This Policy describes the rules by which SoftComply processes personal data and is valid from October 18th, 2022.
1. GENERAL TERMS AND DEFINITIONS
1.1. In the Policy, the following definitions shall apply:
Agreement: terms of service governing the use of the App by the Customer.
Appendix: terms governing the personal data processing where SoftComply is considered as data processor. Terms stipulated in the Appendix shall be considered as Customer’s complete and final instructions to SoftComply in relation to the processing of personal data specified therein, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
App: any risk and quality management solutions on Jira and Confluence (such as Risk Manager, Risk Reporting, Risk Manager Plus, Cloud eQMS Solution, SoftComply eQMS, Static Snapshots, Change History, Validation App) which have been developed by SoftComply.
Data Subject: a representative of the Customer. In exceptional cases the circle of Data Subjects may be extended (see the processing performed under the Appendix).
GDPR: regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
SoftComply: SoftComply OÜ (registry code 14013101, located at Saue tn 9/2-9, Tallinn, Estonia), a company established and existing under the laws of Estonia, operating the Website and providing the App.
Customer: a legal person who is using the App under the Agreement entered with SoftComply.
1.2. Unless otherwise indicated in clause 1.1 of this Policy, terms used in this Policy shall have the same meaning as under GDPR.
1.3. This Policy regulates the personal data processing related to the use of any App provided by SoftComply. The use of a certain App may be subject to App-specific rules, which are set out as an appendix to this Policy.
1.4. This Policy sets the rules for personal data processing where SoftComply acts as a controller as well as where it acts as a processor. The roles of SoftComply when processing personal data are clarified in clause 2 of this Policy.
2. CONTROLLER AND PROCESSOR
2.1. According to the GDPR, a controller is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. The processor, on the other hand, is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2.2. SoftComply processes the personal data of the Data Subject mainly for the performance of the Agreement entered into with the Customer, i.e. to provide access to the App, collect fees, change information, or to improve its services. When performing these data processing operations, SoftComply is considered a controller.
2.3. SoftComply processes personal data as a processor only in exceptional cases. In general, the use of the App by the Customer does not give SoftComply access to the Customer’s personal data. Certain SoftComply apps whose purpose is to assess the compliance of other applications used by the Customer (e.g. the validation app for Confluence) may require access to the Customer’s application. Although the compliance of the Customer’s application is assessed via a “dummy” user, SoftComply cannot guarantee that in the course of testing it will not gain access to the real data stored in the Customer’s app. If, as part of the assessment, SoftComply gains access to the Customer’s personal data, then SoftComply processes such personal data as a processor acting on behalf of the Customer and in accordance with the data processing rules set forth in Appendix 1 to this Policy.
3. PERSONAL DATA TO BE PROCESSED
3.1. SoftComply processes the following personal data of the Data Subject:
Account information: username, the company name and other details of the Customer the Data Subject represents, provided when creating an account, the name and surname of the Data Subject, phone number, e-mail address.
Payment details: selected payment method, payment history.
Correspondence data: complaints, questions and feedback submitted by the Data Subject to SoftComply.
Cookie data: technical product usage data, logs, metrics, metadata, device information, location information, content and information that you submit through the site.
3.2. SoftComply processes the personal data of the Data Subject which it receives directly from the Data Subject.
3.3. Disclosure of personal data to SoftComply is voluntary. However, SoftComply may not be able to offer the App to the Customer unless the Data Subject, as the representative of the Customer, provides certain data to SoftComply.
4. LEGAL GROUND AND PURPOSES OF PROCESSING
4.1. Account information
4.1.1. to enter into the Agreement with the Customer
4.1.2. to contact the Customer regarding changes to the terms
4.1.3. to process complaints
Legal ground for 4.1.1–4.1.3: to perform the Agreement (GDPR Art. 6(1)(b))
4.2. Payment details
4.2.1. to fulfil the obligations provided for in the Accounting Act or the Taxation Act
Legal ground for 4.2.1: obligation arising from law (GDPR Art. 6(1)(c))
4.2.2. to process and resolve legal claims and disputes
Legal ground for 4.2.2: to perform the Agreement (GDPR Art. 6(1)(b))
4.3. Correspondence data
4.3.1. to solve a complaint and to inform the Customer of any changes in the use of the App
Legal ground for 4.3.1: legitimate interest (GDPR Art. 6(1)(f))
4.4. Cookie data
4.4.1. to improve the Website, services, marketing, and user experience
Legal ground for 4.4.1: legitimate interest (GDPR Art. 6(1)(f))
5. RETENTION OF PERSONAL DATA
5.1. SoftComply will not retain personal data for longer than is necessary for the purpose of processing the personal data or under applicable law.
