Introduction

This Data Processing Agreement (the “Agreement”) is a binding legal agreement which supplements HeroCoders’ Terms of Service (the “Terms”) or other agreement in place between HeroCoders Sp. z o. o., a company incorporated under the laws of Poland, with its registered office in Gdańsk, Poland (postal code: 80-119) at ul. Zosi 16, entered into the Register of Entrepreneurs of the National Court Register by the District Court Gdańsk-North in Gdańsk, VII Commercial Division of the National Court Register, under KRS number: 0000910925, Tax ID: 5833433174, National Business Registry Number: 389423957, with the share capital of PLN 75,000.00 (“HeroCoders”, “we”, “us” or the “Processor”) and a customer (“you” or the “Controller”), being a person, entity or organization using our Apps (as defined in the Terms), hereinafter referred to together as the “Parties” and individually as a “Party”.

 If you are an individual using our Apps on behalf of your company, organization or other entity (wherein using an email address from your employer or another entity shall be deemed to represent that party), then “you” means your entity and you are binding your entity to the Agreement. 

This Agreement sets out the additional terms, requirements and conditions on which we - acting as the data processor - shall Process the Controller’s Personal Data on your behalf under the Terms. This Agreement notably contains the mandatory clauses required by Article 28(3) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) for contracts between data controllers and data processors. 

The date of execution of the Terms shall also constitute the date of execution of this Agreement.

1. Scope and term

1.1. We will Process Controller’s Personal Data as your data processor in accordance with your instructions as outlined herein. This Agreement basically refers to the data controller - data processor relation, however if you enter into this Agreement as a data processor, all of its provisions relating to the data controller shall apply to you - in this situation we shall act as a subprocessor and our subprocessors as further subprocessors. 

1.2. You retain control of the Controller’s Personal Data and remain responsible for data controller’s compliance obligations under the applicable Data Protection Legislation, including providing any required  notices and obtaining any required consents and authorizations.

1.3. The term of this Agreement coincides with the duration of the Terms and terminates upon expiration or earlier termination of the Terms (or, if later, the date on which we cease all Processing of Controller’s Personal Data according to the Agreement or applicable law).

1.4. All matters not regulated in this Agreement shall be subject to the provisions of the Terms. If there is any conflict or inconsistency among the following documents, the order of precedence is: (1) the applicable provisions of the Terms; (2) the main body of this Agreement.

2. Definitions

Unless otherwise specified, all capitalized terms used in this Agreement shall have the meaning given to them herein. Where this Agreement uses terms that are defined in the Terms, the mentioned terms shall have the same meaning as in the Terms.

“Controller’s Personal Data” means any Personal Data contained in the data that we Process under the Terms solely on your behalf, including any Personal Data provided in the User Content.

“Data Protection Legislation” means all privacy and data protection laws applicable to the Processing, including the GDPR and any applicable national laws, regulations and secondary legislation relating to the Processing of the Personal Data and the privacy of electronic communications, as updated, amended or replaced from time to time.

“Data Subject” means an individual who is a subject of the Personal Data.

“Personal Data” means any information relating to an identified or identifiable natural person that is Processed; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, identification number, location data, online identifier, or to one or more factors specific to the physical, the physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, the Personal Data.

“Processing” (and “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction or any other operation on Personal Data as the Data Protection Legislation may otherwise define “processing”, “processes”, “process” or “processed”.

“SCCs” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

“Subprocessor” means HeroCoders’ subcontractor in the performance of our obligations under the Terms and this Agreement, which operates as a further personal data processor. The list of our Subprocessors may be found at the Website.

“TOMs” means HeroCoders’ current technical and organizational measures that are described at the Website.

For purposes of this Agreement any reference to notices, instructions or communication being “in writing” or “written” shall include electronic form (including email).

3. Processing scope and measures

3.1. We shall Process Controller’s Personal Data in accordance with the documented lawful instructions as stated in the Terms (including this Agreement) as necessary to (i) provide the Apps and related services to you and enable the use of various features and functionalities in accordance with the Apps’ documentation (including as directed by your authorized users), (ii) investigate security incidents and enforce applicable policies (e.g. enforce the prohibition on illegal content). Details regarding the Processing of Controller’s Personal Data are stated in the Schedule 1: Description of Processing.

