Data Processing Addendum Appendices
Appendix 1
Description of processing activities, purposes, processed personal data and special categories of personal data
Within the context of data processing, the following processing of data is carried out on behalf of the Principal:
Categories of processing:
To provide the Clarisights platform to the Principal
☑️ Initial collection of personal data
☑️ Storing of personal data
☑️ Disposal of personal data
☑️ Organisation/structuring
☑️ Adaptation/alteration
☑️ Retrieval/consultation
☑️ Restriction
🔲 Cloud services
🔲 Data enrichment
🔲 Other:
Categories of data subjects:
To provide the Clarisights platform to the Principal
🔲 Prospective Customer
🔲 Customer
☑️ Employee
🔲 Applicant
🔲 Supplier
🔲 Restaurants
🔲 Children
🔲 Other:
Categories of personal data:
To provide the Clarisights platform to the Principal
☑️ Contact details (Name, Surname, E-Mail Address)
☑️ Technical Data (IP Address)
🔲 Geolocation data (Lat/Lon, Address, Postal Code, City etc.)
🔲 Financial data (IBAN, Bank account number, Bank identification number etc.)
☑️ Audio / Video Data (User session recording only)
🔲 Profile Data (performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movement)
🔲 Employee Data (Performance, Salary)
🔲 Sensitive Data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation)
🔲 Other:
Categories of recipients to whom the personal data have been or will be disclosed:
To provide the Clarisights platform to the Principal
🔲 Agencies
🔲 Audit / Tax Firms
🔲 Call center
🔲 Corporate Entities
🔲 Disposer
🔲 Hotels
🔲 IT Service Provider
🔲 Leasing Provider
🔲 Market research firms
🔲 Headhunter
🔲 Printing Service Provider
🔲 Security Firm
🔲 Travel Agencies
☑️ Others: Please refer to Appendix 3.
Transfer to third countries (outside the EU) or to international organisations:
To provide the Clarisights platform to the Principal
🔲 No
☑️ Yes: Please refer to Appendix 3
Safeguards for transfers to third countries:
To provide the Clarisights platform to the Principal
☑️ Standard data protection clauses
🔲 Binding corporate rules
🔲 Certification (e.g. EU US Privacy Shield)
🔲 None
Deletion period:
30 days post user deletion, and 2 months post contract termination
Appendix 2
Technical and organisational security measures of Contractor
§ 1 Location measures
The Contractor has taken the following measures related to the location (please tick the appropriate box in the column "Confirmed"):
*concerns protection goal
No. 1.1
Measure: All locations where the Data Controller's personal data is stored are located in the EU.
☑️ Confirmed
☑️ Confidentiality *
🔲 Integrity *
☑️ Availability *
🔲 Resilience *
No. 1.2
Measure: All locations from which the Data Controller's personal data can be accessed are either located in the EU, in a third country with an adequate level of data protection or are included in an EU standard contract or in approved codes of conduct.
☑️ Confirmed
☑️ Confidentiality *
🔲 Integrity *
☑️ Availability *
🔲 Resilience *
No. 1.3
Measure: Access to the building from which personal data of the Data Controller is accessed is only permitted or possible for authorised persons.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
🔲 Integrity *
☑️ Availability *
🔲 Resilience *
No. 1.4
Measure: Allocation and revocation of access equipment is fully documented.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 1.5
Measure: Visitors who gain access to the building in which personal data of the controller are processed will be accompanied or bound to confidentiality.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 1.6
Measure: Visitors are obliged to wear a visitor's pass during their visit to the building in which the personal data of the Data Controller are processed.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 1.7
Measure: External personnel deployed at the location (e.g. cleaning staff, security staff, janitors) have been obliged to maintain confidentiality.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 1.8
Measure: Insofar as the task requires processing in a special protection zone for the Data Controller, it is ensured that special access equipment is required for the associated rooms of this protection zone, which helps to ensure that only authorized persons have access to these protection zones.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 1.9
Measure: If special measures have to be taken for the special protection zones (e.g. installation of an alarm system, video surveillance, burglary protection), these have been implemented.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
🔲 Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 1
Measure: Number of protection goals achieved
🔲 Confirmed
🔲 Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
§ 2 Measures to protect the processing system
The Contractor has taken the following processing equipment related measures (please tick the appropriate box in the column "Confirmed"):
*concerns protection goal
No. 2.1
Measure: The servers used for processing are located in a server room which is treated as a special protection zone.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
☑️ Integrity *
🔲 Availability *
🔲 Resilience *
No. 2.2
Measure: There are no water pipes without sufficient overflow protection and no unnecessary fire loads in the server room, where servers are located, with which the data of the Data Controller are processed.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
🔲 Confidentiality *
🔲 Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.3
Measure: Maintenance activities by external personnel are only carried out in the server room under supervision.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.4
Measure: The server room has a mechanism that makes unauthorised access significantly more difficult (e.g. knob on the outside door, puller).
