1. Purpose of the Agreement
The purpose of the agreement is to regulate the rights and obligations under the applicable personal data legislation, and regulation (EU) 2016/679 of 27th April 2016 in respect of the protection of physical persons in connection with the processing of personal data and the free exchange of such data (GDPR), and repealing Directive 95/46/EF.
The agreement is intended to ensure that personal data is not processed illegally, wrongfully, or processed in ways that result in unauthorized access, alteration, erasure, damage, loss, or unavailability.
The agreement governs the data processor’s processing of personal data on behalf of the data controller, including creating, deploying, and executing Conclude apps (“Conclude Apps”).
In the event of a conflict, the Terms of Service will take precedence over any other agreement entered between the data processor and the data controller related to the use of Conclude’s Services.
2. Limiting clause
The purpose of the data processor’s processing of personal data on behalf of the data controller is to create, deploy, and execute Conclude Apps.
Personal data that the data processor processes on behalf of the data controller may not be used for any other purpose without the data controller’s prior approval.
The data processor may not transfer personal data covered by this agreement to partners or other third parties without the data controller’s prior approval, cf. section10 of this agreement.
The data processor will follow the written and documented instructions for the processing of personal data in Conclude Apps, which the data controller has determined will apply.
The data processor is obliged to comply with all obligations under the applicable Norwegian personal data legislation governing the use of Conclude Apps for the processing of personal data.
The data processor is obliged to notify the data controller if it receives instructions from the data controller that are in conflict with the provisions of the applicable Norwegian personal data legislation.
4. Types of information and registered subjects
The data processor processes the following personal data on behalf of the data controller:
Conclude collects information about Customer’s Slack workspace from Slack through API services provided by Slack Technologies, including:
Information about the Slack workspace (team), including name, avatar, and technical identifiers.
Contact information of Slack workspace members, including name, email address, phone number, avatar, and any other kind of information Slack shares in the users’ profiles.
Information about public Slack channel names, technical identifiers, and member lists.
Information about private Slack channels where at least one of the channel members has given explicit Sign In consent.
Information shared in Slack channels (activity channels) where Conclude is a channel member.
Information about actions in Slack channels where Conclude is a channel member, for example, when a User sets an attribute in Conclude.
Information about Conclude Apps that Customer installs. Conclude Apps are stored in JSON format and associated with a Slack channel in the Customer’s workspace.
Information about emails or SMS messages sent from Conclude Apps, created by the Customer. This information is part of the audit log of Conclude’s Inbox.
5. The rights of registered subjects
The data processor is obliged to assist the data controller in safeguarding the rights of registered subjects in accordance with applicable Norwegian personal data legislation.
The rights of the registered subjects include, but are not limited to, the right to information on how their personal data is processed, the right to request access to their own personal data, the right to request corrections or erasure of their own personal data, and the right to require restriction of processing of their personal data.
To the extent relevant, the data processor will assist the data controller in maintaining the registered subject’s right to data portability and the right to object to automated decision-making, including profiling.
6. Satisfactory data security
The data processor shall implement appropriate technical, physical, and organizational safety measures to safeguard the personal data covered by this agreement from unauthorized or unlawful access, alteration, erasure, damage, loss, or unavailability.
The data processor shall provide its employees with adequate information, instruction, and training in data security so that the protection of personal data processed on behalf of the controller is safeguarded.
Only employees of the data processor, who need to access personal data that is processed on behalf of the data controller in connection with their work, will be granted such access. The data processor is required to document guidelines and routines for control of access.
The processor shall ascertain that the data processor employees have a duty of confidentiality in respect of documentation and personal data to which they gain access in accordance with this agreement. This provision also applies after the termination of the agreement. The duty of confidentiality includes employees of third parties who perform maintenance (or similar tasks) of systems, equipment, networks, or buildings that the data processor uses to provide the service.
