DATA PROCESSING ADDENDUM
This Data Processing Agreement (“DPA”) is made and entered into effect as of the date signed below. This DPA supplements the terms of the Service Agreement between Totango and the legal entity defined as “Customer” thereunder (the “Agreement”) under which Totango provides services to the Customer (collectively, the “Services”), and this DPA forms part of that Agreement and is governed by the terms thereof. You acknowledge that you, on your own behalf as an individual and on behalf of Customer, have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with Totango, as defined below (“Totango”), to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below). Both parties shall be referred to as the “Parties” and each, a “Party”.
This DPA applies only to Customer Data (as defined in the Agreement) that includes (or might potentially include) Personal Data in circumstances where the Processing of that Personal Data is subject to Data Protection Legislation. If this DPA is inconsistent with any provision of the Agreement, the parties intend this DPA shall prevail to the extent of such inconsistency. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.
1. DEFINITIONS
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the Data Protection Legislation of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Totango, but which has not signed its own agreement with Totango.
- “CCPA” means the California Consumer Privacy Act of 2018 and its modifications and amendments (including the California Privacy Rights Act).
- “Data Privacy Framework” or “DPF” means the EU-US Data Privacy Framework as adopted by the European Commission on July 10, 2023, and/or the Swiss-US Data Privacy Framework. “UK Extension” means the United Kingdom's extension to the EU-US Data Privacy Framework.
- “Data Protection Legislation” means GDPR, CCPA, the United Kingdom, and the Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (including Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and Privacy Protection Regulations (Data Security), 5777-2017), and any binding instructions, guidelines and requirements of the Israeli Privacy Protection Authority, as applicable to the Processing of Personal Data under the Agreement.
- “GDPR” means Regulation (EU) 2016/679, as updated, amended, replaced or superseded from time to time.
- “Member State” means a country that belongs to the European Union and/or the European Economic Area.
- “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here, as updated, amended, replaced or superseded from time to time by the European Commission; or (ii) where required from time to time by a supervisory authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Regulatory Authority or Data Protection Laws and Regulations.
- “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time, and accessible at Annex II to the Standard Contractual Clauses attached to this DPA, or as otherwise made reasonably available by Totango.
- “Sub-processor” means any Processor engaged by Totango to Process Personal Data.
- “Supervisory Authority” means an independent public authority which is established pursuant to Data Protection Legislation.
- “Totango” means the relevant Totango entity of the following: Totango, Inc., and Totango Metrics, Ltd.
- “Totango Group” means Totango and its Affiliates engaged in the Processing of Personal Data.
- “UK GDPR” means the Data Protection Act 2018, as updated, amended, replaced or superseded from time to time by the ICO.
- “UK Standard Contractual Clauses” or “UK SCCs” means the standard contractual clauses for the transfer of Personal Data to data processors established in third countries which do not ensure an adequate level of protection as set out by the ICO, as available here, as updated, amended, replaced or superseded from time to time by the ICO.
- “Union” means the European Union.
“Consumers”, “Sell”, and “Service Provider” shall have the meaning set forth in the CCPA.
“Controller”, “Data Subject”, “Personal Data”, “Process(ing)”, and “Processor” have the meaning set forth in GDPR. For the purposes of this DPA only, and except as indicated otherwise, the term “Controller” shall include Customer and its Authorized Affiliates.
2. PROCESSING OF PERSONAL DATA
- Roles of the Parties. For all Personal Data provided to Totango by or on behalf of the Customer for Processing under the Agreement, the Parties intend that Customer is the Controller and Totango is the Processor and, with respect to the CCPA, a “service provider” as defined therein. Totango or members of the Totango Group may engage Sub-processors pursuant to the requirements set forth in Section 5 below. For clarity, this DPA shall not apply with respect to processing activity involving Personal Data of which Totango is a Data Controller under its Privacy Policy.
- Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of all applicable Data Protection Legislation and comply at all times with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Legislation. Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to Totango the Personal Data and to authorize the Processing by Totango of the Personal Data which is authorized in this DPA. Customer shall have sole responsibility for: (a) any and all instructions regarding Processing of Personal Data it gives Totango; (b) the means by which Customer acquires Personal Data; and (c) determining whether Customer has a legal basis for collecting, Processing, and transferring such Personal Data to Totango.
- Totango’s Processing of Personal Data.
- Subject to the Agreement, Totango shall Process Personal Data that is subject to this DPA only in accordance with Customer’s or an End User’s documented instructions, including electronic instructions in the Totango Service, as necessary for the following purposes: (a) to provide the Services; (b) for Customer to be able to use the Services; (c) to comply with other documented reasonable instructions provided by Customer (e.g., via email); and (d) as required by applicable Data Protection Legislation to which Totango is subject. Totango shall inform the Customer of the legal requirement before processing, unless applicable law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Annex I to the Standard Contractual Clauses attached to this DPA.
- To the extent that Totango cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer and/or its End Users relating to Processing of Personal Data, or where Totango considers such a request to be unlawful: (a) Totango shall inform Customer, providing relevant details of the problem (but not legal advice); (b) Totango may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data); and (c) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay Totango all amounts owed prior to the date of termination. Customer will have no further claims against Totango (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
- Totango will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Totango, to the extent that such is a result of Customer’s instructions.
- Details of the Processing. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Annex I to the Standard Contractual Clauses attached to this DPA.
3. RIGHTS OF DATA SUBJECTS
- Data Subject Request. If Totango receives a request from a Data Subject to exercise its rights as laid down in Chapter III of the GDPR (“Data Subject Request”), Totango shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Totango shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Totango’s provision of such assistance.
4. TOTANGO PERSONNEL
- Confidentiality. Totango shall grant access to Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure or are under an appropriate statutory obligation of confidentiality.
- Totango may disclose and Process the Personal Data (a) as permitted hereunder; (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Legislation (in such a case, Totango shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest); or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors, or potential acquirers.
5. AUTHORIZATION REGARDING SUB-PROCESSORS
- Totango's current list of Sub-processors is available on Totango's website at: https://www.totango.com/subprocessors/ and included in Annex III to the Standard Contractual Clauses attached to this DPA (“Sub-processor List”) and is hereby approved by Customer. Customer hereby agrees to subscribe for updates to the Sub-processor List using the mechanism on the webpage listed above.
- Customer hereby grants Totango a general written authorization to appoint new Sub-processors and to update the Sub-processor List, and Totango will provide notice to Customer of any such updates (if Customer registers to receive such notifications in accordance with Section 5.1. above). If Customer’s Personal Data is subject to Data Protection Legislation, Customer may reasonably object to Totango’s use of a new Sub-processor by providing a written objection related to the Data Protection Legislation to [email protected] within 10 days of Totango sending the notice. In the event Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentence, the Parties will work together in good faith to find a solution to the issue in question. If the Parties do not resolve the issue, Customer may, as its sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Totango without the use of the objected-to Sub-processor, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Totango. Until a decision is made regarding the Sub-processor, Totango may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Totango due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph. If Customer does not send notice objecting to a new Sub-processor within the said 10 days, the new Sub-processor will be deemed accepted by Customer.
- This Section 5 shall not apply to subcontractors of Totango which provide ancillary services to support the performance of the Service or the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
6. SECURITY
- Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Totango shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation attached hereto as Annex II to the Standard Contractual Clauses, which is hereby approved by Customer. Upon Customer’s request, at reasonable intervals and at Customer’s sole expense, Totango will use commercially reasonable efforts to assist Customer in ensuring compliance with Customer’s obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Totango.
- Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Totango shall make available to Customer (provided Customer is not a competitor of Totango) a copy or a summary of Totango’s then most recent third-party audits or certifications, as applicable. Any such information shared by Totango, and any such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, will be Totango’s Confidential Information and subject to the applicable terms of the Agreement. Upon Totango's first request, Customer shall return all records or documentation in Customer's possession or control provided by Totango in the context of an audit and/or a certification. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation personal data, that does not belong to Customer. Nothing in this DPA will require Totango either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Totango; (ii) Totango’s internal accounting or financial information; (iii) any trade secret of Totango; or (iv) any information that, in Totango’s sole reasonable discretion, could compromise the security of any of Totango’s systems or premises or cause Totango to breach obligations under any applicable law or its obligations to any third party.
