This Data Processing Addendum (“DPA”) forms a part of the Customer Terms of Service found at https://fibery.io/terms-of-service — unless the Customer has entered into a superseding written master agreement with Fibery Limited (“Fibery”), in which case, it forms a part of such written agreement (in either case, the “Agreement”). By signing the DPA, the Customer enters into this DPA on behalf of themselves, and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below).
For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In the course of providing the Services under the Agreement, Fibery may Process certain Personal Data (such terms defined below) on behalf of the Customer, and where Fibery Processes such Personal Data on behalf of the Customer, the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
The Parties agree that in the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall control.
This Addendum will not apply to the processing of Client Personal Data, where such processing is not regulated by EU Data Protection Laws. If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.
Customer has two options to complete this DPA
NOW, THEREFORE, in consideration of the mutual agreements set forth in this document and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:
Capitalized terms used but not defined in this Data Processing Amendment have the meanings given elsewhere in the applicable Agreement. In this Data Processing Amendment, unless stated otherwise:
“Additional Products” means products, services and applications that are not part of the Services but that may be accessible via user interface or otherwise, for use with the Services.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Amendment Effective Date” means the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Amendment in respect of the applicable Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Controller Affiliate” means any of Customer's Affiliate(s)
“Customer Personal Data” means personal data contained within the Customer Data.
“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the GDPR;
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Model Contractual Clauses” means the agreement executed by and between Customer and Fibery, and available as a separate document pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-Processor” means any entity engaged by Fibery or its affiliates to Process Personal Data in connection with the Services.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
“Term” means the period from the Amendment Effective Date until the end of Fibery’s provision of the Services under the applicable Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Fibery may continue providing the Services for transitional purposes.
The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this Data Processing Amendment have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Fibery is the Processor and that Fibery or its Affiliates will engage Sub-Processors pursuant to the requirements set forth in Section 4 below. A list of Sub-Processors is provided in Exhibit B.
If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to Fibery that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Fibery as another processor, have been authorized by the relevant Controller.
Customer shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Law. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data.
As the Customer’s Processor, Fibery shall only Process Personal Data for the following purposes:
The subject-matter of Processing of Personal Data by Fibery is as described in the Purpose in Section 2.3. The nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Description of Processing Activities) to this DPA.
This Data Processing Amendment will take effect on the Amendment Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Fibery as described in this Data Processing Amendment.
Fibery shall, to the extent legally permitted, promptly notify Customer if Fibery receives any requests from a Data Subject to exercise the following Data Subject rights in relation to Personal Data: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, Fibery shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under applicable Data Protection Laws. In addition, to the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Fibery shall, upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such a Data Subject Request, to the extent Fibery is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Fibery’s provision of such assistance, including any fees associated with the provision of additional functionality.
Fibery will, in a manner consistent with the functionality of the Service or per request, enable Customer to access, rectify, and restrict processing of Customer Personal Data.
With respect to the Personal Data under this DPA, Fibery warrants that it will:
Customer acknowledges and agrees that:
A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible in Exhibit B and will be available in the online version of this DPA via https://fibery.io/data-processing (“Sub-Processor List”). Customers with a signed DPA will receive notifications of new Sub-processors before authorizing such new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.
Customer may reasonably object to Fibery using a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate applicable Data Protection Law or weaken the protections for such Personal Data) by notifying Fibery promptly in writing within ten (10) business days after receipt of Fibery’s notice in accordance with the mechanism set out in Section 4.2. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Fibery will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening Customer. If Fibery is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable Service which cannot be provided by Fibery without the use of the objected new
Customer any prepaid fees covering the remainder of the term of Service following the effective date of termination, without imposing a penalty for such termination on the Customer.
Fibery shall be liable for the acts and omissions of its Sub-Processors to the same extent Fibery would be liable if performing the Services of each Sub-Processor directly under the terms of this DPA.
Upon Customer’s request, Fibery shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Fibery. Fibery shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR. Customer shall cover all costs incurred by Fibery in connection with its provision of such assistance.
Subject to Section 6.2 (Deferred Deletion), on expiry of the applicable Service, Customer instructs Fibery to delete all Customer Data (including existing copies) from Fibery systems in accordance with applicable law. Fibery will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage of this Customer Data.
Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the applicable Service expires, any Customer Data it wishes to retain afterwards.
To the extent any Customer Data covered by the deletion instruction described in Section 6.1 (Deletion on Service Expiry) is also processed, when the applicable Service under Section 6.1 expires, in relation to an Agreement with a continuing Service, such a deletion instruction will only take effect with respect to such Customer Data when the continuing Service expires. For clarity, this Data Processing Amendment will continue to apply to such Customer Data until its deletion by Fibery.
Return of the Customer Data
Upon expiration of the Term as well as during the Term of the Services Agreement, Fibery will provide Customer with access to export Customer Personal Data from the Service.
Customer agrees that Fibery may, subject to Section 7.2 (Transfer Mechanisms), store and process Personal Data in the United States and any other country in which Fibery or any of its Sub-Processors maintains facilities.
NOTE: For customers based in EEA (others per request), Fibery stores Services Data in the Amazon Data center based in Frankfurt (Germany). Fibery may store in all data centers identifying information about Customer’s instance of the applicable Services. See additional details in Exhibit B.
For transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such applicable Data Protection Laws:
Fibery shall, to the extent permitted by law, notify Customer without undue delay upon Fibery or any Sub-Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Fibery shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Fibery shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Documentation.
Fibery regularly monitors compliance with these measures and will provide the Customer with supporting documentation, such as audit information, where applicable. Fibery will not materially decrease the overall security of the Service during a Service subscription term. Additional information is provided in the Model Contractual Clauses. Fibery takes reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality.
Fibery Limited
28 Oktovriou, 2, Flat/Office 101 Egkomi, Makedonitissa, 2414 Nicosia, Cyprus
10.1 Subject to this section 10, Fibery shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer’s Personal Data by the Sub-Processor.
10.2 Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Exhibit A: Description of Processing Activities
Exhibit B: Sub-Processors
Exhibit C:
The parties' authorized signatories have duly executed this DPA:
On behalf of customer: | on behalf of Fibery Limited: |
Name: Vadim Gaidukevich | |
Position: Director | |
Signature: | Signature: |
The transferred personal data concerns the following categories of data subjects: the Data Exporter’s end users including employees and contractors; the personnel of the Data Exporter’s customers, suppliers and subcontractors.
The transferred personal data concerns the following categories of data: personal data submitted, stored or sent by the Data Exporter or its end users via the Services including identification and contact data (name, address, title, email, userID); employment details where provided (employer, job title); IT information (IP addresses, usage data, cookies data).
None
The transferred personal data will be processed in accordance with the Agreement and may be subject to the following processing activities:
List of current Fibery Sub-Processors as of the Effective Date:
Core Services Sub-Processors (providing infrastructure hosting or processing significant amount of Customer Personal Data)

