Policies:
Controller to Processor
Emoji archive

This Data Processing Addendum (“DPA”) forms a part of the Customer Terms of Service found at https://fibery.io/terms-of-service — unless the Customer has entered into a superseding written master agreement with Fibery Limited (“Fibery”), in which case, it forms a part of such written agreement (in either case, the “Agreement”). By signing the DPA, the Customer enters into this DPA on behalf of themselves, and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Controller Affiliates (defined below).

For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. In the course of providing the Services under the Agreement, Fibery may Process certain Personal Data (such terms defined below) on behalf of the Customer, and where Fibery Processes such Personal Data on behalf of the Customer, the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

The Parties agree that in the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall control.

Applicability

This Addendum will not apply to the processing of Client Personal Data, where such processing is not regulated by EU Data Protection Laws. If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.

How to execute this DPA

  1. This DPA consists of two parts: the main body of the DPA, and Exhibit A, B.
  2. This DPA has been pre-signed on behalf of Fibery.
  3. The Standard Contractual Clauses might be signed where necessary and have been pre-signed by Fibery as the data importer.
  4. Customer has two options to complete this DPA

    1. Complete the information in the signature box and sign on Page 10, then send completed and signed DPA to Fibery by email indicating Customer’s account URL(s) via gdpr@fibery.io. Upon receipt of the validly completed DPA by Fibery at this email address, this DPA will become legally binding.
    2. Provide corresponding consent when signing up for the Service

NOW, THEREFORE, in consideration of the mutual agreements set forth in this document and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:

Definitions

Capitalized terms used but not defined in this Data Processing Amendment have the meanings given elsewhere in the applicable Agreement. In this Data Processing Amendment, unless stated otherwise:

“Additional Products” means products, services and applications that are not part of the Services but that may be accessible via user interface or otherwise, for use with the Services.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"Amendment Effective Date” means the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Amendment in respect of the applicable Agreement.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Controller Affiliate” means any of Customer's Affiliate(s)

  1. (i) that are subject to applicable Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (ii) permitted to use the Services pursuant to the Agreement between Customer and Fibery, but have not signed their own Order Form and are not a “Customer” as defined under the Agreement,
  2. if and to the extent Fibery processes Personal Data for which such Affiliate(s) qualify as the Controller.

“Customer Personal Data” means personal data contained within the Customer Data.

“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, and the United Kingdom, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the GDPR;

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Model Contractual Clauses” means the agreement executed by and between Customer and Fibery, and available as a separate document pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

“Sub-Processor” means any entity engaged by Fibery or its affiliates to Process Personal Data in connection with the Services.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

“Term” means the period from the Amendment Effective Date until the end of Fibery provision of the Services under the applicable Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Fibery may continue providing the Services for transitional purposes.

The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this Data Processing Amendment have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

2. Processing of Personal Data

2.1 Roles of the Parties.

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Fibery is the Processor and that Fibery or its Affiliates will engage Sub-Processors pursuant to the requirements set forth in Section 4 below. List of sub-processors is provided in Exhibit B.

2.1.1.Authorization by Third Party Controller.

If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to Fibery that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Fibery as another processor, have been authorized by the relevant Controller.

2.2 Customer’s Processing of Personal Data.

Customer shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Law. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data.

2.3 Fibery Processing of Personal Data.

As the Customer’s Processor, Fibery shall only Process Personal Data for the following purposes:

  1. Processing in accordance with the Agreement;
  2. Processing initiated by Authorized Users in their use of the Services; and
  3. Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (individually and collectively, the “Purpose”). Fibery acts on behalf of and on the instructions of the Customer in carrying out the Purpose.

2.4 Details of the Processing.

The subject-matter of Processing of Personal Data by Fibery is as described in the Purpose in Section 2.3. The nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Description of Processing Activities) to this DPA.

2.5 Duration of Data Processing Amendment.

This Data Processing Amendment will take effect on the Amendment Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Fibery as described in this Data Processing Amendment.