- Data Protection Impact Assessments. At Customer’s cost and expense, Totango shall provide Customer with reasonable assistance to perform data protection impact assessments in relation to the Processing of Personal Data pursuant to the Agreement.
7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
- Totango shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (a “Personal Data Incident”). Totango shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Totango deems necessary, possible, and reasonable in order to remediate the cause of such a Personal Data Incident, to the extent the remediation is within Totango’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or its users or are otherwise unrelated to the provision of the Services. Customer shall be solely responsible for notifying Supervisory Authorities and/or Data Subjects of any Personal Data Incident (where required by Data Protection Legislation).
8. RETURN AND DELETION OF PERSONAL DATA
- Subject to the Agreement, Totango shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Totango may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Totango’s Customers.
9. AUTHORIZED AFFILIATES
- Contractual Relationship. The Parties acknowledge and agree Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between the Authorized Affiliate and Totango. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA, and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
- Communication. Customer is and shall at all times remain responsible for coordinating all communications with Totango under the Agreement and this DPA and shall be entitled to make and receive all communications in relation to this DPA on behalf of its Authorized Affiliates.
10. TRANSFER OF DATA
- Totango will store Customer Data in the service region selected by Customer and will not transfer Customer Data to Other Countries (as defined below), except to the Sub-processors or at Customer’s or an End User’s direction, or as required by law. For purposes of this section, “transfer” shall not include (a) any transfer of Customer Data in or through the Service in accordance with the digital instructions of the Customer or an End User, and/or (b) use of the Service by an End User outside the service region.
- Transfers to countries that offer an adequate level of data protection: Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, “EEA”) and the United Kingdom to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
- Totango has self-certified as part of the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK Extension and, as such, Totango adheres to the Data Privacy Framework Principles. Our Data Privacy Framework certification is available at https://www.datprivacyframework.gov/. Totango therefore transfers Personal Data to the United States under the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK Extension, which have been declared adequate by the European Commission, without any further transfer mechanism being necessary. The Parties hereby decide to execute the SCCs, which shall apply to the transfers subject to this Section 10 and Schedule 3 in the event that a Supervisory Authority invalidates the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and/or the UK Extension in such a way that, following the invalidation of the mechanism in question, the transfer of the Personal Data subject to it would be unlawful without an alternative mechanism.
- Transfers to other countries: If the Processing of Personal Data includes transfers from the EEA to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with the below terms that shall apply:
- With respect to the EU transfers of Personal Data, Customer as a Data Exporter (as defined in the SCCs) and Totango on behalf of itself and each Totango Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the Standard Contractual Clauses set out in Schedule 3. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this DPA, the terms of the Standard Contractual Clauses shall take precedence.
- With respect to the UK transfers of Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), Customer as a Data Exporter (as defined in the SCCs) and Totango on behalf of itself and each Totango Affiliate (as applicable) as a Data Importer (as defined in the SCCs), hereby enter into the UK Standard Contractual Clauses set out in Schedule 3. To the extent that there is any conflict or inconsistency between the terms of the UK Standard Contractual Clauses and the terms of this DPA, the terms of the UK Standard Contractual Clauses shall take precedence.
11. TERMINATION
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.3.3, 2.3.4, 8, 11, 13 and 14 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately from the Agreement, except where the Processing ends before the termination of the Agreement, in which case this DPA shall automatically terminate.
