This General Data Processing Addendum ("DPA"), is incorporated into, and is subject to the terms and conditions of, the Agreement between Honeybadger Industries, LLC d/b/a ("Honeybadger") and the customer entity that is a party to the Agreement ("Customer" or "you"). The parties have entered into a Services Agreement as of the date the Customer commenced using the Honeybadger service for Services ("Services Agreement") under which Honeybadger will process certain personal data provided or made available by Customer in the course of providing Services to Customer. The parties intend this DPA to be an extension of the Services Agreement that will outline certain requirements for the processing of such personal data. This DPA applies exclusively to personal data provided or made available by Customer in the EEA to Honeybadger in the US.
"Data Protection Legislation" means all applicable laws relating to privacy and the processing of personal data that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by the supervisory authorities. Data Protection Legislation includes, but is not limited to, European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)).
"Good Industry Practice" means, in relation to any activity and under any circumstance, exercising the same skill, expertise and judgement and using facilities and resources of a similar quality as would be expected from a person who:(a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply;(b) takes all proper and reasonable care and is diligent in performing his obligations; and (c) complies with the Data Protection Legislation.
"data controller", "data processor", "subprocessor", "data subject", "personal data", "processing", and "appropriate technical and organizational measures" shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.
"Services" means any product or service provided by Honeybadger to Customer pursuant to the Agreement.
"Customer Data" means any personal data that Honeybadger processes on behalf of Customer as a data processor in the course of providing Services, as more particularly described in this DPA.
The parties agree that Customer is a data controller and that Honeybadger is a data processor in relation to personal data that Honeybadger processes on behalf of Customer in the course of providing the services under the Services Agreement (the "Services"). The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out the Services described in, the Services Agreement and any applicable Statement of Work ("SOW"). The processing will be carried out until the date Honeybadger ceases to provide the Services to Customer. The subject matter, duration, nature, and purpose of the processing of the personal data as well as the type of personal data and categories of data subjects are:
The subject matter of the data processing under this DPA is the Customer Data
The duration of the processing equals the Term of this Agreement, unless otherwise requested by Customer in writing.
The nature and purposes of the processing under this DPA is the provision of the Services to the Customer and the performance of Honeybadger’s obligations under the Agreement (including this DPA), including production monitoring and error reporting of Customer’s platform and related services.
The categories of the data subjects include (a) any employee or personnel of Customer accessing and/or using the Services through the Customer’s account(s) ("Customer Users") and (b) any individual whose information is stored on or collected via the Services at Customer’s direction ("Customer’s Customers").
The categories of personal data include the following:
Customer Users: identification and contact data (name, address, contact details, username); financial information (credit card details, account details, payment information);
Customer’s Customers: identification and contact data (name, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information); any other personal information as configured by Customer.
In respect of personal data processed in the course of providing the Services, Honeybadger shall adhere to the following requirements:
Honeybadger will process the personal data only in accordance with the written instructions from Customer (the Services Agreement and this DPA are hereby deemed to be Customer’s sole written instructions) and only in compliance with Data Protection Legislation. The nature and purposes of the processing shall be limited to that which is necessary to carry out such instructions, and not for Honeybadger’s own purposes, or for any other purposes except as required by law. If Honeybadger is required by law to process the personal data for any other purpose, Honeybadger will inform Customer of such requirement prior to the processing unless prohibited by law from doing so.
Honeybadger will process the personal data only to the extent, and in such manner, as is necessary for the provision of the Services. Honeybadger may only correct, delete or block the personal data processed on behalf of Customer as and when instructed to do so by Customer.
Honeybadger will implement and maintain appropriate technical and organizational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice. Customer may request additional details about Honeybadger’s information security policies here.
Honeybadger will take reasonable steps to ensure the reliability and competence of any Honeybadger personnel who have access to the personal data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant personal data, as strictly necessary. Honeybadger will ensure that all Honeybadger personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA. Honeybadger further ensures that all such individuals shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
Honeybadger will take all reasonable steps to assist Customer in meeting Customer’s obligations under applicable Data Protection Legislation, including Customer’s obligations to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. Honeybadger will promptly inform Customer in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to Customer’s obligations under Data Protection Legislation.
