This Data Processing Addendum (“DPA”) forms part of the Agreement between Heartbeat Chat, Inc. (“Heartbeat”) and you, a Community Owner on Heartbeat. It was first effective on September 22, 2022.
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as “controller,” “data subject,” “personal data,” “processing,” and “processor” will have the same meaning as set forth in the Applicable Data Protection Legislation.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"Applicable Data Protection Legislation" refers to laws and regulations applicable to Heartbeat's processing of personal data under the Agreement, including but not limited to (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2019 (together, "UK Data Protection Laws"), (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"), (d) CCPA, and (e) Australian Privacy Principles and the Australian Privacy Act (1988), in each case, as may be amended, superseded or replaced.
“Europe” means, for the purposes of this DPA, the member states of the European Economic Area, Switzerland and the United Kingdom.
“Community Data” means any personal data that Heartbeat processes on behalf of Community Owner as a processor in the course of providing Services, as more particularly described in this DPA. Community Data means all personal data provided directly by Community Owner to Heartbeat, and all personal data that Members of Community Owner’s Community provide when they register for and participate in Community Owner’s Community.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Community Data.
“Services” means any product or service provided by Heartbeat to Community Owner pursuant to the Agreement.
“Standard Contractual Clauses” means Schedule 1, attached to and forming part of this DPA pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Subprocessors” means the other processors that are used by Heartbeat to process Personal Data.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.
2. Relationship with the Agreement
2.1 The parties agree that the DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Community Owner further agrees that any regulatory penalties incurred by Heartbeat in relation to the Community Data that arise as a result of, or in connection with, Community Owner’s failure to comply with its obligations under this DPA or any Applicable Data Protection Legislation shall reduce Heartbeat’s liability under the Agreement.
2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms. Data subjects are third party beneficiaries of the Standard Contractual Clauses at Schedule I.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Legislation.
3. Scope and Applicability of this DPA
3.1 This DPA applies where and only to the extent that Heartbeat processes, on behalf of Community Owner, Community Data that originates from Europe or that is otherwise subject to EU Data Protection Law in the course of providing Services pursuant to the Agreement.
4. Roles and Scope of Processing
4.1 Role of the Parties.
As between Heartbeat and Community Owner, Community Owner is the controller of Community Data, and Heartbeat shall process Community Data only as a processor acting on behalf of Community Owner.
4.2 Community Owner Processing of Community Data.
Community Owner agrees that (i) it shall comply with its obligations as a controller under Applicable Data Protection Legislation in respect of its processing of Community Data and any processing instructions it issues to Heartbeat; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Applicable Data Protection Legislation for Heartbeat to process Community Data and provide the Services pursuant to the Agreement and this DPA.
4.3 Heartbeat Processing of Community Data.
Heartbeat shall process Community Data only for the purposes described in this DPA and only in accordance with Community Owner’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Community Owner’s complete and final instructions to Heartbeat in relation to the processing of Community Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Community Owner and Heartbeat.
4.4 Details of Data Processing
a. Subject matter: The subject matter of the data processing under this DPA is the Community Data.
b. Duration: As between Heartbeat and Community Owner, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
c. Purpose: The purpose of the data processing under this DPA is to provide the Services to the Community Owner, to perform Heartbeat’s obligations under the Agreement (including this DPA), to analyze the use of Heartbeat, to comply with the law, to prevent misuse of the Services, and as otherwise agreed by the parties.
d. Nature of the processing: Heartbeat provides a platform for Community Owners to create and manage communities dedicated to an individual, identity, or interest. Community Owners invite people (“Members”) to connect with each other, to message, and to exchange information and content. Community Owners tailor their Community by the Members they invite, the conversations they organize, what they call their Community, and additional branding they may choose to use.
e. Categories of data subjects: Any individual accessing and/or using the Services through the Community Owner’s account (“Users”); and any individual who joins one of Community Owner’s Communities (collectively, Members).
f. Types of Community Data:
i. Community Owner and Users: Identification and contact data (name, email address); IT information (IP addresses, usage data, and browser data); financial information (credit card details, account details, payment information);
ii. Members: Identification and contact data (name, email address, links to social media if provided by Member); IT information (IP addresses, usage data, and browser data); financial information if Member must pay to join Community (credit card details, account details, payment information); content produced by Member during Community usage (bio, posts, comments, chat messages); and all other information provided by Member to Community.
