Last updated: December 4, 2024
This Data Processing Agreement ("DPA") has two parts:
In case of inconsistencies, the Key Terms will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given in the Key Terms. If a term is omitted or not defined, it defaults to "none" or "not applicable," and the corresponding clause does not apply. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.
Agreement | This DPA applies to all users subscribing to or using the services of AfterActions. |
---|---|
Approved Subprocessors | Name: Heroku; Country of Location: USA; Anticipated Processing Task: Hosting services<br>Name: Mailgun; Country of Location: USA; Anticipated Processing Task: Email services<br>Name: Microsoft Azure; Country of Location: USA; Anticipated Processing Task: File storage services |
Provider Security Contact | AfterActions, LLC, 1820 Avenue M #780, Brooklyn, NY 11230, United States of America |
Security Policy | Provider will use commercially reasonable efforts to secure the Service from unauthorized access, alteration, or use and other unlawful tampering. |
Service Provider Relationship | To the extent the California Consumer Privacy Act ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA. |
Restricted Transfers | Governing Member State: EEA Transfers: Netherlands; UK Transfers: England and Wales |
Data Exporter: You, the Customer using our services
Activities Relevant to Transfer: See Annex I(B)
Role: Controller
Data Importer: AfterActions, LLC
Contact Person: Adam Ilowite
Address: 1820 Avenue M #780, Brooklyn, NY 11230, USA
Activities Relevant to Transfer: See Annex I(B)
Role: Processor
The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Provider will use commercially reasonable efforts to secure the Service from unauthorized access, alteration, or use and other unlawful tampering, as outlined in the Security Policy.
The following terms constitute the full Data Processing Agreement between you ("Customer") and AfterActions, LLC ("Provider"). By using or subscribing to AfterActions' services, you agree to this DPA.
1.1 Provider as Processor. In situations where Customer is a Controller of the Customer Personal Data, Provider will be deemed a Processor that is Processing Personal Data on behalf of Customer.
1.2 Provider as Subprocessor. In situations where Customer is a Processor of the Customer Personal Data, Provider will be deemed a Subprocessor of the Customer Personal Data.
2.1 Processing Details. Annex I(B) describes the subject matter, nature, purpose, and duration of this Processing, as well as the Categories of Personal Data collected and Categories of Data Subjects.
2.2 Processing Instructions. Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Provider about Processing Customer Personal Data under this DPA. Provider will abide by these instructions unless prohibited from doing so by Applicable Laws. Provider will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.
2.3 Processing by Provider. Provider will only Process Customer Personal Data in accordance with this DPA, including the details in the Key Terms.
2.4 Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data.
2.5 Consent to Processing. Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Provider and/or the Service.
2.6 Subprocessors.
3.1 Authorization. Customer agrees that Provider may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. Provider will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.
3.2 Ex-EEA Transfers. Customer and Provider agree that if the GDPR protects the transfer of Customer Personal Data, certain clauses apply as outlined in the DPA Standard Terms.
3.3 Ex-UK Transfers. Customer and Provider agree that if the UK GDPR protects the transfer of Customer Personal Data, certain clauses apply as outlined in the DPA Standard Terms.
Upon becoming aware of any Security Incident, Provider will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident.
5.1 Audit Rights. Provider will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and will allow for and contribute to audits to assess compliance.
5.2 Security Reports. Upon written request, Provider will give Customer a summary copy of its then-current Report to verify compliance with the standards defined in the Security Policy.
6.1 Response to Inquiries. If Provider receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Provider will notify Customer about the request and will not respond without Customer’s prior consent unless required by Applicable Law.
7.1 Deletion by Customer. Provider will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services.
7.2 Deletion at DPA Expiration. After the DPA expires, Provider will return or delete Customer Personal Data at Customer’s instruction unless further storage is required or authorized by Applicable Law.
Each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
This DPA will start when you agree to it by using or subscribing to our services and will continue until the Agreement expires or is terminated.
Capitalized terms used in this DPA have the meanings set forth in the DPA Standard Terms or the Agreement.
Common Paper Data Processing Agreement (Version 1.0) is free to use under CC BY 4.0.