Data Processing Addendum
Updated on September 27th, 2024
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“TOS”) entered into by and between the Customer and Koalify (“Koalify”), pursuant to which Customer has accessed the Service. The purpose of this DPA is to reflect the Parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of the Data Protection Legislation.
In the course of providing the Service to the Customer, Koalify may Process Personal Data on behalf of the Customer. Koalify agrees to comply with the following provisions with respect to any Personal Data submitted by or for the Customer to the Service or collected and Processed by or for Customer through the Service.
- Definitions
Any capitalized but undefined terms herein shall have the meaning set forth in the TOS.
"CCPA" refers to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA), and any implementing regulations or laws.
“Data Protection Legislation” refers to all applicable laws relating to the Processing of Personal Data and Personal Information, including but not limited to the GDPR and US Data Protection Laws.
"GDPR" refers to the General Data Protection Regulation of 27 April 2016 (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
"Personal Data" refers to any information that relates to an identified or identifiable living individual, including, but not limited to, Personal Information.
"Personal Information" shall have the meaning given to it under the CCPA; i.e. any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
"Sub-Processor" refers to any Data Processor engaged by Koalify and authorized under this DPA to have logical access to and Process certain Personal Data of the Customer in order to provide parts of the Service.
"US Data Protection Laws" refers to the CCPA and other U.S. state privacy laws in effect.
“Data Controller”, “Data Processor”, “Data Subject”, “Processing”, “Personal Data Breach”, and “Appropriate Technical and Organisational Measures” shall be interpreted in accordance with the GDPR.
- US Data Protection Laws
Koalify agrees to Process Personal Data in compliance with US Data Protection Laws, where applicable, and will provide the necessary assistance to enable the Customer to meet its respective obligations under these laws.
Koalify shall not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of providing the Service or as otherwise permitted by the US Data Protection Laws, this DPA or the TOS. Koalify certifies that it does not, and will not, disclose or transfer Personal Data to third parties in exchange for monetary or other valuable consideration.
Koalify does not Process any health-related data or protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Koalify does not retrieve such data, as it is only available through a HubSpot API endpoint to which Koalify does not have access. Consequently, Koalify is not considered a "Business Associate" or "Covered Entity" under HIPAA, and no provisions of HIPAA apply to the Service provided by Koalify.
- Processing of Personal Data
The Parties agree that Customer is the Data Controller and that Koalify is its Data Processor in relation to Personal Data that is Processed in the course of providing the Service. Customer shall comply at all times with Data Protection Legislation in respect of all Personal Data it provides to Koalify pursuant to the TOS.
Koalify will Process this Personal Data in accordance with this DPA and the Data Protection Legislation.
The Processing will be carried out until the term of the Service ceases in accordance with the TOS. Further details of the data Processing are set out in Annex 1 hereto.
- Processing under the instructions of Customer
Koalify shall Process the Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the TOS, or as otherwise notified by Customer to Koalify from time to time).
If Koalify is required to Process the Personal Data for any other purpose provided by applicable law to which it is subject, Koalify will inform Customer of such requirement prior to the Processing unless that law prohibits this on important grounds of public interest.
Koalify shall notify Customer without undue delay if, in Koalify’s opinion, an instruction for the Processing of Personal Data given by Customer infringes Data Protection Legislation.
- Technical and organisational measures
Koalify shall implement and maintain appropriate technical and organisational measures designed to protect the Personal Data against unauthorized or unlawful Processing and against accidental or unlawful loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.
The list of technical and organisational security measures is in Annex 2.
- Sub-Processors
Customer grants general consent to Koalify to engage Sub-Processors for the purpose of carrying out (part of) the Processing activities under this DPA. The list of Sub-Processors is available in Annex 1.
The list of Sub-Processors may be amended from time to time. Koalify will notify Customer of any intended addition or replacement of Sub-Processors. Koalify will update the list within thirty (30) days of such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Legislation.
Any Sub-Processors will be permitted to Process Personal Data only to deliver the services Koalify has retained them to provide, and they shall be prohibited from using Personal Data for any other purpose. Koalify remains responsible for its Sub-Processors’ compliance with the obligations of this DPA. Any Sub-Processors to whom Koalify transfers Personal Data will have entered into written agreements with Koalify requiring that the Sub-Processor abides by terms substantially similar to this DPA. In this context, Koalify ensures that in the case of data transfers to third countries or countries without an adequacy decision by the European Commission, the data transfer is based on the EU standard contractual clauses (2021/914).
Koalify shall ensure that all Koalify personnel who require access to the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this DPA.
- Providing assistance
Koalify shall assist the Customer by implementing appropriate measures to support the Customer’s obligation to respond to requests from Data Subjects under Data Protection Legislation (including requests for information relating to the Processing, and requests relating to access, rectification, erasure or portability of the Personal Data). Koalify will not respond to such requests itself, but will forward them to the Customer without undue delay.
