Data Processing Agreement (DPA)

This DPA does not apply to any data processing activity subject to PaceMkr's Privacy Policy (for example, to any activity carried out by PaceMkr as a data controller). This DPA is an integral part of the Terms of Service, and by accepting the Terms of Service the User also accepts this DPA.

1. DEFINITIONS

1.1 “The Terms of Service” are the Terms of Service of PaceMkr LTD., of which this DPA is an integral part.

1.2 Personal data processing (“Data Processing”/ “Processing”) refers to any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 “Applicable Rules/ Applicable Personal Data Rules”, within the meaning of the present DPA, are the Regulation, as well as all other applicable legislative acts in effect (regulations, laws, ordinances, etc.), documented orders issued by the User, etc., regulating the personal data protection and processing.

1.4 “User’s Personal Data” (“User’s Data”) are any personal data contained in the User Content that were synced with the Product in the User Account.

1.5 All terms and definitions used in the present DPA which are not defined shall have the meaning used in the Terms of Service, and if a definition is not provided in the Terms of Service, they shall have the meaning provided in the Regulation, or if not defined in the Regulation – the meaning pursuant to the other relevant Applicable Rules. This shall apply to terms, including “Personal Data”, “Controller”, “Processor”, “Processing”, etc.

2. SCOPE OF APPLICATION OF THIS DPA

2.1 To provide its Product and Services, in certain cases PaceMkr processes personal data as a Data Controller. These cases are set out in the Privacy Policy and include, among others, the following:

* when it is necessary for the conclusion and performance of the contract concluded between the User and PaceMkr under the Terms of Service with regard to the use of the Product;

* when it is necessary for protecting and exercising the legitimate interests of PaceMkr and third parties (e.g. ensuring PaceMkr’s website and Product’s security and normal functioning);

* when it is necessary for fulfilment of PaceMkr’s legal obligations (e.g. fulfilling legal obligations with regard to accounting, tax, financial and invoice activities);

* when PaceMkr gathers explicit consent (e.g. sending marketing communications and newsletters).

The present DPA does not apply in cases where PaceMkr processes personal data as Data Controller. PaceMkr processes Personal data as Data Controller as described in and in accordance with its Privacy Policy, which is an integral part of the Terms of Service.

2.2 The present DPA does not apply to the relations between the User and/or the Platform Users and third-party service providers – Platforms, whose services are used (such as Jira, Azure DevOps, etc.). PaceMkr is not a party to the contractual relations between User and/or Platform Users and such third parties and is not in any way responsible for any personal data processing carried out by such third parties.

2.3 In regard to User’s Data as defined in this DPA, PaceMkr processes personal data as Data Processor on behalf of the User. The present DPA applies only to processing operations carried out by PaceMkr as Data Processor.

3. OBLIGATIONS OF THE USER

3.1 By entering into the Agreement and this DPA, the User acknowledges that (i) the User is the sole Controller of User’s Data or (ii) has been duly instructed by and obtained authorization from the relevant Controller(s) to act and assign on behalf of the relevant Controller(s) the processing of User’s Data by PaceMkr as set out in this DPA.

3.2 The User:

* undertakes to ensure and bear full responsibility that the requirements of the Regulation, the Terms of Service and this DPA will be respected and complied with by the User, its Representatives, personnel, the Platform Users and all other persons to whom it might provide personal data;

* undertakes to bear full responsibility for Data Subject’s request under the Regulation in regard to User’s Data;

* shall not process special categories of personal data within the meaning of Art. 9 and Art. 10 of the Regulation through the Product. The Product is not intended for collecting, processing and storing of such types of data.

3.3 The User shall be fully responsible to ensure that all User’s Data that are synced with the Product in the User Account are appropriate to be synched and that their synchronization in the User Account is lawful and compliant with the Applicable Rules. The User shall be fully responsible for any actions of synchronization or deletion of User’s Data in the User Account, this also involving any such actions performed by Platform Users. For avoidance of any doubt the actions of any person to whom an access to User Account has been granted (e.g. legal representatives, Platform Users) shall be considered actions of the User, therefore any action of synchronization or deletion of User’s Data is under the sole control of the User.

