Where applicable, this Data Processing Addendum is hereby incorporated in the SoftStart Terms of Service (the “Terms”), found at https://www.softstart.app/terms/, unless Customer has entered into a superseding written agreement with Supplier, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the Terms. Unless Customer has a superseding written agreement with Supplier, Supplier may amend this Data Processing Addendum from time to time on its Website, as its business evolves. Any revisions will become effective on the date Supplier publishes the changes. Customer can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses the Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.

1. DEFINITIONS AND INTERPRETATION

1. “Data Controller” has the meaning set out in GDPR;

2. “Data Processor” has the meaning set out in GDPR;

3. “Data Protection Regulator” means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;

4. “Data Subject” has the meaning set out in GDPR;

5. “Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information including but not limited to Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”); and

6. “Process”, “Processing” or “Processed” have the meaning set out in GDPR.

2. Protection of Personal Information

1. Supersedence. This Data Processing Addendum shall supersede any and all provisions of the Terms inconsistent herewith.

2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Supplier is the Data Processor of the Customer Personal Information. Supplier will Process Personal Information in accordance with Section 3 of this Data Processing Addendum.

3. Customer’s Obligations as Data Controller. The Customer warrants that the Customer Personal Information has been obtained fairly and lawfully and, in all respects, in compliance with the Privacy Laws.

4. Supplier’s Obligations as Data Processor.

Supplier shall:

1. Process the Customer Personal Information only in accordance with Section 3 of this Data Processing Addendum and any other reasonable documented instructions as provided by the Customer to Supplier from time to time (“Instructions”), including with regard to transfers of Customer Personal Information to a third country, save where:

1. such Instructions are unlawful;

2. such Instructions would cause Supplier to breach its own obligations under Privacy Laws or the Terms or any other agreement with a third party;

3. Supplier is under a legal obligation to Process the Customer Personal Information, in which case Supplier shall inform the Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or

4. such Instruction delays or prevents performance of the Services.

2. inform the Customer if, in its opinion, an Instruction received from the Customer infringes the Privacy Laws;

3. ensure that all Supplier employees and personnel who are involved in the Processing of Customer Personal Information have committed themselves to confidentiality or are under statutory obligations of confidentiality;

4. not provide any new third party with access to the Customer Personal Information or sub-contract any of its obligations under the Terms that involve Processing Customer Personal Information without notifying the Customer in advance and/or publishing the changes in this Data Processing Addendum on the Website. The Customer hereby approves those third parties listed below, or any further third party that is either a Privacy Shield certified entity or that is compliant with GDPR requirements regarding transfers of Customer Personal Information to a third country (the “Subprocessors”):

1. Microsoft Azure. Supplier’s internal database is hosted in Microsoft Azure data centers;

2. MongoDB Inc. Supplier’s database management service provider is MongoDB; and

3. Twilio Inc. Messages generated by the Supplier Platform are transmitted to Users via Twilio’s SendGrid service.

5. ensure that any sub-contract entered into by Supplier (where Customer Personal Information is Processed by a Subprocessor) contains provisions which comply with Privacy Laws and in any event are no less onerous than those imposed under Section 2 of this Data Processing Addendum, and where a Subprocessor fails to fulfil its data protection obligations under GDPR, Supplier shall remain liable to Customer for the performance of that Subprocessor’s obligations;

6. implement and maintain appropriate technical and organizational security measures to protect against unauthorised or unlawful Processing of the Customer Personal Information and against accidental loss, disclosure or destruction of, or damage to, the Customer Personal Information, taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing, as described in the Privacy Policy, found at https://softstart.app/privacy-policy/, and including:

1. the anonymization, pseudonymization and/or encryption of Customer Personal Information;

2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

3. the ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident; and

4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

7. taking into account the nature of the Processing, assist the Customer (at the Customer’s reasonable cost) by appropriate technical and organizational measures, to enable the Customer to comply with its obligations under Privacy Laws in responding to requests from Data Subjects or the Data Protection Regulator, insofar as this is possible;

8. assist the Customer (at the Customer’s reasonable cost), to comply with the following obligations under GDPR, taking into account the nature of Processing and information available to Supplier, including:

1. notification and assistance to Customer without undue delay, in accordance with the provision set forth in Section 9 of the Privacy Policy, and notification to the Data Protection Regulator and Data Subjects of a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Information transmitted, stored or otherwise Processed; and

2. the Customer’s obligations to carry out data protection impact assessments and any subsequent consultation with the Data Protection Regulator;

9. make available to Customer or an independent third party auditor mandated by the Customer (but not being a competitor of Supplier), at the Customer’s reasonable cost, to a maximum of once a year or when a breach of Customer Personal Information is reasonably suspected, all reasonable information that Supplier deems necessary to demonstrate compliance with the obligations imposed on Supplier under Section 2 of this Data Processing Addendum, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance; and

10. unless required by law, at Customer’s request following termination or expiry of the Terms for whatever reason, at the Customer’s reasonable cost, securely delete all of the Customer Personal Information.

3. Instructions for Processing of Customer Personal Information

Supplier will Process Customer Personal Information in accordance with the following instructions:

| Categories of Customer Personal Information collected by Supplier | Categories of Data Subjects for which Customer Personal Information is Processed | Purposes for which Supplier Processes Customer Personal Information | Nature of Processing | Nature of Processing |
| --- | --- | --- | --- | --- |
| User credentials (such as emails, names, etc.). User credentials permit the Users to access the Supplier Platform and include emails and password hashes. | account administrator that purchases the subscription and manages the account; account administrators, plan owners, coaches and collaborators which use the Platform to improve onboarding processes; employees and recruits using the Platform, answering the surveys and providing comments | provide, maintain and improve the Supplier Platform; prevent or address service, security, support or technical issues with the Supplier Platform | handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
| Employee profiles. The account administrator creates a profile for each of his/her employees, which contains the first name, last name, job title and email of the employee. Each employee has access to his/her employee profile and can update his/her information. The employee can also upload his/her own picture in his/her profile. | account administrators, plan owners, coaches and collaborators which use the Platform to improve onboarding processes; employees and recruits using the Platform, answering the surveys and providing comments | provide, maintain and improve the Supplier Platform; prevent or address service, security, support or technical issues with the Supplier Platform | handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
| Answers to surveys. Answers to surveys can reveal a wide range of Personal Information. Employees answer surveys. | employees and recruits using the Platform which may include plan owners, coaches and collaborators | prevent or address service, security, support or technical issues with the Supplier Platform; create statistics based on the aggregated Customer Personal Information for benchmarking and marketing purposes | handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
| Comments. Comments given by Users can reveal a wide range of Personal Information. Supplier can encourage employees to share comments with questions. Supplier’s internal database includes the identity of the comment providers. | employees and recruits using the Platform which may include plan owners, coaches and collaborators | provide, maintain and improve the Supplier Platform; prevent or address service, security, support or technical issues with the Supplier Platform | handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
| User attributes. The account administrator creates his/her own categories of User attributes (e.g. gender, age, salary) and inputs the User attributes relating to the categories he created in each of the employee profiles. The Personal Information collected according to those User attributes will therefore vary accordingly. Supplier does not have control over the categories of User attributes created by the account administrator, however the account administrator is prohibited under the Terms to create a category of User attributes that would result in the input of Sensitive Personal Information in the Supplier Platform. Supplier’s internal database includes the identity of the employee in respect of which User attributes are provided. | employees and recruits using the Platform which may include plan owners, coaches and collaborators | provide, maintain and improve the Supplier Platform; prevent or address service, security, support or technical issues with the Supplier Platform | handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
