This Data Processing Agreement (“DPA”) is between RadBee Ltd., a UK company, and the accepting counterparty and its affiliates (“Customer”), (each, a “Party” as applicable, and collectively, the “Parties”). This DPA is effective upon Customer’s signing or acceptance of any agreement with RadBee governing the licensing or purchase of RadBee products or services (the “Main Agreement”). This DPA modifies terms and is part of each Main Agreement only if such agreement involves RadBee handling Customer Personal Data.
The scope, duration, extent, and nature of processing personal data under this DPA are defined in the Main Agreement. This DPA's term matches the Main Agreement's duration.
All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Main Agreement. If there is any inconsistency or conflict between this DPA and any Main Agreement in effect between RadBee and the Customer, the terms of this DPA shall govern and control with respect to data protection or processing.
By accepting these terms, you confirm that: (a) you have the legal authority to bind the Customer to these data processing terms; (b) you have read and understand these data processing terms; and (c) you agree, on behalf of the Customer, to these data processing terms. RadBee and the Customer agree as follows:
DEFINITIONS
In this DPA, the terms below shall have the following meanings:
"Applicable Data Protection Laws" refers to all laws governing the processing of personal data as applicable in the Customer’s jurisdiction as set in the Main Agreement, including (1) the EU GDPR and related national laws; (2) the laws mentioned in the Jurisdiction Specific Terms; and (3) any other relevant data protection or privacy laws.
"Applicable Law" refers to all relevant laws, rules, regulations, orders, ordinances, guidance, and industry self-regulations, including Applicable Data Protection Laws.
"Subprocessor" refers to any third party appointed by RadBee to process Customer Personal Data;
"Customer Personal Data" refers to the information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Terms like "Controller", "Data Subject", "Personal Data", “Personal Data Breach”, "Processing", "Processor", and “Supervisory Authority” should be interpreted according to their definition in Article 4 of the EU GDPR.
Processing of Customer Personal Data: To the extent that RadBee processes any Customer Personal Data, RadBee hereby represents and warrants that it will comply with the obligations outlined in this Section:
Processing Roles. In the context of this DPA, concerning the Processing of Customer Personal Data, (1) when the Customer acts as a Controller, RadBee functions as a Processor; and (2) when the Customer acts as a Processor, RadBee serves as a sub-Processor. For clarification, both scenarios described in this section are encompassed by, and fall under the provisions of, this DPA.
General Obligations. RadBee will comply with Applicable Law when processing Customer Personal Data. RadBee will not disclose this data to third parties without Customer’s written consent, unless required by law. RadBee will ensure that all personnel involved in this process are aware of their confidentiality obligations and comply with this DPA during the Term of the Main Agreement.
Processing Only on Customer Instructions: RadBee will process Customer Personal Data solely to perform Services and follow Customer’s written instructions. RadBee will act as a Data Processor and only collect necessary Customer Personal Data for the Services. If applicable law requires any processing inconsistent with Customer's instructions, RadBee will inform the Customer promptly before starting. If RadBee believes any Customer instruction may violate applicable law, they will notify the Customer immediately.
Subprocessors. Customer authorizes RadBee to appoint (and permit each Subprocessor appointed in accordance with this paragraph (d) to appoint) Subprocessors in accordance with this paragraph (d).
RadBee may continue to use those Subprocessors already engaged by RadBee as of the date of the Main Agreement, subject to RadBee meeting the obligations set out in this paragraph (d) of this DPA. RadBee’s Subprocessors are listed in the RadBee Privacy and Security Policy. RadBee shall maintain an updated list of Subprocessors.
RadBee will post notifications on social media and its Atlassian Marketplace page if its Privacy and Security Policy is updated. If, within fourteen (14) days of the posting of each such update, Customer notifies RadBee in writing of any reasonable objections to the proposed appointment of a Subprocessor by contacting support@radbee.com, Customer may, as a sole and exclusive remedy, immediately terminate the applicable Main Agreement and this DPA only with respect to those Services which cannot be provided by RadBee without the use of the objected-to Subprocessor. Customer may terminate the Main Agreement by providing written notice to RadBee pursuant to the terms of the Main Agreement provided that all amounts due under the Main Agreement(s) before the termination date with respect to the Processing of Customer Personal Data are duly paid to RadBee. RadBee shall remain responsible for the Processing of the Customer Personal Data until the termination or expiration of the Main Agreement.
