Data Processing Agreement For AskCody Meeting Management and Resource Scheduling Platform
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under the AskCody Terms of Service as stated in ”Service Level Agreement and Terms & Conditions” (”SLA”). This DPA is an amendment to the SLA and is effective upon its incorporation into the SLA, which incorporation may be specified in an Order or an executed amendment to the SLA.
This DPA shall form part of the Main Contract, in cases where
Under this DPA, you, the Client or Purchaser, is Data Controller(s) (hereinafter the "Controller") and AskCody is Data Processor (hereinafter the "Processor").
This DPA supersedes any prior agreements regarding Personal Data security with regard to the Processors Processing of Personal Data on behalf of the Controller.
WHEREAS, the parties acknowledge that the Applicable Data Protection Law requires a Data Processing Agreement between a controller and a processor for the Processing of Personal Data;
AND WHEREAS, for the purposes of fulfilling the Service Level Agreement and Terms & Conditions (or Main Agreement), certain Personal Data for which the Controller is data controller will be processed by the Processor;
AND WHEREAS, the parties hereto have agreed to enter into this DPA with regard to the Processing of Personal Data, as required by the Applicable Data Protection law;
Definitions and interpretations
The following terms in this DPA shall have the following meaning:
Means AskCody, Gasværksvej 30D, DK-9000 Aalborg, Denmark, a Danish Company registered under Company Number DK33757891, AskCody, Inc, One Lincoln Avenue, MA02111, Boston, MA, and any company directly or indirectly owned by AskCody;
“Applicable Data Protection Law”
Means EU Data Protection Directive 95/46/EC, or other EU legislation that may be promulgated from time to time, any national or internationally binding data protection laws or regulations applicable at any time during the term of this DPA on, as the case may be, the Controller or the Processor. “Applicable Data protection laws” includes any binding guidance, opinions or decisions of regulatory bodies, courts or other bodies, as applicable, as well as the European Union General Data Protection Regulation (hereinafter referred to as “GDPR”);
The party hereto as stated above which alone or jointly with others, determines the purposes and means of the processing of Personal Data;
Means an identified or identifiable natural person;
Means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Personal Data Breach”
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
The company within the AskCody Group which is
Means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Means a third-party subcontractor or a company within the AskCody Group engaged by the Processor which, as part of the subcontractor’s role of delivering the services, will Process Personal Data on behalf of the Controller.
Means an independent public authority which is established pursuant to GDPR Article 51
1. Processing of Personal Data
1.1 The Processor guarantees that it has implemented and will continue to implement under the term of this DPA appropriate technical and organizational measures in such a manner that it is Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject.
1.2 The Processor undertakes to only Process Personal Data in accordance with documented instructions in Appendix 1-5 unless required to do so pursuant to the Applicable Data Protection Law. The Processor shall at any time be able to document the specific instructions. The Controller guarantees that it is entitled to process the Personal Data under Applicable Data Protection Law before providing Personal Data to the Processor. The Controller hereby confirms that it is solely responsible for determining the purposes and means of processing Personal Data by the Processor. The Controller’s initial instructions to the Processor regarding the subject-matter and duration of the processing, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects are set forth in this DPA and in Appendix 1 - 4.
1.3 The Processor shall, when processing Personal Data under this DPA, comply with Applicable Data Protection Law and applicable recommendations by the Supervisory Authority or other competent authorities. The Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Law.
1.4 The Processor shall assist the Controller in fulfilling its legal obligations under Applicable Data Protection Law, including but not limited to the Controller’s obligation to respond to requests for exercising the Data Subject's rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased.
1.5 The Processor shall immediately inform the Controller if the Processor does not have an instruction for how to process Personal Data in a particular situation or if any instruction provided under this DPA or otherwise infringes Applicable Data Protection Law.
1.6 If Data Subjects, competent authorities or any other third parties request information from the Processor regarding the Processing of Personal Data covered by this DPA, the Processor shall refer such request to the Controller. The Processor may not in any way act on behalf of or as a representative of the Controller.
1.7 The Processor may not, without prior instructions from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. In the event, the Processor, according to Applicable Data Protection Law, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor shall be obliged to inform the Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.
