This Data Processing Agreement (“DPA”) forms an integral part of the IndyKite Subscription Agreement (the “Agreement”), available at https://www.indykite.com/legal-agreements between IndyKite (Processor) and Subscriber (Controller), or other agreement entered into between Controller and Processor that governs Controller’s use of Service made available by Processor when Processor is processing personal data on behalf of Controller. The DPA has been entered into for the purpose of fulfilling the requirements under Regulation 2016/679 (GDPR) and to ensure protection of the rights of the data subject between IndyKite and Subscriber. In case of any conflict between the Agreement and the DPA, the DPA shall prevail.
1. Definitions
1.1 Each capitalized term used in the DPA shall have the meaning assigned to it in the Agreement, unless expressly provided herein to the contrary.
1.2 In addition, the following definitions apply:
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Protection Laws and Regulations” means applicable laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, and the United States and its states, relevant for the Processing of Personal Data under the Agreement.
- “GDPR” means EU Regulation 2016/679 (EU) – the General Data Protection Regulation.
- “Personal Data” means Controller Data related to a User.
- “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity which processes Personal Data on behalf of the Controller.
1.3 Terms not otherwise defined herein shall have the meanings given to the terms in the GDPR.
2. The Parties’ roles under the DPA
2.1 The Parties agree that with respect to Processing of Personal Data covered by this DPA, Processor will Process the Personal Data on behalf of Controller.
This means that under this DPA, Processor shall be considered the Processor, and Controller shall be considered the Controller.
2.2 This DPA sets out the rights and obligations concerning Processor’s Processing of Personal Data on behalf of Controller and shall ensure that the Processing complies with the requirements set out in the GDPR and other relevant Data Protection Laws and Regulations.
3. Purpose of the Processing of Personal Data
3.1 The purpose of Processor’s Processing of the Personal Data is to provide Services to Controller as specified by the Controller in the Agreement, including applicable Order Form(s).
4. Controller’s rights and obligations
4.1 Controller is responsible for ensuring that the Processing of Personal Data, which Processor is instructed to perform, takes place in compliance with Data Protection Laws and Regulations.
4.2 Controller shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which Controller acquired Personal Data. Controller shall be responsible, among other things, for ensuring that the Processing of Personal Data has a legal basis, and that the Users are informed about the Processing in accordance with Data Protection Laws and Regulations, including being informed about Processor’s role as a Processor of the Personal Data.
4.3 Controller has the right and obligation to make decisions about the purposes and means of the Processing of Personal Data.
4.4 Controller will provide information about the Processing, including an overview of the type of Personal Data, categories of Users, and duration of the Processing, in Annex A.
4.5 Controller’s instructions to Processor for the Processing of Personal Data shall comply with Data Protection Laws and Regulations.
5. Processor’s rights and obligations
5.1 Processor shall only Process the Personal Data on behalf of Controller and for the following purposes:
- Processing in accordance with the Agreement, including this DPA and applicable Order Form(s);
- Processing as otherwise reasonably requested in writing by Controller, provided such instructions are consistent with the terms of the Agreement; and
- Processing required by applicable law to which Processor is subject.
Processor shall not be required to comply with or observe Controller’s instructions if such instructions are in conflict with GDPR or other Data Protection Laws and Regulations. Processor shall notify Controller immediately if any of the instructions are inadequate or in violation of the GDPR or other Data Protection Laws and Regulations.
5.2 Processor shall immediately notify Controller if Processor receives a request from an authority to disclose Personal Data Processed under this DPA. Processor is not obliged to notify if the law prohibits such notification. Unless required by law, Processor shall not comply with such a request without prior written approval from Controller.
5.3 At the request of Controller, Processor will assist Controller in responding to requests from the data subjects pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure), and assist Controller in fulfilling its duties pursuant to Articles 32-36 of the GDPR.
The scope of the duty to provide assistance to Controller under this Section shall take the nature of the Processing and the information available to Processor into account.
6. Confidentiality
6.1 Processor shall keep the Personal Data being Processed on behalf of Controller confidential and shall only grant access to persons who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis.
6.2 Processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the abovementioned confidentiality.
7. Sub-processors
7.1 Processor shall meet the requirements specified in Article 28(2) and (4) of GDPR in order to engage another processor (sub-processor).
