1. Background
1.1. This data processing addendum (“DPA”) supplements the Phase Terms of Service available at https://www.phase.com/terms, which apply as set out in section 2 of the Terms of Service, as updated from time to time between you and Phase, or any other agreement between you and Phase governing your use of the Phase Service. This DPA is an agreement between you and the entity you represent (“Company”, “you” or “your”) and Phase Software GmbH (“Phase”, “we”, “our” or “us”).
1.2. This DPA does not apply to any processing of personal data in connection with Phase’s exercise of its rights under Section 3.15 of the Terms of Service.
1.3. In the event of any conflict between the remaining provisions of the Terms of Service and this DPA, this DPA shall prevail.
2. Definitions
2.1. Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Terms of Service and the following capitalised terms used in this DPA shall be defined as follows:
"Adequate Jurisdiction" means the UK, EEA, or a country, territory, specified sector or international organisation which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as set out in:
a) the Data Protection Act 2018 (“DPA 2018”) or regulations made by the UK Secretary of State under the DPA 2018; and
b) with respect to data subjects located in the EEA, a decision of the European Commission;
"Approved Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner and laid before the UK Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 of that Approved Addendum;
"Company Personal Data" means any personal data processed by Phase on behalf of the Company in connection with the provision of the Phase Service, as further described in Annex 1;
"Data Protection Laws" means any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK and the EEA and applicable to Phase's processing of Company Personal Data, including the EU GDPR, the UK GDPR and the DPA 2018;
"European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
"GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as defined in section 3 of the Data Protection Act 2018;
"Member State" means a member state of the EEA;
"Sub-processor" means a processor appointed by Phase to process Company Personal Data;
"Transfer Mechanism" means:
a) an agreement incorporating the applicable module(s) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as supplemented by the Approved Addendum; or
b) binding corporate rules approved by the UK Information Commissioner and (with respect to data subjects located in the EEA) an applicable supervisory authority under Article 47 of the GDPR; or
c) any other transfer mechanism approved under s119A of the DPA 2018.
The terms "personal data", "controller", "processor", "data subject", "process" (and "processing" and "processed", as relevant), "personal data breach" and "supervisory authority" shall have the same meaning as set out in the GDPR.
3. Instructions for Data Processing
3.1. Phase shall process Company Personal Data only:
a) for the purpose of providing the Phase Service; and
b) on documented instructions from the Company,
unless other processing is required by applicable law in the EEA or the UK to which Phase is subject, in which case Phase shall inform the Company of that legal requirement before processing the Company Personal Data, unless the law prohibits this on important grounds of public interest.
3.2. The parties agree that the Terms of Service and this DPA shall be the Company's instructions for the processing of the Company Personal Data. The Company may issue additional written instructions to Phase, provided that, to the extent that any of the Company's additional instructions require processing of the Company Personal Data in a manner that falls outside the scope of the Phase Service, Phase may:
a) make the performance of any such instructions subject to the payment by the Company of any costs and expenses incurred by Phase or such additional charges as Phase may reasonably determine; or
b) terminate the Terms of Service and the Phase Service.
3.3. Phase shall immediately inform the Company if, in Phase's opinion, instructions given by the Company infringe the Data Protection Laws. Phase may, without liability, terminate the Terms of Service and this DPA insofar as it concerns processing of Company Personal Data where, after having informed the Company that its instructions infringe the Data Protection Laws, the Company insists on compliance with those instructions.
4. Company Warranties and Undertakings
4.1. The Company represents and warrants that:
a) it has provided all applicable notices to data subjects and, to the extent required, obtained consent from data subjects in each case as required for the lawful processing of the Company Personal Data in accordance with the Terms of Service, including this DPA; and
b) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Annex 2 are:
i) appropriate to ensure the security of the Company Personal Data, including protection against a personal data breach; and
ii) where applicable, otherwise consistent with the Company's obligations under Article 32 of the GDPR.
