This Data Processing Addendum (“DPA”), forms part of the Agreement between Heartbeat Chat, Inc. (“Heartbeat”) and you, a Community Owner on Heartbeat. It was first effective on September 22, 2022.
1. Definitions
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as “controller,” “data subject,” “personal data,” “processing,” and “processor” will have the same meaning as set forth in the Applicable Data Protection Legislation.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“Agreement” means Heartbeat’s Terms of Use, which govern the provision of the Services to Community Owner, as such terms may be updated by Heartbeat from time to time.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"Applicable Data Protection Legislation" refers to laws and regulations applicable to Heartbeat's processing of personal data under the Agreement, including but not limited to (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2019 (together, "UK Data Protection Laws"), (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"), (d) CCPA, and (e) Australian Privacy Principles and the Australian Privacy Act (1988), in each case, as may be amended, superseded or replaced.
“Europe” means, for the purposes of this DPA, the member states of the European Economic Area, Switzerland and the United Kingdom.
“Community Data” means any personal data that Heartbeat processes on behalf of Community Owner as a processor in the course of providing Services, as more particularly described in this DPA. Community Data means all personal data provided directly by Community Owner to Heartbeat, and all personal data that Members of Community Owner’s Community provide when they register for and participate in Community Owner’s Community.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Community Data.
“Services” means any product or service provided by Heartbeat to Community Owner pursuant to the Agreement.
“Standard Contractual Clauses” means Schedule 1, attached to and forming part of this DPA pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Subprocessors” means the other processors that are used by Heartbeat to process Personal Data.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.
2. Relationship with the Agreement
2.1 The parties agree that the DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Community Owner further agrees that any regulatory penalties incurred by Heartbeat in relation to the Community Data that arise as a result of, or in connection with, Community Owner’s failure to comply with its obligations under this DPA or any Applicable Data Protection Legislation shall reduce Heartbeat’s liability under the Agreement.
2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. Data subjects are third party beneficiaries of the Standard Contractual Clauses at Schedule I.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Legislation.
3. Scope and Applicability of this DPA
3.1 This DPA applies where and only to the extent that Heartbeat processes, on behalf of Community Owner, Community Data that originates from Europe or that is otherwise subject to EU Data Protection Law, in the course of providing Services pursuant to the Agreement.
4. Roles and Scope of Processing
4.1 Role of the Parties.
As between Heartbeat and Community Owner, Community Owner is the controller of Community Data, and Heartbeat shall process Community Data only as a processor acting on behalf of Community Owner.
4.2 Community Owner Processing of Community Data.
Community Owner agrees that (i) it shall comply with its obligations as a controller under Applicable Data Protection Legislation in respect of its processing of Community Data and any processing instructions it issues to Heartbeat; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Applicable Data Protection Legislation for Heartbeat to process Community Data and provide the Services pursuant to the Agreement and this DPA.
4.3 Heartbeat Processing of Community Data.
Heartbeat shall process Community Data only for the purposes described in this DPA and only in accordance with Community Owner’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Community Owner’s complete and final instructions to Heartbeat in relation to the processing of Community Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Community Owner and Heartbeat.
4.4 Details of Data Processing
a. Subject matter: The subject matter of the data processing under this DPA is the Community Data.
b. Duration: As between Heartbeat and Community Owner, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
c. Purpose: The purpose of the data processing under this DPA is to provide the Services to the Community Owner, to perform Heartbeat’s obligations under the Agreement (including this DPA), to analyze the use of Heartbeat, to comply with the law, to prevent misuse of the Services, and as otherwise agreed by the parties.
d. Nature of the processing: Heartbeat provides a platform for Community Owners to create and manage communities dedicated to an individual, identity, or interest. Community Owners invite people (“Members”) to connect with each other, to message, and to exchange information and content. Community Owners tailor their Community by the Members they invite, the conversations they organize, what they call their Community, and additional branding they may choose to use.
e. Categories of data subjects: Any individual accessing and/or using the Services through the Community Owner’s account (“Users”); and any individual who joins one of Community Owner’s Communities (collectively, Members).
f. Types of Community Data:
i. Community Owner and Users: Identification and contact data (name, email address); IT information (IP addresses, usage data, and browser data); financial information (credit card details, account details, payment information);
ii. Members: Identification and contact data (name, email address, links to social media if provided by Member); IT information (IP addresses, usage data, and browser data); financial information if Member must pay to join Community (credit card details, account details, payment information); content produced by Member during Community usage (bio, posts, comments, chat messages); and all other information provided by Member to Community.
4.5 Disclosures for Legitimate Business Purposes: Notwithstanding anything to the contrary in the Agreement (including this DPA), Community Owner acknowledges that Heartbeat shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
4.6 Tracking Technologies.
Community Owner acknowledges that in connection with the performance of the Services, Heartbeat and its service providers employ the use of cookies, unique identifiers, and similar tracking technologies (“Tracking Technologies”). Heartbeat shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Applicable Data Protection Legislation to enable it and its service providers to deploy Tracking Technologies lawfully.
