Data Processing Addendum

Where applicable, this Data Processing Addendum is hereby incorporated in the Stroofy Terms of Service (the “General Terms”), found at terms of services, unless the Customer has entered into a superseding written agreement with Stroofy, in which case, it forms a part of such written agreement.

All capitalized terms not defined herein shall have the meaning set forth in the General Terms. Unless Customer has a superseding written agreement with Stroofy, Stroofy may amend this Data Processing Addendum from time to time on its Website, as its business evolves. Any revisions will become effective on the date Stroofy publishes the changes. Customer can review the most current version of the Data Processing Addendum at any time by visiting this page.

If Customer uses the Services after the effective date of any changes, that use will constitute the acceptance of the revised Data Processing Addendum.

  1. DEFINITIONS AND INTERPRETATION

    1.1. The following capitalized terms shall have the meaning ascribed to them below:

      1.1.1. “Data Controller” has the meaning set out in GDPR;
      1.1.2. “Data Processor” has the meaning set out in GDPR;
      1.1.3. “Data Protection Regulator” means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
      1.1.4. “Data Subject” has the meaning set out in GDPR;
      1.1.5. “Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information including but not limited to Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”); and
      1.1.6. “Process”, “Processing” or “Processed” have the meaning set out in GDPR.
  2. PROTECTION OF PERSONAL INFORMATION

    2.1. Supersedence. This Data Processing Addendum shall supersede any and all provisions of the General Terms inconsistent herewith.

    2.2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Stroofy is the Data Processor of the Customer Personal Information. Stroofy will Process Personal Information in accordance with Section 3 of this Data Processing Addendum.

    2.3. Customer’s Obligations as Data Controller. The Customer warrants that the Customer Personal Information has been obtained fairly and lawfully and, in all respects, in compliance with the Privacy Laws. The Customer retains control of the Customer Personal Information and remains responsible for its compliance obligations under the Privacy Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Stroofy.

