HeroBot GDPR Processing Addendum
HeroBot, Inc. GDPR Processing Addendum
Effective June 15, 2018
What is GDPR?
GDPR stands for General Data Protection Regulation, a law enforced by the EU to protect end users' personal data. The law imposes several requirements on data security. Here we give a guideline on how we protect your data, what our responsibility is and what your responsibility is. We strongly suggest you read all our documentation, or other articles about GDPR, and then decide whether you want to use our application or not. We are not responsible for any negligence or fault in data protection on your side or on any third party's side. Take your time to read the documentation and act wisely; stay safe.
1.1 This Data Processing Addendum represents an addendum to HeroBot’s Master Service Agreement. Under the European Union General Data Protection Regulation (GDPR), HeroBot is the Processor and its clients are the Controller for the processing of Personal Data of EU/EEA residents by HeroBot on behalf of its clients.
1.2 This Data Processing Addendum is an integral part of and incorporated into the MSA.
2.1 The following definitions are used throughout this Addendum:
- “DPA” refers to this Data Processing Addendum.
- “MSA” refers to HeroBot’s Master Service Agreement.
- “Processor” refers to HeroBot.
- “Controller” refers to you, HeroBot’s client, pursuant to the MSA and the party requesting the data processing that is the subject of this DPA.
- “Processing” refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal Data” refers to that information provided by Controller to the Processor relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Data Subject” refers to an identified or identifiable natural person to whom Data relates.
- “Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
3.1 Processor undertakes to process all Personal Data in accordance with GDPR and other applicable laws, statutes and regulations.
3.2 Processor may process the Data only in accordance with the Controller’s documented instructions. Instructions referred to herein are incorporated into the MSA or may be contained within a separate Statement of Work or another written document concluded or exchanged between the Controller and the Processor. The Processing will take place in the United States.
3.3 During the term of this DPA, Controller shall remain the owner of the Personal Data transferred to the Processor. Nothing in this DPA shall be understood to transfer the ownership of the Personal Data to the Processor or any other third party.
3.4 Controller warrants that the Personal Data is obtained and provided to the Processor in accordance with the applicable laws, statutes and regulations and that the contemplated Processing requested by the Controller will not violate any applicable law, statute or regulation.
3.5 For Controllers located in the EU/EEA, the Standard Contractual Clauses adopted by the European Commission (available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087) are an integral part of and incorporated by reference into this DPA and shall apply to the Controller and Processor.
3.6 Personal Data may be processed by the Processor only during the duration of this DPA.
4.1 The Processor shall ensure that all employees, contractors, and other persons operating under the authority of the Processor are bound by a strict confidentiality agreement prior to providing them with access to the Personal Data.
4.2 The Processor shall take steps to ensure that any person acting under the authority of the Processor who has access to the Data does not process them except on instructions from the Controller.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymization and encryption of the Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.2 In assessing the appropriate level of security, the Processor shall consider in particular the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data transmitted, stored or otherwise processed.
6.1 The Processor shall not engage another processor (a “Sub-Processor”) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-Processors, thereby giving the Controller the opportunity to object to such changes. The Controller may object to such changes in writing within fifteen (15) days from receipt of the notice on changes.
6.2 Where the Processor engages a Sub-Processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set forth in this DPA shall be imposed on that Sub-Processor by way of a contract or other legal mechanism, providing sufficient guarantees by the Sub-Processor that it will implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the applicable laws, statutes and regulations. Where any Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-Processor’s obligations.
Data Subject Rights
7.1 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the GDPR.
7.2 The Processor shall:
- Promptly notify the Controller if the Processor or a Sub-Processor receives a request from a Data Subject under GDPR or other applicable law, statute or regulation in respect of the Personal Data; and
- Ensure that the Processor or such Sub-Processor does not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor or Sub-Processor is subject, in which case the Processor shall, to the extent permitted by applicable laws, inform the Controller of that legal requirement before the Processor or Sub-Processor responds to the request.
Data Breach
8.1 The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting the Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform appropriate authorities and Data Subjects where necessary of the Data Breach.
8.2 The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Data Breach.
Data Protection Impact Assessment and Prior Consultation
9.1 The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments, and prior consultations with competent data privacy authorities, which the Controller reasonably considers to be required by the GDPR or equivalent provisions of any other applicable law, in each case solely in relation to processing of the Personal Data by, and considering the nature of the processing and information available to, the Processor.