4.5 Disclosures for Legitimate Business Purposes: Notwithstanding anything to the contrary in the Agreement (including this DPA), Community Owner acknowledges that Heartbeat shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
4.6 Tracking Technologies.
5.1 Authorized Subprocessors.
Community Owner agrees that Heartbeat may engage Subprocessors to process Community Data on Community Owner’s behalf.
5.2 Subprocessor Obligations.
Heartbeat shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Community Data to the standard required by Applicable Data Protection Legislation; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Heartbeat to breach any of its obligations under this DPA.
5.3 The list of Subprocessors as of the Effective Date is here. Heartbeat shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Community Owner. The Subprocessor list shall be updated on a regular basis.
5.4 Heartbeat shall give Community Owner prior written notice of the appointment of any new Subprocessor by posting the updated list. Community Owner may object in writing to Heartbeat’s appointment of additional Subprocessors, provided that such objection is based on reasonable grounds relating to data protection. If, within five (5) business days of receipt of that notice, Community Owner notifies Heartbeat in writing of any objections (on reasonable grounds) to the proposed appointment, Heartbeat shall take reasonable steps to address the objections raised by Community Owner. If Community Owner and Heartbeat are not able to resolve the appointment of a new Subprocessor within a reasonable period, Community Owner shall have the right to terminate the Agreement (without refund or prejudice to any fees incurred by Community Owner prior to suspension or termination).
6.1 Security Measures.
a. Measures of pseudonymisation and encryption of personal data: All datastores containing personal data are fully encrypted at rest and passwords are symmetrically encrypted within the tables. All intra-application transfer of data is within Amazon Web Services’ secure networking environments and inter-application transfers utilize SSL encryption.
b. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: All systems reside in Amazon Web Services virtual private networks and ingress traffic is controlled through edge network web application firewalls. Compute is highly available in multiple regions and load balanced via Amazon Web Services elastic load balancing. Databases are backed up daily.
c. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: System and organizational measures are conducted through automation via Sqreen and penetration tests are conducted manually once a year.
d. Measures for the protection of data during transmission: All data transmission channels to and from processors are SSL encrypted.
e. Measures for the protection of data during storage: All datastores containing personal data are fully encrypted at rest.
f. Measures for ensuring physical security of locations at which personal data are processed: We rely on our data center provider (AWS) to ensure physical security. Below is a copy of the Physical Access Policy for AWS data centers.
EMPLOYEE DATA CENTER ACCESS
AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
THIRD-PARTY DATA CENTER ACCESS
Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorized staff.
g. Measures for ensuring events logging: All source control changes are auditable through the GitHub audit trail. All infrastructure access, authorization, and authentication are auditable through Amazon Web Services CloudTrail. All application traces are captured via Papertrail.
h. Measures for ensuring system configuration, including default configuration: We use standard industry best practices such as infrastructure as code to perform system
6.2 Updates to Security Measures.
Community Owner is responsible for reviewing the information made available by Heartbeat relating to data security and making an independent determination as to whether the Services meet Community Owner’s requirements and legal obligations under Applicable Data Protection Legislation. Community Owner acknowledges that the Security Measures are subject to technical progress and development and that Heartbeat may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
6.3 Community Owner Responsibilities.
Notwithstanding the above, Community Owner agrees that except as provided by this DPA, Community Owner is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any User Data uploaded to the Services. Community Owner understands that the Services are hosted on Amazon cloud servers.
