Legal Information

Data Processing Agreement (DPA) 

Agreement for the processing of personal data on behalf of a controller pursuant to Article 28(3) and (4) of Regulation (EU) 2016/679 (“General Data Protection Regulation”, or “GDPR”). 

This data processing agreement is effective as of the last signature date of a purchase order (“Order”) and is between inCTRL, Inc. (“inCTRL”) and the other signatory to the Order (“Customer”). inCTRL and Customer are parties to a Software as a Service Agreement (including the opsCTRL Terms & Conditions, Order or any other agreement referencing this DPA), hereinafter referred to as the “Main Agreement”.

 

1. SUBJECT MATTER OF THE AGREEMENT 

For the provision of services under the Main Agreement, it is necessary for inCTRL to process personal data for which the Customer acts as the controller within the meaning of the data protection regulations (hereinafter referred to as “Customer Data”). This contract specifies the rights and obligations of the parties under data protection law in connection with inCTRL’s handling of Customer Data for the purpose of providing services under the Main Agreement. 

 

2. SCOPE OF DATA PROCESSING 

2.1

inCTRL shall process the Customer Data on behalf of and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR. The Customer shall remain the responsible controller in the sense of applicable data protection law. 

2.2

The processing of Customer Data by inCTRL shall be carried out in the type, to the extent and for the purpose specified in Schedule 1 to this agreement; the processing concerns the types of personal data and categories of data subjects designated therein. The term of the processing shall correspond to the term of the Main Agreement. 

2.3

inCTRL is permitted to process Customer Data outside the EU/EEA in compliance with the provisions of this Agreement, provided that the requirements of Articles 44 – 48 of the GDPR are met or an exception pursuant to Article 49 of the GDPR applies. In case inCTRL processes Customer Data outside the EU/EEA, inCTRL and Customer shall enter into the Standard Contractual Clauses, as set out at Schedule 4 to this agreement, such clauses being incorporated into and forming part of this agreement. To the extent that this agreement conflicts with the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. 

 

3. INSTRUCTIONS OF THE CUSTOMER 

3.1

InCTRL shall process the Customer Data in accordance with the Customer’s instructions, unless inCTRL is required by law to process them otherwise. In the latter case, inCTRL shall notify the Customer of these legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest. 

3.2

In general, the instructions of the Customer regarding the inCTRL data processing on behalf of Customer are conclusively defined and laid down in the provisions of this agreement. Individual instructions which deviate from the provisions of this agreement, or which impose additional requirements shall require the prior consent of inCTRL. Any additional costs incurred by inCTRL because of such deviating instructions shall be borne by the Customer. 

3.3

InCTRL warrants that it will process the Customer Data in accordance with the Customer’s instructions. If inCTRL is of the opinion that an instruction of the Customer violates this agreement or the applicable data protection law, it shall be entitled, after notifying the Customer accordingly, to suspend the execution of the instruction until the Customer confirms the instruction. The parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer. 

 

4. CUSTOMER AS THE DATA CONTROLLER 

The Customer shall be solely responsible for the lawfulness of the processing of the Customer Data as well as for the protection of the rights of the data subjects in the relationship between the parties. Should third parties assert claims against inCTRL based on the processing of Customer Data in accordance with this Agreement, the Customer shall indemnify inCTRL against all such claims upon first request. 

 

5. REQUIREMENTS FOR PERSONNEL 

InCTRL shall require all persons processing Customer Data to maintain confidentiality with respect to the processing of Customer Data. 

 

6. SECURITY OF PROCESSING 

6.1

InCTRL shall, in accordance with Article 32 of the GDPR, take the necessary, appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of the Customer Data as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection for the Customer Data appropriate to the risk. Where inCTRL becomes aware that the implemented technical and organizational measures do not fulfil the requirements of this Section 6.1, it shall adopt measures that do. 

6.2

InCTRL is permitted to change or adapt technical and organizational measures during the term of the contract if they continue to meet the legal requirements. inCTRL shall inform the Customer about significant changes of the implemented technical and organizational measures. 

 

7. SUBPROCESSORS 

7.1

The Customer hereby grants inCTRL general permission to involve further processors regarding the processing of Customer Data. The subprocessors engaged at the time of conclusion of the agreement are listed in Schedule 3. 