3.4 The User is solely responsible to check whether the measures for protection of the User’s Data specified in this DPA are appropriate to the risk of processing the User’s Data. In cases where those measures or other terms and provisions relevant to the processing of the User’s Data within the use of the Product do not comply or are incompatible with the requirement applicable to the processing and protection of the respective User’s Data or to the activities of the User, the User shall not use the Product or respectively shall restrict the use of the Product solely to User’s Data for which the applied measures are sufficient to ensure the compliance with the Applicable Rules for their processing.

4. OBLIGATIONS OF PACEMKR AS DATA PROCESSOR

4.1 The User assigns to PaceMkr to process the User’s Data for the purposes of providing the Services on the User’s behalf, strictly complying with the Terms of Service, this DPA and the User’s Instructions.

4.2 PaceMkr undertakes not to process User’s Data for purposes other than those specified in the Terms of Service and this DPA, except when required to do so under applicable law.

4.3 Documented instructions for data processing: The instructions that are binding for PaceMkr regarding the processing of the User’s Data are only the instructions outlined in this DPA and the instructions made through the very use of the functionalities available when using the Product (e.g. buttons/functions for synchronization, deletion, etc.). The User agrees that they will submit their instructions in the manner provided for within the Product and that these instructions shall be in compliance with the Regulation. No instruction submitted in text form, incl. instructions sent via email or the online chat option, will be binding for PaceMkr, unless explicitly confirmed in writing by PaceMkr.

4.4 The User declares that they have been informed that in some occasions set forth by law, PaceMkr may be required to keep and disclose certain data that it has processed on their behalf to the competent authorities. PaceMkr undertakes to inform the User of such orders, except in the cases when it is prohibited by law.

4.5 The Data Processing, related to the provision of the Services, takes place in North America. PaceMkr shall not use any equipment located outside North America to process User’s Data.

4.6 Subcontractors. PaceMkr works with Amazon as subcontractor for the service Amazon Web Services (a data center service). PaceMkr’s contract with Amazon requires Amazon to carry out data processing under the contract only within North America and to ensure the necessary level of security. The User agrees to the use of Amazon and generally authorizes PaceMkr to engage other eventual subcontractors (e.g. sub-processors) for the provision of the Product and the Services. In the event of any change, the User will be explicitly notified prior to the change. If the User does not object to such change within 5 working days, then the change shall be deemed permitted by the Client.

5. DATA STORAGE AND DELETION

5.1 The User assigns and PaceMkr undertakes to:

* provide a technical solution to enable the storage and processing of User Content for the duration for which the User uses the Services and up to 3 (three) months after the termination of the Agreement between the User and PaceMkr regardless of the reason for such termination. Unless it is manually deleted earlier by the User, upon the expiry of this term the User Content, including all User’s Data that may be contained therein, shall be automatically deleted by PaceMkr in a secure manner so that the deleted User’s Data is not recoverable. This obligation of PaceMkr does not waive the User’s obligation as Data Controller to retain or delete personal data in accordance with the requirements of the Regulation;

* provide technological functionality in the Product to enable Users to delete User Content, including User’s Data, at any time during the use of the Services. The deletion of User’s Data in the Product is done by using the functionality in the User Account for deleting already created dashboards. To avoid future storage and processing of User Content by PaceMkr, the User must de-synchronize the Product with the respective Platform. Otherwise, deleting specific User Data without de-synchronizing an entire set of User Content in the Product (for example, removing only elements of the dashboard, instead of removing the entire dashboard in Trello) could be done in the respective Platform where this User Content is originally stored by using the deletion functionalities therein (if any).

5.2 The User shall neither store in their User Account nor retrieve and process User’s Data for the processing of which the User has no legal ground or where that ground has become invalid. In such cases, the User shall be obliged to immediately take measures for deletion of the respective User’s Data.