6.4 Confidentiality of processing.
Heartbeat shall ensure that any person who is authorized by Heartbeat to process Community Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
6.5 Security Incident Response.
Upon becoming aware of a Security Incident, Heartbeat shall notify Community Owner without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Community Owner. Heartbeat shall fully cooperate and assist with Community Owner’s investigation, containment and mitigation efforts.
6.6 Disaster Recovery
For all systems used in connection with the Services, Heartbeat shall establish and maintain arrangements for emergency backup services and resources that assure uninterrupted delivery of the Services to the extent reasonably practicable. If a disaster occurs at and/or affects the facilities and interrupts the Services, whether or not covered by a written disaster recovery plan in existence as of the effective date, Heartbeat shall take all commercially reasonable measures to minimize the damage caused by any impairment of the Services resulting from the disaster and avoid recurrence.
7.1 Upon reasonable request, Heartbeat will verify its compliance with this DPA, provided that Community Owner shall not exercise this right more than once per year.
8. International Transfers
8.1 Data center locations.
Heartbeat may transfer and process Community Data anywhere in the world where Heartbeat, its Affiliates or its Subprocessors maintain data processing operations. Heartbeat shall at all times provide an adequate level of protection for the Community Data collected, transferred, processed, or retained in accordance with the requirements of Applicable Data Protection Legislation.
8.2 Standard Contractual Clauses.
Heartbeat will not process Community Data related to personal data of data subjects located in Europe in a location outside of Europe, except pursuant to the Standard Contractual Clauses (attached as Schedule 1) or any replacement thereof.
8.3 UK Standard Contractual Clauses.
If the UK GDPR applies to the transferred Personal Data, the SCCs as incorporated under Section 8.2 shall apply with the following modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be populated with the information from Annex I & Annex II in Schedule 1; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
8.4 Changes in the Law.
To the extent that Community Owner or Heartbeat are relying on a specific statutory mechanism to normalize international data transfers (namely, Standard Contractual Clauses) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Heartbeat and Community Owner agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.
9. Return or Deletion of Data
9.1 Upon termination or expiration of the Agreement, Heartbeat shall (at Community Owner’s election) delete or return to Community Owner all Community Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Heartbeat is required by applicable law to retain copies of some or all of the Community Data, or to Community Data it has archived on back-up systems, which Community Data Heartbeat shall securely isolate and protect from any further processing, except to the extent required by applicable law.
10.1 The Services provide Community Owners and Members with controls that Community Owners and Members may use to retrieve, correct, delete or restrict Community Data, which Community Owner may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Community Owner is unable to independently access the relevant Community Data within the Services, Heartbeat shall (at Community Owner’s expense) provide reasonable cooperation to assist Community Owner to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the Agreement. In the event that any such request is made directly to Heartbeat, Heartbeat shall not respond to such communication directly without Community Owner’s prior authorization, unless legally compelled to do so. If Heartbeat is required to respond to such a request, Heartbeat shall promptly notify Community Owner and provide it with a copy of the request unless legally prohibited from doing so.
10.2 If a law enforcement agency sends Heartbeat a demand for Community Data (for example, through a subpoena or court order), Heartbeat shall attempt to redirect the law enforcement agency to request that data directly from Community Owner. As part of this effort, Heartbeat may provide Community Owner’s basic contact information to the law enforcement agency. If compelled to disclose Community Data to a law enforcement agency, then Heartbeat shall give Community Owner reasonable notice of the demand to allow Community Owner to seek a protective order or other appropriate remedy unless Heartbeat is legally prohibited from doing so.
10.3 To the extent Heartbeat is required under Applicable Data Protection Legislation, Heartbeat shall (at Community Owner’s expense) provide reasonably requested information regarding the Services to enable the Community Owner to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
11. Changes in Data Protection Laws
11.1 Heartbeat may modify or supplement this Addendum, with reasonable notice to the Community Owner: (i) If required to do so by a supervisory authority or other government or regulatory entity; (ii) If necessary to comply with applicable law; (iii) To implement new or updated Standard Contractual Clauses approved by the European Commission; or (iv) To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.