Process Shepherd

Categories

Menu

Data Protection Agreement (DPA)

1. Introduction

This Data Protection Agreement (DPA) is an integral part of the agreement between Process Shepherd LLC (“Provider”) and the Customer. It outlines the roles, responsibilities, and obligations of both parties regarding the processing, protection, and management of personal data in compliance with relevant data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”).
  • Processing: Any operation or set of operations performed on personal data, whether automated or manual.
  • Data Controller: The entity that determines the purposes and means of processing personal data (typically the Customer).
  • Data Processor: The entity that processes personal data on behalf of the Data Controller (typically the Provider).
  • Sub-Processor: Any third party engaged by the Data Processor to assist in processing personal data.

3. Scope and Purpose of Data Processing

  • The Provider processes personal data on behalf of the Customer as necessary to provide the services outlined in the agreement, including the decision tree workflow system, knowledge management, eLearning management, and compliance features.
  • The purpose of data processing includes managing user access, ensuring service functionality, supporting customer operations, and complying with legal obligations.

4. Lawful Basis for Processing

The Provider processes personal data on behalf of the Customer based on the following lawful bases under GDPR:

  • Performance of a Contract: Personal data is processed as necessary to fulfill the terms of the contract between the Provider and the Customer, such as providing access to the Process Shepherd platform and related services.
  • Legitimate Interests: Personal data may be processed based on the legitimate interests of the Provider or the Customer, provided that these interests are not overridden by the rights and freedoms of the data subjects. Legitimate interests include improving the platform, ensuring security, and maintaining business operations.
  • Compliance with Legal Obligations: Personal data is processed to comply with legal obligations, such as data retention requirements and responding to lawful requests from public authorities.
  • Consent: Where applicable, personal data is processed based on the explicit consent of the data subject, such as for marketing communications. Data subjects have the right to withdraw consent at any time.

5. Types of Personal Data and Categories of Data Subjects

  • Personal Data: Name, email address, contact details, IP addresses, browsing data, and other data entered into the Process Shepherd platform.
  • Categories of Data Subjects: Employees, contractors, clients, or any individuals whose personal data is provided by the Customer to the Provider.

6. Duration of Processing

Personal data will be processed by the Provider for the duration of the agreement and any applicable data retention period thereafter, as agreed upon in the contract or as required by law.

7. Shared Security Responsibility Model (SSRM)

7.1 Introduction

This SSRM clarifies the shared security responsibilities between Process Shepherd (“Provider”) and the Customer. It outlines which security measures are the responsibility of the Provider and which are the responsibility of the Customer, ensuring clarity in managing, protecting, and securing data and systems.

7.2 Provider Responsibilities

  • Infrastructure Security: The Provider secures the underlying cloud infrastructure, including physical security, network security, and the virtualization layer. The Provider ensures that data centers hosting Process Shepherd services comply with relevant industry standards (e.g., SOC 2).
  • Platform Security: The Provider maintains the security of platform components, including application servers, databases, and middleware. This includes patching, updates, and vulnerability management.
  • Monitoring and Incident Response: The Provider implements continuous monitoring of infrastructure and services to detect and respond to security incidents. The Provider is responsible for logging, alerting, and regular security assessments, and will notify the Customer of any incidents impacting their data or services within a defined timeframe.
  • Compliance and Audits: The Provider ensures that services comply with relevant data protection regulations (e.g., GDPR, CCPA) and undergoes regular third-party audits to verify compliance.
  • Continuous Monitoring and Internal Audits: The Provider will implement continuous monitoring processes to oversee the security, availability, and confidentiality of the services. This includes:
    • Automated systems to monitor network traffic, detect anomalies, and alert the security team to potential threats.
    • Regular vulnerability scanning and penetration testing to identify and address security weaknesses.
    • Continuous tracking of system performance, data access, and user activities to ensure compliance with security policies.
    • The Provider will conduct periodic internal audits to assess the effectiveness of its security controls and compliance with SOC 2 criteria. These audits will review:
      • The implementation and effectiveness of security policies and procedures.
      • The integrity and availability of data and systems.
      • Compliance with relevant regulations, such as GDPR.
    • The findings from these continuous monitoring processes and internal audits will be compiled into a report that is reviewed by senior management. Key findings and any remediation actions taken will be communicated to the Customer upon request or as part of regular service reviews.

7.3 Customer Responsibilities

  • Data Security: The Customer is responsible for securing the data uploaded, processed, and managed within the Process Shepherd platform. This includes implementing encryption, managing access permissions, and ensuring data integrity.
  • Application Security: The Customer secures any custom applications or integrations deployed or used with the Process Shepherd platform, including securing APIs, managing authentication, and ensuring secure coding practices.
  • User Access Management: The Customer manages user accounts and access controls within their Process Shepherd environment, enforcing strong authentication mechanisms and regularly reviewing access logs.
  • Compliance and Audits: The Customer ensures that their use of the Process Shepherd platform aligns with internal compliance requirements and applicable regulations. The Customer is responsible for auditing their use of the platform and can request evidence of compliance from the Provider.

7.4 Shared Responsibilities

  • Change Management: Both parties must follow an agreed-upon change management process for updates or modifications to the platform that may affect security or service delivery. Significant changes in security configurations or procedures must be communicated and mutually approved.
  • Data Protection: Both parties collaborate to ensure that all data processing activities comply with relevant data protection regulations. The Provider implements and maintains data protection mechanisms, while the Customer ensures data use and handling practices align with these mechanisms.
  • Incident Management: The Provider maintains an incident response plan to address potential security breaches or operational disruptions. The Customer must report any suspected security incidents within their environment to the Provider immediately and collaborate on investigation and remediation efforts.

