Data Processing Addendum

Effective: August 31, 2020

This Langstack Data Processing Addendum (“DPA”) forms part of the Langstack Subscription Agreement (“Agreement”) including its Order Forms and governs Our Processing of Personal Data on behalf of You, except in respect of any usage during a free trial.

By signing the Agreement, You accept the terms in this DPA. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, this DPA shall prevail.

In the course of providing the Services to You pursuant to the Agreement, We may Process Personal Data on behalf of You and the Parties agree to comply with the following provisions with respect to any Personal Data.

1. DEFINITIONS

1.1 In this DPA, defined terms and expressions with capital letters shall have the meaning set out in the Agreement or as set out below:

Agreement means the Langstack Subscription Agreement including associated Order Forms.

Data Controller means the entity that determines the purposes and means of the Processing of Personal Data.

Data Subject means the individual to whom Personal Data relates.

DPA means this Langstack Data Processing Addendum

GDPR means the General Data Protection Regulation issued by the European Parliament (EU) 2016/679 of 27 April 2016

Personal Data means any information relating to an identified or identifiable natural person, see article 4(1) of GDPR. If other confidential information than personal data is Processed for the purpose of fulfilling the Agreement, e.g. information considered confidential according to the Financial Business Act, any reference to Personal Data shall include the other confidential information.

Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combing, restricting, blocking, erasing or destructing as set out in Annex 1 to the Agreement. Processing shall include other grammatical variations of the same meaning.

Sub-Processor means any data processor engaged by Us or under common control by Us.

2. Scope of the Data Processing Addendum

2.1 We act as a data processor for You, as We Process Personal Data for You as set out in Annex 1 to the Agreement.

2.2 The Personal Data to be Processed by Us concerns the categories of data, the categories of Data Subjects and the purposes of the Processing set out in Annex 1 to the Agreement.

3. Processing of Personal Data

3.1 Instructions: We are instructed to Process the Personal Data only for the purposes of performing the Processing tasks set out in Annex 1. We may not Process or use Your Personal Data for any other purpose than provided in the instructions, including the transfer of Personal Data to any third country or an international organization unless We are required to do so according to European Union or member state law. In that case, We shall inform You in writing of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.2 If You in the instructions in Annex 1 or otherwise have given permission to a transfer of Personal Data to a third country or to international organizations, We will ensure that there is a legal basis for the transfer, e.g. the EU Commission’s Standard Contractual Clauses for the transfer of Personal Data to third countries.

3.3 If We consider an instruction from You to be in violation with the GDPR, or other European Union or member state data protection provisions, We will immediately inform You in writing about this.

3.4 If We are subject to legislation of a third country, We declare not to be aware of the mentioned legislation preventing Us from fulfilling the DPA, and that We will notify You in writing without undue delay, if We become aware of that such hindrance is present or will occur.

4. Our general obligations

4.1 We will ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 We will implement appropriate technical and organizational measures to prevent that the Personal Data Processed is

(i) accidentally or unlawfully destroyed, lost or altered,

(ii) disclosed or made available without authorization, or

(iii) otherwise Processed in violation of applicable laws, including the GDPR.

4.3 We will also comply with the special data security requirements that apply to You specified in Annex 1, and with any other applicable data security requirements that are directly incumbent on Us; including the data security requirements in the country of establishment of Us, or in the country where the Processing will be performed.

4.4 The appropriate technical and organizational security measures will be determined with due regard for

(i) the current state of the art,

(ii) the cost of their implementation, and

(iii) the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

4.5 We will upon request provide You with sufficient information to enable You to ensure that Our obligations under the DPA are complied with, including ensuring that the appropriate technical and organizational security measures have been implemented. “Sufficient information” is to be understood as a description of Our implemented organizational and technical measures, as well as the necessary documentation that enables You to obtain confirmation that the organizational and technical measures have been performed consistently and as intended.

4.6 Furthermore, You are entitled at Your own cost to appoint an independent expert who will get access to Our Processing facilities and receive the necessary information in order to be able to audit whether We have implemented and maintained said technical and organizational security measures. The expert shall upon Our request sign a customary nondisclosure agreement, and treat all information obtained or received from Us confidentially, and may only pass on the information to You. Any information passed on to you shall be governed by the confidentiality clauses of the Agreement including its Annexes.

4.7 We will provide information related to the provision of the services to authorities or Your external advisors, including auditors if this is necessary for the performance of their duties in accordance with European Union or member state law.

4.8 We will give authorities who by European Union or member state law have a right to enter Your or Your supplier’s facilities, or representatives of the authorities, access to Our physical facilities against proper proof of identity.

4.9 We will without undue delay after becoming aware of the facts in writing notify You about:

(i) any request for disclosure of Personal Data Processed under the DPA by authorities, unless expressly prohibited under European Union or member state law,

(ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Us under the DPA, or (b) other failure to comply with Our obligations under Clause 2 and 4.3, or

(iii) any request for access to the Personal Data received directly from the Data Subjects or from third parties.