5. Confidentiality
5.1. Phase shall ensure that:
a) access to the Company Personal Data is limited to those employees or other personnel who have a business need to have access to such Company Personal Data; and
b) any employees or other personnel have agreed in writing to protect the confidentiality and security of the Company Personal Data and do not process such Company Personal Data other than in accordance with this DPA.
6. Sub-processors
6.1. The parties agree that:
a) the Company gives Phase general authorisation to engage Sub-processors from an agreed list; and
b) Annex 3 sets out the list of Phase’s current Sub-processors.
6.2. Phase shall:
a) enter into a written contract with each Sub-processor that contains terms that are substantially the same as those set out in this DPA; and
b) remain liable to the Company for the Sub-processor's processing of Company Personal Data.
6.3. If Phase changes any Sub-processors, Phase shall update the list of Sub-processors and shall provide the Company with a mechanism to obtain notice of that update not less than [twenty-one (21) days] in advance of the implementation of the changes to the Sub-processors it uses to process the Company Personal Data (including any addition or replacement of any Sub-processors), including any information reasonably necessary to enable the Company to assess the Sub-processor and exercise its right to object.
6.4. The Company may object to Phase's use of a new Sub-processor by terminating its Subscription on giving at least 14 days’ notice in writing to Phase and ceasing use of the Phase Service.
6.5. Phase may (without liability) suspend the affected portion of the Phase Service during any notice period under paragraph 6.4.
7. International Transfers
7.1. Phase shall not transfer the Company Personal Data outside the UK or EEA other than:
a) to Sub-processors appointed in accordance with paragraph 6;
b) in accordance with documented instructions from the Company; or
c) in order to fulfil a specific requirement under applicable law in the EEA or the UK to which Phase is subject.
7.2. Where Phase transfers any Company Personal Data to a Sub-processor, it shall ensure that:
a) the Sub-processor is located in an Adequate Jurisdiction; or
b) the transfer is made subject to an appropriate Transfer Mechanism.
8. Security
8.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Phase shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in Annex 2 and (as appropriate) any other measures listed in Article 32(1) of the GDPR.
8.2. Phase may, by written notice to the Company, vary the security measures set out in Annex 2 including (where applicable) following any review of such measures, provided that such variation does not reduce the overall level of protection afforded to the Company Personal Data by Phase under this DPA.
9. Audits
9.1. Upon the Company's written request, the Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA.
9.2. The Company may, subject to the remainder of this paragraph 9, audit Phase's compliance with this DPA (including the technical and organisational measures as set out in Annex 2), and Phase shall assist with, and contribute to any such audits.
9.3. To request an audit, the Company shall submit a detailed proposed audit plan to Phase in advance of the proposed audit. Phase shall notify the Company if the scope of the proposed audit is covered by any data protection compliance certifications held by Phase which were issued by a commonly accepted certification issuer and audited by a data security expert or by a publicly certified auditing company. Provided that:
a) the certification was produced by a qualified third-party auditor within twelve (12) months of the Company's audit request; and
b) Phase confirms to the Company in writing that there are no known material changes in the controls audited,
the Company agrees to accept the findings of such certification in place of conducting an audit of the controls covered by the certification report.
9.4. The parties agree that any audits under paragraph 9.2 shall be conducted:
a) on reasonable notice to Phase and only during Phase's normal business hours;
b) in a manner that does not materially disrupt Phase's business; and
c) not more than once per year, save that the Company may conduct additional audits if it becomes aware that Phase has suffered a personal data breach affecting the Company Personal Data.
9.5. The Company may engage a third-party independent auditor to conduct any audit under paragraph 9.2 on its behalf, provided that it notifies the identity of such auditor to Phase in advance and Phase does not reasonably object to the appointment of that auditor.
9.6. The Company, or where appropriate the third-party independent auditor appointed by the Company, shall:
a) enter into a confidentiality agreement with Phase prior to conducting the audit in such form as Phase may request; and
b) ensure that its personnel comply with Phase and any Sub-processor’s policies and procedures when attending Phase or any Sub-processor’s premises, as notified to the Company by Phase or any Sub-processor.
