Data Processing Addendum
Last Edited on 2020-Oct-15
This Data Processing Addendum (“DPA”) amends the Agreement (Terms of Service, Terms of Evaluation, or other agreement) between Backtrace I/O (“Backtrace”) and the Customer. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Applicable Data Protection Laws as defined below.
In the course of providing the Application Services to Customer pursuant to the Agreement, Backtrace may process personal data on behalf of Customer. Backtrace agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services.
Capitalized terms which are not defined herein shall have the meaning provided in the Agreement. In addition, the following defined terms apply solely with respect to this DPA.
“Applicable Data Protection Laws” mean any statute, regulation, executive order, and other rule or rules issued by a government office or agency that have binding legal force and are generally applicable to Personal Data or the provision of the Services with respect to Personal Data, including, to the extent applicable, EU Regulation 2016/679 (the General Data Protection Regulation or “GDPR”) and the state and federal laws of the United States such as the California Consumer Privacy Act of 2018 (“CCPA”).
The terms “data controller”, “data processor”, “data subject”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with Applicable Data Protection Laws. The terms “consumer”, “business”, “sale” and “service provider” shall have the meanings given in the CCPA. The term “personal data” means data that Customer provides to Backtrace for the provision of the Application Services or otherwise processed for Customer through the Application Services and that constitutes (i) personal data as defined in the GDPR; or (ii) “personal information” as defined in the CCPA.
The parties agree that (i) Customer is the data controller and that Backtrace is its data processor; and (ii) Customer is a business and that Backtrace is its service provider, each (i) and (ii), to the extent applicable, in relation to personal data that is processed in the course of providing the Application Services. Customer shall comply at all times with Applicable Data Protection Laws in respect of all personal data it provided to Backtrace pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Backtrace’s website or through an Ordering Document and provided by Backtrace to Customer, or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases. Further details of the data processing are set out in Attachment 1.
With respect to personal data processed in the course of providing the Application Services:
- Backtrace shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Backtrace from time to time). If Backtrace is required to process the personal data for any other purpose provided by applicable law to which it is subject, Backtrace will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
- Backtrace shall notify Customer promptly if, in Backtrace’s opinion, an instruction for the processing of personal data given by Customer infringes Applicable Data Protection Laws;
- Backtrace shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure (the “Security Measures”) as set forth in Attachment 2. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected, the state of the art, the costs of implementation and the nature, scope, context and purposes of processing;
- Backtrace may hire subcontractors to provide services on its behalf, provided that Backtrace complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Backtrace has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Backtrace remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Backtrace transfers personal data will have entered into written agreements with Backtrace requiring that the subcontractor abide by terms substantially similar to this DPA. If Customer requires prior notification of any updates to the list of subcontractors, Customer can request such notification in writing by emailing email@example.com. Backtrace will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with Applicable Data Protection Laws. If, in Backtrace’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Backtrace, terminate the Agreement.
- Backtrace shall ensure that all Backtrace personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Clause;
- Backtrace at the Customer’s request and cost (and in so far as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Applicable Data Protection Laws (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Backtrace reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
- Backtrace shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Articles 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Backtrace reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
- Backtrace at the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return such personal data to Customer;
- Backtrace may transfer personal data from the European Economic Area (“EEA”), Switzerland or United Kingdom (“UK”) to the US (or to another country not deemed by the European or Swiss Commission to have adequate data protection) in accordance with the Standard Contractual Clauses for the transfer of personal data to processors established in third countries in the form set out by the European Commission Decision 2010/87/EU (“Standard Contractual Clauses”), the terms of which are hereby incorporated into this DPA unless an alternative recognized compliance standard for the lawful transfer of personal data from the EEA, Switzerland or UK (e.g., binding corporate rules) applies to the transfer. In furtherance of the foregoing, the parties agree that:
  - for purposes of the Standard Contractual Clauses, (a) Customer will act as the data exporter; and (b) Backtrace will act as the data importer;
  - for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, personal data, special categories of personal data (if appropriate) and the processing operations shall be as set out in Attachment 1 to this DPA;
  - for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;
  - upon data exporter’s request under the Standard Contractual Clauses, data importer will provide copies of the subcontractor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
  - the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 10 of this DPA and satisfy the parties’ rights and obligations under the Standard Contractual Clauses;
  - Customer agrees that the provisions of Section 11 of this DPA satisfy the requirements under Clause 5(d)(ii) of the Standard Contractual Clauses between Customer and Backtrace;
  - Customer’s authorizations under Section 4 of this DPA constitute Customer’s prior written consent to the subcontracting by Backtrace of the processing of personal data if such consent is required under Clauses 5(h) and 11(1) of the Standard Contractual Clauses; and
  - certification of deletion of personal data in Clause 12(1) of the Standard Contractual Clauses shall be provided upon Customer’s written request.