3.2. We shall treat Controller’s Personal Data as Confidential Information under the Terms. 

3.3. We have implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Controller’s Personal Data and protect against Personal Data Breach in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk involved. TOMs are described at our Website on the Technical and Organizational Measures page. You acknowledge that the TOMs, as well as security measures described in our Security Statement, are subject to technical progress and development and that we may update or modify them from time to time, provided that such updates and modifications do not materially decrease the overall security of the Apps and related services. You hereby confirm that technical and organizational measures specified by HeroCoders are sufficient and appropriate under the Data Protection Legislation and this Agreement in light of the nature of Controller’s Personal Data. You acknowledge that you are responsible for configuring the Apps and using features and functionalities made available to you to help maintain appropriate security in light of the nature of Controller’s Personal Data.

4. Processor's obligations

4.1. We shall only Process Controller’s Personal Data in accordance with the Terms, this Agreement, applicable law and the Controller’s written instructions as per Article 28(9) of the GDPR. We shall promptly notify you if, in our opinion, your instructions infringe the GDPR.

4.2. We ensure that persons authorized to Process the Controller’s Personal Data on our behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. We shall reasonably assist you with meeting Controller’s compliance obligations under the Data Protection Legislation, notably obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the Processing and information available to HeroCoders. 

4.4. Upon your reasonable request, taking into account the nature of the Processing, we shall provide you with reasonable and timely assistance to enable the Controller to respond to requests for exercising Data Subject’s rights under the Data Protection Legislation (including rights of access, rectification, erasure, restriction, objection and data portability) with respect to Controller’s Personal Data. We shall notify you in a timely manner and without undue delay if we receive a request from a Data Subject for access to their Personal Data contained in the Controller’s Personal Data or to exercise any of their related rights under the Data Protection Legislation.

4.5. Upon your reasonable request, we shall, insofar as it is possible, make available to you all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Legislation, in accordance with section 8 (Audit). 

4.6. We shall notify you without undue delay if we receive any complaint, notice or communication that relates directly or indirectly to the Processing of the Controller’s Personal Data or to either Party’s compliance with the Data Protection Legislation under this Agreement.

4.7. Unless prohibited by law, we will promptly notify you of any valid, enforceable subpoena, warrant, court or administrative order from law enforcement or public authorities compelling us to disclose Controller’s Personal Data. 

4.8. We shall ensure that all our staff with access to the Controller’s Personal Data:

(i) are informed of the confidential nature of the Controller’s Personal Data and are bound by confidentiality obligations and use restrictions; 

(ii) have undertaken training on handling and protection of the Personal Data and know how to apply it  to their particular duties; 

(iii) are aware of both the data processor’s obligations and their personal obligations under the GDPR and this Agreement.

4.9. To the extent that required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner's Office (ICO)) or other competent data privacy authorities to the extent required by the GDPR and applicable Data Protection Legislation.

5. Subprocessing

5.1. By entering into this Agreement, you provide a general authorization for HeroCoders to engage Subprocessors to Process Controller’s Personal Data. We shall enter into a written agreement, with each Subprocessor we engage, which imposes on the Subprocessor data protection obligations that provide at least the same level of protection for Controller’s Personal Data as those set out in this Agreement.

5.2. We maintain an up-to-date list of our Subprocessors at the Subprocessors tab at our Website and undertake to keep this list updated regularly to enable you to stay informed of the scope of subprocessing. HeroCoders also provides a mechanism to subscribe to notifications about the new Subprocessor or its replacement at our Trust Center. We will provide a notice of the Subprocessor addition or replacement via (i) updates to the abovementioned Subprocessors list at our Website and (ii) notice to the email addresses that subscribe to our Trust Center notification, at least fourteen (14) days before allowing any new Subprocessor to Process Controller’s Personal Data (the “Subprocessor Notice Period”). To ensure you receive timely notifications of any new Subprocessor we may appoint from time to time, you should check our Website and our Trust Center periodically for any changes or subscribe to receive mentioned email notifications.

