The following definitions apply solely to this Data Processing Agreement:
"Data Protection Legislation" means any data protection or data privacy law or regulation of Switzerland or any European Economic Area ("EEA") country applicable to Customer's Controlled Personal Data, including, as applicable, the Federal Data Protection Act of 19 June 1992 (Switzerland), the General Data Protection Regulation (EU) 2016/679 (GDPR) and the e-Privacy Directive 2002/58/EC.
"GDPR" means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any amendment or replacement to it.
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Customer's Controlled Personal Data" means the personal data that Smoolis processes on Customer's behalf as part of the Services, but only to the extent that Customer is subject to EU Data Protection Law in respect of such personal data. Customer's Controlled Personal Data does not include personal data when controlled by Smoolis.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Sub-processor" means an entity engaged by Smoolis to process Customer's Controlled Personal Data.
"Personal data breach" means a breach of security leading to the access to Smoolis's equipment or facilities and the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer's Controlled Personal Data transmitted, stored or otherwise processed by Smoolis on his behalf through the Services.
"Supervisory authority" means an independent public authority which is established by a Member State to monitor the application of Data Protection Legislation.
The terms "Data subject", "Process" and "Content" as used in this DPA shall be interpreted in accordance with applicable Data Protection Legislation.
This DPA applies only to the extent Customer or his End Users are data subjects located within the European Economic Area ("EEA") or Switzerland and only applies in respect of Customer's Controlled Personal Data.
The Customer agrees that Smoolis is not responsible for personal data that it has elected to process through third-party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.
4. Processing roles
Customer as Controller. Customer is the Controller of his Controlled Personal Data.
Smoolis as Processor. Smoolis is the Processor of Customer's Controlled Personal Data.
5. Data processing
Processing operations. Customer's Controlled Data will be subject to the basic processing activity of storage.
Data subjects. The Customer, his End Users or other individuals whose personal data is included in Content.
Purpose of processing. The purpose of data processing under this DPA is the provision of the Services.
Categories of personal data. Customer's Controlled Personal Data relating to him, his End Users or other individuals whose personal data is included in Content which is processed as part of the Services.
Special categories of personal data. Customer's Controlled Personal Data do not concern any special category of data.
6. Rights and obligations of the Controller
The Controller or Customer is the controller for the commissioned data processing performed by the Processor (Smoolis).
The Controller is obligated to only forward to Smoolis or collect via Smoolis, data that is lawfully collected and processed in accordance with the purpose for which it has been collected.
The Controller shall inform the Processor immediately if it ascertains an error or irregularity in connection with the processing of personal data by the Processor.
Should there be an obligation to inform third parties pursuant to Art. 33, 34 GDPR or another statutory reporting obligation applicable to the Controller, the Controller shall be responsible for observing such an obligation.
The Controller is solely responsible for protecting and upholding the rights of the data subject. The rights of the data subject must be upheld and maintained vis-à-vis the Controller.
7. Rights and general obligations of the Processor
The Processor shall process personal data solely within the context of concluded agreements, where applicable. This shall exclude statutory provisions, whereby the Processor is duty-bound to alternative processing. In such case the Processor shall notify the Controller of these legal requirements before processing, insofar as the provision in question does not prohibit such notification for reasons of public interest. Otherwise the purpose, type and scope of data processing shall be governed solely by this DPA. Any alternative data processing by the Processor shall be prohibited unless the Controller has approved this in writing.
The data processing on behalf of the Controller outside the business premises of the Processor or sub-processors shall only be permitted with the written consent of the Controller, unless the parties have otherwise reached an agreement that in particular ensures the data security and the audit rights under sections 7 and 10 of this DPA.
The Processor shall have the right to immediately inform the Controller if it believes the commission constitutes unlawful data processing.
8. Technical and organisational data security measures
Smoolis must implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure, and to ensure compliance with the applicable data protection regulations, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. In particular this shall include the provisions of Art. 32 GDPR.
Smoolis will regularly, and as the occasion may warrant, monitor the effectiveness of the technical and organisational measures it takes. Smoolis shall inform the Controller should the need for optimisation and/or amendment arise.