8. Access to security documentation
The data processor is obliged to provide the data controller, upon request, with access to all security documentation necessary for the data controller to meet its obligations under the applicable Norwegian personal data legislation.
The data processor is obliged to provide the data controller, upon request, with access to other relevant documentation that allows the data controller to assess whether the data processor complies with this agreement’s terms.
The data controller has a duty of confidentiality regarding confidential security documentation, which the data processor makes available to the controller.
9. Duty to notify in case of a security breach
The data processor shall notify the controller without undue delay in the event of personal data processed on behalf of the controller is exposed to a breach of security.
The data processor’s notification shall, at minimum, include information that describes the security breach, which registered subject is affected by the breach, what personal data is affected by the breach, what immediate measures are implemented to address the breach and what preventive measures may have been established to avoid similar incidents in the future.
The data controller is responsible for ensuring that the Norwegian Data Protection Authority is notified when required according to the Norwegian data protection legislation.
The data processor is obliged to enter into separate agreements with sub-processors that govern the sub-processor’s processing of personal data in connection with this agreement.
In agreements between the data processor and sub-processors, the sub-processors shall be required to comply with all the obligations to which the data processor is subject under this agreement and according to law. The data processor is obliged to submit the agreements to the data controller on demand.
The data processor shall verify that sub-processors comply with their contractual obligations, in particular, that data security is satisfactory and that employees of the sub-processors are familiar with their obligations and fulfill them.
The data controller approves that the data processor contracts the following sub-processors to satisfy this agreement:
- Google, USA, for storing and processing Customer data.
- Mixpanel, USA, for website- and product analytics.
- SendGrid Twilio, USA, for sending email from Conclude Apps.
- Twilio, USA, for sending SMS messages from Conclude Apps.
- Vonage, USA, for sending SMS messages from Conclude Apps.
The data processor may contract other sub-processors other than those listed above with notification on our website.
The data processor is not liable for any damages to the data controller or for any financial loss inflicted on the data controller due to illegal or improper processing of personal data or inadequate data security on the part of a sub-processor.
11. Safety audits and impact assessments
The data processor shall regularly implement security audits of its work to safeguard personal data from unauthorized or unlawful access, alteration, erasure, damage, loss, or unavailability.
Security audits shall include the data processor’s security goals and security strategy, security organization, guidelines and routines for security work, established technical, physical, and organizational safeguards.
12. Return and erasure
Upon termination of this agreement, the data processor is obliged to return and erase any personal data that is processed on behalf of the data controller under this agreement.
Erasure is to be carried out by the data processor within a reasonable time after the termination of the agreement. This also applies to any backups of personal data.
The data processor shall document that the erasure of personal data has been carried out in accordance with this agreement. The documentation shall be made available to the data controller on request.
The data processor covers all costs associated with the return and erasure of the personal data covered by this agreement.
In case of breach of terms in this agreement caused by errors or omissions on the part of the data processor, the data controller may cancel the agreement with immediate effect. The data processor will continue to be obliged to return and erase personal data processed on behalf of the data controller pursuant to the provisions of Section 12 above.
14. Limitation and Liability
Under no circumstances is the data processor liable for any loss/damage, including loss of data, resulting from errors of other events related to the Service given.
The data processor is not liable for indirect financial loss. Indirect financial loss includes, but is not limited to, loss of profit, revenue, anticipated savings, goodwill, loss of or damage to data, loss caused by interruption of production, disruption of use of the Service or third party claims (except third party claims based that third party intellectual property rights are infringed). If the data processor, despite the foregoing, is liable for losses incurred by the data controller in connection with this Agreement, the data processor total liability for damage in a calendar year shall in any case be no more than 25% of the annual invoiced amount, excluding VAT.
15. Duration of the Agreement
This agreement applies as long as the data processor processes personal data on behalf of the data controller.
16. Law and Legal Venue
The agreement is governed by Norwegian law and the parties accept Oslo District Court as legal venue. This also applies after termination of the agreement.