5.3. You may object to our appointment of a new Subprocessor during the Subprocessor Notice Period. You acknowledge that due to the nature and scale of HeroCoders’ operation, it is technically not feasible to provide different Subprocessors to different data controllers or not to appoint a new Subprocessor as a result of an objection by a single data controller. Thus, if you object to our appointment of a new Subprocessor, your sole and exclusive remedy is to terminate the Terms (including this Agreement) prior to the date on which the changes are to take effect by withdrawing from using all of our Apps affected by the change. Otherwise, your continuing use of the Apps following the appointment of a new Subprocessor after the  Subprocessor Notice Period will constitute your acceptance of the appointment of the new Subprocessor.

6. Personal Data Breaches

6.1. We shall promptly and without undue delay notify you if we become aware of any Personal Data Breach that applies to the Controller’s Personal Data (the “Breach”).

6.2. Where we become aware of any Breach we shall, without undue delay and to the extent possible and known to us, also provide you with the following information:

(i) the description of the causes and nature of the Breach, including, where possible, the categories and approximate number of both the Data Subjects and Personal Data records concerned;

(ii) the likely consequences; and

(iii) the description of the measures taken or proposed to be taken to address the Breach, including measures to mitigate the possible adverse effects.

6.3. We shall reasonably cooperate with you in handling of the matter, including: (i) reasonably assisting with any investigation; (ii) making available relevant records, logs, files, data reporting and other materials required to comply with all the Data Protection Legislation or as otherwise reasonably required by you; and (iii) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Breach.

6.4. We shall not inform any third party of the Breach without your prior written consent or instruction, unless we are explicitly required to do so by law or by the Partner Platforms Terms, which may impose on us certain Breach notification duties.

6.5. You have the sole right to determine:

(i) whether to provide a notice of the Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation, including the contents and delivery method of the notice; and

(ii) whether to offer any type of a remedy to the affected Data Subjects, including the nature and extent of such remedy.

7. Cross-border transfers of the Controller's Personal Data

7.1. You hereby authorize us to transfer or otherwise Process Controller’s Personal Data outside the European Economic Area (the “EEA”)  subject to the conditions laid down in this Agreement. 

7.2. We will only Process, or permit the Processing of, the Controller’s Personal Data outside the EEA under one of the following conditions:

(i) Controller’s Personal Data is being Processed in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals, or 

(ii) We use, where appropriate, one of the safeguards specified by the Data Protection Legislation, notably by Article 46 of the GDPR.

7.3. If any Controller’s Personal Data transfer between you and HeroCoders requires the  execution of the SCCs in order to comply with the Data Protection Legislation, the Parties shall take all actions required to legitimize the transfer.

8. Audit

8.1. Upon request, and on the condition that you have entered into an applicable non-disclosure agreement with us, we will supply you with a summary copy of the relevant audit report(s) and penetration testing report(s) so that you can verify our compliance with the applicable Data Protection Legislation and this Agreement. You may download copies of these documents from our Trust Center. If you cannot reasonably verify our compliance with the Data Protection Legislation or this Agreement through these means, we shall also provide necessary written responses (on a confidential basis) to all your reasonable requests for information related to the Processing of Controller’s Personal Data, provided that such right may be exercised no more than once every twelve (12) months (unless such need arises from applicable Data Protection Legislation or regulatory authority requirements).