12. CCPA
To the extent that the Personal Data is subject to the CCPA, Totango shall not sell or share Customer's Personal Data. Totango acknowledges that when processing Personal Data in the context of the provision of the Services, Customer is not selling or sharing Personal Data to Totango. Totango agrees not to retain, use or disclose Customer Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for no other commercial or Business Purpose; or (iii) outside the direct business relationship between Totango and Customer. Notwithstanding the foregoing, Totango may use, disclose, or retain Customer Personal Data to: (i) transfer the Personal Data to other Totango entities (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Customer; (ii) comply with, or as allowed by, applicable laws; (iii) defend legal claims or comply with a law enforcement investigation; (iv) for internal use by Totango to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (v) detect data security incidents, or protect against fraudulent or illegal activity; and (vi) collect and analyse anonymous information. Totango shall use commercially reasonable efforts to comply with its obligations under the CCPA. If Totango becomes aware of any material applicable requirement (to Totango as a service provider) under the CCPA that Totango cannot comply with, Totango shall use commercially reasonable efforts to notify Customer. Upon Customer’s written notice, Totango shall take commercially reasonable and appropriate steps to stop and remediate Totango’s alleged unauthorized use of Personal Data; provided that Customer must explain and demonstrate in the written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons.
Totango shall use commercially reasonable efforts to enable Customer to comply with consumer requests made pursuant to the CCPA. Notwithstanding anything to the contrary, Customer shall be fully and solely responsible for complying with its own requirements under the CCPA. “Business Purpose” means the Processing activities that Totango will perform to provide Services (as described in the Agreement), this DPA and any other instruction from Customer, as otherwise permitted by applicable law, including the CCPA and the applicable regulations, or as otherwise necessary to provide the Services to Customer.
13. MISCELLANEOUS
This DPA may be amended at any time by a written instrument duly signed by each of the Parties. Totango may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Totango obligation hereunder may be performed (in whole or in part), and any Totango right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Totango. The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA. You, as the signing person on behalf of Customer, represent and warrant that you have, or you were granted, full authority to bind the Customer and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Customer and/or its Authorized Affiliates, you shall not supply or provide Personal Data to Totango. By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that Totango processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
14. LIMITATION OF LIABILITY
Each Party’s and their Affiliates’ aggregate liability arising out of or relating to this DPA (including the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
List of Schedules
- SCHEDULE 1 - DETAILS OF THE PROCESSING
- SCHEDULE 2 - SUB-PROCESSOR LIST
- SCHEDULE 3 - STANDARD CONTRACTUAL CLAUSES
Customer:
Signature:
Customer Legal Name:
Print Name:
Title:
Date:
Totango Inc.:
Signature:
Legal Name:
Print Name:
Title:
Date:
Totango Metrics Ltd.:
Signature:
Legal Name:
Print Name:
Title:
Date:
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter. Totango will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
- Performing the Agreement, this DPA and/or other contracts executed by the Parties, including providing the Service(s) to Customer and providing support and technical maintenance, if agreed in the Agreement.
- For Totango to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing. Subject to any provision of this DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Totango will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Full name
- Username
- Email address
- Title / job position
- Customer details (to the extent that includes Personal Data)
- LOU services:
  - User ID (random number generated by LOU services)
  - Usage information, actions of the end users with the in-app experience and analytic results of the in-app experience (to the extent that includes Personal Data).
  - Any information that you decide to request or collect in the context of the in-app experience.
- Any other Personal Data or information that the Customer provides or instructs Totango to Process in the context of the Services.
For the avoidance of doubt, the log-in details to Totango’s platform are subject to Totango’s privacy policy available here: https://www.totango.com/privacy-policy? and not to this DPA.
Notwithstanding anything to the contrary, Customer acknowledges that the same personal information or Personal Data provided by Customer or processed on behalf of Customer may have already been (or will be) provided by other customers or clients to Totango, or may have already been (or will be) collected by Totango independently or from other customers or clients, or may be available on public sources. For avoidance of doubt, this data and information may be collected, used and processed by Totango and/or disclosed by Totango to third parties and other customers or clients without this being deemed a breach of this DPA and/or the Agreement.
Categories of Data Subjects. Customer and its End Users may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Customer’s customers and End Users.
- Customer’s employees and contractors authorized by Customer to use the Services
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
The frequency of the transfer. Continuous basis.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. As described in this DPA and/or the Agreement.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing. As detailed in Schedule 2.