6. TRANSMISSION OF PERSONAL DATA
6.1. SoftComply may share the personal data of Data Subjects with the following third parties that provide services to SoftComply: server hosts, payment intermediation service providers, marketing service providers, persons providing legal assistance, or debt collectors.
6.2. The above persons are mainly located in the European Economic Area. However, SoftComply cannot rule out the possibility that some of the service providers it uses may be located in countries where the European Commission has not assessed the level of data protection or considered it sufficient. Due to the lack of an adequate level of data protection, the security of personal data, including protection against any misuse, unauthorized access, disclosure, alteration or destruction, as guaranteed in the European Union, may not be guaranteed in these countries. SoftComply will ensure that appropriate safeguards are in place when the personal data of the Data Subject is transferred to countries outside the European Union.
7. SECURITY OF PERSONAL DATA
7.1. SoftComply has implemented necessary organizational, physical and IT security measures to protect the Data Subject’s personal data from any misuse, unauthorized access, disclosure, alteration or destruction.
7.2. Only authorized persons have access to the personal data of the Data Subject. Persons with access to personal data undertake to comply with the confidentiality obligation.
8. RIGHTS OF THE DATA SUBJECT
8.1. Upon processing of their personal data, the Data Subject has all the rights arising from the legislation applicable to the Data Subject, including the following rights:
8.1.1. The right of access: The Data Subject has the right at any time to ask whether or not SoftComply is storing personal data about them and to receive information about what personal data SoftComply processes about the Data Subject;
8.1.2. The right to have personal data rectified: The Data Subject has the right to request SoftComply to clarify or correct their personal data if it is insufficient, incomplete or incorrect;
8.1.3. The right to object: The Data Subject has the right to object to the processing of their personal data by SoftComply, for example if the use of the personal data is based on SoftComply’s legitimate interest;
8.1.4. The right to request the deletion of personal data: The Data Subject has the right to request the deletion of personal data, for example if the personal data are processed with the consent of the Data Subject and if they have withdrawn the consent;
8.1.5. The right to restrict processing: The Data Subject has the right to request that SoftComply restrict the processing of their personal data under applicable law, for example if SoftComply no longer needs the Data Subject’s personal data for processing purposes or if the Data Subject has objected to the processing of personal data;
8.1.6. The right to withdraw the consent given for the processing of personal data: If the processing of personal data is based on the consent given by the Data Subject, the Data Subject has the right to withdraw the consent given to SoftComply at any time;
8.1.7. The right to data portability: The Data Subject shall have the right to obtain from SoftComply, in writing or in a publicly available electronic format, the personal data provided by the Data Subject to SoftComply and processed with the consent of the Data Subject or for the performance of an agreement signed with the Data Subject, and, if technically possible, to require SoftComply to transfer such data to a third party;
8.1.8. The right to file a complaint: To file a complaint with the Data Protection Inspectorate (Tatari 39, Tallinn 10134, e-mail address: email@example.com) or a court in case of violation of your rights.
8.2. In order to exercise any rights referred herein the Data Subject is required to submit a written application to SoftComply. SoftComply has the right to decline this application by justifying the reasons for the refusal.
8.3. According to Article 12(3) of the GDPR, SoftComply is obligated to respond to the application within 1 month. However, SoftComply will make its best efforts to respond to any request within 1 week.
9. AMENDMENTS TO THE POLICY
9.1. SoftComply reserves the right to unilaterally supplement and/or amend this Policy (incl. the Appendix) from time to time. When updating this Policy (incl. Appendix), SoftComply will notify the Data Subject of the new Policy via email.
10. CONTACT DETAILS
10.1. If you have any questions or requests regarding the processing of personal data, please contact us by emailing firstname.lastname@example.org.
10.2. For complaints on the processing of personal data, we recommend that you first contact SoftComply. The Data Subject also has the right to apply to the Data Protection Inspectorate or a court to resolve complaints.
APPENDIX 1. DATA PROCESSING TERMS IN CASE SOFTCOMPLY IS CONSIDERED AS PROCESSOR
When the Customer is using the Validation app for Confluence or other Validation apps developed by SoftComply (hereinafter “Extended App”), SoftComply gains access to the Customer’s Confluence environment via a “dummy” user in order to perform the purpose of the App. The “dummy” user will perform the purposes agreed in the Agreement on test data and not real data. SoftComply cannot guarantee that in the course of performing the purposes agreed in the Agreement it will not gain access to real personal data stored in the Customer’s environment.
In the event that SoftComply gains access to real personal data (which is unlikely), SoftComply processes the personal data stored in the Customer’s environment as a processor authorized by the Customer.
By accepting the Policy and using the Extended App, the Customer confirms that they have carefully read these terms and agree with these terms:
1. ROLES AND RESPONSIBILITIES
1.1. In relation to the personal data processed under this Appendix, the Customer is the controller and SoftComply is a processor acting on behalf of Customer. For the avoidance of doubt, this Appendix shall not be applied on the personal data processing activities where SoftComply is acting as the controller.
