Data Processor Agreement

This Data Processor Agreement, version GDPR-DPA-1.0-UK (“The Agreement”) is entered into on the date indicated in the Order Form between Worklife Barometer ApS (CVR-no. 35 39 55 39), Njalsgade 76, 2300 Copenhagen S (“Worklife Barometer”) and “the Customer” as indicated in the Order Form. WLB and the Customer are each designated as a “Party” and collectively as “the Parties”.

Definitions

The agreement

Meaning the relevant client agreement, on which basis this data processor agreement is formed.

The Data Protection Legislation

Meaning i) The European Parliament and Council directive 95/46/EF, the act on Processing of Personal Data (law 2000-05-31 no. 429 with later amendments) and ii) after 25th May 2018 The general data protection regulation (EU) 2016/679 as well as future legislation, regulating the processing of personal data.

Data Processor Agreement

Meaning present Data Processor Agreement.

1. The Basis and Purpose of The Agreement

1.1. The purpose of this agreement is to ensure that the data protection regulation is complied with. The purpose for which the data processor processes personal data on behalf of the data responsible is described in appendix 1.

1.2. In case of any discrepancies between this data processor agreement and the agreement itself, this data processor agreement takes precedence, unless otherwise stated directly in the agreement. Furthermore, the data processor agreement rescinds and replaces i) previously agreed data processor agreement(s) between the parties and/or ii) requirements in other agreements between the parties that regulate the same data processor relations as this agreement.

1.3. If any relations in the data processor agreement and appurtenant instructions are later found to be invalid or in conflict with the data protection regulations, the parties cannot, notwithstanding point 1.1, invoke this. Moreover, the data processor agreement must remain in force and, if necessary, the parties will initiate negotiation with the intent to clarify, supplement or revise the relations in question.

2. Rights and Obligations of The Data Responsible

2.1. Data responsible is responsible for the personal information, which data processor is processing on behalf of data responsible.

2.2. Data responsible is responsible for the fact that data processor can process personal information on behalf of data responsible, e.g. that the processing is legal. Data responsible has the rights and obligations that are given a data responsible in the data protection legislation.

3. Obligations of The Data Processor

3.1. The data processor is solely responsible for processing personal data on behalf of the data responsible according to terms described in the data processor agreement or if a documented instruction from data responsible has been submitted, according to section 5.

3.2. The data processor must keep a written (can be electronic) record of all categories of processing that are conducted on behalf of the data responsible. As a minimum, this must include:

  • Name and contact information of the data processor, possible sub data processors, who is the data responsible, the data protection adviser as well as the data processor’s possible representative.

  • The categories of the processing that the data processor or their sub data processors conduct on behalf of the data responsible.

  • Provided any transfers of personal data to third-countries or international organisations are taking place, indication of the justification of this.

  • A description of the technical and organisational security measures taken in connection with the processing of personal data.

3.3. The data processor must, free of costs and at any given time, provide the written record required by 3.2 to the data responsible or the data protection agency.

3.4. The data processor assists and aids the data responsible – on their request – by providing relevant information and documentation for the purpose of making it possible for data responsible to document the compliance with the legislative requirements for data responsible, e.g. right of insight, analysis of consequences etc. To provide such aid to the data responsible, as well as making amendments and/or expansions of the instruction, the data processor can demand remuneration for used time as well as increased costs. The hourly rate of this is stated on the data processor’s price list, which data responsible has been made familiar with.

3.5. If a registered person contacts the data processor with the intent of exercising his/her rights according to the data protection legislation against the data responsible, the data processor will pass on such a request – without unnecessary delay – to the data responsible for their action. The data processor assists the data responsible according to section 3.4.

4. The Data Processor’s Use of Subcontractors

4.1. The data processor is utilising subcontractors (sub data processors) for delivery of services, in accordance with the data processor agreement. The data responsible has by signing present agreement approved that the sub data processors listed in appendix 2 are being used.

4.2. The data responsible gives the data processor a general approval to utilise sub data processors provided that the following terms are fulfilled:

  • The data processor will always notify the data responsible of any possible planned additions or substitutions of sub data processors and give the data responsible the possibility of challenging such changes, within fair notice. The notification must be accompanied by a description in accordance with information in appendix 2 for already approved sub data processors, which gives the data responsible the groundwork to evaluate the relationship.