Honeybadger will not retain any of the personal data for longer than is necessary to provide the Services. At the end of the Services, or upon Customer’s request, Honeybadger will securely destroy or return (at Customer’s election) the personal data to Customer unless continued storage is required by law.
With regard to personal data related to data subjects located in the European Economic Area, Honeybadger will not process such personal data in a location outside the European Economic Area, except pursuant to the EU-US Privacy Shield, provided that Honeybadger maintains its certification under the EU-US Privacy Shield and notifies Customer in the event it reasonably believes it will no longer be able to maintain its certification.
Honeybadger will allow Customer and its respective auditors or authorized agents to conduct audits and inspections during the term of the Services Agreement and for 12 months thereafter, which shall solely include, unless otherwise expressly required by applicable law, providing access to summaries of Honeybadger’s data protection and data security measures and access to personnel used by Honeybadger in connection with the provision of the Services for purposes of asking questions regarding Honeybadger’s data protection and data security measures. The purposes of an audit pursuant to this paragraph include to verify that Honeybadger is processing personal data in accordance with its obligations under this DPA, the Services Agreement, and applicable Data Protection Legislation.
If Honeybadger becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Honeybadger in the course of providing the Services under the Services Agreement (a "Security Breach"),
it shall promptly and without undue delay notify Customer and provide Customer with: a detailed description of the Security Breach; the type of data that was the subject of the Security Breach; the identity of each affected person, and the steps Honeybadger takes in order to mitigate and remediate such Security Breach, in each case as promptly as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Customer may reasonably request relating to the Security Breach); and
take action promptly, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and to carry out appropriate recovery actions to remedy the Security Breach.
Honeybadger shall comply at all times with, and assist Customer in complying with its applicable obligations under, Data Protection Legislation. Honeybadger shall provide reasonable information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Honeybadger will notify Customer immediately if, in Honeybadger’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
Customer agrees that Honeybadger may engage third-party sub-contractors in connection with the provision of services. Honeybadger will not give access to or transfer any personal data to any third-party (including affiliates, group companies or sub-contractors) without the prior consent of Customer. Customer hereby consents to the transfer of personal data to the sub-contractors listed in Annex A for purposes of providing the services.
Honeybadger shall notify Customer if it adds or removes subprocessors at least 10 days prior to any such changes if Customer opts in to receive such notifications by clicking here.
Honeybadger has or shall enter into a written agreement with each sub-contractor (the "sub-contracting Agreement") containing data protection obligations not less protective than those in the Agreement and/or this Addendum with respect to protection of Customer personal data to the extent applicable to the nature of the Services provided by such sub-contractor. Honeybadger shall be liable for the acts and omissions of its sub-contractors to the same extent Honeybadger would be liable if performing the services of each sub-contractor directly under the terms of this Addendum.
Honeybadger shall provide to Customer for review, copies of the sub-contracting Agreements as Customer may reasonably request from time to time. Customer acknowledges that, pursuant to subprocessor confidentiality restrictions, Honeybadger may be restricted from disclosing onward subprocessor agreements to Customer. Notwithstanding this, Honeybadger shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to Customer.
Customer shall, in its use of the Services, at all times process personal data, and provide instructions for the processing of personal data, in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679). Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the personal data, and that the processing of personal data in accordance with Customer’s instructions will not cause Honeybadger to be in breach of the GDPR. Customer is solely responsible for the accuracy, quality, and legality of (i) the personal data provided to Honeybadger by or on behalf of Customer, (ii) the means by which Customer acquired any such personal data, and (iii) the instructions it provides to Honeybadger regarding the processing of such personal data. Customer shall not provide or make available to Honeybadger any personal data in violation of the Agreement or otherwise inappropriate for the nature of the Services.