7.2 Processor has Controller’s general authorisation for the engagement of sub-processors to carry out processing activities on Customer Data on behalf of Controller. Processor maintains an updated list of all sub-processors, ref. Annex B. At least 30 days before Processor engages a Sub-processor, Processor shall update the applicable annex and provide Controller with a mechanism to obtain notice of that update. To object to a Sub-processor, Controller can: (i) terminate the Agreement pursuant to its terms; (ii) cease using the Service for which Processor has engaged the Sub-processor; or (iii) move the relevant Customer Data to another Region where Processor has not engaged the Sub-processor.
7.3 Processor shall remain fully liable to the data controller as regards the fulfillment of the obligations of the sub-processor if the sub-processor does not fulfill its data protection obligations. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.
8. Security of Processing
8.1 Processor shall maintain appropriate organizational and technical measures for the protection of the security, confidentiality, and integrity of the Personal Data. This includes protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Personal Data.
8.2 Processor shall regularly monitor compliance with these measures and shall not materially decrease the overall security of the Services during a Subscription Term.
8.3 Annex C includes an overview of the applicable measures pursuant to this section.
9. Notification of Personal Data breach
9.1 In the event of a Personal Data breach, Processor shall notify Controller without undue delay. The notification shall at least describe:
- The nature of the breach of Personal Data, including, if possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
- The name and contact information of the data protection officer or other contact where further information can be obtained;
- The likely consequences of the Personal Data breach; and
- The measures taken or proposed to be taken to address the Personal Data breach, including any measures to mitigate its possible adverse effects.
9.2 If Processor is unable to provide all the information above in the first notice, the information shall be provided without undue delay and no later than 72 hours after the occurrence of the Personal Data breach. Controller shall ensure that an incident report is sent to the relevant data protection authority in accordance with Article 33 of the GDPR.
10. Audits
10.1 Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.
10.2 Processor shall be required to provide supervisory authorities having jurisdiction with access to its physical facilities on presentation of appropriate identification.
11. The Parties’ agreement on other terms
11.1 The parties may agree, in Annex D, other clauses concerning the provision of the Personal Data Processing, e.g. liability, as long as they do not contradict, directly or indirectly, the DPA or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by GDPR.
12. Commencement and termination
12.1 The DPA shall become effective on the date of the creation of Controller’s account with Processor. This DPA shall remain in force for as long as Processor Processes Personal Data on behalf of Controller pursuant to the Agreement.
12.2 Both parties shall be entitled to require that the DPA be renegotiated if changes to the law or inexpediency of the DPA should give rise to such renegotiation.
12.3 This DPA may be terminated in accordance with the Agreement. If the Agreement is terminated, this DPA shall automatically be terminated.
12.4 In the event of a breach of the DPA Controller may instruct Processor to stop further Processing of the Personal Data with immediate effect.
13. Return, deletion and/or destruction at the end of the Agreement
13.1 Upon termination of this DPA, Processor is obligated to return all Personal Data received on behalf of Controller unless Union or Member State law requires storage of the personal data.
13.2 Controller may require that Processor deletes or destroys all Personal Data processed under this DPA. Controller may ask Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the Agreement is terminated.
13.3 Should Controller not request return or deletion in accordance with the previous paragraph, Processor shall nevertheless delete Personal Data received on behalf of Controller no later than 60 days after the termination of this DPA, unless Processor has another legal basis for storing the data, such as having a legal obligation to do so.
13.4 Backup copies that contain Personal Data will be deleted in accordance with Processor’s routines for deletion of backups. If Controller requires the backup copies to be deleted outside the regular routines, Processor will do this as a paid service, with remuneration based on Processor’s hourly rates.
14. Law and legal venue
14.1 The choice of law and legal venue are pursuant to the Agreement.
ANNEX A: INFORMATION ABOUT DATA PROCESSING
A.1. The purpose of the Processor’s processing of personal data on behalf of the Controller
Processor shall only Process the Personal Data on behalf of Controller and for the following purposes:
- Processing in accordance with the Agreement, including the DPA and applicable Order Form(s);
- Processing as otherwise reasonably requested in writing by Controller, provided such instructions are consistent with the terms of the Agreement; and
- Processing required by applicable law to which Processor is subject.
