Komeer Data Processing Agreement
Processing personal data in a secure, fair, and transparent way is extremely important to us at Komeer. We process personal data in accordance with the EU’s General Data Protection Regulation (“GDPR”).
This Data Processing Agreement (“DPA”) documents how Komeer processes Personal Data on your behalf. It is designed to fulfill GDPR’s requirement for a written agreement between Data Controller and Data Processor regarding the processing of Customer’s Personal Data.
The latest version of this document is always available here.
If you do not agree to this DPA, you may discontinue the use of Komeer and terminate your account.
If you require a signed copy of this document, please contact Komeer at firstname.lastname@example.org
“Komeer,” “we,” “us,” or “our” refers to the provider of the Komeer website and services.
“Customer,” “you,” “your” refers to the individual or organization that signs up to use the Service.
“TaC” refers to the Terms and Conditions.
“DPA” refers to this document, the Data Processing Agreement.
“Party” refers to Komeer and/or the customer depending on the context.
“Service” refers to the service provided by Komeer and as set forth in the TaC.
“EU Data Protection Legislation” or “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as amended or superseded).
“Personal Data” means any information relating to an identified or identifiable natural person.
“App Users” means Komeer mobile app users and those who access the Komeer service by email, SMS or the Komeer web app.
“Data Subject” means a natural person whose Personal Data is collected or processed.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Processor” means an entity which processes Personal Data on behalf of the Controller.
“Privacy Shield” means the EU-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce.
“Security Incident” refers to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Special Category Data” refers to particularly sensitive Personal Data that falls within the definition of “special categories of data” under EU Data Protection Legislation. This includes for example information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, sexual orientation or criminal records.
“Security Incident” refers to any breach of the security and/or confidentiality as set out in this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data, or any indication of such breach having taken place or being about to take place.
4. Relationship with TaC
- Except as amended by this DPA, the TaC will remain in full force and effect.
- If there is a conflict between the TaC and this DPA, the terms of this DPA will control.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the TaC.
5. Roles and Responsibilities
- Parties’ Roles: Customer, as Controller, appoints Komeer as a Data Processor to process the Personal Data described in Annex A on Customer’s behalf.
- Confidentiality: Each party agrees that Personal Data shall be treated as confidential information under this DPA.
- Ownership: Personal Data shall remain the property of the disclosing party.
- Prohibited Data: Customer will not provide (or cause to be provided) any Special Category Data to Komeer for processing under the TaC, and Komeer will have no liability whatsoever for Special Category Data, whether in connection with a Security Incident or otherwise.
- Description of Processing: A description of the nature and purposes of the processing, the types of Personal Data, categories of Data Subjects, and the duration of the processing are set out further in Annex A.
6. Responsibilities of Komeer
- Restrict processing: Komeer will process Customer’s Personal Data only to the extent strictly necessary for the purpose of providing the services in accordance with the TaC, any further instructions from the customer given in writing or through the Service, and in accordance with applicable laws.
- Data protection: Komeer will implement and maintain a reasonable and appropriate security program comprising adequate security, technical and organizational measures to protect against unauthorized, unlawful or accidental processing, use, erasure, loss or destruction of, or damage to Customer Personal Data. The technical and organizational security measures which Komeer shall have in place under the TaC are set out in Annex B to this DPA.
- Limit sharing of Personal Data: Komeer will not publish or disclose any Customer Personal Data to any third party with the exception of sub-processors as defined in section 8 “Sub-Processing.”
- Limit access to Personal Data: Komeer will ensure that only its personnel who “need-to-know” will be given access to Personal Data to the extent necessary to perform its obligations under the TaC. It shall provide adequate training to its staff and ensure that they comply with the obligations in this DPA.
- Confidentiality: Komeer will ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether contractual or statutory duty).
- Data retention and export: Upon termination of Customer’s use of the Service Komeer will delete the Personal Data, in accordance with our standard backup and retention policy, no later than 90 days after the termination. Komeer makes available to Customer tools to export all data in a format that allows it to be imported into other services.
- Assistance with compliance: Komeer will assist the Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably and commercially possible, in fulfilling Customer’s obligations under applicable data protection laws.
7. Responsibilities of Customer
- Customer is a data controller: Customer is in control of what data is made available to the Service. Customer understands, as a controller, that it is responsible for obtaining the consent of Data Subjects for the processing of Personal Data, for determining the lawfulness of any processing, for performing any required data protection impact assessments, and for accounting to regulators and Data Subjects, as may be needed.
- Rights to Personal Data: Customer warrants that it has all necessary rights to provide to Komeer the Personal Data for processing in connection with the provision of the Komeer Service.
- Parental consent: Customer will make a reasonable effort to verify parental consent when data is collected on a data subject under 16 years of age.
- Measures to protect the data: Customer will implement their own appropriate measures to ensure and demonstrate processing of Personal Data in accord with this DPA and data protection laws.
8. Sub-Processing
- Sub-processors: Customer agrees that Komeer may engage Komeer affiliates and third party sub-processors (collectively, “Sub-processors”) to process Personal Data on Komeer’s behalf. The Sub-processors currently engaged by Komeer and authorized by Customer are listed in Annex C. Customer may receive notifications of new Sub-processors by e-mailing info@komeer with the subject “Subscribe”. If a Customer subscribes, Komeer shall provide Customer with notification of new Sub-processor(s) before authorizing such new Sub-processor(s).
- Objection to Sub-processors: Customer may object in writing to the appointment of an additional Sub-processor within ten (10) calendar days after receipt of Komeer’s notice in accordance with the mechanism set out at section 8.1 above. In the event that Customer objects on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Komeer will, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected Komeer service in accordance with the termination provisions of the TaC.