3. Rights of Data Subjects

3.1 Data Subject Requests.

Fibery shall, to the extent legally permitted, promptly notify Customer if Fibery receives any requests from a Data Subject to exercise the following Data Subject rights in relation to Personal Data: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, Fibery shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under applicable Data Protection Laws. In addition, to the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Fibery shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such a Data Subject Request, to the extent Fibery is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Fibery provision of such assistance, including any fees associated with the provision of additional functionality.

Fibery will, in a manner consistent with the functionality of the Service or per request, enable Customer to access, rectify, and restrict processing of Customer Personal Data.

With respect to the Personal Data under this DPA, Fibery warrants that it will:

  1. only process Personal Data in order to provide the Service, and shall only act in accordance with: (i) this DPA, (ii) the Customer's written instructions as represented by the Main Agreement and this DPA, and (iii) as required by applicable laws;
  2. upon becoming aware, inform the Customer if, in Fibery’ opinion, any instructions provided by the Customer infringe Data Protection Laws or GDPR. In this case, Fibery shall have the right to refuse to execute the infringing instruction.

4. Sub-Processors

4.1 Appointment of Sub-processors.

Customer acknowledges and agrees that:

  1. Fibery Affiliates may be retained as Sub-processors through written agreement with Fibery.
  2. Fibery and Fibery Affiliates respectively may engage third-party Sub-Processors in connection with the provision of the Services. As a condition to permitting a third-party Sub-processor to Process Personal Data, Fibery or a Fibery Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-Processor. In either case, Customer agrees to enter into the Model Contractual Clauses where necessary acknowledges that Sub-processors may be appointed by Fibery in accordance with Clause 11 of Model Contractual Clauses.

4.2 List of Current Sub-processors and Notification of New Sub-processors.

A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible in Exhibit B and will be available in online version of this DPA via https://fibery.io/data-processing (“Sub-Processor List”). Customers with signed DPA will receive notifications of new

Sub-processors before authorizing such new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.

4.3 Objection Right for New Sub-Processors.

Customer may reasonably object to Fibery using a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate applicable Data Protection Law or weaken the protections for such Personal Data) by notifying Fibery promptly in writing within ten (10) business days after receipt of Fibery notice in accordance with the mechanism set out in Section 4.2. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Fibery will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected new

Sub-processor without unreasonably burdening Customer. If Fibery is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable Service which cannot be provided by Fibery without the use of the objected new

Customer any prepaid fees covering the remainder of the term of Service following the effective date of termination, without imposing a penalty for such termination on the Customer.

4.4 Liability.

Fibery shall be liable for the acts and omissions of its Sub-Processors to the same extent Fibery would be liable if performing the Services of each Sub-Processor directly under the terms of this DPA.

5. Data Protection Impact Assessment

Upon Customer request, Fibery shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer obligation under the GDPR to carry out a data protection impact assessment related to Customer use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Fibery. Fibery shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR. Customer shall cover all costs incurred by Fibery in connection with its provision of such assistance.

6. Data Deletion and Return.

6.1 Deletion on Service Expiry.

Subject to Section 6.2 (Deferred Deletion), on expiry of the applicable Service, Customer instructs Fibery to delete all Customer Data (including existing copies) from Fibery systems in accordance with applicable law. Fibery will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage of this Customer Data.

Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the applicable Service expires, any Customer Data it wishes to retain afterwards.

6.2 Deferred Deletion.

To the extent any Customer Data covered by the deletion instruction described in Section 6.1 (Deletion on Service Expiry) is also processed, when the applicable Service under Section 6.1 expires, in relation to an Agreement with a continuing Service, such a deletion instruction will only take effect with respect to such Customer Data when the continuing Service expires. For clarity, this Data Processing Amendment will continue to apply to such Customer Data until its deletion by Fibery.

