable law, where Logixboard has paid compensation, damages or fines, Logixboard is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.
12. TERMINATION AND RETURN OR DELETION
12.1 This DPA is terminated upon the termination of the Agreement.
12.2 Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Logixboard will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
13. MODIFICATION OF THIS DPA
13.1 This DPA may only be modified by a written amendment signed by both Logixboard and Customer.
14. INVALIDITY AND SEVERABILITY
14.1 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Appendix 0 – Subprocessors
Contact person’s name, position and contact details
Description of the processing
410 Terry Avenue North Seattle, WA 98109
Infrastructure to run Logixboard, including RDS, S3 and cloudwatch for data storage and logging.
45 Fremont Street, 8th Floor, San Francisco, CA 94105
Application error reporting
100 California St #700, San Francisco, CA 94111
One Front Street, San Francisco, CA 94111
Onboarding user experience in the product
25 1st Street Cambridge, MA 02141
1600 Amphitheatre Parkway Mountain View, CA 94043
Product usage analytics
1745 Peachtree Rd NW Suite G, Atlanta, GA 30309
User experience monitoring
201 3rd Street, Suite 200. San Francisco, CA 94103
Product usage analytics
New York, NY 10006
Centralized logs and alerting
CATEGORIES OF CUSTOMER PERSONAL DATA
Appendix 1 - Description of the Processing
The Customer Personal Data Processed concern the following categories of Data Subjects (please specify):#Category1[Employees of Customer, including current and former employees, as well as, temporary staff, interns, and contractors and consultants who perform services for Customer.]
CATEGORIES OF CUSTOMER PERSONAL DATA
- Basic personal data (for example street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, screen name/handle, email address)
- Authentication data (for example user name/handle, password, security question, audit trail)
- Contact information (for example physical addresses, email, phone numbers, social media identifiers)
- Unique identification numbers such as IP addresses, employee number, student number, unique identifier in tracking cookies or similar technology)
For purposes of this DPA, “business operations” consist of the following, each as incident to delivery of the Products to Customer: (1) billing and account management; (2) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (3) combatting fraud and cybercrime; (4) improving functionality of the Products and the Customer experience; and (5) financial reporting and compliance with legal obligations.
Appendix 2 - Security Measures
Logixboard has a strong focus and emphasis on security and privacy. We review each feature during the initial development phase and constantly monitor and evolve our software to provide the highest level of security and compliance.
1. Physical access control
Logixboard is hosted on the AWS infrastructure which provides strong security mechanisms for physical access control. See https://aws.amazon.com/compliance/data-center/controls/
2. Virtual access control.
The Logixboard platform is hosted in a Virtual Private Cloud (VPC) at AWS which effectively prevents direct access to our resources in the cloud.All access requires use of Multi-Factor Authentication. Access to our infrastructure is restricted to engineers who absolutely need access to develop and maintain the system to support customers.All transfers to and from our cloud infrastructure are encrypted.All data is encrypted at rest.
3. Data access control
Logixboard implements organizational and technical access to systems and data. Multi-factor authentication is required to access any customer personal data, and such data is only accessed in the context of customer support.
All customer personal data is encrypted at rest and in transit.