This Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Favro Terms of Service available at https://help.favro.com/pricing-privacy-and-terms/favros-terms-of-service (as updated from time to time) (the “Terms of Service”), or other agreement governing the use of Favro’s services, between Customer and Favro. This Addendum reflects the parties’ agreement with regard to the processing of Personal Data by Favro solely on behalf of the Customer, and is entered into by the parties when the Terms of Service are entered into, in accordance with what is set out in the Terms of Service.

Background

The protection of individuals’ personal data is a fundamental right under EU law and currently regulated by the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). The GDPR specifies that the processing of personal data by a processor on behalf of a controller shall be governed by a written agreement regulating amongst others the circumstances and conditions under which such processing may take place.

The Parties have agreed that Favro shall provide Customer with a cloud-based project management application (hereinafter referred to as the “Services”), under which Favro will be processing certain personal data on behalf of the Customer in the capacity of processor. As such, the Parties acknowledge the need to enter into this separate Addendum to regulate the processing of personal data by Favro on behalf of the Customer. By using the Services, Customer accepts this DPA, and anyone who is entering into the Terms of Service on behalf of a company or other legal entity represents that they have the authority to bind such entity and its affiliates to these terms and conditions, in which case the terms “you” and “your” herein shall refer to such entity. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.

1. DEFINITIONS

Unless otherwise defined in the Terms of Service, all capitalized terms used in this Addendum will have the meanings given to them below:

a. “Customer Data” means the “Personal Data” (as defined in the GDPR) that is uploaded to the Services under Customer’s Favro accounts or otherwise processed by Favro on behalf of Customer, in connection with Customer’s use of the Services as set out in Section 2.3 below.

b. "GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any replacement regulation imposing equivalent obligations.

c. “processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

2. DATA PROCESSING

2.1 Scope and Roles. This Addendum applies when Customer Data is processed by Favro on behalf of Customer as part of performing the Services.

2.2 Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including all statutory requirements relating to data protection.

2.3 The Nature and Purpose of Data Processing. As long as Customer is using the Services, and as a consequence of Customer using the Services, Favro will process Customer Data on behalf of Customer. Customer Data includes but is not limited to names, addresses and contact information of the Customer’s invited users, as well as other kinds of personal data which Customer uploads to the Services in different projects, collections and boards. Customer Data can relate to Customer’s employees, directors, officers, customers and subcontractors, but also to third parties who are in some way part of or related to a project managed by Customer when using the Services. Customer Data may also include technical data, usage data, quality statistics and similar information (including but not limited to device-related and location-based metrics) related to Customer’s access to and use of the Services.

2.4 Instructions for Data Processing. Favro will process Customer Data in accordance with Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do otherwise by applicable law. Any additional costs, which arise as a result of such restrictions, shall be borne by Customer. The parties agree that this Addendum is Customer’s complete and final instructions to Favro in relation to processing of Customer Data. Processing outside the scope of this Addendum (if any) will require prior written agreement between Favro and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Favro for carrying out such instructions. Customer may terminate this Addendum if Favro declines to follow instructions requested by Customer that are outside the scope of this Addendum.

2.5 Access or Use. Favro will not access or use Customer Data, except as necessary to maintain, improve and provide the Services requested by Customer.

2.6 Details of the Processing. The duration of the processing, the nature and purpose of the processing, the types of Customer Data and categories of data subjects processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.

2.7 Assistance. Taking into account the nature of the processing, Favro shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights.

2.8 Disclosure. Favro will not disclose Customer Data to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends Favro a demand for Customer Data, Favro will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Favro may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Favro will give Customer reasonable Notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Favro is legally prohibited from doing so.

2.9 Access Control and Logging. Favro shall have an authorization control system in place that impedes the unauthorized processing of personal data or unauthorized access to personal data. Favro shall use a logging system that makes it possible for the processing of personal data to be traced and shall also ensure that the logs have adequate security protection. Customer shall have the right to access logs relating to Customer Data for the purpose of ensuring that Favro adheres to the requirements set out in this Addendum.

2.10 Favro Personnel. Favro restricts its personnel from processing Customer Data without authorization by Favro. Favro will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

2.11 Customer Controls. Favro makes available a number of security features and functionalities that Customer may elect to use. Customer is responsible for properly (a) configuring the Services, (b) using the controls available in connection with the Services (including the security controls), and (c) taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Customer Data, which may include use of encryption technology to protect Customer Data from unauthorized access and routine archiving of Customer Data.

3. CROSS-BORDER DATA TRANSFERS

3.1 Transfers from the EEA and Switzerland to countries that offer an adequate level of data protection. Personal Data may be transferred from EU member states, Norway, Liechtenstein and Iceland (collectively “EEA”), and Switzerland, to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, or Switzerland as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

3.2 Transfers to other countries. If the Processing of Personal Data by Favro includes transfers (either directly or via onward transfer) from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Favro for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland, as applicable, then the “2021 Standard Contractual Clauses” (as approved by the European Commission in Commission Implementing Decision (EU) 2021/914) and related annexes and appendices shall apply. The 2021 Standard Contractual Clauses are completed by Favro as set out for informative purposes in Annex 2.

Where the transfer of Personal Data is made subject to the 2021 Standard Contractual Clauses, the “data exporter” thereunder shall be Favro as processor and the “data importer” shall be the sub-processor receiving such Personal Data. Favro shall, and shall ensure that the relevant sub-processor shall (where applicable), comply with the data importer’s obligations, and itself comply with the data exporter obligations, in each case under the applicable 2021 Standard Contractual Clauses.

4. SECURITY RESPONSIBILITIES OF FAVRO

Favro will implement such technical and organizational measures to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized processing, disclosure and access, which are required by applicable law. Favro will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Favro Network, and (c) minimize security risks, including through risk assessment and regular testing. Favro will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include measures relating to both network and physical security, and will be reviewed periodically by Favro to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews. If Customer wishes Favro to take any further measures, Favro will do so to a reasonable extent, but any additional costs shall be borne by Customer. Customer confirms that it deems the measures set forth in Annex 3 as being appropriate technical and organizational safeguards in relation to the processing of Personal Data.

5. CUSTOMER’S RESPONSIBILITY

Customer is solely responsible for reviewing the information made available by Favro relating to data security and making an independent determination as to whether the Services meet Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.

6. AUDIT OF TECHNICAL AND ORGANIZATIONAL MEASURES

Upon the request of Customer and during regular business hours, Favro will submit its data processing facilities for audit of the processing activities covered by the Addendum which shall be carried out by Customer at Customer’s expense.

7. SECURITY BREACH NOTIFICATION

7.1 If Favro becomes aware of either (a) any unlawful access to any Customer Data stored on Favro’s equipment or in Favro’s facilities; or (b) any unauthorized access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Favro will promptly: (i) notify Customer of the Security Incident; and (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

7.2 Customer agrees that:

(i) an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Favro’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and

(ii) Favro’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Favro of any fault or liability of Favro with respect to the Security Incident.

7.3 Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Favro selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Favro management console at all times.

8. SUB-PROCESSORS

8.1 Authorized Sub-processors. Customer agrees that Favro may use sub-processors to fulfil its contractual obligations under this Addendum or to provide certain services on its behalf, such as providing support services. Favro maintains a list of sub-processors on its website (here: https://help.favro.com/en/articles/5603219-list-of-subprocessors). Favro shall notify Customer of any intended changes concerning the addition or replacement of sub-processors, to which the Customer may object. Customer is notified when Favro updates the list of sub-processors on its website. Customer can sign up to receive a notification regarding sub-processors via email, on the web page where the list of sub-processors is set out. If Customer has made no such objection within thirty (30) days from the date of receipt of the notification/date of update on the website, Customer is assumed to have made no objection. In case of an objection from the Customer, Favro has the right to cure the Customer’s objection at Favro’s sole discretion. If (i) no corrective option is reasonably available; or (ii) the parties have not been able to find a mutually agreeable solution, and (iii) the objection has not been cured within thirty (30) days after Favro receiving the objection, either Party may terminate the Terms of Service with immediate effect.

8.2 Sub-processor Obligations. Where Favro authorizes any sub-processor as described in this Section 8:

(i) Favro will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer in accordance with the Terms of Service and Favro will prohibit the sub-processor from accessing Customer Data for any other purpose.

(ii) Favro will impose appropriate contractual obligations in writing upon the sub-processor that are no less protective than this Addendum, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and

(iii) Favro will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the sub-processor that cause Favro to breach any of Favro’s obligations under this Addendum.

9. DUTIES TO INFORM

Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Favro, Favro will inform Customer without undue delay. Favro will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.

10. DELETION AND RETURN OF DATA

When Favro is no longer performing the Services relating to the processing of Customer Data, Favro shall, at Customer’s choice, either return all Customer Data to Customer or delete it. However, Customer Data may still be retained by Favro for audit or archival purposes, to defend a legal claim, or as required by applicable laws.

11. NONDISCLOSURE

Customer agrees that the details of this Addendum are not publicly known and constitute Favro’s Confidential Information under the confidentiality provisions of the Terms of Service.

12. ENTIRE AGREEMENT; CONFLICT

Except as amended by this Addendum, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this Addendum, the terms of this Addendum will control.


ANNEX 1 - DETAILS OF THE PROCESSING

Categories of Data Subjects

Customer may submit Personal Data to the Service which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

  • Customer’s invited users

  • Employees of Customer

  • Consultants of Customer

  • Agents of Customer

  • Advisors of Customer

  • Business partners and vendors of Customer (who are natural persons)

  • Any other third party individual with whom Customer decides to communicate through the Service.

Categories of data

Any personal data comprised in Customer Data, i.e. Personal Data that is uploaded by the Customer to the Services under Customer’s Favro accounts or otherwise processed by Favro on behalf of Customer, in connection with Customer’s use of the Services.

The Customer acknowledges and understands that the Services are used for collaboration and planning, and that they are not designed for the processing of special categories of personal data.

Duration of Processing

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the processing and the consequences of the expiration or termination thereof, Favro will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing. Customer will itself delete Personal Data uploaded to the Services, in accordance with its own retention policies.

Processing operations and frequency

The processing takes place continuously, as Customer avails itself of the Services.

The personal data may be subject to the following processing activities:

  • storage and other processing necessary to provide, maintain and improve the Services provided to the Data Exporter;

  • to provide customer and technical support to the Data Exporter; and

  • disclosures in accordance with the Agreement, as compelled by law.

Sub-processing operations

Sub-processors are engaged by Favro for web analytics, ERP, customer data analytics, customer support, servers and hosting, and email functionalities.


ANNEX 2 - DETAILS OF THE 2021 STANDARD CONTRACTUAL CLAUSES

This Annex 2 sets out, for informative purposes, how the 2021 Standard Contractual Clauses are designed in relation to each Sub-processor outside of the EU/EEA, where the 2021 Standard Contractual Clauses are the transfer mechanism used to safeguard the transfer.

Options regarding clauses in the 2021 Standard Contractual Clauses

For each use of Module Three (transfer processor to processor) of the 2021 Standard Contractual Clauses, where applicable:

in Clause 7, the optional docking clause will not apply;

in Clause 9(a), Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 8 (Sub-processors) of this Addendum;

in Clause 11, the optional language will not apply;

in Clause 17, Option 1 will apply, and the 2021 Standard Contractual Clauses will be governed by Swedish law, without application of its conflict of laws principles;

in Clause 18(b), disputes will be resolved before the courts of Sweden.

The Appendix to the 2021 Standard Contractual Clauses

In Annex I, Part A shall be populated as follows:

Data Exporter: Favro.

Data Exporter Role: Processor.

Data Importer: the Sub-processor based outside of the EU/EEA.

Data Importer Role: Processor.

In Annex I, Part B shall be populated with the information set forth in Annex 1 to this Addendum, as applicable for the Sub-processor’s assignment.

In Annex I, Part C, the competent supervisory authority is that of the country where the data exporter is registered as a company.

Annex 3 to this Addendum shall serve also as Annex II of the 2021 Standard Contractual Clauses.


ANNEX 3 – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Measures of pseudonymization and encryption of personal data.

Favro maintains customer data encrypted at rest using a cipher strength equivalent to 256-bit symmetric cryptography or better. Data is encrypted in transit using TLS 1.2 or later.

Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.

The infrastructure for the Favro services spans multiple data centers in different EU countries on both AWS and CityCloud cloud platforms.

Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

Favro backs up customer data in real time to two separate cloud providers (AWS and CityCloud). Backups are retained redundantly across multiple data centers and are encrypted in transit and at rest with industry-standard ciphers with cipher strength equivalent to 256-bit symmetric cryptography.

Processes for regular testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of processing.

Favro maintains a security program based on ISO 27001 standards. This includes administrative, organizational, technical and physical security safeguards designed to protect the confidentiality, integrity and availability of customer data. Favro performs annual third party application and network penetration tests.

Measures for user identification and authorization.

Favro personnel are required to use unique user credentials and secrets for authentication. Favro applies the principle of least privilege through role-based access models: personnel access to customer data is limited according to their job function and responsibilities. Access is promptly removed upon role change or termination.

Measures for the protection of data during transmission.

Customer data is encrypted with TLS 1.2 or later encryption during transmission between the customer and Favro as well as internally between Favro systems.
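A customer-side check of the transmission claim above, added here as an example and not Favro’s own code or tooling: it attempts a handshake with a target endpoint pinned to each TLS version in turn and reports which ones the server accepts, so a "TLS 1.2 or later" statement can be confirmed at the public edge rather than taken on trust. The target host is a placeholder argument; the script does not know Favro’s actual endpoints, and the internal system-to-system traffic the annex also mentions cannot be probed from outside.

```python
"""Probe a TLS endpoint for the protocol versions it will negotiate.

Added example (not Favro's code). The host is supplied on the command line;
no Favro endpoint is assumed. Uses only the Python standard library.
"""
import socket
import ssl

# Versions a "TLS 1.2 or later" claim should reject, and the ones it should accept.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN_VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def meets_tls12_floor(negotiated: str) -> bool:
    """True if a protocol string as returned by SSLSocket.version() is TLS 1.2 or later."""
    return negotiated in ("TLSv1.2", "TLSv1.3")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that enforces the same floor on our side: TLS >= 1.2, full verification."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _handshake(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Attempt one handshake pinned to exactly `version`. Returns (succeeded, detail)."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        # The local OpenSSL build may refuse to enable a legacy version at all;
        # record that instead of mistaking it for a server-side rejection.
        return False, f"not attempted locally ({exc})"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def probe(host: str, port: int = 443) -> dict:
    """Map each TLS version name to (handshake_succeeded, detail) for the target."""
    return {v.name: _handshake(host, port, v) for v in LEGACY_VERSIONS + MODERN_VERSIONS}


def verdict(results: dict) -> bool:
    """True only if no legacy version handshook and at least one modern version did."""
    legacy_accepted = any(results[v.name][0] for v in LEGACY_VERSIONS)
    modern_accepted = any(results[v.name][0] for v in MODERN_VERSIONS)
    return modern_accepted and not legacy_accepted


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    res = probe(target)
    for name, (ok, detail) in res.items():
        print(f"{name:8} {'ACCEPTED' if ok else 'rejected'}  {detail}")
    print("meets TLS 1.2 floor:", verdict(res))
```

A legacy handshake that fails with a local "no protocols available" style error is inconclusive, not evidence that the server rejected it; the script reports those separately so they are not counted as a pass.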

Measures for the protection of data during storage.

Customer data is stored encrypted using industry standard 256 bit symmetric ciphers.

Measures for ensuring physical security of locations at which personal data are processed.

The Services operate on Amazon Web Services and CityCloud and are protected by the security and environmental controls of Amazon and CityCloud, respectively.

Measures for ensuring event logging.

Favro monitors cloud service, system and application logs. Logs are investigated and when necessary escalated appropriately.

Measures for ensuring systems configuration, including default configuration.

Favro applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new services are deployed; (b) annual penetration testing by independent third parties; and (c) threat models for new services to detect any potential security problems.

Measures for internal IT and IT security governance and management.

Favro maintains a security program based on ISO 27001 standards. This includes administrative, organizational, technical and physical security safeguards designed to protect the confidentiality, integrity and availability of customer data. Favro performs annual third party application and network penetration tests.