Return of the Customer Data U pon expiration of the Term as well as during the Term of the Services Agreement, Fibery will provide Customer with access to export Customer Personal data from the Service.

7. Data Transfers

7.1 Data Storage and Processing Facilities.

Customer agrees that Fibery may, subject to Section 7.2 (Transfer Mechanisms), store and process Personal Data in the United States and any other country in which Fibery or any of its Sub-Processors maintains facilities.

NOTE: For customers based in EEA (others per request), Fibery stores Services Data in the Amazon Data center based in Frankfurt (Germany). Fibery may store in all data centers identifying information about Customer’s instance of the applicable Services. See additional details in Exhibit B.

  1. Fibery obligations. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA and the European Data Protection Legislation applies to the transfers of such data, Fibery will ensure that Fibery as the data importer of the Transferred Personal Data enters into Model Contract Clauses with Customer as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses
  2. Customer Obligations. In respect of Customer Personal Data, Customer agrees that if under the European Data Protection Legislation, Fibery reasonably requires the Customer to enter into Model Contract Clauses in respect of such transfers, then the Customer will do so.

7.2 Transfer Mechanisms.

For transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such applicable Data Protection Laws:

  • The Standard Contractual Clauses provided as a separate document apply.

8. Personal Data Breach

8.1 Notification of Data Breach.

Fibery shall, to the extent permitted by law, notify Customer without undue delay upon Fibery or any Sub-Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient

information, to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Assistance to Client.

Fibery shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Security

9.1 Controls for the Protection of Customer Data

Fibery shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Documentation.

Fibery regularly monitors compliance with these measures and will provide the Customer with supporting documentation, such as audit information, where applicable. Fibery will not materially decrease the overall security of the Service during a Service subscription term. Additional information provided in the Model Contractual Clauses. Fibery takes reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality.

9.2 Data Privacy contact

gdpr@fibery.io

Fibery Limited

28 Oktovriou, 2, Flat/Office 101 Egkomi, Makedonitissa, 2414 Nicosia, Cyprus

10. Audit rights

10.1 Subject to this section 10, Fibery shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customers Personal Data by the Sub-Processor.

10.2 Information and audit rights of the Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. List of exhibits:

Exhibit A: Description of Processing Activities

Exhibit B: Sub-Processors

Exhibit C:
The parties' authorized signatories have duly executed this DPA:

On behalf of customer:on behalf of Fibery Limited:
Name: Vadim Gaidukevich
Position: Director
Signature:Signature:

Exhibit A

Description of Processing Activities

Data Subjects

The transferred personal data concerns the following categories of data subjects: the Data Exporter’s end users including employees and contractors; the personnel of the Data Exporter’s customers, suppliers and subcontractors.

Categories of data

The transferred personal data concerns the following categories of data: personal data submitted, stored or sent by the Data Exporter or its end users via the Services including identification and contact data (name, address, title, email, userID); employment details where provided (employer, job title); IT information (IP addresses, usage data, cookies data).

Special categories of data (if appropriate)

None

Processing operations

The transferred personal data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:

  • to identify users when authenticating
  • provide the Services and related technical support services
  • to improve Services.

Exhibit B

Sub-Processors

List of current Fibery Sub-Processors as of the Effective Date:

Core Services Sub-Processors

(providing infrastructure hosting or processing significant amount of Customer Personal Data)
Sub-processor NamePurpose of processingEntity TypeLocation of processingSCC /DPA
Amazon Web Services EMEA SARLData storage and processing – main hosting providerSub-ProcessorGermany*Available
SendGridEmail Delivery for On-Demand ServiceSub-ProcessorUnited States of AmericaAvailable