1.2. SoftComply shall process personal data under this Appendix only as set forth in this Appendix, as necessary to comply with applicable law, or as otherwise agreed in writing. This Appendix sets out the Customer’s complete and final instructions to SoftComply in relation to the processing of personal data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
1.3. Within the scope of this Appendix and in its use of the Extended App, the Customer will be responsible for complying with all requirements that apply to it under the GDPR with respect to its processing of personal data and the instructions it issues to SoftComply.
1.4. The Customer acknowledges and agrees that it will be solely responsible for: (i) the accuracy, quality, and legality of personal data and the means by which the Customer acquired personal data; (ii) complying with all necessary transparency and lawfulness requirements under the GDPR for the collection and use of the personal data, including obtaining any necessary consents and authorizations; (iii) ensuring that it has the right to transfer, or provide access to, the personal data to SoftComply for processing in accordance with the terms of the Agreement; (iv) ensuring that the instructions provided to SoftComply regarding the processing of personal data comply with applicable laws. The Customer undertakes to inform SoftComply without undue delay if it is not able to comply with its responsibilities under this sub-section or the GDPR.
2. INSTRUCTIONS FOR THE PROCESSING
2.1. In the course of the provision of the Extended App, SoftComply may process any categories of personal data which are stored in the Customer’s Confluence environment, except special categories of personal data.
2.2. Personal data referred to in clause 2.1 of this Appendix shall be processed by SoftComply for the purposes agreed in the Agreement.
2.3. SoftComply shall retain the personal data only for the period necessary in order to achieve the purposes for which the personal data was collected, unless legislation imposes a mandatory retention period.
2.4. As already mentioned in the preamble of this Appendix, SoftComply uses a “dummy” user to carry out the purposes agreed in the Agreement. Thus, the Extended App does not use any real data to achieve its goal. All data transfers between the Customer’s system and the SoftComply validation servers are done over HTTPS. Also, SoftComply servers are connected over VPC (Virtual Private Cloud) networks in Google Cloud, which restricts access to them from the public internet.
3. OBLIGATIONS OF SOFTCOMPLY
3.1. SoftComply understands and acknowledges that the personal data cannot be processed for any other purpose than described in this Appendix or as otherwise agreed within the scope of Customer’s lawful instructions, except where and to the extent otherwise required by applicable law. To ensure this, SoftComply shall:
3.1.1. refrain from any personal use, including commercial use, of the personal data processed for the provision of Extended App;
3.1.2. comply, and ensure that its employees or any third parties used by it comply, with the principles of the applicable data protection regulations, including the confidentiality obligation;
3.1.3. provide the Customer with all necessary information to demonstrate that it complies with this Appendix.
3.2. For avoidance of doubt, SoftComply is not responsible for compliance with any data protection laws applicable to the Customer or Customer’s industry that are not generally applicable to SoftComply.
3.3. If SoftComply becomes aware that it cannot process personal data in accordance with Customer’s instructions due to a legal requirement under any applicable law, SoftComply will:
3.3.1. promptly notify the Customer of that legal requirement to the extent permitted by the applicable law, and where necessary, cease all processing (other than merely storing and maintaining the security of the affected personal data) until such time as the Customer issues new instructions with which SoftComply is able to comply;
3.3.2. promptly notify the Customer about any accidental or unauthorised access;
3.3.3. promptly notify the Customer about any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so.
3.4. SoftComply will implement and maintain appropriate technical and organizational measures to protect personal data from personal data breaches. SoftComply reserves the right to modify or update the security measures at its own discretion provided that such modification or update does not result in a material degradation in the protection offered by the security measures.
3.5. SoftComply undertakes to ensure, during the validity of the Agreement, the confidentiality of the personal data being processed on behalf of the Customer. To ensure this, SoftComply shall:
3.5.1. assign access rights to the personal data to the minimum extent necessary for the provision of the Extended App. SoftComply confirms that access to the personal data is provided only to its employees and/or third-party service providers who need the access for the performance of their duties;
3.5.2. ensure that employees and/or third parties used for the provision of the Extended App protect the confidentiality and security of personal data. SoftComply confirms that all authorized persons are bound by a confidentiality obligation.
3.6. SoftComply shall (taking into account the nature of the processing and the information available to SoftComply) provide all reasonably requested information regarding the Extended App to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by GDPR.
4.1. Taking into consideration the nature of service provided, the personal data being processed under this Appendix and available information, SoftComply shall cooperate with the Customer to ensure the performance of obligations specified in GDPR Articles 32–36. For this purpose and only to the extent specified in this Appendix, SoftComply shall provide requested information to the Customer which is necessary for proper performance of obligations of the Customer under GDPR. The Customer undertakes to reimburse SoftComply for the commercially reasonable costs arising from this assistance.
