Data Processing Agreement
1. Introductory provisions
1.1 These terms of processing personal data (the “Data Processing Agreement”) govern the rights and obligations between you as the controller (the “Controller”) and us, Ideoworks s.r.o., with registered address at Račianska 18, Bratislava 831 02, Slovak Republic (Company registration number: 46 819 771), as the processor (the “Processor”) in the context of providing the Service on the Website.
1.2 Capitalised terms not defined in this Data Processing Agreement take the meaning assigned to them in the Terms of Service and/or the Privacy Policy.
2. Subject matter, purpose and period of processing
The Processor will, on behalf of the Controller, process personal data of individuals – the Controller’s Slack workspace users (“Data Subjects”).
2.1 Types of Personal Data
Controller acknowledges and agrees that the following types of Personal Data may be Processed by Processor on Controller’s behalf (as applicable to the Services):
- Basic Personal Identifiers: Name, business email address, Slack handle, job title, Slack user avatar URL, and Slack user role.
- Employment & Work-Related Data: time-off / absence data (including reason codes), departmental or team assignments, work status, hire date and birthdate as required for the operation of the Services.
- Usage Data: Information on how the Controller’s authorized users interact with the platform, including login times, activity logs, and user preferences.
- Billing Information: Controller’s billing information for generating invoices for the service, such as company address, contact information, email, and Tax/VAT IDs.
2.2 The Processor will process the Personal Data of Data Subjects for the purposes of providing the Service for the Controller on the Website.
2.3 The Processor may process the Personal Data on behalf of the Controller throughout the duration of the contract between the Controller and the Processor (i.e. the duration of the Controller’s account with the Service). Within 60 days of achieving the purpose of processing, the Processor will delete or return to the Controller all Personal Data and delete all existing copies unless applicable legislation requires storage of the Personal Data by the Controller.
3. Terms of processing
3.1 The Processor will process the Personal Data in accordance with applicable legislation, in particular, the GDPR and Act No. 18/2018 Coll. on the protection of personal data.
3.2 The Processor will process the Personal Data only on the basis of documented instructions from the Controller, except for cases when required to do so by applicable legislation; in such a case, the Processor will inform the Controller of that legal requirement before processing, unless the relevant legislation prohibits such information on important grounds of public interest.
3.3 The Processor is not authorized to process the Personal Data for a purpose other than that specified by the Controller. The Processor is not authorized to transmit the Personal Data to countries outside the European Union or to third countries that do not guarantee an adequate level of protection.
3.4 The Processor will inform the Controller without delay if the Processor believes that an instruction of the Controller contradicts the GDPR or other legislation relating to the protection of personal data.
4. Specific obligations of the Processor
4.1 The Processor may engage another processor (subcontractor) in the processing of Personal Data, of which the Processor will inform the Controller without undue delay. The Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors, giving the Controller the opportunity to object to such changes at any time. If the Processor engages another processor in the processing of Personal Data, the Processor will impose on that other processor, by means of a contract, the same data protection obligations as set out in this Data Processing Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. If that other processor fails to fulfill its data protection obligations, the Processor will remain fully liable to the Controller for the performance of that other processor's obligations.
4.2 The Processor undertakes to assist the Controller in assessing the impact of data protection and in prior consultations of supervisory authorities as reasonably deemed necessary by the Controller within the meaning of Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
4.3 If the Data Subject exercises his or her rights vis-à-vis the Processor within the meaning of Chapter III of the GDPR, the Processor will forward this request to be processed by the Controller. The Processor may inform the Data Subject of forwarding this request to be processed by the Controller. Having taken into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.
5. Security of Personal Data
5.1 The Processor undertakes to take all measures required under Article 32 of the GDPR, in particular, the Processor undertakes to take appropriate technical and organisational measures taking into account, above all, the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
5.2 The Processor will provide the Controller at any time at the latter’s request any information required to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, in particular, the obligations to take appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and the protection of the Data Subject’s rights is ensured.
5.3 For the purposes of checking compliance with the obligations laid down in this Data Processing Agreement, the Processor will allow for and contribute to audits, including inspections, conducted by the Controller (or another auditor mandated by the Controller).
5.4 The Processor will comply with the obligation of secrecy of processed Personal Data and will not make available or provide the Personal Data to any third party unless otherwise provided in this Data Processing Agreement. The Processor will ensure that its employees or other persons who are authorized to process or have access to Personal Data are bound by the obligation of secrecy within the meaning of this Article.
6. Sub-processing
Processor uses certain third-party subprocessors to assist it in providing its Service and perform various functions as explained in the table below.
A subprocessor is a third-party data processor engaged by Processor, who has or potentially will have access to or process Service Data (which may contain Personal Data).
Prior to engaging any third-party subprocessor, Processor performs due diligence to assess their privacy, security, and confidentiality practices.
Subprocessors
Entity Name | Entity Type | Entity Country
---|---|---
DigitalOcean, Inc. | Cloud Service Provider | United States |
Amazon Web Services, Inc. | Cloud Service Provider | United States |
Braintree Inc. | Payments | United States |
Help Scout PBC | Customer Support Services | United States |
Google Inc. | Business Analytics Services | United States |
Mixpanel Inc. | Business Analytics Services | United States |
Heap Inc. | Business Analytics Services | United States |
Hotjar Limited | Business Analytics Services | Malta |
Plausible Analytics | Business Analytics Services | Estonia |
Twilio SendGrid | Email Services | United States |
Campaign Monitor | Email Services | Australia |
7. Final provisions
7.1 This Data Processing Agreement represents the legally binding agreement on the processing of personal data between the Controller and the Processor within the meaning of Article 28 of Regulation (EU) 2016/679 – the General Data Protection Regulation (hereinafter the “GDPR”). The Controller declares that it has read, agrees with without reservation, is bound by and undertakes to abide by this Data Processing Agreement.
7.2 Should any of the provisions of this Data Processing Agreement be found to be or become invalid, ineffective or unenforceable, this will not affect the other provisions and the parties undertake to replace such provisions with valid, effective and enforceable provisions that are closest to the commercial purpose of the original provisions.
7.3 This Data Processing Agreement forms part of the Privacy Policy and the Terms of Service made available on the Processor’s Website.
7.4 This Data Processing Agreement becomes valid and effective on May 25, 2018.
Last updated on Dec 16, 2024.