5.3 Upon the termination of this Agreement, the User is entitled at any time before the expiration of a period established herein above in item 5.1. (a) to request from PaceMkr to delete any User’s Content that is in User Account and to de-synchronize from the terminated User Account all the Platforms that have been synchronized therein before the termination of the Agreement, if this was not done by the User before the termination of the Agreement. The de-synchronization and/or deletion of the User Content in the User Account does not affect the availability of this content in the respective Platforms.

6. SCOPE OF THE ASSIGNED ACTIVITIES

The scope of the processing activities assigned by the User to PaceMkr with the acceptance of these Terms of Service and with the use of the Product is defined as follows:

6.1 **Objective**: the use of the Product by the User.

6.2 **Data subjects**: persons whose personal data is contained in the User Content, who may be any person whose personal data is contained in the boards which are synced with the Product in the User’s Account.

6.3 **Data**: User’s Data as defined in this DPA;

6.4 **Subject and nature**: Provision of a technical solution (the Product) that enables the User to generate visualizations through the creation of cumulative flow diagrams, cycle time scatterplots, throughput histograms and others associated with the Platforms’ boards. The User Content (along with any User’s Data included therein) that is synched from the User’s Platforms’ boards is stored and available within the Product during the use of the Services. The User Content is processed automatically by the means of the analytical functionalities of the Product to generate the respective visualization. Besides the above processing, PaceMkr may access the User’s content for the purposes of ensuring the maintenance of the Product and its normal functioning, incl. in cases where the User reports problems with the use of the Product (e.g. to check and fix bugs) etc.

6.5 **Term**: for the duration of the Agreement between the User and PaceMkr and for a period of up to 3 months after the termination.

7. SECURITY

PaceMkr undertakes to:

7.1 apply technical and organizational measures (with regard to personnel, buildings, software, hardware, networks, servers, encryption, control, reporting and monitoring, etc.) to ensure a level of protection against unauthorized or incidental access, loss, change, disclosure or erasure of data that takes into consideration the relevant risks. A detailed description of the technical and organizational measures that PaceMkr undertakes to apply can be found in Annex I to this DPA;

7.2 guarantee that all persons authorized by PaceMkr to process data shall be bound by obligation of confidentiality and shall undergo regular trainings on the protection of personal data in accordance with their activities;

7.3 not disclose personal data belonging to the User to any third party in any circumstances, except as provided for in the Terms of Service or by law.

8. AUDITS OF PERSONAL DATA PROCESSING

8.1 PaceMkr undertakes to provide the necessary assistance to a competent supervisory authority in carrying out audits and checks of the personal data processing activities assigned by the User.

8.2 PaceMkr shall upon request provide information necessary to demonstrate compliance with the obligations applicable to it under the Regulation. Where additional checks are required in relation to the User’s personal data processing obligations, an audit may be assigned after signing a preliminary agreement with PaceMkr, specifying the scope, duration and a mutually agreed certified auditor under the Regulation. In performing such an audit, the User undertakes to pay all fees, remunerations and costs for the performed activities and services, both by the auditor and by PaceMkr. An audit may be conducted only in a manner and to an extent that do not prejudice the obligations and rights of other users of the Product and Services with regard to personal data protection.

9. NOTIFICATION OF THE USER

PaceMkr undertakes to inform the User:

9.1 in the event of an inspection undertaken by a supervisory authority in relation to the processing of User’s Data, except in cases where this is prohibited by law;

9.2 if it is unable to fulfil its obligations under this DPA for any reason;

9.3 without undue delay (but no later than 24 hours of becoming aware) if it detects a security breach concerning the User’s Data.

10. ASSISTANCE PROVIDED BY PACEMKR

10.1 To the extent relevant and directly related to the provided Services and the assigned data processing, PaceMkr undertakes to:

* assist the User, if the User needs to demonstrate the performance of their obligations in relation to the data processing assigned to PaceMkr;

* assist the User in performing their obligations to notify the supervisory authority in the event of a security breach;

* assist the User in performing their obligations to notify the Data Subjects in the event of a security breach;

* assist the User in performing their obligations to conduct a Data Protection Impact Assessment and Prior Consultation with the supervisory authority;

* assist the User, as far as possible and reasonably expected, by providing technical and organizational measures and functionalities within the Product, in performing their obligations related to requests regarding data protection rights by Data Subjects.