1.8 Upon the Controller’s reasonable request, the Processor shall implement additional reasonable technical and organizational security measures and adjustments to the processing activities. The Controller shall notify the Processor of any adjustments to the Controller’s instructions concerning security and the processing of Personal Data, without undue delay, for the Processor to enable the necessary amendments to procedures to be implemented.
1.9 The Processor undertakes to make available to the Controller all information and provide all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by the Controller or another auditor mandated by the Controller.
1.10 The Processor will demonstrate its compliance with the obligations in this DPA by certifications issued by approved certification bodies.
1.11 During the duration of the Main Agreement, the Controller grants to the Processor a limited, non-exclusive, non-sublicensable, non-transferable license to capture, copy, store, transmit, maintain, access and display the Controllers Data solely to the extent necessary to provide the Services to the Controller under this main agreement.
2. Data Security
2.1 The Data Processor shall implement technical, physical, and organizational measures to ensure a high level of security of the Personal Data processing and to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The Data Processor's aforementioned security measures shall at all times meet or exceed the (i) requirements of any applicable laws and regulations, and (ii) security measures then prevalent in the Data Controller's industry to which the processing of Personal Data relates to.
The Data Processor shall implement at least the following measures:
- pseudonymize and encrypt the Personal Data where so required under an assignment made in accordance with Appendix 2 and 3;
- ensure at all times the confidentiality, integrity, availability, and resilience of systems and services processing Personal Data;
- restore the availability and access to Personal Data in a timely manner in the event of a Disaster;
- regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing.
2.2 The Data Processor shall ensure that any person acting under the authority of the Data Processor who has access to Personal Data shall not process them except on instructions from the Data Controller unless he or she is required to do so by Laws.
2.3 The Data Processor shall document the activities taken to ensure its compliance with its obligations under this Section 2, and shall ensure such activities have been completed before starting to process the Personal Data, and upon request present the documentation to the Data Controller for review.
3.1 The Controller agrees that the Processor and companies within the AskCody Group respectively may engage the third-party Sub-processors as listed in Appendix 5 in connection with the provision of the services under this DPA and the Main Agreement.
3.2 The Processor may provide the Controller’s Data to third parties that perform operation and development services for the Processor for technical purposes, subject to confidentiality agreements between the Processor and such third parties.
In the event such third parties have/will have access to Personal Data, such third parties shall be identified in Appendix 5 as such and if the Processor is to engage other such third parties in the future, the Processor shall pre-notify the Controller hereof and obtain prior written approval from the Controller before such are engaged. The Controller shall have the right to veto such third parties on reasonable grounds only.
3.3 The Controller agrees that the provision of the Controllers Services can be reliant and/or depending on whether Sub-Processors (3rd party SaaS providers) can use the Controllers Data to carry out any requested task as a part of the Processors Services. The use of Controllers Data is limited to the same extent as the rights thereto are attributed to the Processor, cf. above.
3.4 The list of Sub-Processors is set out in Appendix 5. The Processor shall pre-notify inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors.
Prior to the Processor adding any new Sub-Processor to the list and engaging such, it shall obtain prior written approval or consent from the Controller. The Controller shall have the right to veto such Sub-Processors on reasonable grounds only. In the event the Controller cannot accept such new Sub-Processor, the Processor shall substitute this Sub-Processor with a suitable Sub-Processor not part of the same group as the substituted Sub-Processor.
3.5 The Processor shall ensure that any approved Sub-Processors from time to time are bound by written agreements that require them to comply with corresponding data processing obligations to those contained in this DPA.
3.6 The Processor shall remain fully liable to the Controller for the performance of the Sub-Processor's obligations.
3.7 In addition, the Processor may use data stored on the Services (and statistics about the use of the Services) in order to operate and improve the Services, including for the purpose of verification of compliance with this Service Agreement.
4.1 The Data Processor shall once yearly at the Data Processor’s expense obtain an inspection report from an independent third party with regards to the Sub-Processor's compliance with this Data Processing Agreement and its associated Appendices.