10. Personal Data Breaches
If Phase becomes aware of a personal data breach, Phase shall:
a) notify the Company of the personal data breach without undue delay;
b) investigate the personal data breach and provide such reasonable assistance to the Company (and any law enforcement or regulatory official) as required to investigate the personal data breach and submit any notifications required under Data Protection Laws in respect of the personal data breach; and
c) take steps to remedy any non-compliance with this DPA.
11. Access Requests and Data Subject Rights
11.1. Phase shall notify the Company if it receives a request from a data subject to exercise their rights under Data Protection Laws in respect of the Company Personal Data (a "Data Subject Request") and shall not respond to the data subject other than to notify them that the Company acts as the controller of their personal data or unless required under applicable law.
11.2. The Company shall have sole responsibility for responding to and giving effect to any Data Subject Requests received by Phase. Phase shall, taking into account the nature of the processing, assist the Company with responding to any Data Subject Requests by:
a) providing to the Company, on request, with a copy of the Company Personal Data relating to the Data Subject Request; and
b) deleting, blocking or amending the Company Personal Data relating to the Data Subject Request as instructed by the Company.
11.3. Phase shall promptly notify the Company of any request for the disclosure of Company Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
12. Data Protection Impact Assessment and Prior Consultation
To the extent required under applicable Data Protection Laws, Phase shall provide reasonable assistance to the Company with data protection impact assessments and with prior consultations with a supervisory authority of the Company, in each case solely in relation to the processing of Company Personal Data and taking into account the nature of the processing and the information available to Phase.
13. Costs
13.1. The Company shall pay to Phase on demand all costs and expenses incurred by Phase in connection with:
a) facilitating and contributing to any audits of Phase under paragraph 9.2, unless such audit reveals any material non-compliance by Phase with this DPA;
b) facilitating and contributing to any audits of Phase conducted by a supervisory authority in relation to Phase's processing of Company Personal Data;
c) any assistance provided by Phase to the Company with its fulfilment of its obligations to respond to Data Subject Requests; and
d) any assistance provided by Phase to the Company with any data protection impact assessments or prior consultation with any supervisory authority of the Company.
14. Return and deletion
14.1. Phase shall, following the date of termination or expiry of the Terms of Service, retain the Company Personal Data for thirty (30) days (the "Retention Period"). Upon expiry of the Retention Period, Phase shall delete (and procure that any Sub-processors delete) all copies of Company Personal Data, other than any Company Personal Data that:
a) Phase is required to retain under applicable law in the EEA or the UK; and/or
b) is stored in Phase's backup systems, provided that such copies are deleted in accordance with Phase's normal backup overwrite procedures.
14.2. If requested to do so by the Company during the Retention Period, Phase shall return a complete copy of all Company Personal Data by secure file transfer in such a format as agreed between Phase and the Company.
14.3. Notwithstanding termination or expiry of the Terms of Service, this DPA shall continue to apply for as long as Phase continues to process any Company Personal Data.
15. Modifications
15.1. Phase may amend or supplement this DPA, by notice to the Company, including:
a) if required to do so by a supervisory authority or other government or regulatory entity;
b) if necessary to comply with applicable law;
c) to implement amended standard contractual clauses laid down by the European Commission or, where applicable, the UK Secretary of State; and/or
d) to adhere to a code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 of the GDPR.
15.2. The Company shall notify Phase if it does not agree to Phase's proposed amendment to this DPA, in which case Phase may terminate the Terms of Service (including this DPA) by giving to the Company not less than fourteen (14) days' prior written notice. Save where the Company objects to the proposed amendment on the basis that it does not comply with applicable Data Protection Law, Phase shall not be under any obligation to refund any pre-paid fees relating to the period after termination in accordance with this paragraph 15.2.