  • The use of sub data processors happens on the basis of a written agreement between the data processor and the sub data processors, which imposes the same requirements on the sub data processors as on the data processor according to the data processor agreement, as well as the data protection legislation, so that the rights of the registered persons are secured. The data processor actively ensures that the sub data processor abides by such requirements.

  • The data responsible can at any given time demand documentation for the existence and content of the sub data processing agreement, apart from relations of confidential, commercial character, between the data processor and the sub data processor.

4.3. The data processor transfers the data responsible’s personal data to countries outside the EU/EEA. The data processor ensures that a transfer policy is present, referring to appendix 2. The use of subcontractors located in unsafe third-countries must happen on the basis of a valid transfer policy, according to the data protection legislation.

5. Instructions

5.1. The data processor solely processes personal data in accordance with the data responsible’s at any given time applicable instructions. The data responsible’s instructions include any processing, which is necessary for the data processor’s delivery of services to the data responsible. Instructions from the data responsible that affect or amend the content of the agreed service will be handled in accordance with the requirements of the customer agreement.

5.2. The data processor will notify the data responsible if an instruction, in the data processor’s opinion, conflicts with the data protection legislation.

5.3. The data processor cannot refuse to obey the data responsible’s instructions as a result of lacking payments of the data processor’s invoices etc., and the data processor has at no point in time the right to detain the data responsible’s personal data.

5.4. The data processor can only process personal data outside the instruction if it is required by EU or national legislation that the data processor is subjected to. The data processor will notify the data responsible of the reason hereof unless such a notification would conflict with EU or national legislation.

6. Technical and Organisational Security Measures

6.1. The data processor must – under consideration of the current technical level, costs of implementation and the character, extent, context and purpose of the processing in question as well as the risks of variable probability and severity of physical persons’ rights and fundamental freedom – complete appropriate technical and organisational precautions to, among other things, prevent:

  • Unpredictable or illegal destruction, loss, amendment;

  • Unauthorised transmission, access or abuse;

  • Other illegal processing, according to appendix 3 concerning security.

6.2. The data processor must be able to prove to the data responsible that the data processor has the necessary technical and organisational security measures in place. The parties agree that the submitted warranties noted in appendix 3 are sufficient, at the time of entering this data processor agreement.

6.3. Without undue delay and at the latest 24 hours after the data processor has become aware of a security breach, the data processor will notify the data responsible in written form. This notification will as a minimum, and as far as it is possible in light of the character of the incident, include the following: 1) information on the sort of the ascertained security breach, 2) which categories of registered persons that are included, 3) approximate quantity of affected registered persons, hereunder the categories of the included personal data and quantity as well as which eliminating and/or minimising precautions the data processor has taken as a result of the ascertained security breach.

7. Transfers to Other Countries

7.1. Provided the personal data is transferred to an EU member state, it is the data processor’s responsibility that the at any given time applicable regulations on security measures, which are determined by the legislation in the concerned member state, are complied with.

7.2. Moreover, the data processor is legitimate to complete transfers in accordance with the requirements established in section 4.3.

8. Confidentiality

8.1. The processing of personal data is performed under complete confidentiality between the data processor and the data responsible. Employees of the data processor, third-parties (e.g. repairers) as well as sub data processors, who are employed to process personal data under the present data processor agreement, must be bound to secrecy. Solely employees of the data processor who are authorised hereto can access the personal data, which is being processed under the data processor agreement. The data processor must ensure that employees who process personal data for the data processor have committed to confidentiality or are bound to a suitable statutory secrecy.

8.2. Notwithstanding point 13, the requirements on secrecy and confidentiality are applied without time limitation.

9. Control and Declarations

9.1. The data processor must on the request of the data responsible provide the data responsible with “all necessary information” for the data responsible to be able to detect if the data processor is complying with their obligations under the data processor agreement, hereunder that the necessary technical and organisational security measures are put into place.

9.2. “All necessary information” as a minimum meaning a description of the technical and organisational precautions taken as well as documentation making the data responsible able to be significantly convinced that these technical and organisational precautions have functioned consistently and as intended in the complete period the request of the data responsible is concerning.