4.2 The Controller can at all time request and download the current available ISAE 3000 report by third party Auditor here: AskCody ISAE 3000 Documentation
4.3 Further, at any time during the term of the DPA, the Data Controller and/or a recognized, independent third party auditor appointed by the Data Controller with proven experience and procedures shall have the right (exercisable by giving prior written notice to the Data Processor, such notice to be given at least fourteen (14) calendar days prior to any audit) to perform audits and inspections of the Data Processor in order to verify compliance of the Data Processor with the DPA and especially with the technical and organizational security measures required to be implemented.
4.4 The Data Processor shall ensure that the Data Controller is able to conduct an audit in accordance with Section 4.3 and undertakes to assist the Data Controller in the execution of such inspections and audits. In the event of an audit request directly from a relevant supervisory authority, the Data Processor shall assist the Data Controller in answering the request and organizing the audit.
4.5 Each Party shall bear its own costs in connection with an audit. However, if there are more than one (1) audit per year, the Data Controller shall bear the costs starting from the second (2nd) audit.
4.6 Audit for Sub-processors: The Controller may request that the Processor audit the Sub-Processor or provide confirmation that such an audit has occurred, or, where available, obtain or assist the Controller in obtaining a third-party audit report concerning Sub-Processor’s operations to ensure compliance with Applicable Data Protection Laws. The Controller will also be entitled, upon written request, to receive copies of the relevant terms of the Processors agreement with Sub-Processors that may Process Personal Data.
4.7 The Data Processor’s and the Sub-Processor’s costs related to audit of the Sub-Processor’s facilities shall not concern the Data Controller – irrespective of whether the Data Controller has initiated and participated in such inspection.
5. Information Security and Confidentiality
5.1 The Processor shall, in order to assist the Controller to fulfill its legal obligations including but not limited to; security measures and privacy impact assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data.
- The measures shall at least result in a level of security which is appropriate taking into consideration:
- the technical possibilities available;
- the cost to implement the measures;
- the special risks involved with the processing of personal data; and
- the sensitivity of the personal data.
5.2 The Processor shall maintain adequate security for the Personal Data appropriate to the risk of processing. The Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of art and the costs of implementation and taking into account the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Processor shall include, inter alia, as appropriate:
- the Pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing Personal Data;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.3 The Processor shall prepare and keep updated an Information Security Policy that maintain compliant with the Applicable Data Protection Law.
5.4 The Processor undertakes not to, without the Controller’s prior written consent disclose or otherwise make Personal Data Processed under this DPA available to any third party, except for Sub-Processors engaged in accordance with this DPA. When new third parties enter into this agreement, the Controller will within a reasonable time be notified and updated. Thirds parties will only be able to enter into this agreement as Sub Processers if the Sub Processer complies with GDPR and a Data Processing Agreements is in place.
5.5 The Processor shall be obliged to ensure that only persons that directly require access to Personal Data in order to fulfill the Processor’s obligations in accordance with the Main Agreement have access to such information. The Processor shall ensure that any persons involved in the Processing of Personal Data have committed themselves to confidentiality or are under a proper statutory obligation of confidentiality.
5.6 The duties of confidentiality set forth in section 5 shall survive the expiry or termination of the DPA.
6. Personal Data Breach
6.1 In case of a Personal Data Breach involving Personal Data Processed on behalf of the Controller the Processor shall be taking into account the nature of Processing and the information available to the Processor assist the Controller in ensuring compliance with the Controllers obligations pursuant to article 33 in the GDPR. Further, the Processor shall notify the Controller without undue delay, but not later than 24 hours (Standard Article 33 GDPR states not later than 72 hours where feasible) after becoming aware of such a Personal Data Breach. The notification shall at least:
- describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the contact point where more information can be obtained; describe the likely consequences of the Personal Data Breach;
- describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.2 Should Controller security team need additional logs for investigation of an incident determined to affect Controllers organization, the Processors security team will coordinate responsibly provide access as needed.
6.3 Where, and in so far as, it is not possible to provide the information listed at the same time, the information may be provided in phases without undue further delay.
6.4 The Data Processor take all the necessary steps to protect the Data after having become aware of the Breach. After having notified the Controller in accordance with above, the Processor will, in consultation with the Controller, take appropriate measures to secure the Data and limit any possible detrimental effect to the Data Subjects. The Processor will cooperate with the Controller, and with any third parties designated by the Controller, to respond to the Breach. The objective of the Breach response will be to restore the confidentiality, integrity, and availability of the Services, to establish root causes and remediation steps, preserving evidence and to mitigate any damage caused to Data Subjects or the Controller.