Significant amendments that may impair the integrity, confidentiality or availability of the personal data shall be agreed by Smoolis and the Controller in advance. Measures that involve only minor technical or organisational changes can be implemented by Smoolis without the consent of the Controller.
Smoolis may (but is not obliged to) use external or internal auditors to verify the adequacy of its technical and organisational measures.
The technical and organisational measures in their current version at the time of concluding the DPA are attached to this DPA as Annex 2.
9. Notification obligations of the Processor
Smoolis shall immediately inform the Controller after becoming aware of and confirming the occurrence of any breach of data protection regulations or any breach of contractual agreements that occur during data processing by it or by other persons involved in the processing. The same shall apply to any breach of personal data privacy as regards the data processed on behalf of the Controller.
Smoolis shall inform the Controller immediately if a supervisory authority pursuant to Art. 58 GDPR takes action against Smoolis, where this may also involve the monitoring of data processing that Smoolis renders on behalf of the Controller.
Smoolis acknowledges that the Controller may be subject to a data breach notification obligation pursuant to Art. 33, 34 GDPR that stipulates notification to the supervisory authorities within seventy-two (72) hours of having become aware of the breach. The Processor shall support the Controller in fulfilling its reporting obligations, as it is reasonably able to do, taking into account the nature of the Services, the information available to Smoolis and any restrictions on disclosing the information such as for confidentiality. In particular, the Processor shall inform the Controller in text form (email) of any unauthorised access to personal data that is processed on behalf of the Controller, immediately but no later than within forty-eight (48) hours of becoming aware of such an incident. It is Customer's sole responsibility to ensure it maintains accurate contact information on Smoolis's support systems at all times. The Processor's report to the Controller must include the following information in particular:
(a) a description of the type of breach of personal data privacy, where possible with indication of the categories and the approximate number of data subjects affected, categories affected and the approximate number of personal data records affected;
(b) a description of the measures taken or proposed by the Processor to remedy the breach in protecting the personal data and where necessary, measures to mitigate the potentially negative effects of this.
Processor's obligation to report or respond to a data breach under this Section is not and will not be construed as an acknowledgement by Smoolis of any fault or liability of Smoolis with respect to the data breach.
Obligations under this Section do not apply to incidents that are caused by Customer or Customer's personnel or End Users, any activity on Controller's Smoolis Account and/or Third-Party Services or to unsuccessful attempts or activities that do not compromise the security of Customer's Controlled Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
10. Processor's obligation to cooperate
Insofar as cooperation of the Processor is required to enable the Controller to protect data subjects' rights, the Processor will undertake the necessary measures. Where possible and to the extent Smoolis is legally permitted to do so, the Processor shall assist the Controller with appropriate technical and organisational measures to fulfil his obligation to respond to requests for the exercise of the data subjects' rights.
Smoolis shall support the Controller in its duty to respond to requests from data subjects in accordance with Articles 12-23 GDPR insofar as the Controller is unable to satisfy the demands without the cooperation of the Processor. The Controller will be responsible for Processor's reasonable costs arising from its provision of such cooperation. The Processor shall, to the extent legally permitted, inform the Controller immediately if data subjects assert their rights vis-à-vis the Processor and this directly affects the Controller. Smoolis shall not respond to any such data subject request relating to Customer's Controlled Personal Data without Customer's prior written consent except to confirm that the request relates to Customer.
Smoolis must cooperate in the creation of Records of processing activities by the Controller. It shall share necessary information with the Controller in an appropriate manner.
Taking into account the type of processing and the information available to him, the Processor shall assist the Controller in complying with the obligations set out in Articles 32-36 GDPR.
11. Supervisory powers and audits
To enable the Controller to exercise its supervisory rights and obligations prior to and during the contractual relationship, upon request, Smoolis shall provide the Controller with a report concerning the technical and organisational measures adopted by Smoolis. The report shall be updated at least every twenty-four (24) months.
