Favro's Data Processing Addendum
Written by Dovidas Baranauskas
Updated over 8 months ago

This Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Favro Terms of Service available at https://help.favro.com/pricing-privacy-and-terms/favros-terms-of-service (as updated from time to time) (the “Terms of Service”), or of any other agreement governing the use of Favro’s services, between Customer and Favro. This Addendum reflects the parties’ agreement with regard to the processing of Personal Data by Favro solely on behalf of the Customer, and is entered into by the parties when the Terms of Service are entered into, in accordance with what is set out in the Terms of Service.

Background

The protection of individuals’ personal data is a fundamental priority of Favro. Favro complies with (a) the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018, including its respective amendments (the “UK GDPR”), and (c) all other legal acts applicable to the processing of Personal Data by Favro (together with the GDPR and UK GDPR hereinafter referred to as the “Applicable Data Protection Laws”). The Applicable Data Protection Laws specify that the processing of personal data by a processor on behalf of a controller shall be governed by a written agreement regulating, amongst other things, the circumstances and conditions under which such processing may take place.

The Parties have agreed that Favro shall provide Customer with a cloud-based project management application (hereinafter referred to as the “Services”), under which Favro will be processing certain personal data on behalf of the Customer in the capacity of processor. As such, the Parties acknowledge the need to enter into this separate Addendum to regulate the processing of personal data by Favro on behalf of the Customer. By using the Services, Customer accepts this DPA, and anyone who is entering into the Terms of Service on behalf of a company or other legal entity represents that they have the authority to bind such entity and its affiliates to these terms and conditions, in which case the terms “you” and “your” herein shall refer to such entity. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.

1. DEFINITIONS

Unless otherwise defined in the Terms of Service, all capitalized terms used in this Addendum will have the meanings given to them below:

a. “Customer Data” means the “Personal Data” (as defined in the Applicable Data Protection Laws) that is uploaded to the Services under Customer’s Favro accounts or otherwise processed by Favro on behalf of Customer, in connection with Customer’s use of the Services as set out in Annex 1 (Details of the Processing) to this DPA.

b. “processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

2. DATA PROCESSING

2.1 Scope and Roles. This Addendum applies when Customer Data is processed by Favro on behalf of Customer as part of performing the Services.

2.2 Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including all statutory requirements relating to data protection.

2.3 The Nature and Purpose of Data Processing. As long as Customer is using the Services, and as a consequence of Customer using the Services, Favro will process Customer Data on behalf of Customer.

2.4 Instructions for Data Processing. Favro will process Customer Data in accordance with Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do otherwise by applicable law. Any additional costs, which arise as a result of such instructions, shall be borne by Customer. The parties agree that this Addendum is Customer’s complete and final instructions to Favro in relation to processing of Customer Data. Processing outside the scope of this Addendum (if any) will require prior written agreement between Favro and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Favro for carrying out such instructions. Customer may terminate this Addendum if Favro declines to follow instructions requested by Customer that are outside the scope of this Addendum.

2.5 Access or Use. Favro will not access or use Customer Data, except as necessary to maintain, improve and provide the Services requested by Customer.

2.6 Details of the Processing. The duration of the processing, the nature and purpose of the processing, the types of Customer Data and categories of data subjects processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.

2.7 Assistance. Taking into account the nature of the processing, Favro shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the data subject’s rights. Favro shall also assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and UK GDPR taking into account the nature of processing and the information available to Favro.

2.8 Disclosure. Favro will not disclose Customer Data to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends Favro a demand for Customer Data, Favro will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Favro may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Favro will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Favro is legally prohibited from doing so.

2.9 Favro shall have an authorization control system in place that impedes the unauthorized processing of personal data or unauthorized access to personal data. Favro shall use a logging system that makes it possible for the processing of personal data to be traced and shall also ensure that the logs have adequate security protection. Customer shall have the right to access logs relating to Customer Data for the purpose of ensuring that Favro adheres to the requirements set out in this Addendum.