8. Data Subject Requests

Expand this section with the following detailed procedures:

8.1 Right to Access

  • Data subjects have the right to request confirmation as to whether their personal data is being processed, access to their personal data, and information about the processing.
  • Procedure: Data subjects can submit an access request by contacting the Customer directly. The Customer will then submit the request to the Provider through the customer support portal. The Provider will assist the Customer in providing the requested data within the GDPR-mandated timeframe of one month.

8.2 Right to Rectification

  • Data subjects have the right to request the correction of inaccurate personal data or the completion of incomplete data.
  • Procedure: Data subjects should direct rectification requests to the Customer, who will forward the request to the Provider. The Provider will then update the data as instructed by the Customer and confirm the changes within one month.

8.3 Right to Erasure (Right to be Forgotten)

  • Data subjects have the right to request the deletion of their personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.
  • Procedure: Data subjects can request data erasure through the Customer. Upon receiving such a request, the Customer will notify the Provider via the support portal. The Provider will securely delete the requested data and confirm the deletion to the Customer within the GDPR-specified timeframe.

8.4 Right to Restrict Processing

  • Data subjects may request the restriction of processing their data in specific circumstances, such as when they contest the accuracy of the data.
  • Procedure: Data subjects should request processing restrictions through the Customer. The Customer will then coordinate with the Provider to ensure processing is restricted as required and confirm to the data subject that their request has been fulfilled.

8.5 Right to Data Portability

  • Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Procedure: Data subjects can request data portability through the Customer, who will request the data export from the Provider. The Provider will supply the data in a portable format (e.g., JSON text files) and ensure the secure transmission to the data subject or another controller as instructed by the Customer.

9. Data Transfers

The Provider will ensure that any transfers of personal data outside the European Economic Area (EEA) are subject to appropriate safeguards, such as Standard Contractual Clauses or other mechanisms approved under applicable data protection laws.

10. Data Protection Impact Assessment (DPIA)

10.1 Assistance with DPIAs

  • The Provider agrees to assist the Customer in conducting Data Protection Impact Assessments (DPIAs) as required by GDPR, particularly when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. This assistance includes:
    • Providing relevant information about the data processing activities, including the nature, scope, context, and purposes of the processing.
    • Offering insights into the security measures and safeguards implemented by the Provider to mitigate identified risks.
    • Supporting the Customer in assessing the potential impacts on data subjects and identifying appropriate measures to address those risks.
    • Collaborating with the Customer to document the DPIA and implement any necessary changes to the data processing activities or security measures based on the DPIA findings.
  • The Customer is responsible for initiating the DPIA and making the final decisions regarding the assessment’s conclusions and actions.

11. Service Termination and Data Retention

11.1 Data Retrieval and Deletion

  • Upon termination of services, the Customer will have 30 days to retrieve their data from the Provider. The Provider will assist in the data export process, providing the data in a JSON text file format, and will ensure that all customer data, including backups and log files, are securely deleted from its systems within 60 days after service termination.

11.2 Termination Process

  • The termination process includes finalizing any outstanding obligations, ensuring data integrity, and completing service handover or shutdown procedures in a secure manner.

12. Right to Audit and Third-Party Assessments

12.1 Customer Audits

  • The Customer has the right to audit the Provider’s compliance with this DPA and applicable data protection laws. Audits must be scheduled at least 30 days in advance and conducted in a manner that minimizes disruption. The audit scope includes data handling processes, security controls, and compliance with specific regulations like GDPR and SOC 2. Sensitive or proprietary information may be redacted. Any costs related to the audit will be paid by the Customer.

12.2 Third-Party Assessments

  • The Provider will undergo regular third-party security assessments and provide the results to the Customer upon request. This includes compliance with industry standards like SOC 2 and GDPR.

13. Liability and Indemnity

The Provider will be liable for breaches of this DPA that result from its failure to comply with its obligations under this DPA or applicable data protection laws. The Customer agrees to indemnify and hold the Provider harmless from any claims, damages, or fines resulting from the Customer’s breach of this DPA or applicable data protection laws.

14. Security-Related Commitments

  • Incident Response: The Provider commits to responding to critical security incidents within 2 hours of detection and non-critical incidents within 24 hours. Continuous monitoring and automated alerts are in place to ensure rapid detection and response.
  • Regular Security Audits: The Provider conducts regular internal and external security audits to ensure compliance with security standards and best practices. Audit results are reviewed by senior management, and remediation actions are taken as necessary.
  • Continuous Monitoring: The Provider employs continuous monitoring of its infrastructure, including regular vulnerability assessments, penetration testing, and the use of automated monitoring tools to track system performance, data access, and potential security threats.

15. Review and Updates

15.1 Periodic Review

  • This DPA and SSRM will be reviewed annually or upon significant changes to the services or regulatory environment. Both parties will collaborate on any necessary updates to ensure ongoing compliance.

15.2 Amendments

  • Any amendments to this DPA or SSRM must be mutually agreed upon by both parties and documented in an updated version of this document.

16. Governing Law and Jurisdiction

This DPA is governed by and construed in accordance with the laws of Delaware, USA. Any disputes arising out of or in connection with this DPA will be subject to the exclusive jurisdiction of the courts of Delaware, USA.

17. Acknowledgment

By using Process Shepherd’s services, the Customer acknowledges and agrees to the responsibilities outlined in this DPA and SSRM. Both parties commit to working together to maintain the security, compliance, and integrity of the services.