5. Subprocessing
5.1 Authorized Subprocessors.
Community Owner agrees that Heartbeat may engage Subprocessors to process Community Data on Community Owner’s behalf.
5.2 Subprocessor Obligations.
Heartbeat shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Community Data to the standard required by Applicable Data Protection Legislation; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Heartbeat to breach any of its obligations under this DPA.
5.3 The list of Subprocessors as of the Effective Date is here. Heartbeat shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Community Owner. The Subprocessor list shall be updated on a regular basis.
5.4 Heartbeat shall inform Community Owner of any intended changes concerning the addition or replacement of Subprocessors. Such notification shall be provided by posting the updated list on Heartbeat's website and sending written notice to Community Owner at least five (5) business days in advance of the intended change, thereby giving Community Owner the opportunity to object to such changes on reasonable data protection grounds.
Community Owner may object in writing to Heartbeat's appointment of additional or replacement Subprocessors, provided that such objection is based on reasonable grounds relating to data protection. If Community Owner notifies Heartbeat in writing of any objections within five (5) business days of receipt of the notice, Heartbeat shall take reasonable steps to address the objections raised by Community Owner, including but not limited to:
a. Providing additional safeguards or contractual protections;
b. Seeking alternative Subprocessors; or
c. Modifying the scope of processing by the Subprocessor objected to.
If Community Owner and Heartbeat are not able to resolve the appointment of a new Subprocessor within thirty (30) days of Community Owner's objection, Community Owner shall have the right to terminate the Agreement with respect to those Services that cannot be provided without the use of the Subprocessor objected to, without penalty and with a pro-rata refund of any prepaid fees.
6. Security
6.1 Security Measures.
a. Measures of pseudonymisation and encryption of personal data: All datastores containing personal data are fully encrypted at rest and passwords are symmetrically encrypted within the tables. All intra-application transfer of data is within Amazon Web Services’ secure networking environments and inter-application transfers utilize SSL encryption.
b. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: All systems reside in Amazon Web Services virtual private networks and ingress traffic is controlled through edge network web application firewalls. Compute is highly available in multiple regions and load balanced via Amazon Web Services elastic load balancing. Databases are backed up daily.
c. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: System and organizational measures are conducted through automation via Sqreen and penetration tests are conducted manually once a year.
d. Measures for the protection of data during transmission: All data transmission channels to and from processors are SSL encrypted.
e. Measures for the protection of data during storage: All datastores containing personal data are fully encrypted at rest.
f. Measures for ensuring physical security of locations at which personal data are processed: We rely on our data center provider (AWS) to ensure physical security. Below is a copy of the Physical Access Policy for AWS data centers.
EMPLOYEE DATA CENTER ACCESS
AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
THIRD-PARTY DATA CENTER ACCESS
Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorized staff.
g. Measures for ensuring events logging: All source control changes are auditable through the GitHub audit trail. All infrastructure access, authorization, and authentication are auditable through Amazon Web Services CloudTrail. All application traces are captured via Papertrail.
h. Measures for ensuring system configuration, including default configuration: We use standard industry best practices such as infrastructure as code to perform system
6.2 Updates to Security Measures.
Community Owner is responsible for reviewing the information made available by Heartbeat relating to data security and making an independent determination as to whether the Services meet Community Owner’s requirements and legal obligations under Applicable Data Protection Legislation. Community Owner acknowledges that the Security Measures are subject to technical progress and development and that Heartbeat may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
6.3 Community Owner Responsibilities.
Notwithstanding the above, Community Owner agrees that except as provided by this DPA, Community Owner is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any User Data uploaded to the Services. Community Owner understands that the Services are hosted on Amazon cloud servers.
6.4 Confidentiality of processing.
Heartbeat shall ensure that any person who is authorized by Heartbeat to process Community Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
6.5 Security Incident Response.
Upon becoming aware of a Security Incident, Heartbeat shall notify Community Owner without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Community Owner. Heartbeat shall fully cooperate and assist with Community Owner’s investigation, containment and mitigation efforts.
6.6 Disaster Recovery
For all systems used in connection with the Services, Heartbeat shall establish and maintain arrangements for emergency backup services and resources that assure uninterrupted delivery of the Services to the extent reasonably practicable. If a disaster occurs at and/or affects the facilities and interrupts the Services, whether or not covered by a written disaster recovery plan in existence as of the effective date, Heartbeat shall take all commercially reasonable measures to minimize the damage caused by any impairment of the Services resulting from the disaster and avoid recurrence.
7. Audit Rights
7.1 Information Access and Demonstration of Compliance.
Heartbeat shall make available to Community Owner all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Community Owner or another auditor mandated by Community Owner.
7.2 Audit Rights.
Community Owner may conduct an audit of Heartbeat's compliance with this DPA no more than once per calendar year, upon reasonable written notice of at least thirty (30) days. Such audits shall be conducted during regular business hours and in a manner that does not unreasonably interfere with Heartbeat's business operations. Community Owner may appoint a qualified third-party auditor to conduct the audit on its behalf, provided such auditor is bound by confidentiality obligations at least as restrictive as those set forth in the Agreement.