7.2

InCTRL shall inform the Customer of any intended changes regarding the involvement or replacement of further subprocessors. In individual cases, the Customer shall have the right to object to the engagement of additional subprocessors. An objection may only be raised by the Customer for good cause to be proven to inCTRL, or if the Customer can demonstrate that the additional subprocessor does not comply with applicable data protection laws. If the Customer does not raise an objection within one month after receipt of the notification, its right to object to the corresponding sub-processor engagement shall expire. If the Customer raises an objection justified other than by the subprocessor’s inability to fulfil applicable data security requirements and an amicable solution cannot be found, inCTRL shall be entitled to terminate the Main Agreement and this agreement with a notice period of 3 months. 

7.3

The agreement between inCTRL and the additional sub-processor shall impose the same obligations on the latter as are imposed on inCTRL by virtue of this agreement. The parties agree that this requirement is met if the contract has a level of protection corresponding to this agreement or if the obligations set out in Article 28 (3) of the GDPR are imposed on the sub-processor. 

7.4

Subject to compliance with the requirements of Section 2.3 of this Agreement, the rules in this Section 7 shall also apply if a sub-processor in a third country is involved.  

 

8. DATA SUBJECT RIGHTS 

8.1

InCTRL shall support the Customer with technical and organizational measures within the scope of what is reasonable to comply with its obligation to respond to legitimate data subject requests. 

8.2

Insofar as a data subject asserts a legitimate request directly against inCTRL, inCTRL shall forward this request to the Customer in a timely manner. 

8.3

InCTRL shall enable the Customer to correct, delete or restrict the further processing of the Customer Data within the scope of what is reasonable and necessary. 

 

9. NOTIFICATION AND SUPPORT OBLIGATIONS OF inCTRL

9.1

Insofar as the Customer is subject to a statutory obligation to report or notify a breach of the protection of Customer Data (in particular pursuant to Art. 33, 34 GDPR), inCTRL shall inform the Customer in a timely manner of any reportable events in its area of responsibility. InCTRL shall support the Customer in fulfilling the reporting and notification obligations at the Customer’s request within the scope of what is reasonable and required. 

9.2

InCTRL shall assist the Customer within the scope of what is reasonable and required in any data protection impact assessments to be carried out by the Customer and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 of the GDPR against reimbursement of the expenses and costs incurred by inCTRL for such assistance. 

 

10. DELETION OF DATA 

10.1

InCTRL shall delete the Customer Data after termination of this Agreement, unless inCTRL is legally obliged to continue storing the Customer Data. 

10.2

Deletion of Customer Data shall take place within 30 days after termination of the Agreement. Upon request, inCTRL shall provide the Customer with a deletion certificate. 

10.3

Documentation which serves as proof of the proper processing of the Customer Data in accordance with the data processing may be retained by inCTRL even after the end of the contract. 

 

11. DEMONSTRATION OF COMPLIANCE 

11.1

InCTRL shall provide the Customer with all necessary information available to inCTRL to prove compliance with its obligations under this Agreement at the Customer’s request. 

11.2

The Customer shall be entitled to verify inCTRL’s compliance with the provisions of this agreement, in particular the implementation of the technical and organizational measures, including by means of inspections. 

11.3

In order to carry out inspections in accordance with Section 11.2, the Customer shall be entitled to enter inCTRL’s business premises where Customer Data are processed during normal business hours (Monday to Friday from 10 a.m. to 6 p.m.) after timely advance notice in accordance with Section 11.5, at its own expense, keeping disruption to business operations to a minimum and subject to strict confidentiality of inCTRL’s trade and business secrets. 

11.4

InCTRL shall be entitled, at its own discretion and taking into account the Customer’s statutory obligations, not to disclose information which is sensitive with regard to inCTRL’s business or if inCTRL would violate statutory or other contractual provisions by disclosing it. The Customer shall not be entitled to have access to data or information on other customers of inCTRL, to information regarding costs, to quality review and contract management reports as well as to any other confidential data of inCTRL which are not directly relevant for the agreed review purposes. 

11.5

The Customer shall inform inCTRL in due time (as a rule at least two weeks in advance) about all circumstances related to the performance of the review. The Customer may carry out one inspection per calendar year. Further inspections shall be carried out if the Customer bears the related costs and after coordination with inCTRL. 