2.10 Favro Personnel. Favro restricts its personnel from processing Customer Data without authorization by Favro. Favro will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

2.11 Customer Controls. Favro makes available a number of security features and functionalities that Customer may elect to use. Customer is responsible for properly (a) configuring the Services, (b) using the controls available in connection with the Services (including the security controls), and (c) taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Customer Data, which may include use of encryption technology to protect Customer Data from unauthorized access and routine archiving of Customer Data.

3. CROSS-BORDER DATA TRANSFERS

3.1 Transfers to countries that offer an adequate level of data protection. Customer Data may be transferred to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions adopted by competent authorities under the Applicable Data Protection Laws (“Adequacy Decisions”), as applicable.

3.2 Transfers to other countries. If the processing of Customer Data by Favro includes transfers (either directly or via onward transfer) to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Favro for the lawful transfer of personal data (as defined in the Applicable Data Protection Laws), then the Standard Contractual Clauses (as approved by the European Commission in decision Implementing Decision (EU) 2021/914) and related annexes and appendices (the “SCC”) and the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (the “UK Addendum”), as applicable, shall apply.

Where the transfer of Customer Data is made subject to the SCC or the UK Addendum, the “data exporter” thereunder shall be Favro as processor and the “data importer” shall be the sub-processor receiving such Customer Data. Favro shall, and shall ensure that the relevant sub-processor shall (where applicable), comply with the data importer’s obligations, and itself comply with the data exporter obligations, in each case under the applicable SCC or the UK Addendum. More information on how Favro ensures the compliance of onward transfers with the SCC or the UK Addendum is provided in Annex 2.

4. SECURITY RESPONSIBILITIES OF FAVRO

Favro will implement such technical and organizational measures to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized processing, disclosure and access, which are required by applicable law. Favro will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Favro Network, and (c) minimize security risks, including through risk assessment and regular testing. Favro will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include measures relating to both network and physical security, and will be reviewed periodically by Favro to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews. If Customer wishes Favro to take any further measures, Favro will do so to a reasonable extent, but any additional costs shall be borne by Customer. Customer confirms that it deems the measures set forth in Annex 3 as being appropriate technical and organizational safeguards in relation to the processing of Personal Data.

5. CUSTOMER’S RESPONSIBILITY

Customer is solely responsible for reviewing the information made available by Favro relating to data security and making an independent determination as to whether the Services meet Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.

6. AUDIT OF TECHNICAL AND ORGANIZATIONAL MEASURES

Upon the request of Customer and during regular business hours, Favro will submit its data processing facilities for audit of the processing activities covered by the Addendum which shall be carried out by Customer at Customer’s expense. Favro shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA.

7. SECURITY BREACH NOTIFICATION

7.1 If Favro becomes aware of either (a) any unlawful access to any Customer Data stored on Favro’s equipment or in Favro’s facilities; or (b) any unauthorized access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Favro will promptly: (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

7.2 Customer agrees that:

(i) an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Favro’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents, which do not constitute a Personal Data breach as defined in the Applicable Data Protection Laws; and

(ii) Favro’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Favro of any fault or liability of Favro with respect to the Security Incident.

7.3 Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Favro selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Favro management console at all times.

8. SUB-PROCESSORS

8.1 Authorized Sub-processors. The Customer agrees that Favro may use sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. Favro maintains a list of sub-processors on its website (here: https://help.favro.com/en/articles/5603219-list-of-subprocessors). Favro shall notify Customer of any intended changes concerning the addition or replacement of sub-processors, to which the Customer may object. The Customer is notified when Favro updates the list of sub-processors on its website. The Customer can sign up to receive a notification regarding sub-processors via email, on the web page where the list of sub-processors is set out. If Customer has made no such objection within thirty (30) days from the date of receipt of the notification/date of update on the website, Customer is assumed to have made no objection. In case of an objection from the Customer, Favro has the right to cure the Customer’s objection at Favro’s sole discretion. If (i) no corrective option is reasonably available; or (ii) the parties have not been able to find a mutually agreeable solution, and (iii) the objection has not been cured within thirty (30) days after Favro receiving the objection, either Party may terminate the Terms of Service with immediate effect.

