Data Processing Addendum
THIS DATA PROCESSING ADDENDUM ("DPA") is made between THEIRSTACK SL with offices at Sor Joaquina, 2, 15011 A Coruña, Spain ("TheirStack"), and the Customer identified in the Order Form. This DPA is incorporated into and made subject to the TheirStack Terms of Service or any other written agreement between TheirStack and Customer that governs Customer's use of the Services (as defined below) (the "Agreement").
BACKGROUND
- TheirStack provides a technographic and job posting data platform ("Services") to the Customer under the Agreement. In connection with the Services, TheirStack processes certain personal data in respect of which Customer or any Customer Affiliate (as defined below), or customers of Customer or its Affiliates, may be a data controller under the Data Protection Laws (as defined below).
- Customer and TheirStack have agreed to enter into this DPA in order to establish their respective responsibilities under the Data Protection Laws.
- All capitalized terms used in this DPA but not otherwise defined have the meaning ascribed to them in the Agreement.
1. DEFINITIONS
1.1 For purposes of this DPA, the following initially capitalized words have the following meanings:
- "Adequate Country" means a country or territory that is recognized under applicable Data Protection Laws from time to time as providing adequate protection for personal data.
- "Affiliate" means any person, partnership, joint venture, corporation or other form of venture or enterprise, domestic or foreign, including subsidiaries, which directly or indirectly Control, are Controlled by, or are under common Control with a party. "Control" means the possession, directly or indirectly, of the power to direct or cause the direction of the management and operating policies of the entity in respect of which the determination is being made, through the ownership of more than fifty percent (50%) of its voting or equity securities, contract, voting trust or otherwise.
- "TheirStack Platform" means the computer software applications, tools, application programming interfaces (APIs), databases, and connectors provided by TheirStack as its technographic and job posting data platform as a service offering, together with the programs, networks and equipment that TheirStack uses to make such platform available to its customers.
- "Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and TheirStack, but has not signed its own Order Form with TheirStack and is not a "Customer" as defined under this DPA.
- "Customer" means the entity that executed the Agreement, together with its Affiliates (for so long as they remain Affiliates) that have signed Order Forms with TheirStack.
- "Customer Data" means any data that Customer or its Users input into the TheirStack Platform for Processing as part of the Services, including any Personal Data forming part of such data.
- "Data Protection Laws" means all laws and regulations in any relevant jurisdiction applicable to the DPA, the Agreement, or the processing of Personal Data, including the laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, the United Kingdom and the State of California, including (where applicable) (i) the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; and (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case as updated, amended or replaced from time to time.
- "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") (together, collectively, the "GDPR").
- "Personal Data" means Customer Data consisting of any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly to personal data or personally identifiable information under applicable Data Protection Laws).
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs").
- "Processing", "data controller", "data subject", "supervisory authority" and "data processor" have the meanings ascribed to them in the GDPR.
2. STATUS OF THE PARTIES
2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex A.
2.2 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that Customer is the data controller and TheirStack is the data processor. TheirStack agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA.
2.3 As between the parties, Customer is solely responsible for obtaining, and has obtained or will obtain, all necessary consents, licenses and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of Personal Data. Without limiting the foregoing, each of Customer and TheirStack warrants in relation to Personal Data that it will comply with (and will ensure that its personnel comply with) the Data Protection Laws applicable to it.
3. THEIRSTACK OBLIGATIONS
3.1 Instructions. TheirStack will only process the Personal Data in order to provide the Services and will act only in accordance with the Agreement and Customer's written instructions. The Agreement, this DPA, and Customer's use of the TheirStack Platform's features and functionality are Customer's written instructions to TheirStack in relation to the processing of Personal Data.
3.2 Contrary Laws. If the Data Protection Laws require TheirStack to process Personal Data other than pursuant to Customer's instructions, TheirStack will notify Customer prior to processing (unless prohibited from so doing by applicable law).
3.3 Infringing Instructions. TheirStack will immediately inform Customer if, in TheirStack's opinion, any instructions provided by Customer under Clause 3.1 infringe the GDPR or other applicable Data Protection Laws.
3.4 Appropriate Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, TheirStack will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in TheirStack's possession or under its control. Such measures include security measures equal to or better than those specified in Annex B below.
3.5 Confidentiality. TheirStack will ensure that any person who has access to Personal Data has committed to confidentiality or is under an appropriate statutory obligation of confidentiality.
3.6 Sub-processors. Customer provides general authorization for TheirStack to engage sub-processors to process Personal Data, provided that TheirStack: (a) provides at least 30 days' prior written notice of the addition of any new sub-processor; (b) ensures that every sub-processor is bound by a written agreement that requires the sub-processor to provide at least the same level of data protection as is required by this DPA; and (c) remains fully liable for the performance of each sub-processor. Customer may object to TheirStack's appointment of a new sub-processor by notifying TheirStack in writing within 30 days of such notice, provided that such objection is based on reasonable grounds relating to data protection.
3.7 Data Subject Rights. TheirStack will assist Customer in responding to requests for exercising the data subject's rights under the Data Protection Laws by implementing appropriate technical and organisational measures, insofar as this is possible, taking into account the nature of the processing.
3.8 Data Breach Notification. TheirStack will notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed by TheirStack on behalf of Customer ("Personal Data Breach"). TheirStack will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform data subjects of the Personal Data Breach under the Data Protection Laws.
3.9 Data Protection Impact Assessment. TheirStack will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data protection authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of other Data Protection Laws.
3.10 Records of Processing. TheirStack will maintain records of all categories of processing activities carried out on behalf of Customer, containing the information specified in Article 30(2) of the GDPR.