7.3 Alternative Compliance Verification.
In lieu of an audit, Heartbeat may provide Community Owner with certifications, audit reports, or other documentation from recognized standards organizations (such as ISO 27001, SOC 2, or equivalent) that demonstrate Heartbeat's compliance with relevant security and data protection standards.
7.4 Confidentiality of Audit Information.
All information obtained during an audit shall be treated as confidential and proprietary to Heartbeat. Community Owner and any third-party auditor shall not disclose such information to any third party without Heartbeat's prior written consent, except as required by applicable law or regulation.
7.5 Records of Processing Activities.
Heartbeat shall maintain records of all categories of processing activities carried out on behalf of Community Owner in accordance with Article 30(2) of the GDPR and shall make such records available to Community Owner or competent supervisory authorities upon request.
8. International Transfers
8.1 Data center locations.
Heartbeat may transfer and process Community Data anywhere in the world where Heartbeat, its Affiliates or its Subprocessors maintain data processing operations. Heartbeat shall at all times provide an adequate level of protection for the Community Data collected, transferred, processed, or retained in accordance with the requirements of Applicable Data Protection Legislation.
8.2 Standard Contractual Clauses.
Heartbeat will not process Community Data related to personal data of data subjects located in Europe in a location outside of Europe, except pursuant to the Standard Contractual Clauses (attached as Schedule 1) or any replacement thereof.
8.3 UK Standard Contractual Clauses.
If the UK GDPR applies to the transferred Personal Data, the SCCs as incorporated under Section 8.2 shall apply with the following modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be populated with the information from Annex I & Annex II in Schedule 1; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
8.4 Changes in the Law.
To the extent that Community Owner or Heartbeat are relying on a specific statutory mechanism to normalize international data transfers (namely, Standard Contractual Clauses) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Heartbeat and Community Owner agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.
9. Return or Deletion of Data
9.1 Upon termination or expiration of the Agreement, Heartbeat shall (at Community Owner's election) delete or return to Community Owner all Community Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Heartbeat is required by applicable law to retain copies of some or all of the Community Data.
With respect to Community Data contained in backup systems, Heartbeat shall:
a. Securely isolate such Community Data from any further processing, except to the extent required by applicable law;
b. Delete such Community Data from backup systems as soon as technically feasible in accordance with Heartbeat's standard backup retention policies, but in no event longer than ninety (90) days after termination or expiration of the Agreement; and
c. Upon Community Owner's written request, provide written confirmation of the deletion of Community Data from backup systems.
This requirement shall not apply to the extent that Heartbeat is required by applicable law to retain copies of some or all of the Community Data, in which case Heartbeat shall inform Community Owner of any such legal requirement and shall continue to protect such Community Data in accordance with this DPA for as long as such retention is legally required.
10. Cooperation
10.1 The Services provide Community Owners and Members with controls that Community Owners and Members may use to retrieve, correct, delete or restrict Community Data, which Community Owner may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Community Owner is unable to independently access the relevant Community Data within the Services, Heartbeat shall (at Community Owner’s expense) provide reasonable cooperation to assist Community Owner to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the Agreement. In the event that any such request is made directly to Heartbeat, Heartbeat shall not respond to such communication directly without Community Owner’s prior authorization, unless legally compelled to do so. If Heartbeat is required to respond to such a request, Heartbeat shall promptly notify Community Owner and provide it with a copy of the request unless legally prohibited from doing so.
10.2 If a law enforcement agency sends Heartbeat a demand for Community Data (for example, through a subpoena or court order), Heartbeat shall attempt to redirect the law enforcement agency to request that data directly from Community Owner. As part of this effort, Heartbeat may provide Community Owner’s basic contact information to the law enforcement agency. If compelled to disclose Community Data to a law enforcement agency, then Heartbeat shall give Community Owner reasonable notice of the demand to allow Community Owner to seek a protective order or other appropriate remedy unless Heartbeat is legally prohibited from doing so.
10.3 To the extent Heartbeat is required under Applicable Data Protection Legislation, Heartbeat shall (at Community Owner's expense) provide reasonably requested information regarding the Services to enable the Community Owner to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
10.4 Heartbeat shall, taking into account the nature of the processing, assist Community Owner by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Community Owner's obligations to respond to requests for exercising data subject rights, including but not limited to:
a. Right of access (Article 15 GDPR);
b. Right to rectification (Article 16 GDPR);
c. Right to erasure/right to be forgotten (Article 17 GDPR);
d. Right to restriction of processing (Article 18 GDPR);
e. Right to data portability (Article 20 GDPR);
f. Right to object to processing (Article 21 GDPR); and
g. Rights related to automated decision making, including profiling (Article 22 GDPR).
11. Changes in Data Protection Laws
11.1 Heartbeat may modify or supplement this Addendum, with reasonable notice to the Community Owner: (i) If required to do so by a supervisory authority or other government or regulatory entity; (ii) If necessary to comply with applicable law; (iii) To implement new or updated Standard Contractual Clauses approved by the European Commission; or (iv) To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.