11.6

If the Customer commissions a third party to carry out the inspection, the Customer shall obligate the third party in writing in the same way as the Customer is obligated to inCTRL on the basis of this Section 11 of this Agreement. In addition, the Customer shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. Upon request of inCTRL, the Customer shall immediately submit to inCTRL the obligation agreements with the third party. The Customer may not commission a competitor of inCTRL with the inspection. 

11.7

At inCTRL’s option, proof of compliance with the obligations under this contract may also be furnished by providing a suitable, up-to-date certificate or report from an independent body (e.g., auditor, audit, data protection agency, etc.) instead of the above-mentioned inspection. 

 

12. TERM AND TERMINATION 

The term and termination of this Agreement shall be governed by the provisions governing the term and termination of the Main Agreement. Termination of the Main Agreement shall automatically result in termination of this agreement. An isolated termination of this agreement is excluded. 

 

13. LIABILITY 

The liability of inCTRL under this agreement shall be subject to the exclusions and limitations of liability under the Main Agreement. 

 

14. FINAL PROVISIONS 

14.1

Should individual provisions of this agreement be or become invalid or contain a gap in regulation, the remaining provisions shall remain unaffected. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of Article 28 of the GDPR. 

14.2

In the event of contradictions between this agreement and other agreements between the parties, in particular the Main Agreement, the provisions of this agreement shall prevail. 

 

SCHEDULE 1

DATA PROCESSING PARTICULARS  

The subject matter of the processing 

 

The subject matter of the processing is the performance of the Services pursuant to the Software License Agreement between inCTRL and Customer. For the service to properly function, personal data such as first and last name and email addresses have to be processed by inCTRL. In specific cases, Customer Data might include personal data captured via a camera. 

The nature of the processing 

 

A Customer employee uploads personal data (such as Customer employee data) to a database that is controlled by inCTRL (Software-as-a-Service). 

The type of Customer Data being processed 

 

  • First and last name 
  • Email address 
  • Optional: Picture, job title, department, and name of manager 
  • Other personal data potentially entered by end users of the services into the services 

The categories of data subjects 

  • Customers’ employees 
  • Contractors 
  • Consultants 
  • Other individuals Customer grants access to the inCTRL services 

 

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL MEASURES

inCTRL together with its sub-processor Amazon Web Services maintains the following technical and organizational measures in order to ensure a level of protection appropriate to the risk: 

 

1. CONFIDENTIALITY (ARTICLE 32 PARAGRAPH 1 POINT B GDPR)  

  • Physical Access Control  
    • EMPLOYEE DATA CENTER ACCESS
      AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. 
    • THIRD-PARTY DATA CENTER ACCESS
      Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorized staff. 
  • Surveillance and Detection 
    • CCTV
      Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements. 
    • DATA CENTER ENTRY POINTS
      Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open. 
    • INTRUSION DETECTION
      Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centers for immediate logging, analysis, and response. 
  • Monitoring and Logging 
    • DATA CENTER ACCESS REVIEW
      Access to data centers is regularly reviewed. Access is automatically revoked when an employee’s record is terminated in Amazon’s HR system. In addition, when an employee or contractor’s access expires in accordance with the approved request duration, his or her access is revoked, even if he or she continues to be an employee of Amazon. 
    • DATA CENTER ACCESS LOGS
      Physical access to AWS data centers is logged, monitored, and retained. AWS correlates information gained from logical and physical monitoring systems to enhance security on an as-needed basis. 
    • DATA CENTER ACCESS MONITORING
      We monitor our data centers using our global Security Operations Centers, which are responsible for monitoring, triaging, and executing security programs. They provide 24/7 global support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents by triaging, consulting, analyzing, and dispatching responses. 
  • Electronic Access Control
    No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media. 
  • Internal Access Control (permissions for user rights of access to and amendment of data)
    No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events 
  • Isolation Control
    The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing. 

 

2. INTEGRITY (ARTICLE 32 PARAGRAPH 1 POINT B GDPR) 

  • Device Management 
    • ASSET MANAGEMENT
      AWS assets are centrally managed through an inventory management system that stores and tracks owner, location, status, maintenance, and descriptive information for AWS-owned assets. Following procurement, assets are scanned and tracked, and assets undergoing maintenance are checked and monitored for ownership, status, and resolution. 
    • MEDIA DESTRUCTION
      Media storage devices used to store customer data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned. 
  • Operational Support Systems 
    • POWER
      AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. AWS ensures data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility. 
    • CLIMATE AND TEMPERATURE
      AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels. 
    • FIRE DETECTION AND SUPPRESSION
      AWS data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems. 
    • LEAKAGE DETECTION
      In order to detect the presence of water leaks, AWS equips data centers with functionality to detect the presence of water. If water is detected, mechanisms are in place to remove water in order to prevent any additional water damage. 
  • Data Transfer Control 
    No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature. 
  • Data Entry Control
    Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management. 