Annex 1
Details of Processing
Item | Details |
---|---|
Categories of data subjects | Personnel of Company (Authorised Users) |
Categories of personal data | Name and business contact details of Authorised Users; any personal data included by Company and Authorised Users in User Content. |
Special categories of personal data | N/A |
Frequency of the transfer | On-going. |
Subject matter of the processing | Company Personal Data. |
Nature of the processing | Compute, store and the Services described in the Terms of Service and initiated by the Company and Authorised Users from time to time. |
Purpose of the processing | The provision of the Services to the Company and Authorised Users. |
Duration of the processing | The Term of the Subscription. |
Sub-processors | As set out in Annex 3 |
Annex 2
Technical and Organisational Measures
Phase (the “Processor”) employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction:
Governance and Policies
The Processor assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
The Processor:
- has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
- reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
The Processor establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.
Breach response
The Processor has a breach response plan that has been developed to address data breach events. The plan is regularly tested and updated.
Intrusion, anti-virus and anti-malware defences
The Processor's IT systems used to process personal data have appropriate data security software installed on them, including:
- Anti-virus protection
- Regular penetration testing
- Regular vulnerability scanning
- Collection, maintenance, review and audit of event logs
Access controls
The Processor limits access to personal data by implementing appropriate access controls, including:
- limiting administrative access privileges and use of administrative accounts;
- changing all default passwords before deploying operating systems, assets or applications;
- requiring authentication and authorisation to gain access to IT systems (i.e. require users to enter a user ID and password before they are permitted access to IT systems);
- only permitting user access to personal data which the user needs to access for his/her job role or the purpose they are given access to the Processor's IT systems for (i.e. the Processor implements measures to ensure least privilege access to IT systems);
- having in place appropriate procedures for controlling the allocation and revocation of personal data access rights. For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role;
- encouraging users to use strong passwords, such as passwords with over eight characters, combination of upper and lower case letters, numbers and special characters;
- monitoring and logging access to IT systems.
Availability and Back-up personal data
The Processor has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated.
The Processor regularly backs-up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested periodically.
Encryption
The Processor uses encryption technology where appropriate to protect personal data held electronically, including:
- encryption of data at rest and in transit;
- encryption of portable devices used to process personal data.
Transmission or transport of personal data
Appropriate controls are implemented by the Processor to secure personal data during transmission or transit, including:
- use of VPNs;
- encryption in transit;
- logging personal data when transmitted electronically;
- logging personal data when transported physically;
- ensuring physical security for personal data when transported on portable electronic devices or in paper form.
Asset and Software management
The Processor maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.
Physical security
The Processor implements physical security measures to safeguard personal data. This may include:
- deployment of appropriate building security;
- deployment and enforcement of appropriate policies to ensure that:
  - when travelling or working away from the office, hard copy documents and portable devices containing personal data are kept secure, e.g. never left in a car or unsecured in a public place;
  - paper records which contain confidential information (including personal data and sensitive personal data) are shredded after use.
Staff training and awareness
The Processor's agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.
The Processor carries out:
- regular staff training on data security and privacy issues relevant to their job role, and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures);
- appropriate screening and background checks on individuals that have access to sensitive personal data.
Selection of service providers and commission of services
The Processor assesses service providers’ ability to meet their security requirements before engaging them.
The Processor has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with the Processor's instructions.
