Data Processing Addendum
Last Updated: August 23, 2023
This Data Processing Addendum ("DPA") forms part of the Terms of Use ("Agreement") available at https://Hidynotes.com/terms-service, entered into by and between the Customer and Hidy Pty Ltd (“Hidy”), pursuant to which Customer has accessed Hidynotes' Application Services. The purpose of this DPA is to reflect the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation.
When we write “Hidynotes” or “we” or “us”, we’re referring to “Hidy”.
Definitions
In this DPA, the following terms (and derivations thereof) have the meanings set out below:
“California Consumer Privacy Act of 2018” or “CCPA” means Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018;
"Contracted Processor" means Hidynotes or a Subprocessor;
“Customer” means the individual or entity that has executed the Agreement and this DPA;
“Customer Content” means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted on the Site or/and Service by Customer or Customer Users and is processed by Hidynotes on behalf of Customer. For the avoidance of doubt, Customer Content does not include usage, statistical, or technical information that does not reveal the actual contents of the Customer Content;
"Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“Data Subject” means (i) an identified or identifiable natural person who is in AUS or whose rights are protected by the GDPR; or (ii) a “Consumer” as the term is defined in the CCPA;
“Data Subject Rights” means those rights identified in the GDPR and the CCPA granted to Data Subjects;
"AUS" means Australia;
"EU Data Protection Laws" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), as transposed into domestic legislation of each Member State and the laws implementing the GDPR;
“Personal Data” means Customer Content that directly or indirectly identifies or relates to a Data Subject;
“Site” means website https://Hidynotes.com;
"Services" means Hidynotes browser extension, Trello Power-Up, Hidynotes web app or Hidynotes mobile app;
"Subprocessor" means any person (including any third party but excluding independent contractors of Hidynotes subject to Section 4) appointed by or on behalf of Hidynotes to Process Personal Data on behalf of Customer in connection with the Agreement; and
“Supervisory Authority” means either (as applicable): (i) an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR; or (ii) the California Attorney General.
The terms, "Commission", "Controller", "Member State", "Personal Data Breach", and "Processing" have the meanings given in the GDPR.
Capitalized terms not defined herein have the meaning given in the Agreement. The word "include" shall be construed to mean “include without limitation,” and any derivations thereof shall be construed accordingly. All “Section” references shall be to this DPA unless otherwise specified.
General The parties agree that Customer is the data controller and that Hidynotes is its data processor in relation to personal data that is processed in the course of providing the Application Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Hidynotes pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Site or through an Ordering Document and provided by Hidynotes to Customer via https://Hidynotes.com or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases.Processing of Personal Data
Subprocessors will be permitted to process personal data only to deliver the services Hidynotes has retained them to provide, and they shall be prohibited from using personal data for any other purpose.
As necessary for the provision of the Services, Customer instructs Hidynotes (and authorizes Hidynotes to instruct each Subprocessor) to:
Process personal data, including disclosing such data to sub-processors and other third parties;
transfer Personal Data to any country or territory subject to Section 4; and
Engage any Subprocessors in accordance with Section 7;
as reasonably necessary for the provision of the Services and consistent with the Principal Agreement;
and warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction
International Transfers DPA between Hidynotes and subprocesses is included in the Terms of Service and takes effect automatically.
Hidynotes may transfer personal data from the AUS, FRANCE and the US for the purposes of this DPA. Hidynotes agrees it will provide at least the same level of privacy protection for AUS Personal Data as required for the U.S., FRANCE & AUS.Hidynotes Personnel Persons authorized by Hidynotes to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security Hidynotes shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, damage, theft, alteration, access or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
Subprocessing Hidynotes may hire other companies to provide limited services on its behalf, provided that Hidynotes complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Hidynotes has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Hidynotes remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Hidynotes transfers personal data will have entered into written agreements with Hidynotes requiring that the subcontractor abide by terms substantially similar to this DPA.
A list of Hidynotes current Subprocessors is available at https://Hidynotes.com/gdpr (as updated from time to time).
If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing Hidynotes support ([email protected]). Hidynotes will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Hidynotes reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Hidynotes, terminate the Agreement.Data Subject Rights Customer is responsible for responding to Data Subject requests using its own access to the relevant Personal Data. At Customer’s request, Hidynotes will provide reasonable assistance to Customer, to the extent Customer is unable to access the relevant Personal Data after diligent reasonable efforts. Taking into account the nature of the Processing, and solely to the extent Customer cannot access Personal Data itself, Hidynotes shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the GDPR and the CCPA. To the extent legally permitted, Customer shall be responsible for any costs arising from Hidynotes’s provision of such assistance.
Hidynotes will without undue delay notify Customer if Hidynotes receives a request directly from a Data Subject under Data Protection Laws in respect of Personal Data. Hidynotes will not respond to such request except on the documented instructions of Customer or as required by applicable law.Personal Data Breach If Hidynotes becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Hidynotes in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Hidynotes shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
At the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return such personal data to Customer. If the Customer wants to destroy his personal data, see paragraph 11 "Privacy Policy".Audit Rights Hidynotes shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Hidynotes in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Hidynotes is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (a) the provision by Hidynotes of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (b) interviews with Hidynotes’ IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Hidynotes’ IT system, data hosting sites or centers, or infrastructure will be permitted. Before the commencement of any such audit, Customer and Hidynotes shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Hidynotes with information regarding any non-compliance discovered during the course of an audit. Customer may not audit Hidynotes more than once annually. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Hidynotes expends for any such audit, in addition to the rates for services performed by Hidynotes.
California Consumer Privacy Act of 2018
Hidynotes is a “Service Provider” as defined in CCPA Section 1798.140(v).
Customer discloses Personal Data to Hidynotes solely for: (i) a valid business purpose; and (ii) Hidynotes to perform the Services.
Hidynotes is prohibited from: (i) selling Personal Data; (ii) retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the Personal Data outside of the Agreement between Hidynotes and Customer.
Hidynotes understands the prohibitions outlined in Section 12.3.
General Terms
Governing law and jurisdiction
The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity; and
This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence
Nothing in this DPA reduces Hidynotes's obligations under the Agreement in relation to the protection of Personal Data or permits Hidynotes to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement.
Subject to Section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Changes in Data Protection Laws.
If any variation is required to this DPA as a result of a change in Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes. If Customer gives notice under this Section 12.5, the parties shall without undue delay discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice (to the extent such variations are reasonable with regard to Hidynotes’s business operations) as soon as is reasonably practicable.
Severance
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Liability
For the avoidance of doubt, as between the parties to this DPA, each party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
Term This DPA shall remain in effect as long as Hidynotes carries out Personal Data processing operations on behalf of Customer or until the termination of the Hidynotes Contract (and all Personal Data has been deleted in accordance).