    2.4. Stroofy’s Obligations as Data Processor. Stroofy shall:

      2.4.1. Process the Customer Personal Information only in accordance with Section 3 of this Data Processing Addendum and any other reasonable documented instructions as provided by the Customer to Stroofy from time to time (“Instructions”), including with regard to transfers of Customer Personal Information to a third country, save where:
        2.4.1.1. such Instructions are unlawful;
        2.4.1.2. such Instructions would cause Stroofy to breach its own obligations under Privacy Laws or the General Terms or any other agreement with a third party;
        2.4.1.3. Stroofy is under a legal obligation to Process the Customer Personal Information, in which case Stroofy shall inform the Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or
        2.4.1.4. such Instruction delays or prevents performance of the Services.
      2.4.2. Inform the Customer if, in its opinion, an Instruction received from the Customer infringes the Privacy Laws;
      2.4.3. Ensure that all Stroofy employees and personnel who are involved in the Processing of Customer Personal Information have committed themselves to confidentiality or are under statutory obligations of confidentiality;
      2.4.4. not provide any new third party with access to the Customer Personal Information or sub-contract any of its obligations under the General Terms that involve Processing Customer Personal Information without notifying the Customer in advance and/or publishing the changes in this Data Processing Addendum on the Website. The Customer hereby approves those third parties listed below, or any further third party that is either a Privacy Shield certified entity or that is compliant with GDPR requirements regarding transfers of Customer Personal Information to a third country (the “Subprocessors”):
        2.4.4.1. Amazon Web Services Inc (“AWS”). Stroofy’s internal database is hosted in AWS data centers. Amazon Inc. is located in the United States and is a Privacy Shield certified entity. The European Commission has recognized the Privacy Shield Framework adopted by the United States as providing adequate protection;
        2.4.4.2. Digital Ocean LLC (“Digital Ocean”). Stroofy’s application deployment and database processing management provider is Digital Ocean and is located in both Europe and the United States. Digital Ocean is a Privacy Shield certified entity.
        2.4.4.3. Stripe Payments Europe, a subsidiary of Stripe Inc (“Stripe”). Stripe’s customer payment gateway is currently used by Stroofy. Stripe is a Privacy Shield certified entity.
        2.4.4.4. Alphabet Inc, and its subsidiaries including Google and Firebase (“Google”). Google manages certain email interactions with customers and notifications. Google is a Privacy Shield certified entity.
        2.4.4.5. Hubspot Inc (“Hubspot”). Hubspot manages certain email interactions with Customers. Hubspot is a Privacy Shield certified entity.
      2.4.5. ensure that any sub-contract entered into by Stroofy (where Customer Personal Information is Processed by a Subprocessor) contains provisions which comply with Privacy Laws and in any event are no less onerous than those imposed under Section 2 of this Data Processing Addendum, and where a Subprocessor fails to fulfil its data protection obligations under GDPR, Stroofy shall remain liable to Customer for the performance of that Subprocessor’s obligations;
      2.4.6. implement and maintain appropriate technical and organizational security measures to protect against unauthorized or unlawful Processing of the Customer Personal Information and against accidental loss, disclosure or destruction of, or damage to, the Customer Personal Information, taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing, as described in the Privacy Policy, found at privacy policy and including:
        2.4.6.1. the anonymization, pseudonymization and/or encryption of Customer Personal Information;
        2.4.6.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
        2.4.6.3. the ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident; and
        2.4.6.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
      2.4.7. taking into account the nature of the Processing, assist the Customer (at the Customer’s cost) by appropriate technical and organizational measures, to enable the Customer to comply with its obligations under Privacy Laws in responding to requests from Data Subjects (insofar as this is possible);
      2.4.8. assist the Customer (at the Customer’s cost), to comply with the following obligations under the GDPR, taking into account the nature of Processing and information available to Stroofy, including:
        2.4.8.1. notification and assistance to Customer without undue delay, in accordance with the provision set forth in Section 10 of the Privacy Policy, and notification to the Data Protection Regulator and Data Subjects of a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Information transmitted, stored or otherwise Processed; and
        2.4.8.2. the Customer’s obligations to carry out data protection impact assessments and any subsequent consultation with the Data Protection Regulator;
      2.4.9. make available to Customer or an independent third party auditor mandated by the Customer (but not being a competitor of Stroofy), at the Customer’s reasonable cost, to a maximum of once a year or when a breach of Customer Personal Information is reasonably suspected, all reasonable information that Stroofy deems necessary to demonstrate compliance with the obligations imposed on Stroofy under Section 2 of this Data Processing Addendum, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance; and
      2.4.10. unless required by law, at Customer’s request following termination or expiry of the General Terms for whatever reason, at the Customer’s reasonable cost, securely delete all of the Customer Personal Information.

INSTRUCTIONS FOR PROCESSING OF CUSTOMER PERSONAL INFORMATION

Stroofy will Process Customer Personal Information in accordance with the instructions from the Controller (Customer); please see data addendum:

Article 30 record of processing activities

User Credentials

  Details of categories of Customer Personal Information collected: User credentials permit the Users to access the Stroofy Services and include emails and password hashes.
  Categories of Data Subjects for which Customer Personal Information is Processed: Account administrators that manage the account and engagement survey responses provided by employees to improve their organisation. Employees that use the coaching tool to improve their day and answer the surveys to improve their organisation.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. Unless required by law, personal data will be deleted when a Customer or, where appropriate, a User, deletes their account.
  Subprocessor or international organisation that personal data is transferred to: Amazon Web Services Inc; Digital Ocean LLC
  Safeguards or Certifications: Privacy Shield Certified

Employee Profile

  Details of categories of Customer Personal Information collected: The account administrator has the ability to create a profile for each of his employees in the web application for the purposes of improving aggregated insights. This page contains optional information such as first name, last name, job title, gender and department. The only required information is the email address of the employee.
  Categories of Data Subjects for which Customer Personal Information is Processed: Employees answering the surveys, which may include account administrators.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. Unless required by law, personal data will be deleted when a Customer deletes their account.
  Subprocessor or international organisation that personal data is transferred to: Amazon Web Services Inc; Digital Ocean LLC
  Safeguards or Certifications: Privacy Shield Certified