7. Term and duration
7.1 The provisions in this DPA shall apply during such time the Processor Processes Personal Data on behalf of the Controller.
7.2 Irrespective of the termination of the ‘Main Agreement’ and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by the Data Processor and any sub-processors.
8. Effect On Termination
8.1 Upon termination or expiry of this DPA, the Processor shall cease its processing activities, and, at the choice of the Controller delete or return all the personal data to the Controller and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data. The Processor shall ensure that any Sub-Processor does the same.
8.2 Upon request by the Controller, the Processor shall provide written notice of the measures taken regarding the Personal Data upon the completion of the Processing.
9.1 If a Change Management processes
9.2 Request for change can be submitted and changes made for the following reasons:
- As a result of business requirements or requests by the Processor
- Introduction of new services, products or projects
- Correction of technical problems or improvement of
- Updating of existing services
- Statutory changes or requirements hereunder changes in Applicable Data Protection Law
10. Limitation of Liability
10.1 Limitation of Liability is in accordance with the AskCody SLA and T&C as set forth in article 12.
10.2 For the avoidance of doubt, AskCody, as the Data Processor, is liable in accordance with GDPR art. 82 (or its successor) if applicable.
10.3 Notwithstanding any opposing terms in the contractual basis the Processor shall not be liable to the Controller for any indirect loss, including loss of production, sales, profits, time or goodwill, unless they are caused intentionally or by gross negligence.
11.1 No delay or failure of either party to enforce any provision of this DPA will operate as a waiver of the right to enforce that or any other provision of this DPA, nor will any single or partial exercise of any such rights preclude any other or further exercise thereof. To be effective, any waiver must be in writing, signed by the party providing the waiver.
11.2 In the event that any provision of this DPA is held by a court of competent jurisdiction to be invalid, illegal and/or unenforceable, such provision(s) shall be changed mutatis mutandis and such provision(s) shall be substituted with new provision(s) giving equivalent economic and legal effect as the substituted provision(s), to the extent permissible by law.
11.3 Without prejudice to other provisions of this Agreement, any obligations which either expressly or by their nature are to continue after the termination or expiration of this DPA shall survive and remain in effect.
11.4 This DPA may be executed contemporaneously in one or more counterparts, each of which shall be deemed an original, but which together shall constitute one instrument. The parties may rely on a facsimile or scanned signature to bind the other party and may deliver such signatures electronically.
12.1 All notices, requests, claims, demands and other communications under this DPA from one Party to the other shall be in writing, in English.
13.Governing Law And Dispute Resolution
13.1 If one or more provisions of this DPA is declared to be invalid, illegal or unenforceable in any respect under any applicable law, the validity, legality or enforceability of the remaining provisions contained therein shall not in any way be affected. In such event, the Parties, meaning the Controller and the Processor, shall use its best efforts to immediately and in good faith negotiate a legally valid provision in replacement, without affecting the spirit of this Agreement.
13.2 Governing law and dispute resolution are in accordance with the AskCody SLA and T&C as set forth in article 14.
The authorized signatures for Controller and Processor below signify their acceptance of the terms of this Data Processing Agreement.
Please contact firstname.lastname@example.org to sign DPA
Appendix 1 - Data processing instructions: Purposes and subject matter
AskCody will process Personal Data as necessary to perform the Services pursuant to the agreement, as further specified in the Documentation, and as further instructed by Controller in its use of the AskCody Services.
The purposes of the Processing of data from the Controller is to provide a SaaS Subscription Service (which may include the detection, prevention and resolution of security and technical issues) to deliver a Modern Workplace Platform that reduce office friction, improves work pleasure, productivity, and workplace utilization and otherwise to fulfill the obligations under the terms of service as stated in the SLA and Terms & Conditions or in the Main Contract.
AskCody process data to provide and improve the services we offer and perform essential business operations. This includes operating the services, maintaining and improving the performance of the services, including developing new features, research and providing customer support.