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.5
Measure: Servers on which personal data of the Data Controller are processed and network components used for processing are hardened, insofar as this is possible for functional and maintenance reasons.
🔲 Confirmed - Refer to GCP Security & Firstcolo Security
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.6
Measure: The server is only operated with personalized administrator accounts.
☑️ Confirmed
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.7
Measure: Special protection exists for administrative access to the server (e.g. dedicated access, access only from administration network, two-factor authentication, transport encryption).
☑️ Confirmed - (IAM based access for Admin & users with 2 factor Auth)
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.8
Measure: Administrator accounts ensure higher security than normal user accounts (e.g. with significantly longer passwords, comprehensive password history).
☑️ Confirmed - (2 factor auth is enforced for everyone)
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.9
Measure: Default passwords have been reset for the servers and network components used for processing.
☑️ Confirmed - (No default password, SSH key based login)
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.10
Measure: If functional accounts are used to administer the server, the passwords of these accounts will be reset as soon as an authorized admin has left the team.
🔲 Confirmed - Not documented, though we apply them to a test environment before applying to production
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.11
Measure: Changes carried out on the server are documented and have been tested for safety beforehand by the Data Processor.
☑️ Confirmed
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.12
Measure: Required security patches are applied promptly.
☑️ Confirmed
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 2.13
Measure: The servers have a secure and sufficiently robust default setting to enable a secure restart of the server system within the scheduled time.
☑️ Confirmed - no one can reboot them unless they have GCP console access which is protected by 2FA
🔲 Confidentiality *
🔲 Integrity *
🔲 Availability *
☑️ Resilience *
No. 2
Measure: Number of protection goals achieved
🔲 Confirmed
🔲 Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
§ 3 Measures for proper operation
The Contractor has taken the following measures for the ongoing operation of the agreed activity (please tick the appropriate box in the column "Confirmed"):
*concerns protection goal
No. 3.1
Measure: The personal data of the Data Controller stored by the processor is backed up in accordance with the state of the art.
☑️ Confirmed
🔲 Confidentiality *
☑️ Integrity *
☑️ Availability *
☑️ Resilience *
No. 3.2
Measure: Media used for data backup is stored separately from productive servers used to process personal data of the Data Controller.
☑️ Confirmed
🔲 Confidentiality *
🔲 Integrity *
☑️ Availability *
☑️ Resilience *
No. 3.3
Measure: The effectiveness of data backups is regularly checked by replay tests.
☑️ Confirmed - databases have standby servers and we try to switch to them regularly. We don’t replay data backups as standby suffices.
🔲 Confidentiality *
🔲 Integrity *
☑️ Availability *
☑️ Resilience *
No. 3.4
Measure: Servers, on which personal data of the Data Controller is stored, have a sufficiently dimensioned uninterruptible power supply.
☑️ Confirmed - (rely on Google Cloud Platform and Firstcolo for this)
🔲 Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 3.5
Measure: The personal data of the Data Controller stored by the processor will be deleted after the specified retention period has expired.
☑️ Confirmed
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 3.6
Measure: The infrastructure used to complete the job is protected against malware by up-to-date virus scanners.
🔲 Confirmed - Access is controlled through a firewall, but no specific virus scans are run currently
🔲 Confidentiality *
☑️ Integrity *
🔲 Availability *
🔲 Resilience *
No. 3.7
Measure: The Data Processor has sufficient network segmentation and network segregation.
🔲 Confirmed - No separate DB but all queries are restricted by the company to which the user belongs.
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 3.8
Measure: The effectiveness of the measures taken is monitored at least once a year.
🔲 Confirmed
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
☑️ Resilience *
No. 3.9
Measure: If the server system as a whole or components used to operate the server system are to be replaced, it is ensured that no readable data of the Data Controller is left on the data storage media to be disposed of.
🔲 Confirmed - Rely on GCP, Firstcolo
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 3.10
Measure: If data storage media are to be disposed of which contain data of the Data Controller, which are stored, transmitted or evaluated by the server system used, these data storage media shall either be physically destroyed or overwritten by means of erasure software in such a way that a reconstruction of the data is no longer possible with justifiable effort.
🔲 Confirmed - GCP, Firstcolo
☑️ Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
No. 3.11
Measure: The client systems of the persons who access personal data of the Data Controller during the execution of the data processing have a screen protection which, after a sufficiently short period of inactivity, triggers an automatic lock which can only be removed by entering a password.
☑️ Confirmed
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 3.12
Measure: User passwords of the persons used to complete the data processing have a high password complexity with at least eight characters and using upper and lower case letters, numbers and special characters.
🔲 Confirmed - We require a minimum of 8 characters
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 3.13
Measure: Access authorizations shall be blocked immediately upon expiry of the validity of the authorizations.