5. USE OF SUB-PROCESSORS AND PERSONAL DATA TRANSFER
5.1. The Customer grants SoftComply a general authorization to engage sub-processors. The Customer may request SoftComply to provide a list of third parties appointed as sub-processors and the role of each sub-processor.
5.2. SoftComply will notify the Customer of any changes to the sub-processor list. The Customer may object to the engagement of a new sub-processor on reasonable grounds relating to the protection of personal data within 14 days after the list is updated. If the Customer objects to the engagement of the new sub-processor, SoftComply will consider the Customer’s concerns and will use its best efforts to find a commercially reasonable resolution. If no such resolution can be reached, SoftComply is entitled, at its sole discretion, either not to appoint the new sub-processor, or to permit the Customer to terminate the Agreement without liability to either party.
5.3. SoftComply will impose data protection terms on the sub-processors that provide at least the same level of protection for personal data as this Appendix, to the extent applicable to the nature of the services provided by such sub-processors. SoftComply will evaluate the security, privacy and confidentiality practices of a sub-processor prior to establishing that it is capable of providing the level of protection of personal data required by this Appendix. SoftComply will remain responsible for each sub-processor’s compliance with the obligations of this Appendix and for any acts or omissions of such sub-processor that cause SoftComply to breach any of its obligations under this Appendix.
5.4. The Customer acknowledges and agrees that SoftComply is entitled to transfer the personal data to sub-processors located in the European Economic Area (“EEA”) as well as outside the EEA, unless otherwise expressly agreed between the Parties. When transferring personal data outside the EEA, SoftComply shall ensure the application of appropriate safeguards.
6.1. SoftComply will make available to the Customer all information reasonably necessary to demonstrate compliance with this Appendix and allow for and contribute to audits, including inspections by the Customer, in order to assess compliance with this Appendix.
6.2. An audit may be carried out during normal business hours without unreasonable disturbance to SoftComply’s business activities and only upon advance notice. The Customer undertakes to inform SoftComply of its wish to conduct an audit at least 14 calendar days in advance. The Customer may use internal or external auditors for the audit.
6.3. In the course of audit, the Customer is entitled to review materials and documents concerning the security practices, procedures, disaster recovery and backup procedures. The Customer is not entitled to audit SoftComply premises.
6.4. All costs related to the organization of an audit shall be borne by the Customer.
7. PERSONAL DATA BREACH
7.1. SoftComply undertakes to notify the Customer without undue delay if it becomes aware of any personal data breach. The notification shall describe the nature of the personal data breach, including, where possible, the following:
7.1.1. the description of the nature of the personal data breach;
7.1.2. the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
7.1.3. the name and contact details of the data protection officer or other contact point where more information can be obtained;
7.1.4. the description of the likely consequences of the personal data breach; and
7.1.5. the description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2. SoftComply undertakes to submit the personal data breach notice as soon as possible and, where feasible, within 72 hours of becoming aware of the breach. In case SoftComply is not able to provide all the information mentioned in clause 7.1 in one notice, SoftComply is entitled to provide the information in phases without undue further delay.
7.3. SoftComply shall document all personal data breaches, including facts pertaining to the personal data breach, its impact and corrective actions taken. In cases provided for in legislation, SoftComply shall provide such documents to supervisory authority.
7.4. The Customer shall be responsible for the compliance with legislation regulating the delivery of notifications or information to the data subjects about the personal data breach.
8. DELETION OF DATA
8.1. Upon termination or expiration of the Agreement, SoftComply shall delete all personal data (including copies) in its possession or control, unless SoftComply is required by applicable law to retain some or all of the personal data. The foregoing requirement shall not apply to personal data SoftComply has archived on back-up systems, which SoftComply shall securely isolate, protect from any further processing and eventually delete in accordance with SoftComply’s deletion policies, except to the extent required by applicable law.
9.1. SoftComply shall assume liability for damage, administrative fines or any other claims with regard to SoftComply’s violation of the Agreement, this Appendix or requirements of the applicable law. If SoftComply and the Customer have agreed on limitation of SoftComply’s liability in the Agreement, then such limitation shall also be applied to a liability arising from this Appendix.
9.2. SoftComply shall not be liable in any case for an administrative fine imposed on the Customer, damage caused to the Customer or a claim submitted with regard to the Customer if these are based on a violation by the Customer and/or if SoftComply has not committed such violation.
9.3. The Customer shall assume liability for damage, administrative fines or any other claims with regard to the Customer’s violation of the Agreement, this Appendix or requirements of the applicable law.
10.1. This Appendix shall remain in effect for as long as SoftComply carries out personal data processing operations on behalf of the Customer or until termination of the Agreement.
10.2. This Appendix shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Extended App.
10.3. This Appendix shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.