The AskCody Platform consists of different modules and elements that enables organizations to understand their workplace better, seeing it in its full context, including:
- Meeting Room Booking and Management
- Workspace Insights and Analytics
- Meeting Room Displays
- Canteen Management
- Facilities Overview and Management
- Vendor and Service Management
- Visitor Management and Front Desk Software
The SaaS solution integrates seamlessly with Microsoft Outlook, Microsoft 365, and Microsoft Exchange, enabling organizations to transform into a digital workplace. The AskCody SaaS solution comes as a
AskCody uses the information collected from all of the services to provide, maintain, protect and improve them, to develop new ones, and to protect AskCody and our users.
AskCody uses the data we collect for two basic purposes:
(1) To operate our business and provide (including improving and personalizing) the services we offer to you,
(2) to send communications for AskCody solutions, that will help you improve the utilization of the AskCody solution.
In carrying out these purposes, we combine data we collect through the various AskCody services you use to give you a more seamless, consistent and personalized experience.
Providing and improving our services:
We use data to provide and improve the services we offer and perform essential business operations. This includes operating the services, maintaining and improving the performance of the services, including developing new features, research, and providing customer support. Examples of such uses include the following.
We use data to carry out your transactions with us and to provide our services to you. Often, those services include personalized features that enhance your productivity and enjoyment and tailor your service experiences based on your activities, interests, and location.
Customer support. We use data to diagnose service problems and provide other customer care and support services.
Product Activation. We use data - including device and application type, location, and unique device, application, network and subscription identifiers - in order to activate software and devices that require activation.
Service Improvement. We use data to continually improve our services, including adding new features or capabilities.
Security, Safety and Dispute Resolution. We use data to protect the security and safety of our services and our customers, to detect and prevent fraud, to confirm the validity of software licenses, to resolve disputes and enforce our agreements. Our communications and data syncing services systematically scan content in an automated manner to identify suspected spam, viruses, abusive actions, or URLs that have been flagged as fraud, phishing or malware links. We may block the delivery of
Investigations of Questionable Activity. We disclose information that we, in good faith, believe is appropriate to cooperate in investigations of fraud or other illegal activity or to conduct investigations of violations of our user agreements. For example, this means that if we conduct a fraud investigation and conclude that one side has engaged in deceptive practices, we can give that person or entity’s contact information to victims who request it. In addition, we reserve the right to disclose aggregate information and personally identifiable information to third parties as required or permitted by this DPA and when we believe that disclosure is necessary to protect our rights.
Legal Requests. We disclose information in response to a subpoena, warrant, court order, levy, attachment, order of a court-appointed receiver or other comparable legal process (“Legal Request”), including Legal Requests from private parties in a civil action, and in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If the Legal Request seeks information about an identified user or limited group of users, we’ll make reasonable business efforts to contact the user(s) before providing information to the party that requests it. We cannot guarantee that we will be able to contact the user(s) in all cases, whether because of a time limit, court order, inability to effectively contact a user, or for any other reason. We may disclose information to an individual’s agent or legal representative (such as the holder of a power of attorney that an individual grants, or a guardian appointed for an individual).
Business Operations. We use data to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.
Sale of Business. As with any other business, it is possible that in the future we could merge with or be acquired by another company. If such an acquisition occurs, the successor company would have access to the information maintained by us, including customer account information, but would continue to be bound by this Policy unless and until it is amended.
Communications. We use the data we collect to deliver and personalize our communications with you. For example, we may contact you by email or other means to inform you when a subscription is ending, let you know when security updates are available, update you or inquire about a service or repair request, invite you to participate in a survey, or tell you that you need to take action to keep your account active. Additionally, you can sign up for email subscriptions and choose whether you wish to receive communications from AskCody by email.
Advertising. AskCody services are not supported by advertising. We don't use the data we collect to help select ads - whether on our own services or on services offered by third parties. We don't support adds based on your current location, search, or the content you are viewing. We don't target
Appendix 2 – Types of Personal Data
The Data Processor will be processing the following types of personal data:
The Processer use and collect Personal Data from the Controller to operate effectively and provide Controller the best experiences with the services. The Controller provides some of this data directly, such as when you create an AskCody account, submit a room search, order meeting room services, use our web portal, or contact us for support. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device.
