Data Processing Addendum
Last updated: 23 November 2020
Humaans Software UK LTD (“Humaans Software UK”, “we”, “us”, “our”) has contracted to provide you (“you”, “your(s)”, “user”) with our cloud-based people management software as a service called Humaans through the humaans.io website (“Services”).
Humaans Software UK has agreed to provide Services to you in accordance with the terms of the Terms of Service. In providing these Services, we shall process Personal Data on your behalf. From the date that you agree to the Terms of Service, we will process and protect such Personal Data in accordance with the terms of this Data Protection Addendum for the terms of the Agreement.
Data Protection Terms to be added to Terms of Service:
- For the purposes of these terms, “personal data”, “sub processors” “data subject”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation. Further details around the data processing are set out in the Annex hereto.
- Both of us must comply with all Applicable Data Protection Laws relating to the protection of Personal Data which apply to our respective businesses.
- You warrant that you have the right to transfer your Personal Data to us so that we may lawfully use, process and transfer it in accordance with the Terms of Service on your behalf. You agree that Humaans may engage Sub-processors to process Customer Data on your behalf. The Sub-processors currently engaged by Humaans and authorised by you are listed in the Annex hereto. We will provide notice via this policy of updates to the list of Sub-processors that are utilised or which we propose to utilise to deliver our Services. We will keep this list updated regularly to enable you to stay informed of the scope of subprocessing associated with our Services. You can object in writing to the processing of the Personal Data by a new Sub-processor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If you do not object during such time period the new Sub-processor(s) shall be deemed accepted. We will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor.
- To the extent you upload any content onto our Services containing Personal Data and we are deemed to be a processor of such Personal Data, we will:
- Process such Personal Data to the extent necessary in order to provide our Services to you and in accordance with your instructions;
- Take reasonable appropriate technical and organisational measures against unauthorised or unlawful processing of the Personal Data or its accidental loss, destruction or damage as is appropriate to the harm that might result. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected; Our technical and organizational security measures are described in our Security page.
- Ensure that anyone who has access to and/or processes Personal Data is obliged to keep it confidential;
- Not transfer the Personal Data outside of the European Economic Area without ensuring adequate measures are in place to protect the Personal Data as required by applicable data protection laws;
- Notify you promptly and without undue delay if we become aware of a breach of security which has resulted in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data;
- If you ask us to and in any event of termination of the Terms of Service, delete all copies of the Personal Data, in accordance with the procedures and timeframes specified in our Terms of Service, except to the extent required by applicable law;
- If you ask us to and in any event on termination of the Terms of Service, delete all copies of the Personal Data;
- Provide you with reasonable assistance and information to allow you to comply with your obligations under Applicable Data Protection Law;
- Maintain complete and accurate records and information to show we have complied with these terms; and
- Permit you (or your third party auditor) to audit our compliance with these terms on giving reasonable notice to us, provided that any third party auditor mandated by you to conduct such audit has entered into confidentiality undertakings which are satisfactory to us, the audit is at your expense, and you use reasonable endeavours to ensure that any such audit is designed to minimise disruption to our business.
We use third party sub processors to provide infrastructure services, analytics, customer support and email notifications.
|Entity||Sub Processing Activity||Entity Country|
|Google Ireland Limited||Infrastructure, analytics||Ireland|
|Postmark (Wildbit, LLC)||Transactional emails||USA|
|Stripe Payments Europe, Ltd.||Payment processing||Ireland|
|Intercom R&D Unlimited Company||Customer support, email marketing||Ireland|
Details of the Data Processing
We shall process information to provide the Services pursuant to the Agreement. We shall process information sent by Customer’s end users identified through Customer’s implementation of the Services. As an example, in a standard programmatic implementation, to utilize the Services, Customer may allow the following information to be sent by default as “default properties:”
Types of Personal Data
Please note that the following lists may not be exhaustive.
To use the application, the user who signs up must provide:
- First and last name
- Job role
- Email address
- Company name
- Company address
Once they have signed up, all further data collection is optional, and the list of types of personal data collected can be customized and extended by the user, and it is their responsibility to communicate their requirements on personal data to their employees.
The application encourages but does not require the user to use the service to collect various personal data on employees, including but not limited to:
- First and last name
- Home address
- Personal and professional email addresses
- Personal and professional telephone number
- Date of birth
- Bank account details
- Scan of ID, Passport, Visa or other forms of identification
- Employment details, such as role and compensation
- Time off information, such as holiday or sick days taken
- Personal documents, such as employment agreement and share options agreement
- Next of kin name, telephone number, and email address
Categories of Data Subjects
- Company executives and administrators
- Contractors who the customer wishes to add to the service
- Third-party administrators who the customer consents to provide access to their account