The Controller shall have the right to monitor Smoolis's compliance with statutory data protection regulations and/or compliance with contractual regulations agreed between the parties, at any time and to the necessary extent.
Smoolis shall be obligated to share information with the Controller, insofar as this is necessary to conduct the monitoring. The Controller may be required to agree to a non-disclosure agreement with Smoolis before Processor shares any such information.
The Controller can ask to inspect the data processed by Smoolis for the Controller, as well as the data processing systems and programs used.
After prior notification with appropriate notice (at least three weeks) and the submission of a detailed audit plan describing the proposed scope, duration, and start date of the audit, the Controller may inspect the business premises of Smoolis GmbH during standard business hours. Audit requests must be sent to email@example.com. In order to avoid disproportionate disruption to the operations of the Processor, the Controller shall ensure that the inspections are limited to the extent required. In principle, the effort involved in an inspection by the Processor shall not exceed one (1) day per calendar year. Where confidential internal information is disclosed by the Processor for or during such an inspection, particularly details on technical and organisational measures, the Controller shall protect this confidentiality and shall not share this information with or disclose it to third parties, unless for the purpose of the contractual relationship between Controller and Processor. The Controller may be required to agree to a non-disclosure agreement with Smoolis before Processor shares any such information.
Should supervisory authorities take action against the Controller pursuant to Art. 58 GDPR, particularly as regards disclosure and inspection obligations, Smoolis shall share the necessary information with the Controller and shall facilitate an on-site inspection by the relevant supervisory authorities. The Controller must be informed of corresponding measures planned by the Processor.
The Controller shall be entitled to have the inspection performed by an auditor appointed individually in text form at least three (3) weeks prior to the inspection, provided the Processor consents to such an external audit. The Processor shall not unreasonably withhold its consent. In particular, the Processor shall be entitled to deny the auditor access if the auditor is in direct competition with the Processor. External auditors shall conclude a written confidentiality agreement with the Processor and only then shall be granted leave to conduct the audit. The auditing powers of the Controller shall remain unaffected. Any audits are at Controller's sole cost and expense.
Controller shall promptly notify Processor with information regarding any non-compliance discovered during the course of an audit.
Any information and documentation provided by Smoolis or its auditors will be provided at Controller's cost.
Smoolis may engage sub-processors to render its services vis-à-vis service users, which also includes the processing of Customer's Controlled Personal Data.
Smoolis will remain liable for the acts and omissions of its sub-processors or their further sub-contractors that process Customer's Controlled Personal Data solely to the same extent Smoolis would be liable if performing the services of each sub-processor or further sub-contractor directly under the terms of this DPA.
Smoolis must select sub-processors carefully and shall check prior to engagement that the regulations agreed in this DPA also apply to the sub-processors. In particular, prior to and regularly during contractual term, Smoolis must check that the sub-processor has taken the necessary technical and organisational measures pertaining to personal data privacy pursuant to Art. 32 GDPR. Furthermore, Smoolis must contractually obligate sub-processors to impose contractual obligations on any further sub-contractors, as those established between the Controller and Smoolis.
Smoolis must conclude a DPA with the sub-processors, which meets the requirements of Art. 28 GDPR. The Controller can request a copy of the relevant DPA upon request.
Smoolis shall promptly inform the Controller in writing if it intends to change or engage a new sub-processor, however no later than four (4) weeks before the change and/or the new engagement. The Controller shall have the right to object to the change/new engagement of sub-processor by sending an email to firstname.lastname@example.org, citing reasons, within three (3) weeks of being informed. The Controller can withdraw its objection by sending an email to email@example.com at any time. In the event of an objection, the Processor can terminate the contractual relationship with the Controller with a notice period of at least fourteen (14) days. With such notice period the Processor shall give appropriate consideration to the interests of the Controller. If no objection of the Controller is received within three (3) weeks of being informed, the change and/or new engagement of the relevant sub-processor shall be deemed approved by the Controller.
Smoolis shall ensure through contractual provisions that the supervisory powers of the Controller and of supervisory authorities also apply to the sub-processor and that corresponding supervisory rights are agreed by Controller and supervisory authorities. It shall also be contractually agreed that the sub-processor must accept these supervisory measures and any on-site inspections.