Customer may submit Personal Data to the AskCody services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- Professional life data (Meeting data)
- ID data
- Connection data
- Localization data
Meeting data is defined as:
- Organizer name
- Organizer email address
- Meeting Title/Subject
- Visibility (Private/Not Private)
- Start and end times
- Location (e.g. “Meeting Room Charlie”)
- Attendees (Name and email for attendees)
- Resources (Name and email of exchange resources)
- Exchange ID
- Exchange Object ID (Immutable Exchange identifier for the meeting)
The Controller may apply additional controls by changing the permissions of the associated Service Account Processor uses to access Controllers calendar system. When “Private Meetings” are booked with Microsoft 365 and Outlook these meetings stay private.
Appendix 3 - Categories of data and data subjects
The Data Processor will be processing personal data regarding the following categories of data subjects:
The Controller may submit Personal Data to the AskCody Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Employees of Customer and Customer’s Users authorized by Customer to use the Services (who are natural persons)
- Internal service vendors (Canteen, Facilities Management or others)
- Visitor and meeting attendees of Customer (who are natural persons)
The Processor process Personal Data based on Personal Data being defined as:
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier of that person.
The Processor, AskCody, does not process Sensitive Personal Data, following the definition of "Sensitive Personal Data" as personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offenses and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).
The Processor, AskCody, does not process data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including identifiers such as genetic data and all data pertaining to a data subject’s health status.
Categories of Data
The data we collect depends on the services and features used by the Controller and may include the following categories:
o Name and contact data (If you have an AskCody account or is granted with an employer-account). We collect your first and last name, email address, phone number, and other similar contact data.
o Credentials. We collect login and passwords (for admin users) and similar security information used for authentication and account access.
o Billing data (For organizational owner accounts only). We collect data necessary to process your payment if you make purchases.
o Usage data. We collect data about how you and your device interact with our services. This includes data, such as the features you use. This also includes data about your device and the network you use to connect to our services, regional and language settings. It includes information about the operating systems and other software installed on your device, including product keys. And it includes data about the performance of the services and any problems you experience with them.
o Location data. We collect data about your location. Location data includes, for example, a location derived from your IP address or data that indicates where you are located with less precision, such as at a city or postal code level.
o Content. We collect
- Organizer name
- Organizer email address
- Meeting Start Time
- Meeting End Time
- Attendees (Name and email for attendees)
- Resources (Name and email of exchange resources)
- Exchange ID
- Exchange Object ID (Immutable Exchange identifier for the meeting)
- Location (Location String for the meeting)
- Private status (Whether the meeting is private in Outlook. Will mask organizer, subject, location, and description on signage products)
- Description (The meeting description)
A full list of
Appendix 4 - Location of Processing Operations
Personal data collected by The Processor may be stored and processed in either Europe or in the United States, or in any other country where Microsoft Azure has data centers used as Datacenter for Microsoft.
AskCody comes as a Software as a Service is built on Microsoft Azure and hosted in the Microsoft Azure cloud. To get a full list of compliance offering and to find audit information, go to the related certification on https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
In Europe, AskCody utilizes North Europe (Primary) and West Europe (Secondary) Azure regions. (Please see infrastructure document for details - https://www.askcody.com/askcody-on-azure.) The service is fully managed by us. Maintenance and updates are included in your subscription.
In North America, we utilize East US (Primary) and West US (Secondary). Learn more about regions here - https://azuredatacentermap.azurewebsites.net/. Also, this service is fully managed by us. Maintenance and updates are included in your subscription.
Controllers Data will never leave the Data Region on which the Controllers Data is placed based on the location of the Controller, meaning the Customers in Europe will only be using Data Centers in Europe, and Customers in North America will only be using Data Centers in North America.
We benefit from Microsoft’s unmatched scale and experience running trusted enterprise cloud services around the globe. This is why AskCody is built on Microsoft Azure. We leverage Microsoft’s deep investments in technology, operational processes, and expertise to provide a trusted platform for the AskCody solution. With Microsoft as our supplier of cloud services, we can take advantage of the Azure Cloud more quickly while reducing security and compliance costs and minimizing risk to your organization.