4. CUSTOMER OBLIGATIONS
4.1 Instructions and Compliance. Customer will ensure that its instructions comply with Data Protection Laws. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
4.2 Data Subject Rights. Customer will be responsible for complying with any data subject request, and will not disclose TheirStack's confidential information to any data subject or third party.
4.3 Data Transfers. If Personal Data is transferred outside the EEA, Customer acknowledges that TheirStack will process such Personal Data in accordance with the safeguards set out in Section 5 below.
5. INTERNATIONAL TRANSFERS
5.1 Cross-Border Transfers. TheirStack may transfer Personal Data to, and process Personal Data in, countries other than the country in which the Personal Data was collected, including countries that may not have been deemed to provide an adequate level of protection by the European Commission or other relevant supervisory authority.
5.2 Safeguards. For transfers of Personal Data subject to the GDPR from the EEA to countries that have not received an adequacy decision from the European Commission, the parties will ensure that appropriate safeguards are in place. Where such transfers occur, the Standard Contractual Clauses will apply, as detailed in Annex C.
6. AUDIT RIGHTS
6.1 Audit Rights. Customer may, no more than once per year, during normal business hours and with reasonable prior notice, conduct an audit of TheirStack's compliance with this DPA. Customer may also request information regarding TheirStack's compliance with this DPA. TheirStack will provide reasonable cooperation and assistance in relation to such audits.
6.2 Third-Party Audits. Customer acknowledges that TheirStack undergoes regular third-party security audits and certifications. Upon request, TheirStack will provide Customer with copies of relevant audit reports or summaries thereof.
7. TERM AND TERMINATION
7.1 Term. This DPA will remain in effect until the termination of the Agreement.
7.2 Data Return and Deletion. Upon termination of the Agreement, TheirStack will, at Customer's choice, return or delete all Personal Data in its possession or control, except where TheirStack is required by law to retain copies of Personal Data.
7.3 Survival. The provisions of this DPA will survive termination of the Agreement to the extent necessary to comply with Data Protection Laws.
8. LIABILITY AND INDEMNIFICATION
8.1 Liability. Each party's liability under this DPA will be subject to the limitations and exclusions set out in the Agreement.
8.2 Indemnification. Customer will indemnify, defend and hold harmless TheirStack from and against all claims, costs, damages, losses, liabilities and expenses arising out of or in connection with any breach of this DPA by Customer.
9. MISCELLANEOUS
9.1 Amendments. This DPA may only be amended in writing signed by both parties.
9.2 Governing Law. This DPA will be governed by and construed in accordance with the laws specified in the Agreement.
9.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
ANNEX A - PROCESSING DETAILS
Categories of data subjects whose personal data is processed:
- End users or individuals purporting to be end users of Customer's applications or services
- Employees, consultants, agents and representatives of companies in TheirStack's database
- Customer's employees, consultants, agents and representatives authorized to use the Services
- Individuals whose personal data is contained in job postings collected by TheirStack
Categories of personal data processed:
- Contact information (names, job titles, email addresses, LinkedIn profiles)
- Professional information (employment history, skills, qualifications)
- Company affiliation information
- Any other personal data that Customer uploads to or accesses through the TheirStack Platform
Sensitive data processed: None intentionally, although job postings may occasionally contain sensitive personal data which is processed only to the extent necessary to provide the Services.
Frequency of transfer: Continuous during the term of the Agreement.
Nature of processing: TheirStack provides a technographic data platform that analyzes job postings and company information to create business intelligence about technology adoption and usage patterns. TheirStack processes Personal Data to:
- Provide access to company and job posting databases
- Generate analytics and insights about technology adoption
- Enable Customer to search and filter data
- Provide API access to data
- Maintain and improve the Services
Purpose of processing: The processing is necessary for the provision of the TheirStack Services to Customer and the performance of TheirStack's obligations under the Agreement.
Retention period: Personal Data will be retained for the duration of the Agreement and as necessary to provide the Services, unless earlier deletion is required by applicable law or requested by Customer.
ANNEX B - SECURITY MEASURES
Infrastructure Security:
- TheirStack hosts its services in secure, geographically distributed data centers operated by a leading cloud provider (AWS)
- Automated monitoring systems detect failure conditions and trigger failover mechanisms
- Regular backups are performed
Access Controls:
- Role-based access control with principle of least privilege
- Regular access reviews and automatic deprovisioning of unused accounts
- Encrypted communications for all administrative access
Data Protection:
- Encryption in transit using TLS 1.2 or higher for all data transmissions
- Encryption at rest for all databases and storage systems
- Logical data isolation between customer environments
- Secure key management with regular key rotation
Network Security:
- Web application firewall and DDoS protection
- Intrusion detection and prevention systems
- Network segmentation and micro-segmentation
- Regular vulnerability scanning and penetration testing
Application Security:
- Secure software development lifecycle (SDLC) practices
- Code review requirements for all changes
- Regular security testing and vulnerability assessments
- Automated security scanning in CI/CD pipelines
Monitoring and Incident Response:
- 24/7 security monitoring and alerting
- Incident response plan and procedures
- Regular security training for all personnel
- Annual third-party security audits
Compliance:
- Regular compliance assessments
- Privacy by design principles in system architecture
- Data minimization and purpose limitation controls
ANNEX C - STANDARD CONTRACTUAL CLAUSES
DATA EXPORTER:
- Name: [Customer Name]
- Address: [Customer Address]
- Contact person: [Customer Contact]
- Role: Controller
DATA IMPORTER:
- Name: THEIRSTACK SL
- Address: Sor Joaquina, 2, 15011 A Coruña, Spain
- Contact person: Legal Team, hi@theirstack.com
- Role: Processor
DESCRIPTION OF TRANSFER: As detailed in Annex A above.
COMPETENT SUPERVISORY AUTHORITY: Spanish Data Protection Authority (Agencia Española de Protección de Datos)