With respect to each Subprocessor, RadBee shall: (a) carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection and security for Customer Personal Data required by this DPA, the Main Agreement, and Applicable Laws before the Subprocessor first Processes Customer Personal Data; and (b) impose on the Subprocessor terms between RadBee and the prospective Subprocessor that provide for at least the same level of protection for Customer Personal Data as those set out in this DPA.
Details Related to the Processing of Customer Personal Data. Information regarding the processing of Customer Personal Data is outlined in the RadBee Privacy and Security Policy. The Customer may request reasonable amendments to the RadBee Privacy and Security Policy through written notice to RadBee (to support@radbee.com), as deemed necessary by the Customer to comply with applicable law. RadBee commits to reasonably provide written notification to the Customer if it determines that the RadBee Privacy and Security Policy is inaccurate or otherwise fails to meet the requirements of applicable law.
Personnel. RadBee will take reasonable measures to ensure the reliability of all personnel with access to Customer Personal Data. Additionally, it will ensure that access to Customer Personal Data is restricted to individuals who need such access for purposes required by the Main Agreement and in accordance with Applicable Law.
Cooperation to Facilitate Responses. RadBee will, considering the nature of the Processing, assist the Customer:
by reasonably establishing and maintaining appropriate technical and organizational measures, to the extent possible, in fulfilling the Customer's obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Laws; and
in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the EU GDPR.
RadBee may charge a reasonable fee for any assistance provided to the Customer under this DPA.
Cross-Border Restricted Transfers. RadBee may only Process, access, or transfer Customer Personal Data across national borders in compliance with the requirements regarding Restricted Transfers, as set out in the Applicable Data Protection Laws in the Customer’s jurisdiction as set in the Main Agreement. The Jurisdiction Specific Terms may further define and augment the term “Restricted Transfer” as necessary to comply with the requirements of applicable international laws and regulations. If a transfer of personal data to a third country or international organization is required by law, RadBee will inform the data controller of such requirement and follow the controller's instructions regarding such transfers. This is to ensure compliance with Article 28 of the General Data Protection Regulation (GDPR).
Retention and Deletion. RadBee may keep Customer Personal Data only as long as needed to perform the Services, or as required by law or the Main Agreement, or as requested by Customer in writing. Upon the termination of the Main Agreement, Customer must decide if RadBee should delete or return all Customer Personal Data. If Customer does not provide instructions within 30 days, RadBee will permanently delete all copies, unless required to retain them by law.
Technical and Organizational Security Measures
To the extent RadBee Processes any Customer Personal Data on behalf of Customer or its Affiliate(s) pursuant to the Main Agreement, RadBee represents and warrants that it shall comply with the following obligations:
a. Measures to be Implemented. RadBee implements and maintains technical and organizational measures (“TOMs”) regarding the protection of personal data (e.g. physical and software/hardware aspects of security, data handling policies, procedures, and training that guide how data is handled) as outlined in Article 32 of the GDPR. RadBee’s TOMs ensure a level of security which is appropriate to the risk, aiming to protect the Customer Personal Data from unauthorized processing, loss, destruction, damage, theft, alteration, or disclosure. These measures will match the potential harm of any data breach and consider the nature of the data. Considering the current technology, implementation costs, and processing context, RadBee will ensure appropriate security levels.
b. Personal Data Breaches. If RadBee becomes aware of any Personal Data Breach affecting Customer Personal Data, RadBee will notify Customer without undue delay after having become aware of it and:
i. As soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Customer may reasonably request relating to the Personal Data Breach), provide to Customer a detailed description of the type of data that was the subject of the Personal Data Breach and the identity of each affected person.
ii. Immediately, take reasonable commercial steps, at RadBee's own expense, to investigate the Personal Data Breach and to identify, prevent and mitigate the effects of the Personal Data Breach and to carry out any recovery or other action necessary to remedy the Personal Data Breach.
iii. Not release or publish any filing, communication, notice, press release, or report concerning the Personal Data Breach without Customer's prior written approval except where RadBee is required by Applicable Law to make such disclosure prior to obtaining Customer’s written consent.
c. RadBee’s notification of or response to a Personal Data Breach under this Section 2 will not be construed as an acknowledgement by RadBee of any fault or liability with respect to the Personal Data Breach.