8.2 Sub-processor Obligations. Where Favro authorizes any sub-processor as described in this Section 8:

(i) Favro will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer in accordance with the Terms of Service and Favro will prohibit the sub-processor from accessing Customer Data for any other purpose.

(ii) Favro will impose appropriate contractual obligations in writing upon the sub-processor that are no less protective than this Addendum, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and

(iii) Favro will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the sub-processor that cause Favro to breach any of Favro’s obligations under this Addendum.

9. DUTIES TO INFORM

Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Favro, Favro will inform Customer without undue delay. Favro will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.

10. DELETION AND RETURN OF DATA

When Favro is no longer performing the Services relating to the processing of Customer Data, Favro shall, at Customer’s choice, either return all Customer Data to Customer or delete it. However, Customer Data may still be retained by Favro for audit or archival purposes, to defend a legal claim, or as required by applicable laws.

11. ENTIRE AGREEMENT; CONFLICT

Except as amended by this Addendum, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this Addendum, the terms of this Addendum will control.

ANNEX 1 - DETAILS OF THE PROCESSING

Categories of Data Subjects

Customer may submit Personal Data to the Services which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

  • Customer’s invited users

  • Employees of Customer

  • Consultants of Customer

  • Agents of Customer

  • Advisors of Customer

  • Business partners and vendors of Customer (who are natural persons)

  • Any other third party individual whose Personal Data the Customer decides to communicate through the Services.

Categories of data

Any personal data comprised in Customer Data, i.e. Personal Data that is uploaded by the Customer to the Services under Customer’s Favro accounts or otherwise processed by Favro on behalf of Customer, in connection with Customer’s use of the Services.

The Customer acknowledges and understands that the Services are used for collaboration and planning, and that they are not designed or intended for the processing of special categories of personal data.

Duration of Processing

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the processing and the consequences of the expiration or termination thereof, Favro will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing. Customer will itself delete Personal Data uploaded to the Services, in accordance with its own retention policies.

Processing operations and frequency

The processing takes place continuously, as Customer avails itself of the Services.

The personal data may be subject to the following processing activities:

  • storage and other processing necessary to provide, maintain and improve the Services provided to the Data Exporter;

  • to provide customer and technical support to the Data Exporter; and

  • disclosures in accordance with the Agreement, as compelled by law.

Sub-processing operations

Sub-processors are engaged by Favro for customer support, servers and hosting, email functionalities and other services. Please see Section 8.1 for more information.

Social Logins

If you sign in or sign up to Favro with Google or GitHub we will use your email address to verify your identity and your name and profile picture so that users know who they are collaborating with.

If you integrate Favro with Google calendar you will thereby grant us permission to manage your Google calendars and share data with Google. We will use this information to create calendar events from cards in Favro.

When you integrate Favro with Google Drive you will thereby grant us permission to view the files in your Google drive. We will use this information so that you can attach Google drive files to cards in Favro.

Synchronization with JIRA

If your organization has chosen to integrate Favro as a third-party app in Atlassian’s Jira, we will retrieve email addresses and display names from Jira and match them to users in Favro that have the same email address. If an email address received from Jira does not have a match within the Favro system, the email address and display name will be stored within the Favro system so that such users can easily be invited to Favro. Please see Atlassian’s privacy policy for more information about how personal data is processed by Atlassian.

Kindly note that it is your organization that is the controller for the processing of personal data that ensues from the integration of Favro as a third-party app in Atlassian’s Jira. Favro is a processor to your organization in this regard. Therefore, please see your own organization’s privacy notice for more details regarding the processing of personal data in connection with the use of Favro.

