This Data Processing Agreement (DPA) is a part of the service agreement (“Agreement") between PRJ Analytics (a Delaware USA limited liability company with a business ID 6587412 “PRJ Analytics”) and PRJ Analytics’ customers (each individually a “Customer”), concerning the provision of the Service whose terms and conditions have been laid out in the PRJ Analytics Terms of Service (as provided at https://www.prjanalytics.net/terms-of-service).
PRJ Analytics and Customer are each individually referred to as the Party and together as the Parties
1. GENERALThis DPA forms an integral part of the Agreement and shall apply to all processing of personal data under the Agreement in the context where PRJ Analytics processes personal data on behalf of the Customer.
Where applicable and when this DPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall be applied to this DPA. If the Agreement or any other document regulating the relationship between PRJ Analytics and the Customer as set out in the Agreement contains provisions that are in conflict with this DPA, this DPA shall have precedence.
Customer shall be considered the controller under the EU regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and PRJ Analytics processes, by providing the Service to the Customer, such personal data on behalf of Customer as a processor for the purposes of the Agreement during the term thereof.
The Customer is responsible for the lawful processing and collection of personal data in compliance with the GDPR and other laws, regulations and directives pertaining to the processing or collection of personal data. PRJ Analytics will not monitor the Customer’s processing or collection of personal data in the Service. The Customer shall be responsible for having the required rights and necessary permissions from third parties to use and disclose personal data for the purposes set out in the Agreement. The Customer shall ensure that the Customer is entitled to transfer the relevant personal data to PRJ Analytics so that PRJ Analytics may lawfully process, use and transfer the personal data in accordance with the Agreement and this DPA.
Each Party shall be responsible for the information security of the Party’s own communications networks. Neither Party shall be responsible or liable for the information security of general communications networks, or for interferences or other disruptions, outside of the Parties influence, that may occur in general communications networks.
The subject matter, categories, and types of data as well as other details of the processing are specified in Schedule 1 of this DPA (Description of the Processing Operations).
2. PROCESSING OF PERSONAL DATA
When acting as a data processor PRJ Analytics shall process personal data in accordance with this DPA and documented instructions from Customer, unless required to do otherwise under European Union or Member State law to which PRJ Analytics is subject. In such case PRJ Analytics shall inform the Customer of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
PRJ Analytics may not use the Customer’s personal data for any other uses than for which the personal data for the provision of the Services and as otherwise instructed by the Customer. PRJ Analytics shall process information disclosed to it by the Customer in accordance with this Agreement and according to written instructions or guidelines given to it by the Customer. Customer’s instructions must be commercially reasonable, compliant with applicable data protection legislation and regulations and consistent with this Agreement.
In case PRJ Analytics detects that any instruction given by the Customer is non-compliant with European Union or member state law to which PRJ Analytics is subject, PRJ Analytics shall not be obliged to comply with such instruction and shall inform the Customer of that legal requirement.In case the Customer’s instructions require additional measures or work to be performed by PRJ Analytics, PRJ Analytics has the right to charge an hourly consulting fee from the Customer for complying with such Customer’s instructions in accordance with PRJ Analytics’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
3. DATA SECURITY
PRJ Analytics ensures that it shall implement and maintain appropriate technical and organizational security measures to protect the personal data within its area of responsibility, in order to safeguard the personal data against unauthorized or unlawful processing or access and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by PRJ Analytics hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, where appropriate and relevant for each processing action:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Service;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
(v) the ongoing confidentiality, integrity, availability, resilience and restoration of all processing systems and services in which personal data is stored or processed;(vi) the pseudonymisation and encryption of personal data and communications containing personal data when it is appropriate and necessary to maintain the integrity and confidentiality of personal data.
PRJ Analytics also ensures that the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. ASSISTANCE OBLIGATIONS
Taking into account the nature of the processing, PRJ Analytics shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.
Taking into account the nature of the processing and the information available to PRJ Analytics, PRJ Analytics shall further provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority)
In case such assistance requires measures from PRJ Analytics, PRJ Analytics has the right to charge an hourly consulting fee from the Customer for handling such assistance requests in accordance with PRJ Analytics’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
5. INTERNATIONAL TRANSFERS
The Customer accepts that PRJ Analytics may have personal data processed and accessible by PRJ Analytics or its subprocessors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes PRJ Analytics to enter, on behalf of the Customer, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or PRJ Analytics shall provide for other appropriate safeguard for the protection of the personal data transferred outside the EEA as set out in the GDPR.
6. AUDITS
The Customer or an auditor appointed by the Customer shall with the assistance of PRJ Analytics have the right to audit the processing activities of PRJ Analytics under this DPA to assess the compliance of PRJ Analytics with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of PRJ Analytics and with 30 days’ prior written notice. If PRJ Analytics’s employees or other representatives participate in such audits at the request of the Customer, the Customer shall compensate PRJ Analytics for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of PRJ Analytics or threaten intellectual property rights of PRJ Analytics, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to PRJ Analytics’s benefit.
Where an audit may, in PRJ Analytics’s sole opinion, lead to the disclosure of business or trade secrets of PRJ Analytics or threaten the intellectual property rights of PRJ Analytics, the Customer shall employ an independent auditor, that is not a competitor of PRJ Analytics, to carry out the audit, and the auditor shall agree to be bound to confidentiality to PRJ Analytics’s benefit.
PRJ Analytics makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR. In case the Customer’s request requires measures or work to be performed by PRJ Analytics, PRJ Analytics has the right to charge an hourly consulting fee in accordance with its then current price for consulting services for handling such requests, subject to the Customer’s prior approval of such additional costs.
6. SUBPROCESSORS
The Customer gives its general authorization to allow PRJ Analytics to engage subcontractors as subprocessors to process personal data in connection with the provision of the Service.
PRJ Analytics is free to choose and change its subprocessors. Upon request, PRJ Analytics shall inform Customer of subprocessors currently involved. In case there is a later change of a subprocessor (addition or replacement), PRJ Analytics shall notify the Customer of such change, thereby giving the Customer the opportunity to object to such change. If PRJ Analytics is not willing to change the subprocessor the Customer has objected to, both Parties shall have the right to terminate the Agreement and this DPA.
Where PRJ Analytics engages a subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be included in the DPA between PRJ Analytics and that subprocessor. Where a subprocessor fails to fulfil its data protection obligations, PRJ Analytics shall remain liable to the Customer for the performance of the subprocessor’s obligations as further stipulated in the Agreement.
Schedule 1 - Description of the Processing Operations
Categories and Types of Personal data
In connection to the provision of Service, the customer data includes first name, last name, email, and if provided by the customer: title, organization, country and primarily field of work.
Duration of the Processing
The data may be processed during the time period the service is used by the customer. It may be processed up to six months after the customer has terminated the service contract unless the customer explicitly requests to delete their data before that.
Transfers Outside of the EU or the EEA
All our data is currently stored on servers in the US. For testing and development purposes, some data samples may be transferred between Europe, Taiwan, Vietnam, and USA.
List of Subprocessors
Company | Purpose | Country of Processing
Amazon Web Services | Cloud infrastructure | USA
Google Cloud Platform & Analytics | Cloud computing services and analytics (app) | USA
HubSpot,Inc | CRM software with marketing automation | USA
Hotjar | Analytics (app) | USA
Stripe Payments USA Limited | Collecting payments | USA
Slack Technologies Limited | Communication platform | USA
Atlassian Corporation Plc | Project management (Jira, Bitbucket, Confluence, Miro) | USA