Sub-processor Name | Purpose of processing | Entity Type | Location of processing | SCC/DPA |
---|---|---|---|---|
Amazon Web Services EMEA SARL | Data storage and processing – main hosting provider | Sub-Processor | Germany* | Available |
SendGrid | Email Delivery for On-Demand Service | Sub-Processor | United States of America | Available |

Ancillary Services Sub-Processors (providing Processor with internal and supporting processing of insignificant amount of Controller Personal Data or no processing at all for some sub-processors and Categories of Controllers)

Sub-processor Name | Purpose of processing | Entity Type | Location of processing | SCC/DPA |
---|---|---|---|---|
Google, LLC | Email and calendar services, online document storage, advertising services | Sub-Processor | United States of America | Available |
Elasticsearch B.V. | Application logs storage and processing | Sub-Processor | Ireland | Not applicable |
Braintree (PayPal (Europe)) | Payments processing | Sub-Processor | Ireland | Not applicable |
Slack Technologies, Inc. | Internal communication | Sub-Processor | United States of America | Available |
Calendly | CRM, calls scheduling service | Sub-Processor | United States of America | Available |
UserVoice, Inc. | Customer support (decommissioning process) | Sub-Processor | United States of America | Available |
Intercom R&D Unlimited Company | Customer support and communications | Sub-Processor | Republic of Ireland | Available for US entity |
Fibery Inc, USA | Customer Support, Sales, HQ | Affiliate | United States of America | Model Contractual Clauses |

* For customers based in the United States (per request), Fibery stores Services Data in the Amazon US data centers. Fibery may store in all data centers identifying information about Customer’s instance of the applicable Services only.
The technical and organisational measures in place at Fibery:
Control | Objective | Measures |
---|---|---|
Physical Access Control | No unauthorised access to data processing systems | Office space: Access via key / RFID chip |
System Access Control | No unauthorised system usage | |
Data Access Control | No unauthorised reading, copying, modification or removal within the system | |
Data Separation Control | Separate processing of data collected for different purposes | |
Transfer control | No unauthorised reading, copying, modification or removal during electronic transmission or transport | |
Input control | Determining whether and by whom personal data has been entered, modified or removed from data processing systems | |
Availability Control | | |
Rapid Recovery & Restore | | |
Organisational Control | Data protection management | |
Privacy-friendly Default Settings (Art. 25 para. 2 GDPR) | | |

No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the client, e.g. clear contract design, formalised order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.
Date of document last update: December 2023