9.3. The information must be provided at least four weeks after the data responsible has raised the request.

9.4. The data responsible is entitled to this once yearly or in case of an incident, for instance a security breach, that can give reason for a renewed request. Furthermore, the data processor can demand remuneration for the time spent and costs connected hereto. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.

9.5. Furthermore, the data responsible has the right – at its own expense – to appoint an independent expert, who must have access to the data processor’s physical facilities for processing of personal data as well as receive the necessary information for performing an investigation on whether the data processor is complying with its requirements under the data processor agreement or not. There will not be gained remote access to such audits and access to possible sub data processors can solely be given with the restrictions that follow from the data processor’s agreement with the sub data processor concerning access to audits. The investigation can never concern IT- and security environments, e.g. disaster recovery and/or business continuity plans (“bcp”), besides the data processor’s confirmation of the existence of these. The expert must on the data processor’s request sign a customary confidentiality agreement and treat any information gathered at, or received directly from, the data processor with secrecy and can solely share the information with the data responsible. Provided neither Deloitte, PWC, EY or KPMG is appointed as independent expert, the choice of the independent expert must be previously approved by the data processor. The data responsible does at any given time have the right to complete further control measures, e.g. to limit the data processor’s access possibilities to the data responsible’s network and data. The data processor is entitled to remuneration for time spent and costs connected to this. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.

10. Amendments to The Data Processor Agreement

10.1. Provided amendments in the legislation or practices result in amendments to the data processor agreement, the data processor is entitled to make these amendments free of cost.

10.2. In case the amendments are due to the data responsible’s relations, hereunder the data responsible’s wish for protection of personal data at a level that exceeds the statutory and/or the relevant security level, the data processor can demand remuneration for time spent and increased costs.

10.3. The data processor must ensure that the sub data processors as far as possible are put under obligation of any amendments implied by point 10.1 and 10.2, according to point 4.2.

11. Deletion or Destruction of Personal Data

11.1. At the expiry of the agreement the present data processor agreement will concurrently expire. The data processor will hereafter perform deletion by anonymising all personal data that has been processed on behalf of the data responsible. Furthermore, the data processor will delete all copies of information from backup in accordance with the data processor’s planned and systematic deletion of backup.

11.2. The data responsible is at its own costs – assisted by an independent third-party – entitled to oversee that all deletion, as described above has been completed, as informed by the data processor. The data processor is entitled to remuneration for time spent and costs connected to this. The hourly rate is stated in the data processor’s pricelist, which the data responsible has been made familiar with.

11.3. Notwithstanding section 11.1 the data processor is entitled – to the extent necessary to be able to document delivery of services after the agreement, or defend itself against legal claims – to keep a copy of the data responsible’s personal data. In that case, the data responsible’s personal data can solely be processed for the noted purpose, and will cease, when these no longer last.

11.4. The data processor must also ensure that possible sub data processors will not be processing personal data after the expiry of the agreement, unless section 11.2 can be applied.

12. Violation and Responsibility

12.1. The requirements on violation and responsibility of the agreement also apply to the data processor agreement.

13. Entry Into Force and Duration

13.1. Present data processor agreement enters into force at both parties’ physical or electronic signature and endures until the agreement expires.

13.2. Notwithstanding section 13.1 present data processor agreement will stay in force as long as the data processor is in possession of any of the data responsible’s personal data.

14. Applicable Law and Jurisdiction

14.1. The data processing agreement is regulated by Danish law.

14.2. It is agreed that all claims and any disputes, set on the data processor agreement, must be settled at the Danish court.

15. Signatures

15.1. Present data processor agreement is physically or electronically signed in 2 original copies, one for each of the parties.

Data Processors

Introduction

This document lists the data processors and sub-processors Worklife Barometer is using to deliver the Howdy solution.

For each (sub) data processor the following information is listed:

  • Name
  • The purpose of the processing and processing activities
  • Exchanged data
  • Physical location
  • Transfer Policy on transfers outside the EU/EEA
  • Security

Data processors/sub-processors

The following Data processors/sub-processors are used to deliver the Howdy solution:

Microsoft

Microsoft Azure

The purpose of the processing and processing activities:

Microsoft Azure delivers PaaS (The platform, meaning; database, web server, etc.)