Annex 3
Approved Sub-Processors
Sub-processor | Location | Contact person (name, position and contact details) | Description of processing | Specific technical and organisational measures |
---|---|---|---|---|
Amazon Web Services, Inc. | Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg | Ruth Cullinane, Senior Data Privacy Compliance Manager at Amazon, linkedin.com/in/ruth-cullinane-07b8042 | AWS provides cloud infrastructure services for our animation design software platform. This includes hosting our application servers, databases, and storage solutions on their cloud platform. | 1. Data encryption: AWS implements encryption mechanisms to protect data both in transit and at rest. 2. Access controls: AWS employs robust access controls, integrating Identity and Access Management (IAM) and Single Sign-On (SSO) solutions. This ensures that only authorized personnel can access our data and infrastructure. 3. Network security: AWS maintains a secure network infrastructure, including firewalls and intrusion detection systems, to prevent unauthorized access to our systems. 4. Disaster recovery: AWS offers disaster recovery services to ensure that our data remains available in the event of a system failure or outage. 5. Compliance certifications: AWS adheres to various compliance standards, such as SOC 2, ISO 27001, and GDPR, to ensure that our data is handled in accordance with industry regulations and best practices. 6. Monitoring and logging: AWS provides monitoring and logging services to track and analyze system activity, helping us detect and respond to security incidents promptly. |
Sentry.io | United States (Sentry.io data center) | Jeffery Hung, Security Engineer at Sentry.io, linkedin.com/in/chi-heng-hung | Sentry.io provides error monitoring and performance insights services for our animation design software platform. This service captures data on application errors and performance issues in real time, enabling us to diagnose and fix problems promptly. | 1. Data encryption: Sentry.io utilizes encryption mechanisms to safeguard data both in transit and at rest, ensuring that sensitive information is protected against unauthorized access. 2. Access controls: To prevent unauthorized access, Sentry.io implements strict access controls, ensuring that only authorized personnel can access relevant data and systems. 3. Privacy and compliance: Sentry.io is committed to privacy and data protection, adhering to applicable laws and regulations. Their compliance with standards such as GDPR helps ensure the responsible handling of data. 4. Monitoring and logging: Sentry.io offers extensive monitoring and logging capabilities, allowing for the detailed tracking of application errors and performance issues. This aids in the rapid identification and resolution of potential problems. |
Heap.io | United States (Heap.io headquarters in San Francisco, California) | Judicaël Phan, Data Protection Officer, privacy@contentsquare.com | Heap.io provides analytics services for our animation design software platform. This includes tracking user interactions, analyzing usage patterns, and generating insights to improve our product. | 1. Data anonymization: Heap.io anonymizes user data to protect user privacy while still allowing us to analyze usage patterns and trends. 2. Data retention controls: Heap.io allows us to set data retention policies to ensure that user data is only stored for as long as necessary for analytics purposes. 3. Access controls: Heap.io implements access controls to restrict access to user data to authorized personnel only. 4. Compliance certifications: Heap.io complies with industry regulations such as GDPR and CCPA to ensure that user data is handled in accordance with applicable privacy laws. 5. Data encryption: Heap.io encrypts user data both in transit and at rest to protect it from unauthorized access. 6. Transparency and auditability: Heap.io provides tools for us to monitor and audit data usage, allowing us to ensure compliance with privacy regulations and internal policies. |
HubSpot | Cambridge, Massachusetts, United States | privacy@hustle.co | HubSpot will assist in managing customer relationship management (CRM) data, including contact information, interactions, and marketing communications. | HubSpot will implement robust data encryption protocols, access controls, and regular security audits to safeguard customer data. Additionally, they will ensure compliance with relevant data protection regulations such as GDPR and CCPA. |
MailChimp | Intuit Mailchimp, 405 N Angier Ave. NE, Atlanta, GA 30308, USA | Farman Pirzada, Data Platform Officer at MailChimp, linkedin.com/in/farmanp | MailChimp assists in managing email marketing campaigns, including collecting and storing contact information, sending marketing emails, and tracking email engagement metrics. | MailChimp implements robust data encryption protocols, access controls, and regular security audits to safeguard customer data. They also ensure compliance with relevant data protection regulations such as GDPR and CAN-SPAM. |
Google Analytics | Mountain View, California, United States | privacy@google.com | Google Analytics assists in tracking website traffic and user interactions, including collecting and analyzing anonymized user data such as page views, session duration, and referral sources. | Google Analytics employs advanced data encryption techniques, access controls, and regular security assessments to protect user data. They comply with relevant privacy regulations and offer tools for users to opt out of data tracking. |