Ancillary Services Sub-Processors

(providing Processor with internal and supporting processing of insignificant amount of Controller Personal Data or no processing at all for some sub-processors and Categories of Controllers)
Sub-processor
Name
Purpose of processingEntity TypeLocation of processingSCC/DPA
Google, LLCEmail and calendar services, online document storage, advertising servicesSub-ProcessorUnited States of AmericaAvailable
Elasticsearch B.V.Application logs storage and processingSub-ProcessorIrelandNot applicable
Braintree (PayPal (Europe))Payments processingSub-ProcessorIrelandNot applicable
Slack Technologies, Inc.Internal communicationSub-ProcessorUnited States of AmericaAvailable
CalendlyCRM, calls scheduling serviceSub-ProcessorUnited States of AmericaAvailable
UserVoice, Inc.Customer support (decommissioning process)Sub- ProcessorUnited States of AmericaAvailable
Intercom R&D Unlimited CompanyCustomer support and communicationsSub-processorRepublic of IrelandAvailable for US entity
Fibery Inc, USACustomer Support, Sales, HQAffiliateUnited States of AmericaModel Contractual Clauses

* For customers based in the United States (per request), Fibery stores Services Data in the Amazon US data centers. Fibery may store in all data centers identifying information about Customer’s instance of the applicable Services only.

Exhibit C

Technical Organizational Measures

The technical and organisational measures having place in Fibery:

Physical Access Control
No unauthorised access to data processing systems

Office space:

Access via key / RFID chip

System Access Control
No unauthorised system usage
  • Authentication with user and password
  • Multi Factor Authentication (MFA)
  • Firewall
  • Complex passwords
  • Password database (Team password Manager)
  • Technical blocking of the workstation when not active
  • Data carriers of the notebooks are encrypted
  • Comprehensive protection against malware on workstations and servers
Data Access Control
No unauthorised reading, copying, modification or removal within the system
  • Authorisation concepts are updated once a year.
  • Changes and authorisations to the IT system are documented in the ticket system
Data Separation Control
Separate processing of data collected for different purposes
  • Multi-client capability
  • Separate database schema for each client
  • Separate development, test and production systems.
  • Separated data storages by type - user data, user owned data, development data
Transfer control
No unauthorised reading, copying, modification or removal during electronic transmission or transport
  • Remote access via Bastion with 2FA,
  • Secure SMTP server
  • Encryption of the data carriers
  • WLAN WPA2
Input control
Determining whether and by whom personal data has been entered, modified or removed from data processing systems
  • Logging of entries (change history)
  • Logging of access to customer systems
  • Ticket system
Availability Control
  • Comprehensive virus protection
  • Use of firewalls
  • Current emergency manual available
  • Backup and recovery concept
  • copy of Backup into other certified datacenter in the same region
  • Prompt installation of security patches and updates
  • Uninterruptible power supply (UPS)
  • Automated patch management
  • Monitoring systems with alarms
  • Data backup in a secure, off-site location
Rapid Recovery & Restore
  • Restoration from backup and system recovery is carried out as required and documented in the ticket system.
Organisational Control
Data protection management
  • Information security guideline
  • Obligation of employees to maintain confidentiality and telecommunications secrecy
  • Appointment of a data protection officer
  • List of processing activities (Art. 30 GDPR)
  • Organisational and technical measures (Art. 32 GDPR)
  • Risk analysis (Art. 32 GDPR)
  • Data security guidelines
  • Training and sensitisation of employees
  • Notification of security incidents (Art. 33, 34 GDPR)
  • If required: Data protection impact assessment (Art. 35 GDPR)
  • Internal information security audits
  • Internal data protection audits
  • External audits (SOC II)
Privacy-friendly Default Settings
(Art. 25 para. 2 GDPR)
  • SMTP server
  • Web server with SSL (HTTPS)
  • Access to the websites only via (HTTPS)
  • Secure provisioning of end devices (HTTPS/ AES256 token)
  • Encryption of client communication (TLS)
  • WLAN communication WPA2
Order Controls

No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the client, e.g: clear contract design, formalised order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.

Date of document last update: December 2023

Escape scattered tools
Get a single connected workspace where all teams are welcome.