This Data Processing Agreement and its Annexes (“DPA”) reflect the parties' agreement with respect to the Processing of Personal Data by Schemon on behalf of you (“Customer”) in connection with the Subscription Services under the Schemon SaaS Agreement between Customer and Schemon (also referred to in this DPA as the “Agreement”).
1. Background and Interpretation
- Schemon Inc. (“Schemon”), a company based in Delaware, USA, will, in performing the Agreement, process personal data on behalf of the Customer in the capacity of the Customer’s processor.
- Schemon will process personal data for which the Customer is the controller as defined in the “GDPR”, Regulation (EU) 2016/679 of the European Parliament and of the Council.
- This DPA forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.
- The Customer may act as processor of personal data on behalf of a third party, so that such third party is the controller and Schemon is a sub-processor. In such case the Customer shall always notify Schemon of any such controller so that Schemon can comply with the GDPR.
- The obligations that Schemon has towards the Customer under this DPA shall apply towards such company that is the controller, insofar as is necessary in order to comply with existing data protection laws, including the GDPR.
- Any terms used in this DPA, such as processing, personal data, data subjects, supervisory authority, and similar shall primarily have the meaning as stated in the GDPR and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances. The terms “processing” and “personal data” refer exclusively to such processing and such personal data that Schemon processes on behalf of the Customer in accordance with this DPA.
- In light of the above, the Parties have agreed as follows.
2. Schemon's Obligations
- Schemon shall notify the Customer without undue delay, if, in Schemon’s view, an instruction infringes the GDPR.
- Schemon is to immediately inform the Customer of any changes affecting Schemon’s obligations pursuant to this DPA.
- Schemon may not take any action which may result in the Customer being deemed to be in violation of the GDPR.
- When processing personal data, Schemon shall:
- only process personal data in accordance with the Customer’s documented instructions, which at the time of the Parties entering into this DPA are set out in Appendix 1A, including with regard to transfers to a third country or an international organisation, unless required to do so by Union or Member State law to which Schemon, or a party that processes personal data as sub-processor to Schemon (“Sub-processor”), is subject. In such a case, Schemon or the Sub-processor shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;
- ensure confidentiality according to section 5;
- maintain an adequate level of security for the personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 4 below;
- respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a Sub-processor;
- taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
- assist the Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Schemon;
- at the choice of the Customer, delete or return all the personal data to the Customer sixty (60) days after the Customer removes the Product in the Third Party Platform (the waiting period exists so that a Product removed by mistake can be restored), and delete existing copies, unless EU law or applicable national law of an EU Member State requires storage of the personal data; and
- make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor agreed upon by the Parties.
3. The Customer's Obligations
- The Customer is required to provide clear and documented instructions to Schemon regarding the processing of personal data by Schemon under this DPA.
- The type of personal data and categories of data subjects processed by Schemon under this DPA and the purpose, nature, duration and objects of this processing, are described in the instructions on processing of personal data in Appendix 1A.
- The Customer shall ensure that Schemon is not able to process additional categories of personal data, or personal data relating to data subjects other than those specified in Appendix 1A.
- The Customer is responsible for ensuring that the instructions provided by the Customer to Schemon are in accordance and compliance with the requirements of the GDPR and the supervisory authority's binding decisions, recommendations and guidelines, practices in the field of data protection, supplementary local adaptation and legislation as well as sector-specific legislation in relation to data protection.
- The Customer undertakes to comply with, and keep up to date with, the GDPR. The Customer shall in particular:
- be the contact person towards data subjects and, in particular, respond to their inquiries regarding the processing of personal data;
- ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 13 and 14 of the GDPR and maintain a record of processing activities under its responsibility;
- provide Schemon with documented instructions for Schemon’s processing of personal data, including instructions regarding the subject-matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects;
- immediately inform Schemon of changes that affect Schemon’s obligations under this DPA;
- immediately inform Schemon if a third party takes action or lodges a claim against the Customer as a result of Schemon’s processing of personal data; and
- immediately inform Schemon if anyone else is the controller, or a joint controller together with the Customer, of the personal data.
4. Security
- Schemon shall implement technical and organisational security measures in order to protect the personal data against destruction, alteration, unauthorised disclosure and unauthorised access.
- The technical and organisational measures Schemon implements shall meet the requirements of the GDPR and the Agreement, taking into account the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
- Schemon shall notify Customer of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that Schemon has committed any wrongful act or omission, or that Schemon shall become liable for the personal data breach.
5. Confidentiality
- In addition to what follows from the Agreement, Schemon shall not, without the Customer's prior written consent, disclose or otherwise make available personal data to any third party, except (i) to Sub-processors that have been engaged in accordance with this DPA, or (ii) if the data is ordered to be shared with the supervisory authority or must be disclosed under the GDPR or another statutory obligation.
- Schemon undertakes to ensure that persons authorized to process the personal data have committed themselves to confidentiality for such processing or are under an appropriate statutory obligation of confidentiality.
6. Disclosure of Personal Data and Contact With Supervisory Authority
- If Schemon receives a request from a data subject, supervisory authority or any other third party regarding obtaining access to personal data that Schemon processes on behalf of the Customer, Schemon shall immediately forward the request to the Customer.
- Schemon, or persons under Schemon's supervision, shall not disclose personal data or any other information related to the processing of the personal data without explicit, documented instruction from the Customer, unless Schemon is required to do so subject to the GDPR.
- In the event that Schemon is required to disclose personal data under the GDPR, Schemon shall take all actions to request confidentiality for the requested information and immediately inform the Customer of the disclosure, in so far as Schemon is not prevented from doing so under the GDPR.
- Schemon shall without undue delay inform the Customer of any contacts from the supervisory authority regarding the processing of personal data and provide the Customer, to the extent permitted by law, with all information relevant in this regard.
- Schemon is not entitled to represent or act on the Customer’s behalf in relation to the supervisory authority.
7. Sub-Processors and Transfer
- Schemon may engage Sub-processors in its processing of personal data. The Customer hereby grants Schemon a general authorisation to engage Sub-processors.
- Sub-processors, at the conclusion of the Agreement, are listed in the list of sub-contractors in Appendix 1B.
- All Sub-processors shall be bound by written agreements under which the Sub-processor is subject to the same data protection obligations as Schemon is under this DPA.
- Schemon shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes.
- Such objection shall be made in writing and within thirty (30) days after Schemon has informed the Customer about the intended changes.
- If the Customer objects to Schemon engaging a sub-processor and the Parties are unable to agree within a reasonable time, Schemon shall have the right to terminate the DPA and/or relevant parts of the Agreement in whole or in part with thirty (30) days' notice.
- In case a Sub-processor fails to perform its undertakings, Schemon is fully responsible towards the Customer for the due performance of the Sub-processor’s undertakings.
8. Transfer to Third Countries
- Schemon shall, as a main principle, neither intentionally nor unintentionally transfer personal data outside the EU/EEA.
- However, in some cases, the use of certain services, despite what is stated above, could entail processing of personal data outside the EU/EEA.
- If Schemon and/or Sub-processors transfer personal data outside the EU/EEA, such transfer shall always, as far as possible, comply with the applicable data protection requirements of the GDPR.
9. Compensation
- Unless explicitly stated otherwise in this DPA, Schemon is not entitled to any additional compensation for the processing of personal data in accordance with this DPA; instead, the compensation provided pursuant to the Agreement also covers the measures in this DPA.
- In addition to the above, Schemon is entitled to reasonable compensation for additional costs resulting from special adjustments for the Customer if such adjustments are due to the Customer’s instructions; such compensation shall include any costs relating to hiring third parties to make the relevant adjustments.
- However, the compensation shall only be paid if Schemon has notified the Customer in advance of such compensation and the Customer has given its approval.
10. Limitation of Liability
- Each Party shall be responsible for any damages and administrative fines imposed on it under Articles 82 and/or 83 of the GDPR.
- Notwithstanding any limitation of liability in the Agreement and what is stated in this clause 10, Schemon’s liability under this DPA shall be limited to direct damages and an amount corresponding to the fees paid by the Customer to Schemon under the Agreement for a period of twelve (12) months before the damage occurred.
- Under no circumstances shall a Party be liable for any loss of profits or other indirect damage caused to the other Party, unless such damage is the result of intent or gross negligence. Furthermore, a Party is only entitled to compensation for damage provided that:
- the aggrieved Party notifies the other Party in writing immediately, and no later than thirty (30) days, after the aggrieved Party has become aware of the damage; and
- the aggrieved Party seeks to reduce the extent of the damage as much as possible through cooperation with the other Party.
11. Term and Termination
- The DPA is valid from the time the Agreement is entered into.
- Upon termination of the DPA, for whatever reason, Schemon shall, in accordance with the Customer’s instructions and at the expense of the Customer, delete or return all personal data to the Customer or the controller and then delete existing copies, unless storage of the personal data is required under Union or Member State law.
- However, the above requirements for deletion do not apply to the deletion of backups, which takes place in accordance with Schemon's current backup routine and is therefore not something that Schemon can affect manually.
- This DPA remains in force as long as Schemon processes personal data on behalf of the Customer, including by deletion or returning of personal data according to section 11.2 above. This DPA shall thereafter cease to apply.
- Sections 5, 10 and 13 shall continue to apply even after this DPA has been terminated.
12. Amendments
- If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions or regulations regarding the application of the GDPR during the term of this DPA, with the result that this DPA does not meet the requirements for a data processor agreement, the Parties shall change this DPA to meet the requirements.
- Schemon is at any time entitled to change the DPA by notifying the Customer.
- Changes in accordance with section 12.1 or 12.2 above shall enter into effect no later than thirty (30) days after the party’s amendment notification, unless the other party has objected to such proposed change or new version of the DPA. If a party makes such an objection and the parties are unable to agree within a reasonable time, Schemon shall have the right to terminate the DPA and/or relevant parts of the Agreement in whole or in part with thirty (30) days' notice.
- If Schemon would choose to adapt to the Customer’s objection, Schemon shall be entitled to reasonable compensation from the Customer for the costs that Schemon incurs as a result of such adaptation.
13. Miscellaneous
- This DPA supersedes and replaces all data processor agreements between the Parties potentially existing prior to this DPA.
- If a Party assigns the Agreement (according to the terms in the Agreement), this DPA shall also be deemed assigned to the assignee of the Agreement. However, this DPA may still apply between the original Parties. No Party shall assign this DPA separately from the Agreement.
- Should any clause in this DPA or part thereof be void or invalid, the other provisions of the DPA shall remain in force and the clause may be amended to the extent such invalidity materially affects the rights or obligations of either Party under this DPA.
- In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regards to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA.
Appendix 1A - GDPR - Instructions on Processing of Personal Data
Purposes
- Schemon processes personal data under the DPA for the purpose of providing any and all Products as well as fulfilling its obligations under the Agreement in relation to providing the Product (“For Services”).
- Schemon also processes personal data under the DPA for the purpose of providing support to the Customer (“For Support”).
Types of Personal Data
The types of personal data that are processed by Schemon are provided under the sections below.
For Services
The following personal data are processed:
- IP Address: The customer IP address is used to provide the correct regional service and prevent fraud.
- Email Address: The customer email address is used as a username and used for contacting customers.
- Name and Surname: The customer name and surname is needed for invoices. It is also used to identify the customer within the services.
- Address: The customer address is needed for invoices. It is also used to select the correct service region for all services.
- Telephone Numbers: The customer telephone numbers are needed for invoices. They are also used by the services to send SMS messages.
- Social Media Accounts: They are needed by certain service features to share service content on social media.
- Age: The customer age is used to exclude customers younger than 13 years of age. It is also used to age-restrict some services.
- Gender: The customer gender is used during communications with the customer and on invoices.
- Language: The customer language is used to provide the correct language for the services.
- Company Name: Used on invoices for business customers.
- Company Address: Used on invoices for business customers.
- Company Telephone Numbers: Used on invoices for business customers.
- Company Email Addresses: Used on invoices for business customers.
- Company VAT Information: Used on invoices for business customers.
- Usage Data: Used to track the usage of services in order to provide a better experience.
- User Content: Any content that the user shares on the Schemon services that may contain personal data.
For Support
The types of personal data that are processed will be dependent on what the Customer shares with Schemon during support. Schemon will only process such personal data that the Customer may show during the support or that Schemon is otherwise given access to.
If Schemon asks the Customer to provide a HAR file, it may include, for example, the first and last name of the user who generated the file. Because a HAR file is a full record of browser traffic, it also typically contains session cookies, Authorization headers, URL query parameters and request and response bodies. The Customer should review the content of the file and remove any personal, sensitive or credential-bearing information before sending the file to Schemon.
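The review step above is easy to get wrong by hand, because a HAR stores the same secret in several places (the URL, the parsed queryString, header lines and parsed cookie objects). The following script is an added example of how a Customer could perform that review mechanically before attaching a HAR to a support case; it is not a Schemon tool and nothing on this page describes one. The header and parameter deny-lists and the sample HAR are assumptions constructed for the example. Credentials are removed by name, and all request and response bodies are removed wholesale, since that is where names, e-mail addresses and other user content end up and no name-based list catches them reliably.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Assumed deny-lists for this example: extend them to whatever header and
# parameter names your own application uses for credentials and sessions.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "set-cookie", "x-api-key", "x-csrf-token"}
SENSITIVE_PARAMS = {"access_token", "token", "id_token", "code", "password",
                    "api_key", "session"}


def _redact_pairs(pairs, names=None):
    """Blank the value of HAR name/value pairs; all of them when names is None."""
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            pair["value"] = REDACTED


def _redact_url(url):
    """Strip sensitive query parameters from the URL string itself. HAR keeps
    the query twice: inside request.url and as request.queryString."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(name, REDACTED if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_har(har):
    """Return a redacted deep copy of a parsed HAR 1.2 document.

    Sizes, MIME types, status codes and timings are kept, since those are what
    a support engineer usually needs; credentials and bodies are not.
    """
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        res = entry.get("response", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        _redact_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        _redact_pairs(res.get("headers", []), SENSITIVE_HEADERS)
        # Cookies appear as parsed objects as well as inside header lines.
        _redact_pairs(req.get("cookies", []))
        _redact_pairs(res.get("cookies", []))
        post = req.get("postData")
        if post:
            if "text" in post:
                post["text"] = REDACTED
            _redact_pairs(post.get("params", []))  # submitted form fields
        content = res.get("content")
        if content and "text" in content:
            content["text"] = REDACTED
    return har


def leaked_values(har, secrets):
    """Check step: which of the given strings still appear anywhere in the HAR?"""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample (not a real capture) with the value types a browser
# export typically contains: a bearer token, a session cookie and a user's name.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "example", "version": "0"},
    "entries": [{
        "startedDateTime": "2024-01-01T00:00:00.000Z",
        "request": {
            "method": "POST",
            "url": "https://app.example.com/api/profile?access_token=tok_abc123&page=2",
            "headers": [{"name": "Authorization", "value": "Bearer tok_abc123"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "session", "value": "sess_987"}],
            "queryString": [{"name": "access_token", "value": "tok_abc123"},
                            {"name": "page", "value": "2"}],
            "postData": {"mimeType": "application/json",
                         "text": "{\"name\": \"Jane Doe\", \"email\": \"jane@example.com\"}"}},
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "session=sess_987; HttpOnly"}],
            "cookies": [{"name": "session", "value": "sess_987"}],
            "content": {"size": 20, "mimeType": "application/json",
                        "text": "{\"name\": \"Jane Doe\"}"}}}]}}

if __name__ == "__main__":
    clean = redact_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("still present:", leaked_values(clean, ["tok_abc123", "sess_987", "Jane Doe"]))
```

Run the check function with every secret you know was in the session (tokens, the user's name and e-mail address) before attaching the output; an empty list is the condition for sending. Name-based redaction is a deny-list, so a credential carried under an unlisted header or parameter name survives it, which is why the bodies are dropped rather than filtered and why the list should be extended for your application.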
Categories of Data Subjects
The categories of data subjects are:
- For Services: Users who access any Schemon subdomain.
- For Support: The categories of data subjects about whom the Customer shares personal data during support, e.g. the Customer’s employees.
Retention Time
The personal data retention time is provided in the sections below.
For Services
- IP Address: 1 Year
- Email Address: During Subscription
- Name and Surname: During Subscription
- Address: During Subscription
- Telephone Numbers: During Subscription
- Social Media Accounts: During Subscription
- Age: During Subscription
- Gender: During Subscription
- Language: During Subscription
- Company Name: During Subscription
- Company Address: During Subscription
- Company Telephone Numbers: During Subscription
- Company Email Addresses: During Subscription
- Company VAT Information: During Subscription
- Usage Data: During Subscription
- User Content: During Subscription
For Support
Personal data processed for support is kept for 6 months.
Processing Options
The processing options are:
- For Services: The processing and storing of personal data are done in order to provide a reliable service and block possible malicious or unintended use of the Service.
- For Support: Reading the information that the Customer provides, e.g. by screen sharing. Storing the information that the Customer sends, e.g., in case Schemon needs to review the information in detail to handle a support case.
Appendix 1B
GDPR - List of Sub Processors
- Company: Amazon Web Services, Inc.
  Region: North America
  Purpose: File Storage.
  Mechanism for transfer to third country (outside of EU/EEA): Standard Contractual Clauses.
- Company: Amazon Web Services, Inc.
  Region: EU
  Purpose: File Storage. Cloud service provider.
- Company: Cloudflare, Inc.
  Region: Global
  Purpose: DNS/CDN/Security.
  Mechanism for transfer to third country (outside of EU/EEA): Standard Contractual Clauses.
GDPR Technical and Organizational Measures
Data Access Control
The organisation uses a password manager to ensure that strong and unique passwords are used by personnel. In general all passwords are stored in the encrypted vault of the password manager.
Use of Multi Factor Authentication is enforced for critical high risk systems.
The Principle of Least Privilege is followed to make sure that people only have access to the data they need. Requests for access and authorization, and any changes to these, are made through an IT service portal. Requests are expected to come from a senior member of staff or a manager and are approved by IT. When employees leave the company, access to systems is revoked during an off-boarding process. A bi-annual access review is performed for all systems.
Secure Software Development Practices
All code is regularly scanned for vulnerabilities using code vulnerability analysis tools. All code changes are reviewed by at least one other software engineer and all changes are introduced via pull requests. All code changes are tested both programmatically and manually.
Awareness and Training
IT policies are documented and easily discoverable by personnel. Regular sessions are organized for personnel to make sure that personnel is aware of the requirements and expectations. Training is organized for all new employees as part of the on-boarding process.
Security Incident Management
In case of a security incident, we notify our customers via email, using the technical email address provided to us through our portal. We also publish security advisories publicly on security.schemon.com.
Schemon follows a coordinated vulnerability disclosure model. This gives customers at least two weeks to take action before the security advisory is published publicly. Customers do not generally need to take any action unless otherwise communicated.
Data Transmission
Schemon's Cloud Services follow best practices and recommendations for secure data transmission. All products ensure that traffic is encrypted in transit using TLS 1.2 or higher.
We only use reliable cloud service providers who are certified and provide detailed information about compliance, processes and measures.
Cloud Incident Management
A 24/7 incident management process is in place to ensure that Schemon’s Cloud services are available and working as expected. The incident management process covers all of Schemon’s Cloud Services. Process and responsibilities are documented.
The incident management process is automated where possible, and confirmations and escalations are done by on-call engineers. Incidents are visible on status.schemon.com.