Any submission and transfer of Personal Data to the Platform, by or on behalf of Controller, is determined and controlled by Controller in its sole discretion.
A.2. Processing includes the following categories of data subject
The Personal Data may include, but is not limited to Personal Data relating to the following categories of Users:
- Customers of Controller (when natural persons)
- Business partners of Controller (when natural persons)
- Vendors of Controller (when natural persons)
- Employees of Controller
- Employees of Controller’s customers, business partners, and vendors
A.3. The processing includes the following types of personal data about data subjects
The Personal Data may include, but is not limited to the following categories of Personal Data:
- Business contact information (company name, e-mail, phone, business address)
- Personal contact information (first and last name, e-mail, phone)
- Position
- Employer
- Gender (this only applies if enabled by Customer)
- Birth Year (this only applies if enabled by Customer)
- Nationality biometric verification (this only applies if enabled by Customer)
A.4. Special categories of Personal Data
Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic data, biometric data, health data, and data concerning a natural person’s sex life or sexual orientation, are considered Special Categories of Personal Data.
For Special Categories of Personal Data restrictions and safeguards that fully take into consideration the nature of these data and the risks involved, such as for instance strict purpose limitation, access restrictions, access logs, and restrictions for onward transfers, are required. If Controller submits Special Categories of Personal Data to the Platform, Controller thereby confirms that it has reviewed and assessed the restrictions and safeguards that are being applied to the Special Categories of Personal Data and has decided, in its sole discretion, that such restrictions and safeguards are sufficient.
A.5. The Processor’s processing of personal data on behalf of the Controller may be performed when the DPA comes into force. Processing has the following duration:
Subject to Controller’s use of the Service, Personal Data will be Processed on a continuous basis during the term of the Agreement.
ANNEX B: LIST OF SUB-PROCESSORS
The Controller has approved the use of the following sub-processors:
GitHub
88 Colin P Kelly Jr St
San Francisco, CA 94107
United States
+1 (877) 958-8742
https://support.github.com/
Source code repositories, build, and deploy management.
Google
1600 Amphitheatre Parkway
Mountain View, CA 94043
https://cloud.google.com/contact/
Cloud services and workspace.
Hubspot
25 First Street, 2nd Floor
Cambridge, MA 02141
United States
+1 (888) 482-7768
https://www.hubspot.com/company/contact
CRM and ticketing system.
Zapier
548 Market St. # 62411, San Francisco, CA, 94104
United States
+1 (877) 381-8743
https://zapier.com/app/get-help
API workflow integrations.
Slack
500 Howard St
San Francisco, CA 94105
United States
https://slack.com/help
Business communication platform.
IndyKite Norway AS
Hegdehaugsveien 24,
Oslo 0352
Norway
contact@indykite.com
Identity platform services.
CockroachDB
125 W. 25th Street, 11th Floor, New York, NY 10001
https://www.cockroachlabs.com
Distributed configuration database
Neo4j Aura
San Mateo, 400 Concar Dr, United States
https://neo4j.com/
Hosted graph database
Confluent
Mountain View, 899 W Evelyn Ave, United States
https://www.confluent.io/
Platform for managing real-time data streams
Zendesk
989 Market St, San Francisco, CA 94103
https://www.zendesk.com/
Customer support ticketing system
Cloudflare
101 Townsend St., San Francisco, California 94107
https://www.cloudflare.com/
Content Delivery Network, DNS services
ANNEX C: SECURITY OF PROCESSING
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the processing as described above in this DPA and as described in the Agreement.
C.2. Security of processing
The level of security shall take into account:
The Services of the data processor are designed with the intention of minimizing the collection of personal information. The data required to use the service is limited to what is needed to authenticate a user and give them access to their own account, and data that is needed for the features in the services to work.
The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary (and agreed) level of data security.