Rights of the Data Subjects
i. RadBee shall assist the Customer by implementing appropriate technical and organizational measures, as far as possible, to fulfill the Customer’s obligations in responding to requests to exercise rights of the Data Subjects under Applicable Law. The Customer is responsible for collecting any required consent from the Data Subject. If the Customer intends to disclose RadBee’s data processing practices to the Data Authorities, the Customer must notify RadBee before such disclosure.
ii. Regarding the rights of the Data Subjects within this Section, RadBee shall:
a. Promptly notify the Customer of any request received from a Data Subject under any Applicable Law with respect to Customer Personal Data;
b. Refrain from responding to the request except according to the documented instructions of the Customer or as required by Applicable Law, in which case RadBee shall, to the extent permitted by Applicable Law, inform the Customer of that legal requirement before responding to the request.
Provision of Information and Audit Rights
If the Customer is entitled under Applicable Data Protection Laws and wishes to review RadBee’s compliance with the terms of this DPA, the Customer may make a request in writing to support@radbee.com. RadBee will then provide the information subject to obligations of confidentiality.
If Customer, after having reviewed such information, still reasonably deems that it requires additional information, RadBee shall further reasonably assist and make available to Customer, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation necessary to demonstrate compliance with this DPA.
If so required, RadBee will provide Customer or mutually agreed third-party independent auditors at Customer’s cost and expense, once per calendar year, at a time mutually agreed upon by RadBee and Customer, access to RadBee’s security policies, practices and procedures, and records relating to the Services for the purpose of verifying RadBee’s compliance with this DPA. RadBee shall provide the assistance described in this paragraph insofar as, in RadBee’s reasonable opinion, such audits and the specific requests of Customer do not interfere with RadBee’s business operations or cause RadBee to breach any legal or contractual obligation to which it is subject.
Customer Representation and Warranties
Customer represents and warrants that it has the rights to provide RadBee with Customer Personal Data for Processing as outlined in this DPA and the Main Agreement. Customer must comply with Applicable Data Protection Laws when disclosing, transferring, and processing Customer Personal Data with RadBee.
Customer confirms that sharing Customer Personal Data with RadBee is not considered a sale under Applicable Data Protection Laws.
Exhibits to the DPA
List of Exhibits.
Updates to the Exhibits. RadBee reserves the right to update the Exhibits to the DPA from time to time by posting updated versions of the Exhibits. RadBee offers the Customer, on its web pages, the option to subscribe to a mailing list and thereby receive notifications of updates to the same webpage(s) where the Exhibits are posted. If Customer does not object to the updated Exhibit within fourteen (14) days from the day the update(s) were posted, Customer will be deemed to have consented to the updated Exhibits.
Conflicts between the DPA and the Exhibits. In case of any conflict or ambiguity between the terms in the Exhibits and the terms of the body of the DPA, the applicable terms in the Exhibits shall prevail.
Customer Data Protection Officer and Data Protection Representative Information
Customer shall provide the contact details of its Data Protection Officer (if any) and data protection representative in the EU and in the UK (if any) to RadBee by sending an email to support@radbee.com.
In the event that the provided identity and contact details change, Customer shall provide the updated information to RadBee by sending another email to support@radbee.com.
Indemnification
RadBee shall indemnify, defend, and hold Customer, its Affiliates, and their respective directors, officers, employees, independent contractors and agents (each an “Indemnified Party”) harmless, to the fullest extent permitted by law, from and against all losses, judgments, liabilities, costs, expenses, fines, penalties and awards that an Indemnified Party suffers or incurs as a result of any claims, demands, suits, causes of action or enforcement proceedings (each, a “Claim”) arising from, relating to or alleging any breach of this DPA or violation of Applicable Law by RadBee but solely to the extent that RadBee fails to act or acts outside or against the instructions of Customer. RadBee’s liability under this DPA shall be limited to the amount paid by Customer to RadBee in the previous year. In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA.
Miscellaneous
Conflicts. In the event of any conflict or inconsistency between the provisions of this DPA and the Main Agreement, the provisions of this DPA shall control with respect to the subject matter set forth herein. All the terms, provisions and requirements contained in the Main Agreement shall remain in full force and effect except to the extent they conflict with and are superseded by this DPA.
Governing Law and Jurisdiction. To the extent allowable by Applicable Law, this DPA shall be governed by and construed in accordance with the internal laws of the UNITED KINGDOM. The parties irrevocably agree to the exclusive jurisdiction of the courts of London, UK.
Term. This DPA shall enter into force on the date of signing of the Main Agreement and shall remain in force for as long as RadBee processes Customer Personal Data on behalf of Customer.
Binding Effect. The terms, provisions and conditions of this DPA shall be binding upon and inure to the benefit of each respective party and their respective legal representatives, successors and assigns.