10.2 The User assigns and PaceMkr undertakes, upon receipt of a request for exercising of rights of a Data Subject under the Regulation to inform the Data Subject that he/she should contact the User directly.

11. LIABILITY

11.1 A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller. Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controllers or Processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.

11.2 If a User violates any of its obligations and acknowledgments under this DPA, the User undertakes to indemnify and hold harmless PaceMkr and its subcontractors from all liabilities, claims, expenses and similar from a third party claim and/or administrative/pecuniary sanction arising out of or relating to the violation of the User’s obligations or acknowledgments under the present DPA.

12. ADDITIONAL PROVISIONS

12.1 If any provision of this DPA is held to be void or unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable. This shall have no effect on the other provisions hereof or of the Terms of Service. The invalid clause will be replaced by the mandatory rules of the law or by the established practice.

12.2 This DPA is governed by the law applicable to the Terms of Service.

MINIMUM TECHNICAL AND ORGANIZATIONAL MEASURES UNDERTAKEN BY PACEMKR

| Type of protection | Category of measures | Types of measures implemented | Comments |
| --- | --- | --- | --- |
| Physical protection | Technical measures | Locking of premises | User data is stored only on the Amazon Web Services platform |
| | | Fire extinguishers and fire detection systems | User data is stored only on the Amazon Web Services platform |
| | | Equipment of the premises where personal data is processed | User data is stored only on the Amazon Web Services platform |
| | Organizational measures | Allocation of the premises housing the information systems for personal data processing | User data is stored only on the Amazon Web Services platform. PaceMkr devices from which user data could be accessed are located on premises where they can be accessed only by their respective user (a PaceMkr employee). |
| | | Physical access control | User data is stored only on the Amazon Web Services platform |
| | | Technical means of physical protection | User data is stored only on the Amazon Web Services platform |
| Personnel protection | Organizational measures | Knowledge of personal data protection legislation | |
| | | Knowledge of the threats to personal data | |
| | | Consent to assume an obligation of non-disclosure of personal data | |
| | | Introduction of specific qualification and experience requirements for persons who will process personal data | |
| Documentary protection | Organizational measures | Prohibition on printing data synced from the User Account, except where explicitly required by a competent authority or necessary for the exercise, establishment or defence of claims | |
| | | Destruction procedures | |
| | | Rules for reproduction and distribution | |
| | | Procedures for inspection and control of processing | |
| Protection of automated information systems and/or networks | Technical measures | Identification and authentication | We impose password requirements to protect all our accounts. We require strong passwords by monitoring the strength of users' passwords, and we prevent users from reusing old passwords. We also require two-factor authentication. |
| | | Copies/backups for recovery | PaceMkr uses Amazon's backup system. Backups are made and permanently destroyed on a weekly basis. |
| | | Cryptographic protection | PaceMkr stores all user data on a dedicated server managed by the Amazon Web Services platform. The Amazon Web Services platform encrypts customer data stored at rest and in transit by default. Data is automatically encrypted before being written to disk. Each encryption key is itself encrypted with a set of master keys. Encryption keys and policies are managed in the same way, in the same keystore, as for Amazon's production services. Amazon's backup system ensures that data remains encrypted throughout the backup process. The backup system additionally encrypts each backup file independently with its own data encryption key (DEK), derived from a key stored in Amazon's Key Management Service (KMS) plus a randomly generated per-file seed at backup time. Another DEK is used for all backup metadata, which is also stored in Amazon's KMS. |
| | | Remote access only via secure channels | Access to our servers is established via VPN or SSH. |
| | | Access control | Access to production is limited to the administrator role in the user's organizational structure. When a user's employee is deactivated, their accounts are removed from our platform. The passwords of all the user's accounts to which the employee had access are then changed. |
| | Organizational measures | Procedures for destruction/erasure/deletion of media | |
| | | Emergency/contingency plans | |
| | | Action plans for unforeseen events relating to system applications and devices | |
| | | Retention of logs for activities performed | |