TermsData Processing Agreement
Last Updated: September 4, 2023
This Data Processing Agreement (“Agreement”) sets out the terms, requirements and conditions on which WEDO SA (“WEDO”) will process Personal Data when providing services to you as a Client having subscribed to our services.
This Agreement is an annex to the WEDO Terms of Services and forms an integrant part of it.
1. DEFINITIONS
For the purposes of this Agreement:
1.1 “Applicable Data Protection Law” means privacy laws applicable to WEDO as the Processor of the Personal Data, or Client as Data Controller of Personal data, including but not limited to the Federal Data Protection Act of 1992 and its forthcoming revised version, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, ‘GDPR’) and any further implementation, amendment, replacements or renewals thereof (collectively called the “EU Legislation”), as well as all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time.
1.2 “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3 The words “Data Controller“, “Data Subject“, “Personal Data“, “Data Processor” and “Sub-Processor“, “Processing” or “Process” shall be construed in accordance with the definition of “Processing“.
2. PROCESSING OF PERSONAL DATA
WEDO shall:
2.1 process the Client’s Personal Data exclusively in accordance with the provisions of this Agreement and only pursuant to the Client’s written instructions, and use the Personal Data for the sole purpose of the performance of this Agreement and no other use (e.g., for commercial purposes), as set out in Appendix 1;
2.2 ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
2.3 adopt the security measures required under Applicable Data Protection Law as detailed by WEDO from time to time, including the following: (i) resiliency of systems and services related to the processing activities; (ii) ability to timely re-store the availability and the access to Personal Data, where a physical or technical incident occurs; (iii) procedures in order to test, verify and assess regularly the effectiveness of the technical and organizational measures aimed at ensuring the security of Personal Data Processing activities;
2.4 inform the Client of any new Sub-Processor, other than the approved Sub-Processors listed in Appendix 1. The Client is entitled to object to such appointment; provided, however, that, in this case, its sole right shall be to terminate its Agreement with WEDO. Each Sub-Processor shall be bound by the same obligations detailed in this clause 2.2;
2.5 assist the Client to respond to requests for exercising the Data Subjects’ rights;
2.6 notify the Client immediately (and in any event within a period not exceeding 48 hours) after becoming aware of any actual or suspected breach of Personal Data or any security breach leading to, in an accidental or unlawful manner, the deletion, loss, alteration, unauthorized disclosure of the Personal Data transmitted, stored or processed in any other manner, or the unauthorized access to such Personal Data, as well as if, in its opinion, the Client’s instruction should infringe the Data Protection Laws;
2.7 upon termination of this Agreement for whatever reason, cease Processing any Personal Data on behalf of the Client and, at the Client’s option, either forthwith return to the Client all the Personal Data that it is Processing or has Processed on behalf of the Client and/or any documentation or materials containing them and any copies thereof, or according to the Client’s instructions, securely delete or destroy, the Personal Data within thirty (30) calendar days of being requested to do so by the Client.
3. TERMINATION
This Agreement shall terminate in accordance with the terms set out in the WEDO Terms of Service.
APPENDIX 1: DESCRIPTION OF PROCESSING
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Client Personal Data are set out in the Agreement.
The subject matter of the data processing is the collection, processing and use of Personal Data for the Client to the extent this is required for carrying out the Agreement and is limited to the term of the Agreement.
The nature and purpose of the Processing of Client Personal Data
Responding to customer requests, sending notifications and reminders about activity in WEDO, sending transactional emails such as password recovery.
The types of Client Personal Data to be Processed
Users first name, last name, email address and optionally: job title, phone number, location and organization name. Client billing address.
The categories of Data Subject to whom the Client Personal Data relates
Employees of the Client and other specific invited users such as business partners or customers.
Service Data
“Service Data” is Personal Data or other information that Users: input directly into the Platform; create within the Platform; send to the Platform; or provide to WEDO through authorized methods as part of other Service.
APPENDIX 2: APPROVED SUBPROCESSORS
Contractors
WEDO uses certain subcontractors to assist in the operations necessary to provide the WEDO Services. The following is a list of the names and locations of material third-party subcontractors. Subcontractors do not have access to Service Data.
| No. | Subprocessor | Scope | Location | Compliance | Data subjects |
|---|---|---|---|---|---|
| 1 | Equinix (Suisse) GmbH | Data center operator | Switzerland | ISO 27001, GDPR | Service Data |
Infrastructure Sub-processors – Service Data Storage and Processing
WEDO owns or controls access to the infrastructure that WEDO uses to host and process Service Data submitted through the Services. Currently, the WEDO production infrastructure used for hosting Service Data for the Services are located in co-location facilities in Switzerland and in the infrastructure sub-processors listed below. The following table describes the countries and legal entities engaged by WEDO in the storage of Service Data. WEDO also uses additional services provided by these sub-processors to process Service Data as needed to provide the Services.
| No. | Subprocessor | Scope | Location | Compliance | Data subjects |
|---|---|---|---|---|---|
| 2 | Akenes SA (Exoscale) | Hosting | Switzerland | ISO 27001, GDPR | Service Data |
Service Specific Sub-processors
WEDO engages a few third party service providers that process Personal Data on behalf of WEDO in connection with the provision of our Services to customers.
| No. | Subprocessor | Scope | Location | Compliance | Data subjects |
|---|---|---|---|---|---|
| 3 | Intercom | Chat service for customer support | United States | ISO 27001, SOC 2 Type II, GDPR | First name, last name and email address |
| 4 | Mailgun | Email service provider | European Union | GDPR | First name, last name and email address |
| 5 | Pipedrive | Newsletter | United States | ISO 27001, GDPR | First name, last name and email address |
| 6 | Twilio | SMS delivery service | United States | ISO 27001, GDPR | Phone number |
| 7 | Chargebee | Subscription management | European Union | ISO 27001, SOC 2 Type II, GDPR | Billing address |
| 8 | Sentry | Error Tracking | United States | GDPR | No user data |