4.10 Taking into account the nature of the Processing We will promptly assist You with the handling of any requests from Data Subjects under Chapter III of the GDPR, including requests for access, rectification, blocking or deletion.

4.11 We will assist You with meeting the other obligations that may be incumbent on You according to European Union or member state law where the assistance of Us is implied, and where the assistance of Us is necessary for You to comply with its obligations. This includes, but is not limited to, on request to provide You with all necessary information about an incident under Clause 9(ii), and all necessary information for an impact assessment in accordance with article 35 and 36 of the GDPR.

4.12 We are entitled to remuneration for Our assistance as set out in Clauses 10 and 4.11, provided that such assistance is required due to a written request from You and for Our assistance as set out in Clauses 4.5, 4.6, 4.7, and 4.8 to the extent provision of Our services exceeds what is reasonably required. Our remuneration for the assistance in Clauses 4.5, 4.6, 4.7, 4.8, 4.10 and 4.11 is to be invoiced based on Our documented costs including time spent.

4.13 Our servers are located and hosted with: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany with servers placed at Hetzner datacenters in Nuremberg, Germany, and Falkenstein in Vogtland, Germany, and with: Hetzner Finland Oy, Huurrekuja 10 04360 Tuusula, Finland with servers placed at Data Center Park in Helsinki, Finland. We undertake to keep the information about the physical location updated by providing a prior written notice of two months to You. This does not require a formal amendment of the DPA, prior written notice by email suffices.

5. Subsuppliers

5.1 We will not engage a Sub-Processor for the Processing of Personal Data under this DPA without prior, written authorization by You. You may object to the use of a Sub-Processor without cause. We will inform You in writing of the discontinued use of a Sub-Processor.

5.2 Prior to the engagement of a Sub-Processor, We will conclude a written agreement with the Sub-Processor, in which at least the same data protection obligations as set out in the DPA shall be imposed on the Sub-Processor, including an obligation to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR.

5.3 You have the right to receive a copy of Our agreement with the Sub-Processor as regards the provisions related to data protection obligations. The fact that You have given consent to Our use of a Sub-Processor is without prejudice for Our duty to comply with the DPA.

6. Confidentiality

6.1 We will keep Personal Data confidential.

6.2 We will not disclose the Personal Data to third parties or take copies of Personal Data unless strictly necessary for the performance of Our obligations towards You according to the DPA, and on condition that whoever Personal Data is disclosed to is familiar with the confidential nature of the data and has accepted to keep the Personal Data confidential in accordance with this DPA.

6.3 All terms of the DPA applies to any of Our employees and We will ensure that Our employees comply with the DPA.

6.4 We will limit the access to Personal Data to employees for whom access to said data is necessary to fulfill Our obligations towards You.

6.5 The obligations of Us under this Clause 6 persist without time limitation and regardless of whether the cooperation of the Parties has been terminated.

6.6 You shall treat confidential information received from Us confidentially and may not unlawfully use or disclose the confidential information.

7. Amendments and Assignments

7.1 The Parties may at any time agree to amend this DPA. Amendments must be in writing.

7.2 We may not assign or transfer any of Our rights or obligations arising from this DPA without Your prior written consent except as part of a Bone Fide transfer of all or the majority of our shares to a third party.

8. Term and termination of the DPA

8.1 The DPA enters into force when an Agreement is signed by both Parties and remains in force until terminated by one of the Parties.

8.2 Each party may terminate the DPA upon 3 months written notice.

8.3 Regardless of the term of the DPA, the DPA is in force as long as We Process the Personal Data, for which You are Data Controller.

8.4 In case of termination of the DPA, regardless of the legal grounds, therefore, We will provide the necessary transition services to You. We are obliged to assist in a loyal way and as fast as possible with transferring the Personal Data to another supplier or return them to You. The cost of providing these services shall be borne by You.

8.5 On Your request and at Your cost We will immediately transfer or delete Personal Data, which We are Processing for You unless European Union or member state law requires storage of the Personal Data.

8.6 We are under no circumstances entitled to condition the full and unlimited compliance with Your instructions on Your payment of outstanding invoices etc., and We have no right of retention in the Personal Data.

9. Priority

9.1 If any of the provisions of the DPA conflict with the provisions of any other written or oral agreement concluded between the Parties, then the provisions of the DPA shall prevail. However, the requirements in Clause 4 do not apply to the extent that the Parties in another agreement have set out stricter obligations for Us. Furthermore, the DPA shall not apply if and to the extent the EU Commission’s Standard Contractual Clauses for the transfer of Personal Data to third countries are concluded and such clauses set out stricter obligations for Us and or for Sub-Processors.

9.2 This DPA does not determine Your remuneration of Us for Our services according to the Agreement.