We understand that to realize the benefits of cloud computing you as a company must be willing to trust your cloud provider with your data. When you invest in a cloud service, you must be able to trust that your data is safe, that data privacy is protected, and that you own and control your data in all its uses. AskCody is divided into a European and North American setup due to data regulations. AskCody fully supports EU Model Clauses.
All secondary datacenters (West Europe and West U.S.) works as a storage and geographically redundant backup.
In the case of emergency and disaster recovery is needed, the recovery time is 12 hours maximum. Loss of data will be limited to
Replication between primary and secondary datacenters in a Region is happening at a maximum delay of 15 minutes.
Appendix 5 - Sub-processors
AskCody, the Processor, may leverage and use other SaaS-solutions or third party applications, Sub-Processors, to provide limited services on its behalf, surrounding the functionality of the very core of the AskCody suite. Third party applications of this kind could be an email service to send out emails to the users at the right time with the right information, or a Google Analytics, to monitor
The Controller gives the Processor the mandate to enter into agreements with Sub-Processors for the performance of its obligations under this DPA under the condition that the Processor maintains a list of Sub-Processors and notifies any intended changes to the Controller.
These third-party applications from Sub-Processors or other SaaS-vendors can occasionally access limited Controllers data only to deliver the services we have hired them to provide, and are prohibited from using Controllers data for any other purpose.
Any such sub-processors will be permitted to obtain Controllers Data only to deliver the services the Processor has retained them to provide, and they are prohibited from using Controllers Data for any other purpose. In the list below we have listed the purpose of using and leveraging the services.
These sub-processors are required to maintain the confidentiality of Controllers' information and are contractually obligated to meet our privacy requirements meaning all Controllers data are anonymized and/or pseudonymized when a third-party vendor access it.
To ensure sub-processors accountability, we require all sub-processors who handle Controllers data to comply with the same rules and policies that the Processor complies with. For example, sub-processors with access to Controllers data must agree to the EU Model Clauses and GDPR.
This initiative is designed to standardize and strengthen the handling of Controllers personal information and to bring vendor business processes and systems into compliance with those of the Processor.
The list below does not apply to Previews or other services not yet in general release or general availability.
Providers and services:
Postmark – Email Service Provider
Pusher - Websockets Service Provider
Twilio – SMS Service Provider
AppCues - Onboarding and Engagement
Microsoft Azure – Cloud Platform
What is the scope of the processing?
What types of personal data is processed?
What processing (and storage) locations (e.g. country/state) are used?
How is personal data transferred to or access by the sub-processor?
What is the legal basis for transfer of personal data outside the EU/EEA area? (if applicable)
Email Service Provider
Transferred over SSL by the platform when an email is sent
No transfer of PII outside the EU/EEA area
Websocket service provider
Potentially everytime an application uses the pusher service
|No transfer of PII outside the EU/EEA area|
|Phone number + SMS body||
United States of America
Data sent over SSL, every time an SMS is sent
Twilio’s binding corporate rules as set forth at https://www.twilio.com/legal/binding-corporate-rules (“Twilio BCRs”) Standard Contractual Clauses ("SSC") as set forth in Exhibits 2 and 3 attached hereto
Onboarding flows, surveys, and in-app feature announcements
Browser information such as OS, user interaction data, device type, browser language, user agent, IPs, current page url and title. No PII.
United States of America
Via HTTPS/TLS and stored at rest using automated rotating AES-256 keys
|No transfer of PII outside the EU/EEA area|
Cloud Platform Services
· First name
· Last name
· Physical business address
· Organizer name
· Organizer email
· Meeting title / subject
· Start time
· End time
· Attendees (name and email)
· Exchange resource name
· Exchange resource email
· Exchange ID
· Exchange object ID
Ireland, and Amsterdam
Internally by applications running in the cloud
|No transfer of PII outside the EU/EEA area|
Appendix 6 – Data Security
This Appendix 6 (Data Security) sets out the minimum security requirements that the Data Processor and its sub-processors will adhere to in relation to the processing of personal data.
AskCody, as the Data Processor shall ensure by itself, and on behalf of all its Sub-processors, that AskCody, as the the Data Processor always complies with the following minimum-security requirements:
AskCody leverages the Microsoft Azure platform, and all implemented security features available on Microsoft Azure.
