Data processing addendum
Last updated on 8/29/2024
1. Introduction
This Data Processing Addendum ("DPA") forms part of the agreement ("Agreement") between tiq UG (haftungsbeschränkt) ("Processor") and the customer ("Controller") regarding the processing of personal data. This DPA sets out the terms and conditions under which Processor processes personal data on behalf of Controller in accordance with applicable data protection laws.
2. Definitions
- "Processor": tiq UG (haftungsbeschränkt), responsible for processing personal data on behalf of the Controller.
- "Controller": The entity (individual or business) that determines the purposes and means of processing personal data.
- "Data Subject": An identifiable individual to whom personal data relates.
- "Personal Data": Any information relating to an identified or identifiable Data Subject.
- "Sub-processor": Any third party engaged by the Processor to assist in processing personal data.
- "GDPR": General Data Protection Regulation (EU) 2016/679.
3. Subject Matter and Purpose
Processor will process and store textual and image data provided by the Controller to serve as a knowledge base. Additionally, Processor may use AI features to process customer information, subject to user opt-in. The data processed may include names, emails, billing information (for account owners), and potentially sensitive information such as hearing or vision impairments, provided users explicitly opt in.
4. Duration of Processing
This DPA is effective as long as the Processor provides services to the Controller under the Agreement or until an updated DPA is released.
5. Types of Personal Data and Categories of Data Subjects
- Personal Data: Names, emails, billing information, textual data, image data, and potentially sensitive information.
- Categories of Data Subjects: Single end-users and business users with multiple user accounts.
6. Sub-processors
The Processor utilizes the following Sub-processors:
- Vercel: Hosting and processing
- Planetscale: Data storage
- Upstash: Key-Value Database for caching and other operational purposes
- Amazon Web Services (AWS): Image and other file storage
- HubSpot: Customer Relationship Management and marketing
- Google Analytics: User activity tracking
- Stripe: Payment processing and subscription management
The Processor will notify the Controller via email of any new or replacement Sub-processors.
7. International Data Transfers
Personal data may be transferred outside the European Economic Area (EEA) based on Standard Contractual Clauses or other legally approved mechanisms.
8. Security Measures
Processor implements industry-standard security measures, including encrypted storage and data access protection, to safeguard personal data. Regular internal audits are conducted to ensure data safety and compliance with data protection laws.
9. Data Subject Rights
Processor shall, insofar as possible, assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under GDPR, including access, rectification, erasure, restriction, data portability, and objection.
10. Data Breach Notification
In the event of a data breach, Processor will notify the Controller without undue delay, typically in a timely manner via email, to enable the Controller to meet its breach notification obligations.
11. Data Retention and Deletion
Personal data will be retained indefinitely unless the user account is deleted. Upon account deletion, personally identifiable information will be deleted within 30 days.
12. Audit Rights
The Controller has the right to audit the Processor's data protection measures. Audits must be scheduled with a reasonable notice period, in accordance with industry standards, to allow adequate preparation.
13. Liability and Indemnification
Processor shall be exempt from liability for any damages arising unless directly caused by gross negligence in data protection measures. Processor’s liability shall be limited to the extent permitted by applicable law.
14. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Germany. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Germany.
15. Termination
This DPA will terminate when the Controller ceases to use Processor's services or upon the release of an updated DPA.
By continuing to use Processor’s services, the Controller acknowledges and agrees to the terms of this DPA.