- Sub-processor obligations: Where a Sub-processor is engaged by Komeer as described in this section, Komeer shall:
(a) impose on such Sub-processors the requirement to comply with GDPR.
(b) establish a DPA with the Sub-processor on substantially the same terms as this DPA.
(c) restrict the Sub-processor’s access to Personal Data only to what is necessary to perform the subcontracted services.
(d) remain liable for any breach of the DPA caused by a Sub-processor.
9. International Transfers
Komeer will exclusively host Personal Data:
(a) in the European Economic Area
(b) in countries designated by the European Commission as providing an adequate level of protection for Personal Data.
(c) in the United States if the Sub-processor hosting the data is certified under the EU/US and CH/US Privacy Shield and has committed to comply with GDPR.
10. Incident Management
- Notification: When either party becomes aware of a Security Incident that impacts the processing of Personal Data, it shall promptly notify the other about the incident and shall reasonably cooperate in order to enable the other party to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
- Mitigation: In case of a Security Incident, each party shall take appropriate and commercially reasonable steps to mitigate the effects of such a Security Incident on the Personal Data under the TaC.
- Cooperation and Data Subjects’ rights: Komeer shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable the Customer to respond to requests from a data subject seeking to exercise their rights under EU Data Protection Legislation. In the event that such a request is made directly to Komeer, Komeer shall promptly inform Customer of the same.
- Data Protection Impact Assessments: Komeer shall, to the extent required by EU Data Protection Legislation and at the Customer’s expense, taking into account the nature of the processing and the information available to Komeer, provide Customer with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Legislation.
12. Security Reports and Audits
- Compliance information: Komeer will make available to the Customer information reasonably necessary to demonstrate compliance with Komeer’s obligations under this DPA.
- Audits: The Customer does not have any independent right to audit Komeer’s technical and/or organizational measures.
- Customer requests: Komeer shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Komeer’s compliance with this DPA.
ANNEX A: DESCRIPTION OF PROCESSING
1. Nature and Purposes of Processing
Komeer provides a cloud-based communications service for creating and sending alerts, event alerts and payment alerts to specific users/groups. The service is accessible through a web app, through apps for iOS and Android devices, and customers can access their accounts through a web client.
Komeer offers features to:
- enter, update, amend and delete users, alerts and accounts.
- view, print, search, export, filter different tables and reports in various ways.
- receive notifications about alerts, events, payments. Notifications are delivered by email, SMS, mobile push notifications and on the Komeer web app.
- export and import users data.
The content of the alerts is determined by the Customer in its sole discretion.
2. Categories of Data Subjects
Komeer collects Personal Data from five categories of Data Subjects:
Dashboard administrators: Komeer dashboard administrators create alerts, create groups, accept pending users, view/export data, create/monitor access levels for sub admins, view and delete users and have full access to all payment reports.
Sub administrator users: A sub admin may only have access to a particular group that they are involved with and will only be able to send messages to that group. Access levels are determined by the Administrator.
Web App users: Web App users will receive notification through the web app relating to alerts, events and payments.
Email users: An email user will receive notifications by email relating to alerts, events and payments.
SMS users: An SMS user will receive message alerts, limited to 160 characters.
3. Categories of Data
Komeer in its role as Controller collects the following Personal Data:
From Komeer dashboard administrators: Email address, name, address, organization name, phone number, image (optional).
From Komeer Sub administrators: Email address, name, image (optional).
From Komeer app users: Email address, name, address, phone number, image (optional).
Komeer in its role as Data Processor processes the following data:
Any Personal Data that the Customer chooses to enter into the dashboard/app. Komeer has no control over the volume and sensitivity of Personal Data collected by the Customer.
4. Special Category Data
Komeer does not collect or process any Special Category Data in the provision of its service.
Under this DPA, Customer agrees not to provide Special Category Data to Komeer at any time.
5. Duration of Processing
ANNEX B: Komeer SECURITY MEASURES
1. Data Protection
The protection of your data is our highest priority. We have built a fully redundant, highly available, secure and state-of-the-art technical infrastructure to host your data. Our servers are hosted in data centers operated by Amazon Web Services.
Whenever your data is in transit between you and us, everything is encrypted and sent using HTTPS. Data at rest (stored on disk) is encrypted. Any files which you upload to us are stored encrypted at rest. Our backups of your data are encrypted.
Data in active use in our database is not encrypted. Access to the database is restricted to the server administration personnel needed to maintain the systems.
Our servers operate at full redundancy. This includes power supplies, disks, Internet connections, cooling systems and even entire servers. All data is stored on multiple redundant disks instantly, replicated to multiple independent data centers and backed up daily. Our infrastructure is engineered to stay available even if any one component fails.
4. Physical Security
Only authorized personnel have access to the data centers. Round-the-clock onsite security staff as well as interior and exterior surveillance monitoring provide additional protection against unauthorized entry and security breaches.
5. Regularly Updated
Our software infrastructure is updated regularly with the latest security patches.
6. Billing Information
All credit card transactions are processed using secure encryption—the same level of encryption used by leading banks. Credit card information is transmitted directly between customer and our payment provider Stripe. Komeer does not see, collect, or store your credit card details.
ANNEX C: Komeer LIST OF SUB-PROCESSORS
Komeer uses the following Sub-processors to provide its service. They have access to some Personal Data as detailed below:
To provide the Komeer Communications Service:
- Amazon Web Services – Server hosting
- Firebase – Mobile traffic analytics
- Google – Traffic analytics
- MailChimp – Newsletter mailing
- Sendgrid – Email and Newsletter mailing
- Papertrail Inc. – Log aggregation
- Vtiger – CRM System
- Stripe – Payment solution
To respond to Customers’ support requests:
- Help Scout – Help desk solution
- Google – Help desk archive
- Slack – Internal communication
Last updated: March 7th 2019