☑️ Confirmed - (subject to SLAs of GCP and Github)
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 3.14
Measure: Persons who process personal data of the Data Controller will be informed about their obligations.
☑️ Confirmed
☑️ Confidentiality *
☑️ Integrity *
☑️ Availability *
🔲 Resilience *
No. 3.15
Measure: Any security incidents discovered during ongoing operations concerning personal data of the Data Controller shall be reported to the Data Controller without delay.
☑️ Confirmed
🔲 Confidentiality *
🔲 Integrity *
🔲 Availability *
☑️ Resilience *
No. 3
Measure: Number of protection goals achieved
🔲 Confirmed
🔲 Confidentiality *
🔲 Integrity *
🔲 Availability *
🔲 Resilience *
§ 4 Verification of sufficient commitments by the Data Processor
On the basis of the commitments made by the processor, it must be verified whether protection is sufficient with regard to the protection objectives, by summing the ticks in each protection-goal column for the measures the processor has confirmed.
If further security measures are required for the contractual relationship to be considered, these further measures shall either be implemented in a suitable place or a further paragraph shall be inserted for this purpose.
Where a processing activity to be contracted, e.g. as part of a data protection impact assessment or risk analysis, has been identified as requiring the processor to make certain commitments, the non-compliance shall be assessed, agreed with the processor and may result in the planned processor being considered inappropriate.
§ 5 Verification of sufficient commitments by the Data Processor
(1) The following applies to the location-related measures:
*concerns protection goal
No. 1
Measure: Amount of protection goals achieved
- Confirmed
9 - Confidentiality *
0 - Integrity *
3 - Availability *
0 - Resilience *
No. 1
Measure: necessary at medium risk
- Confirmed
6 - Confidentiality *
0 - Integrity *
2 - Availability *
0 - Resilience *
No. 1
Measure: necessary at high risk
- Confirmed
9 - Confidentiality *
0 - Integrity *
3 - Availability *
4 - Resilience *
(2) The following applies to the processing system related measures:
*concerns protection goal
No. 1
Measure: Amount of protection goals achieved
- Confirmed
11 - Confidentiality *
11 - Integrity *
11 - Availability *
1 - Resilience *
No. 1
Measure: necessary at medium risk
- Confirmed
8 - Confidentiality *
8 - Integrity *
6 - Availability *
1 - Resilience *
No. 1
Measure: necessary at high risk
- Confirmed
9 - Confidentiality *
9 - Integrity *
8 - Availability *
1 - Resilience *
(3) The following applies to the proper operation related measures:
*concerns protection goal
No. 1
Measure: Amount of protection goals achieved
- Confirmed
9 - Confidentiality *
9 - Integrity *
10 - Availability *
5 - Resilience *
No. 1
Measure: necessary at medium risk
- Confirmed
6 - Confidentiality *
6 - Integrity *
5 - Availability *
3 - Resilience *
No. 1
Measure: necessary at high risk
- Confirmed
8 - Confidentiality *
8 - Integrity *
7 - Availability *
4 - Resilience *
Appendix 3
Approved subcontractors
The following companies are approved subcontractors within the meaning of § 9:
Nr. 1
Name of subcontractor: Google Cloud Platform
Address of subcontractor: 1600 Amphitheatre Parkway, Mountain View, CA, USA
Country: USA
Purpose of commission: Cloud hosting provider
Location of data processing: EU
For third countries, safeguards: Privacy Policy
Nr. 2
Name of subcontractor: LogRocket
Address of subcontractor: 87 Summer St, Boston, MA 02110, USA
Country: USA
Purpose of commission: User session recording
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 3
Name of subcontractor: Intercom
Address of subcontractor: 3rd Floor, Stephens Ct. 18-21 St. Stephen's Green, Dublin 2
Country: Ireland
Purpose of commission: In-app messaging
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 4
Name of subcontractor: Segment
Address of subcontractor: 100 California Street, Suite 700 San Francisco, CA 94111, USA
Country: USA
Purpose of commission: Customer Data Platform
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 5
Name of subcontractor: Amplitude
Address of subcontractor: 631 Howard Street, Floor 5, San Francisco, CA 94105, USA
Country: USA
Purpose of commission: Product Analytics
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 6
Name of subcontractor: Shortcut
Address of subcontractor: 201 Allen Street, Unit 10004, New York, NY 10002, USA
Country: USA
Purpose of commission: Productivity
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 7
Name of subcontractor: Mailchimp
Address of subcontractor: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA
Country: USA
Purpose of commission: Email Marketing
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 8