8.2. Only to the extent you cannot reasonably verify our compliance with the applicable Data Protection Legislation or this Agreement through the exercise of your rights under the provision 8.1 above, or where required by applicable Data Protection Legislation or by the regulatory authority, you, or your authorized representatives, may, at your expense, conduct a remote audit (the “Audit”) to assess our compliance with the Data Protection Legislation and this Agreement, using a combination of commercially reasonable features such as documentation and records review via screen-sharing, screenshots, sending of documents or remote interviews with appropriately sampled representatives of management and operational personnel. Please note that due to HeroCoders’ nature and scale of operation, we do not anticipate an on-site audit, as it would not be technically feasible. Any audit must:

(i) be conducted during our regular business hours, with reasonable advance written notice of at least thirty (30) calendar days (unless applicable Data Protection Legislation or a regulatory authority requires a shorter notice period); 

(ii) be subject to reasonable confidentiality controls obligating you (and your authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; 

(iii) occur no more than once every twelve (12) months (unless such need arises from applicable Data Protection Legislation or regulatory authority requirements); and

(iv) restrict its findings to only information relevant to you.

8.3. You acknowledge that our Subprocessors may maintain independently validated security programs (including, e.g. SOC 2 or ISO 27001). 

8.4. You acknowledge and agree that your information and audit rights only arise under this section 8 to the extent that the Terms, this Agreement or other materials made available to you do not give sufficient information meeting the relevant requirements of the Data Protection Legislation (including, where applicable, article 28(3)(h) of the GDPR).

9. Non-compliance with the Agreement and termination

9.1. Without prejudice to any provisions of the applicable Data Protection Legislation, notably GDPR, we shall be entitled to terminate the Agreement where, after having informed you that your instructions infringe on applicable Data Protection Legislation, you insist on proceeding with these instructions.

9.2. In the event of (i) a change in any Data Protection Legislation that prevents either Party from fulfilling all or part of this Agreement’s obligations and the Parties are unable to bring the Processing into compliance with the Data Protection Legislation; (ii) your dissatisfaction with any term of this Agreement, your sole remedy is to terminate the Terms (including this Agreement) by withdrawing from using any and all of our Apps.

9.3. During the term of this Agreement you and your authorized users may, through the features of our Services including, but not limited to, the Apps, access, retrieve or delete Controller’s Personal Data. Upon termination of this Agreement for any reason or expiry of its term, we shall securely delete or destroy or, if directed in writing by you, return and not retain all or any Controller’s Personal Data related to this Agreement in our possession. If any law, regulation or governmental or regulatory body requires us to retain any documents or materials that we would otherwise be required to return or destroy, we shall notify you in writing of that retention requirement. Notwithstanding the foregoing, you acknowledge that some or all Controller’s Personal Data may be retained as part of automated back-ups, which occurs in accordance with the current backup routine of ours or of our Subprocessors, and thus it is not something that we can affect manually, in which case data will be securely isolated and protected from any further Processing and deleted in accordance with applicable back-up deletion policies.

Schedule 1: Description of Processing

1. Categories of Data Subjects whose Personal Data is Processed: your authorized users, any other natural persons whose Personal Data is Processed as part of the User Content (as controlled by you and determined by you or your authorized user on your behalf). 

2. Categories of Controller’s Personal Data Processed: IP address, name, username, email address, any other Personal Data Processed as part of the User Content (as controlled by you and determined by you or your authorized user on your behalf). 

3. Sensitive data transferred: you or your authorized users may input - as part of the User Content - Controller’s Personal Data which may include Personal Data falling into the special category of Personal Data as specified in Article 9 of the GDPR, the extent of which is determined and controlled solely by you. You represent and warrant that by the time of entering by you or your authorized user any such data to our Services including, but not limited to, the Apps, you will obtain all rights and consents necessary to use and share such data with us and our Subprocessors. 

4. Frequency of the Processing: Continuous.

5. Duration of the Processing: The duration of this Agreement (as indicated in its provision 1.3.) shall constitute the duration of the Processing, unless otherwise agreed by the Parties.

6. Subject matter and nature of the Processing: Performance of the Services to the Controller under the Terms. We will Process Controller’s Personal Data in order to provide the Apps and related services in accordance with the Terms, including this Agreement. Additional information regarding the nature of the Processing (including transfer) is described in relevant App documentation referring to the technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Controller’s Personal Data by automated means.

7. Purpose(s) of the Processing: We will Process Controller’s Personal Data as the data processor in accordance with your instructions as set out in the provision 3.1. of this Agreement.