 

3. AVAILABILITY AND RESILIENCE (ARTICLE 32 PARAGRAPH 1 POINT B GDPR) 

  • Availability Control 
    Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), virus protection, firewall, reporting procedures and contingency planning. 
  • Rapid Recovery (Article 32 Paragraph 1 Point c GDPR). 
  • Infrastructure Maintenance 
    • EQUIPMENT MAINTENANCE
      AWS monitors and performs preventative maintenance of electrical and mechanical equipment to maintain the continued operability of systems within AWS data centers. Equipment maintenance procedures are carried out by qualified persons and completed according to a documented maintenance schedule. 
    • ENVIRONMENT MANAGEMENT
      AWS monitors electrical and mechanical systems and equipment to enable immediate identification of issues. This is carried out by utilizing continuous audit tools and information provided through our Building Management and Electrical Monitoring Systems. Preventative maintenance is performed to maintain the continued operability of equipment. 

 

4. PROCEDURES FOR REGULAR TESTING, ASSESSMENT AND EVALUATION (ARTICLE 32 PARAGRAPH 1 POINT D GDPR; ARTICLE 25 PARAGRAPH 1 GDPR) 

  • Data Protection Management; 
  • Incident Response Management; 
  • Data Protection by Design and Default (Article 25 Paragraph 2 GDPR); 
  • Order or Contract Control 
    No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks. 
  • Governance & Risk 
    • ONGOING DATA CENTER RISK MANAGEMENT
      The AWS Security Operations Center performs regular threat and vulnerability reviews of data centers. Ongoing assessment and mitigation of potential vulnerabilities is performed through data center risk assessment activities. This assessment is performed in addition to the enterprise-level risk assessment process used to identify and manage risks presented to the business as a whole. This process also takes regional regulatory and environmental risks into consideration. 
    • THIRD-PARTY SECURITY ATTESTATION
      Third-party testing of AWS data centers, as documented in our third-party reports, ensures AWS has appropriately implemented security measures aligned to established rules needed to obtain security certifications. Depending on the compliance program and its requirements, external auditors may perform testing of media disposal, review security camera footage, observe entrances and hallways throughout a data center, test electronic access control devices, and examine data center equipment. 

 

SCHEDULE 3

SUB-PROCESSORS 

The following sub-processors are listed with their HQ location, the services they provide, the link to their DPA and the data hosting location. 

inCTRL Solutions Inc. 
  • HQ Location: 80 Atlantic Ave, Toronto ON M6K 1X9 Canada 
  • Services: Support Services 
  • Link to DPA: N/A 
  • Data Hosting Location: N/A 

inCTRL Solutions Corp. 
  • HQ Location: 2825 East Cottonwood Parkway Suite 500, Cottonwood Heights, UT 84151 
  • Services: Support Services 
  • Link to DPA: N/A 
  • Data Hosting Location: N/A 

inCTRL Solutions LTD c/o Enpure LTD 
  • HQ Location: Enpure House, Parkland Business Park, Rubery, Birmingham, B45 9PZ 
  • Services: Support Services 
  • Link to DPA: N/A 
  • Data Hosting Location: N/A 

Twilio/Sendgrid 
  • HQ Location: San Francisco, USA 
  • Services: Processing text messages and voice alerts for system alarms and warnings. 
  • Link to DPA: 
    • https://www.dataprivacyframework.gov/participant/5394 
    • https://www.twilio.com/en-us/legal/privacy 
    • https://www.twilio.com/en-us/legal/data-protection-addendum 
  • Data Hosting Location: USA 