Exchanged data: 

All data used and registered in connection to the Howdy solution is stored in Microsoft Azure hosting environment

Physical location:

Microsoft’s data centres in Europe (Holland and Ireland)

Transfer policy:

N/A. Data is processed inside the EU.

Security:

Read more about security, audit of Microsoft and see audit reports:

https://www.microsoft.com/en-us/trustcenter/compliance/soc

https://aka.ms/mssocreports

Microsoft Ireland Operations Limited is Microsoft’s data protection representative in the EU and can be contacted on the following address:

Microsoft Ireland Operations, Ltd.
Attn: Data Protection
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521

The Rocket Science Group, LLC

MailChimp & Mandrill

The purpose of the processing and processing activities:

Email service Howdy is using for email communication (invitations, reminders, resend password, and other similar services)

Exchanged data: 

Email address, First name, Surname, Company, Partner, Type of Transaction, Message content, Pdf-file (Well-being reports)

Physical location:

1526 DeKalb Ave NE, Atlanta, GA 30307, USA

Security:

Read more about security here: https://mailchimp.com/about/security

Twilio

Twilio

The purpose of the processing and processing activities:

The company Twilio delivers a telecom service (text message, voice etc.), which Howdy uses for telecommunication (invitations, reminders, resend passwords, and other similar services).

Exchanged data: 

Mobile phone number, Type of Transaction, Message content

Physical location:

375 Beale Street, Suite 300 | San Francisco, CA 94105

Security:

Read more about security here: https://www.twilio.com/security

Widgix

SurveyGizmo

The purpose of the processing and processing activities:

The company Widgix LLC delivers an online survey tool, which WLB uses for sending out user surveys.

Please note that SurveyGizmo is not an integrated tool in the Howdy solution and is only used in agreement with the client.

Exchanged data: 

First name, Email address and storage of answers

Physical location:

4888 Pearl East Cir. Suite 100, Boulder, CO 80301 USA

Security:

ZenDesk

ZenDesk

The purpose of the processing and processing activities:

The company ZenDesk delivers an online support tool, which WLB uses for the usual end-user support.

Please note that ZenDesk is not an integrated tool in the Howdy solution.

Exchanged data: 

Information the end-user is sending per email as well as WLB’s case handling and further email exchange.

Physical location:

1019 Market St, San Francisco, CA 94103

Security:

RayGun

RayGun

The purpose of the processing and processing activities:

Logging of error messages etc.

Exchanged data: 

IP address, unique ID (for identification)

Physical location:

USA

Transfer policy:

The European Commission’s standard contract

Security:

Read more about security here: https://raygun.com/security

Amazon Web Services

Amazon Web Services

The purpose of the processing and processing activities:

Amazon Web Services delivers PaaS (The platform, meaning; database, web server, etc.)

Exchanged data: 

All data used and registered in connection to the Howdy solution can be stored in Amazon Web Services hosting environment.

Physical location:

Amazon’s data centres in Europe (Currently Germany, Ireland, England and France.) Read more here: https://aws.amazon.com/about-aws/global-infrastructure

Transfer policy:

N/A. Data is processed inside the EU.

Security:

Read more about security here: https://aws.amazon.com/security

Protection & Privacy

Preface

This technical fact sheet addresses the most common security and data protection questions as well as compliance standards, backup procedures and data accessibility.

Data Protection

Data at Worklife Barometer is protected at many levels – from ensuring people cannot gain physical access to our servers to data encryption at your mobile device. We build on top of the best-in-class security practices of the Microsoft Azure Platform. Key words are:

  • 24 hour monitored physical security. Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as natural environment threats.
  • State of the art cyber defences. Intrusion detection and Distributed Denial of Service (DDoS). Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of the data centers.
  • Encrypted communications. Built-in SSL and TLS cryptography encrypts communications within and between system components and datacenters, and from the data center to end-users.