SCHEDULE 2 – SUB-PROCESSOR LIST
The controller has authorized the sub-processors listed at https://www.totango.com/subprocessors
SCHEDULE 3 - STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
a) The Standard Contractual Clauses (Controller-to-Processor and/or Processor to Processor), as applicable, will apply, with respect to restricted transfers between Customer and Totango that are subject to the EU GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Totango (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 13: the relevant option applicable to the Customer, as informed by Customer to Totango; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Totango as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Totango as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Ireland supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as follows:
As an industry leading customer success solution provider, we understand that our clients are entrusting us with sensitive and confidential business data. To that end, we are committed to support industry leading security practices, to ensure our customers’ information is kept safe.
Totango has based our security management practices on the ISO 27001 standard for information security management systems (ISMS). By following this framework, our team performs the following high-level activities on a regular basis:
- Performing regular security reviews internally and with external auditors to ensure ongoing governance and risk mitigation
- Performing ongoing monitoring and analysis of our network infrastructure to detect threats and suspicious activities
- Performing ongoing and onboarding security training for our staff
- Practicing secure development and ongoing security threat analysis on our software and infrastructure
Following are key practices and principles of our security program:
Data Center & Physical Security
Totango is hosted on Amazon Web Services (AWS) infrastructure, an industry leading provider of data center services. AWS provides a rich set of security and compliance controls for their data centers, as explained on their website.
This includes physical security and environmental controls to ensure the data is kept safe from human attack and environmental hazards.
Data access and Encryption
All customer data stored in Totango is encrypted using strong encryption. This relates to both “in-flight” (network traffic) and “at rest” (stored on disk) data.
Only our technical staff has access to customer data, and our team is trained to review customer data only for the purpose of troubleshooting in relation to a customer support case. Access to customer data is audited and we review these logs regularly to ensure compliance. Technician-level access to data is only possible using a secure connection and multi-factor authentication (MFA).
Secure Software Development
Any new feature and product enhancement we implement goes through a security review during design. Additionally, any code committed to our code base goes through a code-review process ensuring code quality and adherence to standards. We also perform regular penetration testing and automatic scanning to validate no security vulnerabilities exist in our platform.
Network Security
Our data center is protected with firewalls, shielding customers from attacks or scans. Technician-level access is only available through our VPN, requiring two layers of authentication (MFA) just to gain basic network access.
System Monitoring, Logging and Alerting
We perform extensive monitoring and logging of our servers and the applications running on them. This includes monitoring of basic server metrics (CPU, memory), access logs and application-level logs. All telemetry data is centralized and we use an extensive alerting framework to be alerted of any critical item.
Backup
All customer data is backed up daily. Backup data is stored securely, in an encrypted fashion in our Amazon data center. We perform regular restore tests to ensure our backup procedure is sound.
Employee Training and Security
Totango technical staff goes through security training upon joining our organization and at least annually during regular training. All employee computers and laptops are centrally managed to ensure critical OS and application patches are installed, antivirus software is properly running and configured, strong login passwords and disk encryption are enabled, and other critical policies are enforced to ensure employee devices are kept secure.
All employees go through background and reference checks upon hiring, as allowed by local employment rules.
Compliance
Totango is ISO-27001 certified and uses that as our security framework. Additionally, our hosting provider AWS has obtained the relevant compliance levels as listed here.
Need more info?
We care deeply about security and are happy to engage clients with additional information. Feel free to reach out at [email protected] to get in touch!
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-Processor List) of this DPA.
UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
a) The UK Standard Contractual Clauses (Controller-to-Processor and Processor to Processor), as applicable, will apply with respect to restricted transfers between Customer and Totango that are subject to the UK GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Totango (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (v) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c) Annex I.A: With respect to Module Two: Data Exporter is Customer as a data controller and the Data Importer is Totango as a data processor. With respect to Module Three: Data Exporter is Customer as a data processor and the Data Importer is Totango as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the ICO supervisory authority.
f) Annex II of the UK Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the UK Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.