Effective May 25, 2018

These terms apply between ServiceBridge LLC, 343 W Erie St., Suite 600 Chicago, Illinois 60654, US (“ServiceBridge” or “Processor”) and

the customer (“Customer” or “Controller”) who subscribed for and receives ServiceBridge services and who is based in European Economic Area or Switzerland or is otherwise a subject to the territorial scope of the General Data Protection Regulation (GDPR).

These terms supplement the ServiceBridge Terms of Service (Terms of Service) accepted by the Customer when ordering ServiceBridge Services.

WHEREAS:

  • The General Data Protection Regulation (EU) 2016/679 (Regulation) replaces the Data Protection Directive (Directive 95/46/EC) on 25 May 2018 in European Union,
  • The Regulation requires data controllers to use only those data processors who provide sufficient guarantees to implement appropriate technical and organisational measures are implemented in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subjects,
  • The Regulation also requires that the processing of data by a data processor must be governed by a contract, that is binding on the data processor with regard to the data controller and includes obligations for the data processor required by the Regulation,
  • On the basis of the ServiceBridge Terms of Service, Customer as Controller is using ServiceBridge Services who acts as Processor to perform certain data processing activities on behalf of Controller and in accordance with the instructions of Controller,

THEREFORE in order to properly implement the requirements of the Regulation, the Parties entered into these Data Processing Terms (Terms):

  1. SCOPE OF PROCESSOR’S OBLIGATIONS
    1. These Terms provide for obligations of Processor, which the Regulation requires to impose upon data processor, as well as other terms and conditions that Processor must comply with in order to ensure that the Regulation is properly implemented.
    2. These Terms replace all previous obligations of Processor to Controller regarding the processing and protection of personal data, if such were established for Processor by the Terms of Service, ServiceBridge Software Services Agreement or other agreements between Processor and Controller.
    3. The provisions of these Terms shall become binding upon Processor as of 25 May 2018.
  2. SUBJECT MATTER AND DURATION OF THE DATA PROCESSING
    1. The subject matter of the data processing where the Processor is engaged by Controller consist of data processing operations performed by cloud solutions and services provided by Processor to the Controller (“Services”). Services are provided via web browser interface with native mobile apps of iOS and Android. The main modules available as ServiceBridge services are web application module, mobile application module, geo-tracking module, customer portal module, digital forms module, franchise management module, credit card payments processing module, QuickBooks Online two-way sync module. Detailed description of features is provided in ServiceBridge Software Services Agreement.
    2. Processor enables only those data processing operations on behalf of the Controller, which are documented in the ServiceBridge Software Services Agreement, Service Terms or any service change logs as communicated to the Customer.
    3. The data processing conducted by Processor may continue as long as the ServiceBridge Software Services Agreement and/or Terms of Service are in force and customer is a Subscriber of Services.
    4. When the subscription of Services ends, regardless of the legal ground, Processor will terminate all data processing operations on behalf of the Controller, unless the Parties agree on the transitional period for the provision of services, or on the transfer of data to another processor or the continuation, transfer, storage or termination of other data processing operations. In all cases data must be stored by Processor until it is returned (transferred) to Controller or Controller instructs Processor to delete the data. If Controller does not instruct Processor regarding transfer of deletion of data, Processor will keep the Customer data up to 6 months and then remove it permanently.
  3. NATURE AND PURPOSE OF THE DATA PROCESSING, TYPES OF DATA
    1. The data processing activities performed by Processor consists of data processing operations related to provision, support and maintenance of cloud Services offered at ServiceBridge.com, where Processor has access to and control of the infrastructure of the cloud Services, which are used for data processing by the Controller. Details of the functions performed by Processor are described in the ServiceBridge Software Services Agreement, Terms of Service and in the related documentation.
    2. The data processing operations performed by Processor are necessary for Controller in order to manage daily business operations (such as customer orders, employee task, invoicing, etc.).
    3. In accordance with the ServiceBridge Software Services Agreement and these Terms, Processor is entrusted with processing of order, task, invoicing, payment, geo-location tracking of performance, data of Controller’s customers, employees, suppliers and partners.
  4. INSTRUCTIONS FROM DATA CONTROLLER ON DATA PROCESSING
    1. Processor shall process the personal data controlled by Controller and entrusted to Processor only on the documented instructions from the Controller.
    2. Processor must always be prepared to document specific instructions received from Controller, which Controller can provide by email or automated support system of Processor.
    3. Controller’s initial instructions provided to Processor regarding the subject matter, duration, nature and purpose of the data processing, as well as the types of data subjects and data types are specified in the ServiceBridge Software Services Agreement, listing the services and features, which the Controller has ordered. The functional description of Processor’s conducted operations with Controller’s controlled data is provided in the ServiceBridge Software Services Agreement and related documentation.
    4. If Processor does not have instructions on how to process personal data in a particular situation or if any of the given instructions violate applicable data protection laws, Processor shall inform Controller in writing without delay.
    5. Processor may not comply with Controller’s instructions for processing data only in cases where certain data processing operations are required by the EU law or EU Member State law applicable to Processor. In such a case, Processor shall notify Controller about such legal requirement in writing prior to processing the data, unless the applicable law prohibits such information on important grounds of public interest.
    6. Processor must without delay inform Controller if, in his opinion, Controller's instructions violate the Regulation or other applicable data protection provisions of the EU or EU Member State.
  5. PERSONAL DATA CONFIDENTIALITY