Answers to Employee Surveys

  Details of categories of Customer Personal Information collected: Answers to surveys can reveal a wide range of Personal Information. Employees answer surveys such as “You feel motivated by your organisation's values” and “I feel happy when I'm at work”. Stroofy’s internal database includes the identity of the Survey Respondents, but that identity is never shared with the account administrator.
  Categories of Data Subjects for which Customer Personal Information is Processed: Employees answering the surveys, which may include account administrators.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services. Create statistics based on the aggregated Personal Information for benchmarking purposes.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. Unless required by law, personal data will be deleted when a Customer deletes their account.
  Subprocessor or international organisation that personal data is transferred to: Amazon Web Services Inc; Digital Ocean LLC
  Safeguards or Certifications: Privacy Shield Certified

User Attributes

  Details of categories of Customer Personal Information collected: The account administrator can input his or her own categories of User attributes under certain profile headings (e.g. first name, last name, title, department, gender) and inputs the User attributes relating to the categories in each of the employee profiles. The Personal Information collected according to those User attributes will therefore vary accordingly. Stroofy does not have control over the categories of User attributes inputted by the account administrator.
  Categories of Data Subjects for which Customer Personal Information is Processed: Employees answering the surveys, which may include account administrators.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. Unless required by law, personal data will be deleted when a Customer deletes their account.
  Subprocessor or international organisation that personal data is transferred to: Amazon Web Services Inc; Digital Ocean LLC
  Safeguards or Certifications: Privacy Shield Certified

Session Logs

  Details of categories of Customer Personal Information collected: Stroofy records information about the following for the purpose of its focus algorithms: active process name, active window title, URL if active on browser, start time of use, end time of use; and, for distinguishing users and devices: company UUID, hash sum over user name, machine hardware UUID, device operating system version and IP address.
  Categories of Data Subjects for which Customer Personal Information is Processed: Employees that use the coaching tool to improve their day, which may include account administrators. The information adjacent is only shared with the account administrator in aggregated and anonymised format for the purposes of the wellbeing and insights dashboard. Minimum thresholds of aggregation are applied to prevent any individual user being identified.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. Unless required by law, personal data will be deleted when a Customer deletes their account.
  Subprocessor or international organisation that personal data is transferred to: Amazon Web Services Inc; Digital Ocean LLC
  Safeguards or Certifications: Privacy Shield Certified

User Profile on Coaching Tool

  Details of categories of Customer Personal Information collected: Users have the option to add their first name and last name via the mobile application. A user's email address is required in order to match the Services to a Customer.
  Categories of Data Subjects for which Customer Personal Information is Processed: Employees that use the coaching tool to improve their day, which may include account administrators.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. Unless required by law, personal data will be deleted when a Customer or, where appropriate, a User, deletes their account.
  Subprocessor or international organisation that personal data is transferred to: Amazon Web Services Inc; Digital Ocean LLC
  Safeguards or Certifications: Privacy Shield Certified

Customer Account Administrators

  Details of categories of Customer Personal Information collected: When contacting Stroofy via telephone, email or its website, the Customer will often provide us with their first name, last name, email address, company name and phone number for the purpose of interacting with our sales and support team, and making payment for the Services when appropriate. Account Administrator responsible for payment processes on behalf of the Customer.
  Categories of Data Subjects for which Customer Personal Information is Processed: Customer representatives and Account administrators that manage the account with Stroofy.
  Purposes for which Stroofy Processes Customer Personal Information: Provide, maintain and improve Stroofy's offering. Prevent or address service, security, support or technical issues with the product or Services.
  Nature of Processing: Handling, storing, sharing with Subprocessors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent.
  Duration of Processing and Retention: As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law.
  Subprocessor or international organisation that personal data is transferred to: Alphabet Inc; Amazon Web Services; Digital Ocean LLC; Hubspot Inc; Stripe Inc
  Safeguards or Certifications: Privacy Shield Certified