ANNEX 2 - DETAILS OF ONWARD TRANSFERS TO THIRD COUNTRIES

Favro is established in the EU; therefore, when our Customers transfer Customer Data directly to Favro, such transfers:

  • do not fall within the scope of Chapter V (Transfers of personal data to third countries or international organizations) of the GDPR; and

  • are subject to UK adequacy regulations, where our Customers established in the UK transfer Customer Data to Favro.

However, as discussed in Section 8 of this DPA, Favro uses sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. A full list of its sub-processors may be found here: https://help.favro.com/en/articles/5603219-list-of-subprocessors.

Some of the sub-processors of Favro are established outside of the EU/EEA or the UK, as applicable; therefore, the use of such sub-processors will result in the transfer of Customer Data outside of the EU/EEA or the UK, as applicable (a “Restricted Transfer”). Please note that the processing location of each sub-processor is also provided in the abovementioned list.

Favro shall and will comply with the following requirements concerning Restricted Transfers:

  • Adequacy Decisions. Favro may transfer Customer Data to third countries that offer an adequate level of data protection under or pursuant to the Adequacy Decisions as established in Section 3.1. In such case, the SCC and the UK Addendum are not required, however, Favro will continuously monitor the legal background and compliance of such sub-processors.

  • SCC. As established in Section 3.2, if the processing of Customer Data by Favro includes transfers (either directly or via onward transfer) to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Favro for the lawful transfer of personal data (as defined in the Applicable Data Protection Laws), Favro will ensure that its data processing contractual arrangements with such sub-processors incorporate the SCC (including all required Modules).

  • UK Addendum. Favro is aware that in case its Customers are established in the UK, Favro, as a data processor, is also subject to the requirements of the UK GDPR. Therefore, in addition to the SCC as described above, Favro will ensure that its data processing contractual arrangements with such sub-processors incorporate the UK Addendum.

Please note that the data processing contractual arrangements with Favro’s sub-processors established in third countries may be publicly available. In this case Favro will include the link in the list of the sub-processors.

ANNEX 3 - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Measures of pseudonymization and encryption of personal data.

Favro maintains customer data encrypted at rest using a cipher strength equivalent to 256 bit symmetric crypto or better. Data is encrypted in transit using TLS 1.2 or later.

Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.

The infrastructure for the Favro services spans multiple data centers in different EU countries on both AWS and CityCloud cloud platforms.

Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

Favro backs up customer data in real time to two separate cloud providers (AWS and CityCloud). Backups are retained redundantly across multiple data centers and are encrypted in transit and at rest with industry standard ciphers with cipher strength equivalent to 256 bit symmetric crypto.

Measures for internal IT and IT security governance and management, including processes for regular testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of processing.

Favro maintains a security program based on the ISO 27001 standard. This includes administrative, organizational, technical and physical security safeguards designed to protect the confidentiality, integrity and availability of customer data. In addition to annual external audits, Favro performs annual third party application and network penetration tests.

Measures for user identification and authorization.

Favro personnel are required to use unique user credentials and secrets for authentication. Favro applies the principle of least privilege through role-based access models, under which personnel may access customer data only as required by their job function and responsibilities. Access is promptly removed upon role change or termination.

Measures for the protection of data during transmission.

Customer data is encrypted with TLS 1.2 or later encryption during transmission between the customer and Favro as well as internally between Favro systems.

Measures for the protection of data during storage.

Customer data is stored encrypted using industry standard 256 bit symmetric ciphers.

Measures for ensuring physical security of locations at which personal data are processed.

The Services operate on Amazon Web Services and CityCloud and are protected by the security and environmental controls of Amazon and CityCloud, respectively.

Measures for ensuring event logging.

Favro monitors cloud service, system and application logs. Logs are investigated and when necessary escalated appropriately.

Measures for ensuring systems configuration, including default configuration.

Favro applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new services are deployed; (b) annual penetration testing by independent third parties; and (c) threat models for new services to detect any potential security problems.