Third-party services engaged by the Processor as purely supplementary services to facilitate its business activities shall not be considered a sub-contractual relationship (e.g. cleaning services, purely telecommunication services without specific reference to services rendered by the Processor on behalf of the Controller, postal and courier services, transport services as well as security services). For supplementary services rendered by third parties, the Processor shall nevertheless ensure that appropriate precautions and technical and organisational measures are taken to guarantee personal data privacy. The service and maintenance of IT systems or applications shall constitute a sub-contractual relationship and commissioned processing pursuant to Art. 28 GDPR if the service and maintenance concerns IT systems that are also used in connection with the provision of services for the Controller and if access to personal data processed on behalf of the Controller may be obtained during maintenance.
A list of our current Sub-Processors is cited in Annex 1.
Both parties hereby undertake to treat all information received in connection with the processing of this DPA and Terms indefinitely confidential. No party has the right to use the information in part or as a whole for other than those mentioned purposes or to make this information available to third parties.
The foregoing obligation shall not apply for information that one party received demonstrably from third parties, without being bound by secrecy or which are publicly known.
Smoolis shall ensure that it is familiar with the respective, applicable data protection regulations and their application. Smoolis shall also ensure that its personnel entrusted with carrying out data processing tasks are familiar with relevant data protection provisions and that such personnel are bound by confidentiality pursuant to GDPR and by data secrecy which survives the termination of Controller's engagement with Smoolis. The personnel obligation must be demonstrated to the Controller upon request.
14. Data Transfers
Controller authorizes Smoolis to transfer its Controlled Personal Data away from the country in which such data was originally collected. In particular, Controller authorizes Processor to transfer Customer's Controlled Personal Data to the US. Smoolis will transfer Customer's Controlled Personal Data to outside the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.
For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms. The Controller agrees that any regulatory penalties or claims by data subjects or others incurred by Smoolis in relation to Customer's Controlled Personal Data that arise as a result of, or in connection with, its failure to comply with its obligations under this DPA or EU Data Protection Law shall reduce Smoolis's maximum aggregate liability to it under the DPA and Terms in the same amount as the fine and/or liability incurred by Smoolis as a result.
In the event of any conflict or inconsistency between this DPA and the Terms of Service as it relates to data protection, this DPA will govern.
17. Duration of the DPA
The DPA shall commence upon signature and shall be valid for the duration of the primary contract concluded between the parties concerning utilisation of the Services of the Processor.
The Controller can terminate the DPA without notice at any time should Smoolis commit a serious breach of the applicable data protection regulations or obligations under this contract; or if Smoolis denies the Controller or relevant supervisory authorities access contrary to the DPA.
After termination of the contract, at the discretion of the Controller, Smoolis shall return or delete all documents and data in its possession, as well as all processing or usage results generated in connection with the contractual relationship, except to the extent that Smoolis is required under Data Protection Legislation to keep a copy of the Customer's Personal Data. The deletion must be documented in an appropriate manner. Any statutory retention requirements or other obligations to store the data shall remain unaffected.
The Controller shall have the right to verify the complete and contractual return and deletion of the data by the Processor. This can also be performed by inspecting the data processing systems at the business premises of the Processor. The Controller should provide appropriate notice (at least 20 working days) for the on-site inspection.
Controller is responsible for any costs and expenses arising from Smoolis's compliance with its requests pursuant to this DPA which fall outside the standard functionality made available by Smoolis generally through the Services.
Controller acknowledges and agrees that Smoolis may amend this DPA from time to time by posting the relevant amended and restated Agreement on Smoolis's website, available at www.smoolis.com and such amendments to the DPA are effective as of the date of posting. Controller's continued use of the Services after the amended DPA is posted to Smoolis's website constitutes its agreement to, and acceptance of, the amended DPA. If the Controller disagrees with Smoolis's changes, then it should stop using the Services.
If any provision of the DPA is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this DPA shall remain operative and binding on the parties.