For more information see: http://azure.microsoft.com/en-us/support/trust-center/security/

Compliance

Our data center complies with a wide set of internationally recognized standards including:

  • ISO 27001/27002
  • SOC 1/SSAE 16/ISAE 3402 and SOC 2
  • United Kingdom G-Cloud
  • EU Model Clauses
  • Singapore MTCS Standard
  • ISO/IEC 27001:2005 Audit and Certification
  • Federal Risk and Authorization Management Program (FedRAMP)

For more information see: http://azure.microsoft.com/en-us/support/trust-center/compliance/

Data Backup

Data at Worklife Barometer is always replicated to a minimum of two other servers in our data centers. This ensures that in the event of a hardware failure the system will automatically be able to continue on new hardware without any data loss or downtime for the system.

Furthermore, every night a backup of the data is copied to a secondary data center located in another geographical region. This ensures that the system can resume service in the unlikely event of major natural disaster.

Data Encryption

Whenever data travels – inside the data center or on the Internet – encryption is applied. We use standard TLS 4096-bit encryption between our edge-facing servers and end-user client (mobile apps and web browsers).

Access Control

Strong security measures are in place to ensure no-one gains unauthorized access to the Worklife Barometer Portal.

Information is only available on a need-to-know basis, e.g. agents in a Response Center will only have access to a person’s journal once a new case is opened. When the case is resolved, all access to that person’s journal is revoked as well.

Mobile Website and Apps

End users may register their personal data through mobile apps or through a mobile-enabled website. Both systems use email and a personal 4-digit PIN-code as authentication mechanism.

Whenever a user opens the App or Mobile Website a login prompt shows. Upon successful validation of credentials, the server exchanges the provided credentials with a cryptographically signed token, which gives access to the granted resources for 60 minutes before it expires. After expiry the token becomes invalid and the client must login again in order to obtain a new token.

These systems have a lower authentication level than e.g. the portal. This is to ease the user adoption and participation of the system. For that very same reason the systems are “entry-only” systems. Below is a list of data available on these systems:

  • (read only) Profile information: Name, email, phone number, company name, department
  • (read only) Statistics: Total score of last 20 readings of the person’s wellbeing level (no “highly sensitive health information” is stored)
  • (entry only) Health Information: Answers to health-related questions (the 5 questions that regard the person’s perception of: Happiness, Feeling Relaxed, Energy, Sleep and Motivation)

No health information is stored directly on the mobile devices.

All communication between the systems is encrypted (SSL/TLS RSA 2048 bits) end to end.

Portal Security

The Worklife Barometer Administration Portal is used to gain access to the administrative tasks for company administrators as well as Response Team personnel for handling calls to end users.

Access to this portal is protected by a personal e-mail and password and either an OTP (One-Time Password sent over SMS) or a TOTP (Time-based One-time Password attached to a personal device).

Upon successful validation of credentials, the server exchanges the provided credentials with a cryptographically signed token, which gives access to the granted resources for 12 hours before it expires. After expiry the token becomes invalid and the client must login again in order to obtain a new token.

Some actions performed in the portal may require reentry of credentials in order to complete the intended action.

All communication between the browser and Portal APIs is encrypted (SSL/TLS RSA 4096 bits) end to end.

Information Security Policy

Introduction

This document describes Worklife Barometer’s Information Security Policy, and the document “Manual on Information Security Policy for Worklife Barometer” describes how the Security Policy is implemented.

The purpose of the Security Policy is to indicate to all employees and external business partners that the use of information and information systems is subject to standards and guidelines. Particularly to be noticed is that Worklife Barometer’s core product Howdy is subject to the strictest requirements from the Danish Data Protection Agency, as personal information is being processed.

Worklife Barometer therefore wishes to maintain and continuously expand an IT security level that complies with the legislation at any given time, as well as specific relations emphasised by the Data Protection Agency (up until 25th May 2018) and as regulated under the General Data Protection Regulation after 25th May 2018 (GDPR). To guarantee this, Worklife Barometer is cooperating with the company’s legal adviser, currently the legal company Lundgrens.

Maintenance and development of a high security level is an essential prerequisite for Worklife Barometer to achieve credibility.

To maintain Worklife Barometer’s credibility it must be ensured that information is being processed with the required confidentiality and that complete, accurate and timely processing of approved transactions takes place.

IT-systems are considered to be Worklife Barometer’s most critical resource. The focus is therefore on operation, security, quality, compliance with the law and that the systems are user-friendly, without unnecessarily difficult security arrangements.