    Processor must ensure that only those persons who require direct access to personal data, controlled by Controller and entrusted to Processor, are authorised to access it in order to fulfil the Processor's obligations under the ServiceBridge Software Services Agreement or Terms of Service. Processor ensures that all persons involved in processing of personal data have committed themselves to confidentiality or are under applicable statutory obligation of confidentiality.

  6. SECURITY OF DATA PROCESSING
    1. Processor will implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia as appropriate:
      1. the pseudonymisation and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
    2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
    3. Adherence to an approved code of conduct or an approved certification mechanism, insofar as it complies with the Regulation, may be used as an element by which Processor may demonstrate his compliance with security obligations.
    4. Processor must ensure that any natural person acting under the authority of Processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by applicable European Union or Member State law.
    5. The minimum organisational security measures that Processor must implement and ensure compliance with them are the following:

      Security Management

      1. Security policy. Processor must define its data security policy and revise it, if necessary, annually;
      2. Roles and responsibilities. Roles and responsibilities related to the processing of personal data must be clearly defined and allocated in accordance with the security policy. During internal re-organizations or terminations and change of employment, revocation of rights and responsibilities with respective hand over procedures should be clearly defined;
      3. Access control. Specific access control rights should be allocated to each role (involved in the processing of personal data) following the need to know principle;
      4. Resource/asset management. Processor must have a register of the IT resources used for the processing of personal data (hardware, software, and network). The register shall include at least the following information: IT resource, type (e.g. server, workstation), location (physical or electronic). A specific person should be assigned the task of maintaining and updating the register (e.g. IT officer). IT resources must be reviewed and updated on a regular basis.
      5. Change management. Processor must ensure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). This process must be regularly monitored. Software development should be performed in a special environment that is not connected to the IT system used for the processing of personal data. When testing is needed, dummy data should be used (not real data). In cases that this is not possible, specific procedures should be in place for the protection of personal data used in testing.
      6. Data sub-processors. When the processor uses other data processors, he must have established and documented guidelines and procedures governing the processing of data by other data processors which would apply to data processors. These guidelines and procedures should mandatorily establish the same level of personal data security as mandated in the Processor’s security policy. Processor must require other data processors to immediately notify Processor about personal data breaches, as well as provide evidence of the implementation of appropriate security measures.
      7. Incident response and business continuity

      8. Personal data breaches. Processor must have an incident response plan with detailed procedures defined to ensure effective and orderly response to incidents pertaining personal data. Management must be immediately informed about the personal data breach as well as there must be an established procedure to inform Controller about the incident.
      9. Business continuity. Processor must establish the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
      10. Human Resources