Name of subcontractor: AWS
Address of subcontractor: 410 Terry Avenue North Seattle, WA 98109 USA
Country: USA
Purpose of commission: Cloud Services
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 9
Name of subcontractor: Upvoty
Address of subcontractor: Hurksestraat 19, 5652 AH, Eindhoven, The Netherlands
Country: EU
Purpose of commission: Product Feedback
Location of data processing: EU
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 10
Name of subcontractor: Calendly
Address of subcontractor: Buford, 115 E Main St NE #A1B, USA
Country: USA
Purpose of commission: Scheduling
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 11
Name of subcontractor: Hubspot
Address of subcontractor: 2 Canal Park, Cambridge, MA 02141, USA
Country: USA
Purpose of commission: CRM
Location of data processing: USA
For third countries, safeguards: GDPR link; Privacy Policy
Nr. 12
Name of subcontractor: Make
Address of subcontractor: Celonis, Inc., One World Trade Center, 87th Floor, New York, NY, 10007, USA
Country: USA
Purpose of commission: Sales Enablement
Location of data processing: EU
For third countries, safeguards: Privacy Policy
Nr. 13
Name of subcontractor: Slack
Address of subcontractor: 500 Howard Street, San Francisco, California 94105, USA
Country: USA
Purpose of commission: Internal Communication
Location of data processing: USA
For third countries, safeguards: GDPR Link; Privacy Policy
Nr. 14
Name of subcontractor: Notion
Address of subcontractor: San Francisco, 2300 Harrison Street, Floor 2, USA
Country: USA
Purpose of commission: Productivity & collaboration
Location of data processing: Multiple Locations
For third countries, safeguards: GDPR Link; Privacy Policy
Nr. 15
Name of subcontractor: Gong
Address of subcontractor: 201 Spear St. 13th Floor, San Francisco, CA 94105, USA
Country: USA
Purpose of commission: Revenue Intelligence
Location of data processing: USA
For third countries, safeguards: GDPR Link; Privacy Policy
Nr. 16
Name of subcontractor: Retool
Address of subcontractor: San Francisco, 292 Ivy St, USA
Country: USA
Purpose of commission: Engineering Tooling Automation
Location of data processing: USA
For third countries, safeguards: Privacy Policy
Nr. 17
Name of subcontractor: Superhuman
Address of subcontractor: 555 Mission St 300, San Francisco, California, 94105, USA
Country: USA
Purpose of commission: Email Client
Location of data processing: Multiple Locations
For third countries, safeguards: GDPR Link; Privacy Policy
Nr. 18
Name of subcontractor: Google workspace
Address of subcontractor: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Country: USA
Purpose of commission: Productivity Suite
Location of data processing: Multiple Locations
For third countries, safeguards: Privacy Policy
Nr. 19
Name of subcontractor: Channeled
Address of subcontractor: 1486 Mcallister Street, San Francisco, CA 94115, USA
Country: USA
Purpose of commission: Customer Communications
Location of data processing: USA
For third countries, safeguards: Privacy Policy
Nr. 20
Name of subcontractor: Outreach
Address of subcontractor: 333 Elliott Ave W #500 Seattle, WA 98119, USA
Country: USA
Purpose of commission: Sales Execution Platform
Location of data processing: Multiple Locations
For third countries, safeguards: GDPR Link; Privacy Policy
Nr. 21
Name of subcontractor: LinkedIn
Address of subcontractor: Sunnyvale, California, USA
Country: USA
Purpose of commission: Professional Networking
Location of data processing: Multiple Locations
For third countries, safeguards: GDPR Link; Privacy Policy
Nr. 22
Name of subcontractor: Firstcolo
Address of subcontractor: Kruppstraße 105, 60388 Frankfurt am Main, Germany
Country: EU
Purpose of commission: Cloud Hosting
Location of data processing: EU
For third countries, safeguards: Privacy Policy
Nr. 23
Name of subcontractor: Konfetti, Inc.
Address of subcontractor: 470 Noor Ave STE B #1148, South San Francisco, CA 94080, USA
Country: USA
Purpose of commission: Sales Enablement
Location of data processing: USA
For third countries, safeguards: Privacy Policy
Subsidiaries and approved sub-contractors
Nr. 1
Name: Clarisights LLP
Address: Clarisights LLP, 749, CPB Complex, Shiri Krishna Temple Road, Indira Nagar, Bengaluru 560038, Karnataka, India
Country: India
Purpose: Subsidiary – Processor
Location of data processing: India
Link: Service Transfer Agreement
Nr. 2
Name: Clarisights Oy
Address: Siltasaarenkatu 10, 00530 Helsinki, Finland
Country: Finland
Purpose: Subsidiary – Processor
Location of data processing: EU
Link: Intercorporate Services Agreement
Nr. 3
Name: Clarisights GmbH
Address: Nostitzstraße 20, 10961 Berlin
Country: Germany
Purpose: Subsidiary – Processor
Location of data processing: EU
Link: Intercorporate Services Agreement