- Backtrace shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Backtrace in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include verifying that Backtrace is processing personal data in accordance with its obligations under the DPA and Applicable Data Protection Laws. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Backtrace of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Backtrace’s IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Backtrace’s IT system, data hosting sites or centers, or infrastructure will be permitted;
- If Backtrace becomes aware of a breach of security leading to any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Backtrace in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Backtrace shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
- Backtrace shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
- The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with this DPA and the Standard Contractual Clauses (if entered into as described in Section 9 of this DPA) combined will be limited to the liability limitations or other liability caps agreed to by the parties subject to Section 14.
- Nothing in Section 13 will affect any party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent the limitation of such rights is prohibited by Applicable Data Protection Laws.
- Backtrace shall not sell any personal data governed by the CCPA (“CA Personal Data”) or retain, use or disclose CA Personal Data outside the direct business relationship between Customer and Backtrace.
Details of the Data Processing
Backtrace shall process information to provide the Application Services pursuant to the Agreement. Backtrace shall process information sent by Customer’s end users identified through Customer’s implementation of the Application Services. It is the Customer who makes the decision which data is sent to Backtrace for processing.
Types of Personal Data
- Computer diagnostic information, usually in the form of a minidump file.
- IP Address
- Email Addresses
- Full Names
- Operating System Identifiers
- Any other personal data the Customer chooses to send us during the course of our provision of the Service and technical support
Categories of Data Subjects
Users of the Customer’s applications.
The provision of Application Services by Backtrace to Customer.
Backtrace may update the Security Measures from time to time, provided the updated measures do not decrease the overall protection of personal data.
- Organizational management and staff responsible for the development, implementation and maintenance of Backtrace’s information security program.
- Audit procedures for the purposes of monitoring and maintaining compliance with Backtrace’s policies and procedures.
- Data security controls which include restricted (e.g. role-based) access and monitoring and utilization of commercially reasonable technologies for securing personal data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
- Access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Physical and environmental security of data centers, server room facilities and other areas containing personal data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Backtrace’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems.
- Threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
SUBCONTRACTORS IN USE
Amazon Web Services — Hosting Backtrace Infrastructure
- Backtrace customers configure what data is sent to Backtrace for Processing. Full data scrubbing and anonymization is supported. If a standard minidump is sent, it includes: stack memory for each thread in the process: the address which was executing and the register state at the time the process stopped, a list of shared libraries loaded at the time of crash, memory around the crashing address, platform and OS specific data, and optionally other memory regions, if requested by the application.
Sumologic — Hosting Backtrace Logging Data
- Any error data submitted into the Backtrace system will have an IP address logged, representing the IP address that submitted the data. This data is managed by Sumologic for internal diagnostics and support.
Intercom — Hosting Backtrace Usage Data
- Employees of Customer: Backtrace username, application pages visited and activities performed within the application
Zendesk — Hosting Backtrace Customer Support
- Employees of Customer: Username and contact information.