As such AskCody has security features in place including but not limited to firewall, DDOS protection, Antimalware protection, anomaly detection on server behavior and anti-virus.
Further, AskCody has access restrictions implemented throughout the platform in terms of authenticating both users and applications access to services which interact with data.
AskCody monitors every service and has alarm systems in place if anything out of the ordinary occurs, and continuously evaluates the measures in place based on the implemented Information Security Policy.
Every application in AskCody's services has logging services implemented, which record all operations on the data.
Services have both audit logs and application logs, logging historical events.
Further access to manipulating data is restricted to specific user roles and hence governed by managed access in the form of both implemented systems and organizational structures, preventing unintended and/or malicious or accidental access to data.
Being a multi-tenant environment and SaaS application AskCody's data architecture ensure the integrity and isolation of Customer's data by separating data logically based on UUIDs so customer data are separated logically and secured from other customers. Each customer therefore shares the cloud platform and application, but each tenant’s data is isolated and remains invisible to other tenants.
AskCody leverages different technologies in terms of securing data, depending on the nature of the data. All databases are encrypted. Data stored in the database is further encrypted using industry-standard encryption algorithms.
Extremely sensitive data such as Exchange Credentials for Basic Auth are secured by an encryption service, using Microsoft Key Vault and Hardware Secured Modules.
AskCody has confidentiality agreements with all employees and all AskCody employees are required to use two-factor authentication and strong passwords that are unique from other services.
Furthermore, AskCody maintains automatic access and security logs in multiple locations.
Customer data access is governed by our documented security policies and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and requires public key authentication.
Individual employee access follows a principle of least access, and access rights are reviewed quarterly.
All data at rest are encrypted using best practice encryption algorithms or AES 256.
Public Key: AES-256
Private Key: RSA2048
All backup data is encrypted using TLS+1.2.
All data in motion is encrypted using TLS 1.2+ and encrypted at rest using best practice encryption algorithms (AES-256)
AskCody has a DPA in place for all Sub-processors. This DPA requires all the Sub-processors to comply with the EU Model Clauses and GDPR. An updated list of all third party and providers is available at www.askcody.com. Customers may request that AskCody audit third-party providers / sub-processors, or provide confirmation that such an audit has occurred, or, where available, obtain or assist the customers in obtaining a third-party audit report concerning the sub-processors operations, to ensure compliance with applicable data protection laws. Customers will also be entitled, upon written request, to receive copies of the relevant terms of AskCody's agreement with Sub-processors that may process personal data
Isolation (purpose limitation)
AskCody has implemented user roles granting access to individual parts of the system. This includes employees managing the product, and employees at AskCody maintaining the product. Authorization to any given data is granted only if the user has access to said data, as such personal data can only be accessed by either a person with adequate roles (Customer Owner, Administrator etc.) or AskCody employees with special work tasks. This includes employees in Support, in order to give meaningful support and some developers for advanced support or development.
To administrate this privileged access, organizational structures are in place to govern who is granted access to what in accordance with our Information Security Policy.
All Personal Data in the AskCody platform is based on the integration with either Microsoft Exchange or Active Directory. Both systems are systems and platforms, that Customers fully manages themselves, therefore having the full ability to access, rectify, delete, block and manage the processing of personal data. Full access to all data types and data subjects is therefore controlled by the Customer.
AskCody supports export of data in CSV.
AskCody has audit logs on all applications as well as application logs detailing what the application has done. Further, access to any services, such as specific Microsoft Azure Services or AskCody administration features, has been granted based on organizational investigations. As such only the relevant and required amount of people have access to any given service.
Data retention and deletion
AskCody stores all data with redundancy on Microsoft Azure. Our databases support point-in-time backups to the minute, with 31-day retention. All data is stored digitally and as such can easily be deleted or moved.
Resilience of systems
All AskCody services operate on a redundant server setup on Microsoft Azure. For European customers and users, the primary server cluster is Europe NORTH and our secondary backup is Europe WEST. For customers in North and South America, the primary server cluster is East US and our secondary backup is West US.
The availability of this system is guaranteed through the Microsoft Azure Cloud.