An effective safeguard against IT-security threats must be installed, so that Worklife Barometer’s image and the employees’ safety and work conditions are secured in the best possible way. The protection must tackle natural as well as technical and human-induced threats. All persons are considered as being possible reasons for a breach of security; meaning that no group of people will be above the security regulations.

The objectives are therefore to:

  • obtain a high level of security of operation with a high availability percentage and minimised risk of larger breakdowns and data loss,
    i.e. AVAILABILITY
  • obtain correct function of the systems with a minimised risk of manipulations of and errors in data as well as systems,
    i.e. INTEGRITY
  • obtain confidential processing, transmission and storage of data,
    i.e. CONFIDENTIALITY
  • obtain a mutual security around the involved parties,
    i.e. AUTHENTICITY
  • obtain a security for mutual and documentable contact,
    i.e. INDISPUTABILITY

All Worklife Barometer’s employees are explicitly made aware of Worklife Barometer’s Information Security Policy and all Data processors (who are not processing IT Services) used by Worklife Barometer are informed of the company’s Information Security Policy through Data Processor Agreements and Service Level Agreements (SLAs) (where necessary).

Rules and guidelines from the Information Security Policy are continuously incorporated in the relevant applicable rules of the Staff Policy.

Extent

The security concept includes the following:

  • An Information Security Policy, which is approved by the management on the basis of recommendation from the committee for Information Security Policy.
  • Security instructions and procedures formulated by respective business-area-owners from requirements and guidelines described in “Manual on Information Security Policy for Worklife Barometer”

Area of Validity

The policy applies to all Worklife Barometer’s information related activities, whether these are performed by employees at Worklife Barometer or by Data processors used by Worklife Barometer.

Organization and Responsibility

The delegated security related responsibility and the connected authority for this policy is generically described/distributed into roles in “Manual on Information Security Policy for Worklife Barometer”.

Contingency Planning

Disasters are attempted to be avoided through a well-organised surveillance of the utilised IT services. The extent of these precautions is decided from an assessment of risk versus security costs and user-friendliness.

Worklife Barometer’s contingency plan includes the following areas:

  • Damage constricting initiatives
  • Establishment of temporary emergency solutions
  • Re-establishment of permanent solutions

The contingency plans must be continuously updated and tested – minimum once a year.

Sanctioning

Employees violating the applicable Information Security Regulations in Worklife Barometer can be disciplinarily sanctioned. The detailed regulations on this area are determined in agreement with the current Staff Policy.

Appendix 1

The Processed Data

The Personal Data the Data processor is processing on behalf of the Data responsible affects the categories of Personal Data that are transferred to the Data processor in an agreed way.

The item for data processing

The Data Responsible’s employees are offered access to the Howdy platform with access to the modules the Data Responsible has purchased access to.

The duration of the data processing

The data processing commences when the Data Responsible hands over data to the Data Processor.

The data processing ceases when:

  • The agreement between the Data Responsible and the Data Processor expires.
  • The employee accepts the terms and conditions of the Howdy platform and thereby signs up. Hereafter, processing is no longer performed on behalf of the Data Responsible, but the processing of the received data is completed on the basis of the employee’s consent, where the Data Processor under this agreement becomes independent Data Responsible for the processing.

The character of the processing

The Data Processor receives, utilises and stores personal data from the Data Responsible. The data processing is used to offer the Data Responsible’s employees to use the Howdy platform. As part of this processing the employees receive an invitation to use the service on the provided e-mail.

The purpose of the treatment

The purpose of the processing is to offer the Howdy platform to the employees of the Data Responsible.

Type of personal data

As Data Processor, only the data that the Data Responsible provides is stored. This is typically:

Personal data:

  • Organisational ID *
  • First name *
  • Surname *
  • E-mail address *
  • Mobile telephone number
  • Role: Employee / Manager
  • Seniority
  • Date of birth
  • Private zip code + city
  • Health scheme

Organisational:

  • Department hierarchy (Divisions, Departments, Units)
  • Nearest manager
  • Location

* marks the required information for setting up the agreement.

The categories of the registered persons

Employees of the Data Responsible.