      11. Confidentiality obligations. Processor must ensure that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities should be clearly communicated during the pre-employment and/or induction process.
      12. Training. Processor must ensure that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data should also be properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
    6. The minimum technical security measures that Processor must implement and ensure compliance with them are the following:
      1. Access control and authentication. Processor must install an access control system applicable to all users accessing the IT system must be implemented. The system must allow creating, approving, reviewing and deleting user accounts. The use of common user accounts must be avoided. In cases where this is necessary, it should be ensured that all users of the common account have the same roles and responsibilities. An authentication mechanism must be installed allowing access to the IT system (based on the access control policy and system). As a minimum a username/password combination must be used. Passwords should respect a certain (configurable) level of complexity. The access control system must have the ability to detect and not allow the usage of passwords that don’t respect a certain (configurable) level of complexity.
      2. Logging and monitoring. Log files must be activated for each system/application used for the processing of personal data. They should include all types of access to data (view, modification, deletion). Log files must be timestamped and adequately protected against tampering and unauthorized access. Clocks must be synchronised to a single reference time source.
      3. Security of data at rest. Database and applications servers must be configured to run using a separate account, with minimum OS privileges to function correctly. Database and applications servers must only process the personal data that are actually needed to process in order to achieve its processing purposes.
      4. Workstation security. Users must not be able to deactivate or bypass security settings in computer workstations. Anti-virus applications and detection signatures must be configured on a weekly basis. Users must not have privileges to install or deactivate unauthorized software applications. The system should have session time-outs when the user has not been active for a certain time period. Critical security updates released by the operating system developer must be installed regularly.
      5. Networks and communications security. Whenever access is performed through the Internet, communication must be encrypted through cryptographic protocols (TLS/SSL).
      6. Backups. Backup and data restore procedures must be defined, documented and clearly linked to roles and responsibilities. Backups must be given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data. Execution of backups must be monitored to ensure completeness. Full backups must be carried out regularly.
      7. Application lifecycle security. During the development lifecycle best practises, state of the art and well acknowledged secure development practices, frameworks or standards must be followed. Specific security requirements must be defined during the early stages of the development lifecycle. Specific technologies and techniques designed for supporting privacy and data protection (also referred to as Privacy Enhancing Technologies (PETs)) should be adopted in analogy to the security requirements. Secure coding standards and practises must be followed. During the development, testing and validation against the implementation of the initial security requirements must be performed.
      8. Data deletion/disposal. Software-based overwriting must be performed on all media prior to their disposal. In cases where this is not possible (CD’s, DVD’s, etc.) physical destruction should be performed. Shredding of paper and portable media used to store personal data shall be carried out.
      9. Physical security. The physical perimeter of the IT system infrastructure must not be accessible by non-authorized personnel.
    7. Processor must always take into account the risks that are presented by particular processing operations, and Processor must choose and implement stricter security measures in order to ensure the proper level of security of personal data.
  7. SUB-PROCESSORS
    1. Processor may engage the following sub-processors for certain processing operations:
      1. Devbridge LT, UAB, A. Juozapavičiaus pr. 11D, Kaunas, Lithuania – ServiceBridge group company, who is the main software developer and main subcontractor for support and maintenance service;
      2. Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, US. - provides the cloud infrastructure and services, which are necessary to host the Services and store the data;
      3. Microsoft Corporation Inc., One Microsoft Way Redmond, Washington 98052 - provides the Enterprise Online Services, which are used to set up and provide the Services;
      4. New Relic, Inc, 188 Spear Street, Suite 1200, San Francisco, CA 94105 - provides performance monitoring tools used to ensure the quality and availability of the Services;
      5. Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, - provides fabric.io, Google Analytics, which are used to collect and analyse statistic data;
      6. Zendesk, Inc, 1019 Market Street, San Francisco, CA 94103, United States - provides the support platform used to provide support for the Services.
    2. Controller hereby permits the Processor to engage other sub-processors. Processor shall inform Controller of any intended changes concerning the addition or replacement of other processors, thereby giving Controller the opportunity to object to such changes.
    3. Processor may engage only those data processors who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
    4. Where Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on the sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation. Processor must provide copies of these contracts to Controller on Controller’s request.
    5. Where the sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.
    6. Controller may require Processor to verify Processor’s engaged data processor or to provide the confirmation of the execution of such verification or, if possible, to obtain or assist Controller to obtain findings of external auditor regarding the engaged data processor’s activities in order to ensure compliance with the Regulation and other applicable requirements.
  8. DATA TRANSFER TO THE US
    1. Transfer of personal data by the Controller to the United States under these Terms shall also be governed by Standard Contractual Clauses as approved by the European Commission decision 2010/87/EU, which are incorporated into these Terms as Appendix 1.