Koalify shall take reasonable steps to assist Customer in meeting Customer’s obligations under Articles 32 to 36 GDPR, taking into account the nature of the Processing under this DPA.
If Koalify becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data or Personal Information that is Processed by Koalify in the course of providing the Service (a “Personal Data Breach”), it shall without undue delay, and where feasible, no later than 24 hours after becoming aware of the Personal Data Breach, notify Customer. Koalify shall also provide Customer (as soon as possible) with a description of the incident as well as periodic updates to information about the incident, including its impact on the Customer’s Personal Data or Personal Information.
Koalify will provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform data protection authorities and/or Data Subjects of the Personal Data Breach under the applicable laws. In addition, the Data Processor shall immediately remedy any underlying causes for each Personal Data Breach.
- Termination
At the end of the applicable term of the Service, Koalify shall, at Customer’s choice, securely destroy or return the Personal Data to Customer and delete any copies, unless applicable law obliges Koalify to store certain Personal Data.
- Audits
Koalify shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Service, which shall include providing reasonable access to the premises, resources and personnel used by Koalify in connection with the provision of the Service and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause.
The purposes of an audit pursuant to this Clause include verifying that Koalify is Processing Personal Data in accordance with its obligations under the DPA and applicable Data Protection Legislation (GDPR and SCCs). Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Koalify of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Koalify’s IT personnel.
Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Koalify’s IT system, data hosting sites or centers, or infrastructure will be permitted.
Audits are permitted only once per year, except following a Personal Data Breach.
- Liability
Subject to the relevant provisions in the TOS, in application of Article 82 GDPR and the general provisions on liability, the following applies:
The Data Controller involved in the Processing is liable for direct damage caused by a Processing activity that infringes the GDPR or other applicable legislation.
The Data Processor is liable for the direct damage caused by the Processing activity if the specific tasks and obligations provided for in this DPA are not met during the Processing, or if it has acted outside of or in violation of the legitimate instructions of the Data Controller.
The Data Controller or Data Processor can be exempted from its liability if it proves that it is in no way responsible for the event that caused the direct damage.
Where the Data Controller or Data Processor has fully compensated the direct damage, it can recover from the other Party the part of the compensation corresponding to that Party’s share of the liability for the damage.
Notwithstanding the TOS, the Data Processor shall be fully responsible for any direct damages arising from Personal Data Breaches where the Data Processor Processes the data in violation of the Data Protection Legislation and/or fails to comply with the instructions of the Data Controller. This liability extends to the maximum extent permitted by applicable law. The Data Processor is not liable for damages if it is proven that the Data Processor is not responsible for the damages.
The Data Processor shall maintain comprehensive and adequate insurance coverage to address liabilities arising from Personal Data Breaches. The Data Processor agrees to provide evidence of such insurance coverage upon request by the Data Controller.
- Changes to DPA due to new privacy laws
Koalify will make reasonable efforts to comply with any new or amended privacy laws or regulations that may apply to its Processing of Personal Data. Koalify reserves the right to modify this DPA if new privacy laws or regulations come into effect that materially impact the Processing of Personal Data. Koalify will notify the Customer of any significant changes to the DPA and provide the opportunity to review and discuss the impact of these changes.
- Miscellaneous
In the event of inconsistencies between the provisions of this DPA and the TOS, the provisions of this DPA shall prevail.
Should any provision of this DPA be or become invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes as closely as possible to the Parties' initial intent.
The Parties to this DPA hereby submit to the exclusive jurisdiction as set out in the TOS and accept that Belgian law shall apply to this DPA.
Annex 1
Details of the Personal Data Processing
Koalify shall Process Personal Data to provide the Service pursuant to the TOS. Koalify shall Process the Personal Data which the Customer makes available to Koalify by using the Service.
The following types of Personal Data may be Processed by Koalify as a result of the Customer using the Service:
Types of Personal Data
- Company name
- First name
- Last name
- Email address
- Phone numbers
- Address
- City
- Country
- Linkedin URL
Categories of Data Subjects
HubSpot contacts and customers of the Customer
Processing activities
The provision of the Service by Koalify to Customer.
Subprocessors

| Name of subprocessor | Address of registered office | Place of processing | Nature of the processing (description of the nature of the processing, assets, …) |
|---|---|---|---|
| Digital Ocean Holdings, Inc. | New York, 101 6th Ave | London | Main hosting provider for the application. |
Annex 2
Technical and organizational security measures

Nature of each measure (Technical or Organizational) and its function (Preventive or Detective):

| Measure | Technical | Organizational | Preventive | Detective |
|---|---|---|---|---|
| Active directory structure and usage | | ✓ | ✓ | |
| Security equipment configuration | ✓ | | ✓ | |
| Generation of keys or client authentication certificates | ✓ | | | |
| System monitoring | ✓ | | | ✓ |
| Authentication | ✓ | | ✓ | |
| Confidentiality of communication | | ✓ | | |
| Intrusion detection | ✓ | | | |
| Anti-virus | ✓ | | | |
| VPN connection | ✓ | | ✓ | |
| Logs | ✓ | | ✓ | |
| Firewall configuration | ✓ | | | ✓ |
| Default passwords | | ✓ | ✓ | |
| Configuration standards | | ✓ | ✓ | |
| Encryption | ✓ | | ✓ | |
| System components inventory | | ✓ | ✓ | |