The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller:
- Access controls: Processor shall establish and uphold policies, procedures, and logical controls to restrict access to its information systems and facilities exclusively to authorized individuals. These measures are designed to prevent unauthorized personnel from gaining access and to promptly revoke access when employment status changes. Furthermore, controls are in place to ensure that only personnel with a legitimate need-to-know can access any Customer Data, and all access granted is based on the Principle of Least Privilege (PoL). Processor has strict processes for requiring any personnel to sign NDAs or contracts containing confidentiality clauses before access is given to systems which contain data processed on behalf of controllers.
- Customer user authentication: Customers access the IndyKite Console via Enterprise Single Sign-On (ESSO), which they are responsible for setting up, configuring, and managing to ensure that authentication requirements for their end users comply with their own security policies and standards.
- Vulnerability Assessments: Testing is integrated into the development process, with a system for continuous deployment that runs automated tests before deployment. The Processor regularly conducts infrastructure and application vulnerability scans, especially after major feature changes or architectural modifications. Vulnerabilities are addressed based on risk and as soon as commercially viable.
- Change management: Processor shall maintain policies and procedures for managing changes to production systems, applications and databases for all services. Proper procedures are in place to ensure all changes are documented, reviewed, approved, and tested before service deployment or release.
- Application security: Processor shall perform application security reviews designed to identify, mitigate and remediate security risks before launching new services or significant new features of services.
- Encryption: The Processor utilizes industry-standard secure encryption methods to protect Customer Data, both in transit and at rest, utilizing the latest cryptographic protocols to ensure comprehensive security.
- Business Continuity & Disaster Recovery: The Processor has policies and procedures for emergency response to protect Customer Data and production systems. This includes periodic data backups and a Disaster Recovery Plan tested at least annually to minimize service disruption. Additionally, a structured incident management process is in place to address and mitigate the impact of unexpected events, such as system failures or operational disruptions, to minimize resource loss and ensure continuity.
- Incident Response Plan (IRP): The Processor has implemented a comprehensive Incident Response Plan (IRP) to effectively manage and mitigate the impact of security incidents. This plan includes well-defined procedures for identifying, containing, eradicating, and recovering from security incidents that affect Customer Data or production systems. The IRP outlines specific roles and responsibilities, escalation paths, and communication protocols to ensure a coordinated response. It includes detailed steps for incident detection, reporting, and assessment, along with guidelines for documenting and analyzing incidents. The IRP is tested through regular simulation exercises and updated at least annually to incorporate lessons learned and adapt to emerging threats. The Processor ensures timely notification to the Data Controller of any significant incidents, including providing detailed reports on the nature and impact of the incident, as well as the steps taken to address and remediate the issue.
- Physical security: The Processor does not hold any in-house data and relies on the IaaS provider for these security controls. Physical security measures, including safeguards to prevent unauthorized access, damage, or interference, are the responsibility of our IaaS provider.
- Employees and contractors: Processor shall establish and maintain comprehensive employee security training programs covering information security requirements. These training programs will be reviewed and updated at least annually. Processor will mandate that employees undergo thorough verification, identification, skills assessments, and reference checks appropriate to their roles and the level of access they have to systems and networks.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible assist the data controller, within the scope and the extent of the assistance in Section 8.
C.4. Storage period/erasure procedures
Personal data is processed by the data processor on behalf of the controller for as long as the data processor provides the services to the controller under the Agreement, after which the personal data is erased by the data processor pursuant to the DPA and the retention schedule in the Privacy Policy. If the data processor processes personal data as a controller, the personal data will be erased/anonymised according to the retention schedule set out in the Privacy Policy of the data processor.
Personal data that the data processor processes for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 13 (save for the retention as set forth above), unless the data controller – after the signature of the contract – has modified the data controller’s original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the DPA.
C.5. Processing location
Processing of the personal data under the DPA cannot be performed at other locations than the following without the data controller’s prior written authorisation: the locations for the processing are those of the approved sub-processors listed in Annex B.
C.6. Instruction on the transfer of personal data to third countries
For subcontractors located outside the EEA, the transfer of personal data shall be done according to the regulation on transfers to third countries in Article 45 to 47 and 49 GDPR.
C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
The data processor shall allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The data processor and the controller shall cover their own costs with regard to any audit. If the controller requests the use of an external auditor, the controller shall cover the costs of use of such an auditor.
ANNEX D: OTHER TERMS OF AGREEMENT BETWEEN THE PARTIES
None