PIWIK PRO 
  • HQ Location: Kurfürstendamm 21, 10719 Berlin 
  • Services: Shows anonymized analytics of application usage. Tracks analytic cookies. 
  • Link to DPA: 
    • https://piwik.pro/privacy-policy/ 
    • https://piwik.pro/privacy-security/ 
  • Data Hosting Location: The collection and storage of said personal data by the Contractor takes place exclusively within a processing region. Piwik PRO offers the following data storage locations: 
    • EU West: Netherlands & Ireland 
    • DE Central: Germany 
    • US East: United States 
    • Southeast Asia: Hong Kong 

Stonly 
  • HQ Location: 36 rue Chaptal, 92300 Levallois, USA 
  • Services: Overlays instructional documentation within our applications. Uses cookies to track logins but anonymizes the data to us. 
  • Link to DPA: 
    • https://trust.stonly.com/ 
    • Privacy and data protection policy | Stonly 
  • Data Hosting Location: USA, France, EU 

Google Maps API 
  • HQ Location: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA 
  • Services: Plant and asset locations transmitted for mapping. 
  • Link to DPA: 
    • https://www.dataprivacyframework.gov/participant/5780 
    • https://cloud.google.com/terms/data-processing-addendum 
  • Data Hosting Location: N/A 

Termly 
  • HQ Location: 906 W 2nd Ave Ste 100, Spokane, Washington, 99201, United States 
  • Services: Consent records for cookie management 
  • Link to DPA: 
    • https://www.dataprivacyframework.gov/participant/874 
    • https://termly.io/our-privacy-policy/ 
  • Data Hosting Location: Data can be stored in the USA and Europe based on the customer location 

Atlassian 
  • Services: Service desk, which contains user name, email address, etc. 
  • Link to DPA: https://www.privacyshield.gov/ps/participant?id=a2zt00000008RdQAAU 
  • Data Hosting Location: Atlassian’s Data Residency feature to pin data to specific regions, including the US, EU, Germany, Australia, Singapore, Canada, Japan, South Korea, and the UK. 

Amazon Web Services 
  • HQ Location: Seattle, USA 
  • Services: Database storage of user activity, contact details, and account association. 
  • Link to DPA: https://aws.amazon.com/compliance/gdpr-center/#:~:text=How%20can%20I%20prove%20to,on%20protection%20of%20customer%20data 
  • Data Hosting Location: Ireland 

Tawk.to Chat 
  • HQ Location: USA 
  • Services: Enables chat discussions for support of the application. 
  • Link to DPA: 
    • https://www.dataprivacyframework.gov/participant/4876 
    • https://www.tawk.to/data-protection/dpa-data-processing-addendum/ 
  • Data Hosting Location: USA 

Vimeo 
  • HQ Location: New York, USA 
  • Services: Video storage of individuals uploading content. 
  • Link to DPA: 
    • https://www.dataprivacyframework.gov/list 
    • https://vimeo.com/legal/enterprise-terms/dpa 
  • Data Hosting Location: USA 

Onesignal 
  • HQ Location: Netherlands 
  • Services: Service for push notification 
  • Link to DPA: 
    • https://documentation.onesignal.com/docs/en/data-questions 
    • https://onesignal.com/privacy_policy 
    • https://onesignal.com/dpa 
  • Data Hosting Location: Netherlands 

Zapier 
  • Services: Only used when there are phone-call alarm delivery methods (not for SMS, email, or Push) 
  • Link to DPA: https://zapier.com/legal/data-privacy 
  • Data Hosting Location: USA 

Hubspot 
  • HQ Location: 2 Canal Park Cambridge, MA 02141 USA 
  • Services: Sales and Licensing data 
  • Link to DPA: 
    • https://www.dataprivacyframework.gov/participant/5812 
    • https://trust.hubspot.com/?_gl=1*isuezz*_ga*Nzk1MTIxMDMyLjE3NzQ4MjEzOTI 
    • https://legal.hubspot.com/privacy-policy 
    • https://legal.hubspot.com/dpa 
  • Data Hosting Location: USA 

Airtable 
  • HQ Location: 1 Front Street, Floor 28, San Francisco, CA 94111 USA 
  • Services: Licensing data for billing 
  • Link to DPA: 
    • https://www.airtable.com/company/msa 
    • https://support.airtable.com/docs/gdpr-at-airtable 
  • Data Hosting Location: USA 

The Provider warrants that any subprocessors located in the United States are either certified under the EU-U.S. Data Privacy Framework or that the Provider has implemented appropriate safeguards to ensure an adequate level of data protection, including, as applicable, the EU Standard Contractual Clauses.