The DPA was originally written in English. Smoolis may translate these Terms into other languages. In the event of a conflict between a translated version and the English version, the English version will control.
20. Applicable law and jurisdiction
The terms of this DPA shall be governed by and interpreted in accordance with the Swiss Law.
Any dispute arising out of or relating to this DPA is subject to the exclusive jurisdiction of the Swiss courts and, in particular, those of Zürich.
Infrastructure / Technical platform:
Function / Purpose
Ticket system for
1019 Market Street,
San Francisco, CA 94103, USA
The Rocket Science Group, LLC,
675 Ponce de Leon Ave NE,
Atlanta, GA 30308, USA
Amazon Web Services EMEA SARL,
5 rue Plaetis,
185 Berry Street, Suite 550,
San Francisco, CA 94107, USA
Use of Google productivity
1600, Amphitheatre Parkway,
Mountain View, CA 94043, USA
1600, Amphitheatre Parkway,
Mountain View, CA 94043, USA
Function / Purpose
Slack Technologies, Inc.,
500 Howard Street,
San Francisco, CA 94105, USA
c/o Atlassian, Inc.
1098 Harrison Street
San Francisco, CA 94103, USA
88 Colin P. Kelly Jr. St.,
San Francisco, CA 94107, USA
One Microsoft Way, Redmond,
WA 98052-6399, USA
Technical and organisational security measures of the Processor
Security Overview
Smoolis pays special attention to controls, processes, and procedures governing the security of Smoolis and its customers. Its information security program reflects the following principles:
- Align security activities with Smoolis's strategies and support Smoolis's objectives.
- Leverage security to facilitate confidentiality, integrity, and availability of data and assets.
- Utilize Smoolis's security resources efficiently and effectively.
- Utilize monitoring and metrics to facilitate adequate performance of security related activities.
- Manage security utilizing a risk-based approach.
- Implement measures designed to manage risks and potential impacts to an acceptable level.
- Leverage industry security frameworks where relevant and applicable.
- Leverage compliance/assurance processes as necessary.
- Analyze identified or potential threats to Smoolis and its customers, provide reasonable remediation recommendations, and communicate results as appropriate.
Data Center Security, Availability, and Disaster Recovery
- Smoolis leverages leading data center providers to house its physical infrastructure.
- Its data center providers utilize an array of security equipment, techniques and procedures designed to control, monitor, and record access to the facilities.
- Implementation of solutions designed to protect against and mitigate effects of DDoS attacks.
- Dedicated teams located in multiple geographies to support its platform and supporting infrastructure.
- Maintenance of geographically separate data centers to facilitate infrastructure and service availability and continuity.
- Smoolis has a formally documented disaster recovery (failover) plan which is tested at least annually. Results of testing are documented and maintained.
Application Level Security
- Smoolis hashes passwords for user accounts and provides SSL for customers.
- Utilization of Web Application Firewall (WAF) technology.
- Regular pen testing is performed on the Smoolis platform, the results of which are analyzed and remediated (as appropriate) by its engineering and security teams.
- In the event of an issue related to the security of the Smoolis platform, the Smoolis security team follows a formal incident response process.
- Analysis of identified or potential threats to Smoolis and its customers, provision of reasonable remediation recommendations, and communication of the results as appropriate.
Smoolis Building and Network Access
- Physical access to Smoolis offices is monitored. The internal network is restricted and monitored.
Systems Access Control
- Access to Smoolis systems is limited to appropriate personnel.
- Smoolis subscribes to the principle of least privilege (e.g., employees, system accounts etc. are provided with the least amount of access for their job function).
- Multifactor authentication.
Security Risk Management
Threat intelligence and risk assessment are key components of Smoolis's information security program. Awareness and understanding of potential (and actual) threats guides the selection and implementation of appropriate security controls to mitigate risk. Potential security threats are identified, and assessed for severity and exploitability prior to being classified as risks. If risk mitigation is required, the security team works with relevant stakeholders and system owners to remediate. The remediation efforts are tested to confirm the new measures/controls have achieved their intended purpose.