  9. PROCESSOR’S ASSISTANCE TO CONTROLLER
    1. Processor will assist Controller in fulfilling its legal obligations under the Regulation and other applicable legislation. If any of the following assistance is not embedded into the Services and require investment from the Processor, the Parties will agree on the terms to enable such assistance.
    2. Processor shall together with Controller cooperate with data protection supervising authority.
    3. Implementation of data subject rights. Processor, taking into account the nature of processing and the information available, assists Controller by employing appropriate technical and organisational measures to the extent possible to fulfil the obligation of Controller to respond to requests of data subjects to exercise their rights under the Regulation (right of access, right to rectification, right to erasure, right to restriction of processing, right to object, right to data portability, where applicable).
    4. Data breaches. In case of personal data breach, Processor must without delay notify Controller about the personal data breach, irrespective of whether the breach is likely to result in a risk to the rights and freedoms of natural persons.
    5. When reporting a personal data breach, Processor must provide at least the following information:
      1. contact details of the person providing a report;
      2. a brief description of the incident;
      3. description of affected data:
        • types of personal data related to the breach;
        • was the data publicly available before the breach, or can easily be collected through publicly available sources;
        • does the data relate to special categories of persons whose personal security or health may be at risk;
        • whether the data affected by the incident was encrypted or was subject to other technical safeguards, if such information is known;
      4. description of the incident:
        • incident time or duration of the incident;
        • type of incident (e.g., loss or abduction of files or devices, disposal before erasing data, disclosure of data to known contacts, data publication, data modification, destruction or restriction of access, premature destruction of data);
        • location of the data (e.g., on a computer, a mobile device, on a network, on a storage medium);
        • where unauthorised access occurred (inside or outside Processor);
        • cause of the breach (mistake or intentional action);
        • volume of personal data and number of data subjects related to the breach;
        • what are the expected consequences of the incident.
    6. Processor is also required to inform Controller about the steps that Processor has taken, proposes to take or that Controller should take in order to reduce or eliminate the negative consequences of the incident and data breach.
    7. Processor must document all personal data breaches, including the facts relating to the personal data breach, its effects and corrective actions taken. Processor, at Controller’s request, must submit these documents to Controller for familiarising, in particular when required by the supervising authority.
    8. Processor must also provide all possible assistance to Controller which is required to properly report the data breach to the data subject.
    9. Data protection impact assessment and prior consultations. Processor shall provide Controller with the necessary assistance in conducting personal data impact assessment on data processing operations, including providing all required technical and other available information about data processing carried out or to be carried out by Processor and consulting on these matters. When Controller performs prior consultations with the supervisory authority, Processor must provide all necessary information which is required for consultations.
    10. Obligations to inform. Processor shall provide Controller with all information necessary to demonstrate that the obligations laid down in this Agreement, the Regulation and other legal acts are being complied with. On Controller’s request, among other things, Processor must provide copies of data protection policies, records of data processing activities.
  10. RIGHTS OF THE CONTROLLER’S DATA PROTECTION OFFICER AND AUDIT
    1. Processor must allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Controller must ensure that such audit or inspection is undertaken during normal business hours and with minimal disruption to the Processor’s business and the business of other clients of the Processor. All information obtained or generated by the Controller or its auditor in connection with such audits and inspections shall be kept strictly confidential (save for disclosure to a regulatory authority or as otherwise required by applicable law).
    2. If results of the audit or inspections are negative, Controller may immediately terminate or suspend these terms and suspend performance of the ServiceBridge Software Services Agreement if after being notified about the negative findings processor is unable to correct them within a reasonable time. In such a case, Processor must immediately implement Controller’s instructions regarding return, storage, restriction of access to, deletion of the data, or implementation of security measures.
    3. Processor’s data protection officer (if appointed), shall cooperate with Controller’s data protection officer (if appointed), exchange information relevant for performance of this Agreement, and consult in case of questions.
  11. CONSEQUENCES OF END OF THIS AGREEMENT
    1. The provisions of these Terms apply as long as Processor processes personal data on behalf of the Controller and until all the requirements of this Agreement are fulfilled.
    2. In case of termination of these Terms, Processor’s obligations to implement appropriate level of security of the personal data may only terminate after the data is returned to Controller (or other person assigned by Controller), or deleted.
    3. At the choice of Controller, Processor shall delete or returns all the personal data to Controller (or other person assigned by Controller) after the end of the provision of services relating to processing, and shall delete existing copies unless EU or Member State law requires storage of the personal data.
    4. Processor must submit a written notice of the measures Processor has taken to erase the data on Controller’s request.
  12. APPLICABLE LAW
    1. These Terms shall be governed and interpreted in accordance with the Regulation.
  13. MISCELANEOUS PROVISIONS
    1. Nothing in this Agreement shall in any way reduce the obligations directly applicable to Processor under the Regulation and the applicable law.
    2. This Agreement may be amended, supplemented or terminated only in writing.

Appendix 1. EU STANDARD CONTRACTUAL CLAUSES (PROCESSORS)