Deletion or Return of the Data
10.1 Subject to sections 10.2 and 10.3, the Processor and each Sub-Processor, if any, shall promptly and in any event within thirty (30) days of the date of cessation of any services involving the processing of the Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of the Personal Data.
10.2 Subject to section 10.3, the Controller may in its absolute discretion by written notice to the Processor within seven (7) days of the Cessation Date require Processor and each Sub-Processor, if any, to return a complete copy of all Personal Data to the Controller by secure file transfer in such format as is reasonably notified by the Controller to the Processor; and
10.3 The Processor may retain the Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that the Processor ensures the confidentiality of all such Personal Data and ensures that such Personal Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
10.4 The Processor shall provide written certification to the Controller that the Processor has fully complied with this Section 10 within sixty (60) days of the Cessation Date.
Audit Rights
11.1 Subject to provisions of this Section 11, the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor designated by the Controller in relation to the processing of the Data. The Controller shall pay for the costs of any such audit.
13.1 The Controller shall indemnify the Processor and any Sub-Processors from a claim from a third party resulting from a violation of its obligations as a Controller.
13.2 The Processor shall indemnify the Controller from a claim from a third party resulting from a violation of its obligations as Processor.
Miscellaneous Provisions
12.1 Any matter that is not regulated by this DPA shall be governed by the MSA or any Statement of Work or Order concluded or exchanged between the parties to this DPA concerning the specific Processing to be undertaken by the Processor.
12.2 If any part of this DPA is found to be invalid, illegal or unenforceable in any respect, it will not affect the validity or enforceability of the remainder of this DPA or the MSA.
12.3 Any failure to exercise or enforce any right or the provision of this DPA shall not constitute a waiver of such right or provision.
12.4 The section titles in the DPA are for convenience only and have no legal or contractual effect.
Our Action on GDPR
- Collect as little data as possible. Tell the user why specific data needs to be collected.
- Enforce HTTPS.
- Destroy all session and cookies after logout.
- Do not track user activity for commercial purpose.
- Tell users about any logs that save their computer's IP address and location.
- Clear terms and conditions.
- Inform users about any data sharing with third parties.
- Create clear policies about data breaches.
- Delete data on cancelling subscription or account deletion.
- Patch web vulnerabilities.
Supported GDPR Features
Adios, Application: Once you cancel your subscription or delete your account, we give you the option to delete all data existing on or related to your account. Note that this action is irreversible: the moment you say yes, all your data will be erased from the database and server forever. You can back up your data before deleting it in case you re-subscribe or re-register.
Secrecy is my right: We encrypt most of your personal data in the database. If anything bad occurs (a data breach), the hacker will get an encrypted hash, not your personal data in plain text, so your secrecy stays intact even in case of a data breach. Note that some data cannot be encrypted because we need to show it upon login to the account (like the username). We will hide all your personal data as much as possible.
No cookie and session saving: We give you the option to save or not save cookies and the session. Even if you save cookies and the session, they will be destroyed after logout. We strongly suggest you not save your credentials in the browser. Please memorize your credentials or use a tool like LastPass to manage them.
Destroy footprints: We do not save or track any of your activity for any commercial purpose. We may store your login time or IP address for security purposes only. When you delete your account, every single piece of your data will be deleted from the server.
Social engineering is bad: We do not record any of your personal activity on the application. Recording users’ personal activity, analyzing it, and trying to sell a product or motivating users to pursue a certain thought based on the analyzed data is becoming a malpractice. We do not do such things.
Notify me: Get notified by email about all activity relating to your account (account creation, password change). We suggest you change your credentials if anything unusual occurs.
Connect without worry: We enforce HTTPS everywhere. Data sniffing is not possible in this case; even if it were, the sniffer would only get an encrypted hash. So feel safe using our application.
No data collecting: We do not collect any user data. No backdoor, no hidden option to collect data. Once the application is uploaded to the server, even we cannot enter the application without the app admin password. So do not worry about any hidden data leak.
Data breach policy: We implement all the security needed to store your data carefully in the database (data encryption, MySQLi, SQL injection prevention, input checking, etc.). But we do not take any responsibility for data breaches from the server, because it is the total responsibility of the app admin and server admin to secure your data from breaches. Any weak or too predictable password of the app admin or server admin could compromise the database. Any inherent fault in the database configuration can give away the database (MongoDB security fault). Any security flaw on the server can lead to data leaking. Please contact your app admin in this regard.