GoodDay Data Processing Addendum (DPA)
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and GoodDay but has not signed its own agreement with GoodDay and is not a “Customer” as defined under the Agreement.
“CCPA” means the California Consumer Privacy Act 2018, Cal. Civ. Code § 1798.100 et seq., as it is amended by the California Privacy Rights Act of 2020 (“CPRA”), their implementing regulations, as further amended from time to time.
The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA. For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.
“Customer Data” means what is defined in the Agreement as “Customer Data”.
“User” means an individual who is authorized by Customer to use the GoodDay Services (whether defined User in the Agreement).
“Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including those of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, including the GDPR, the UK GDPR, and the CCPA, applicable to, and in effect at the time of, the Processing of Personal Data hereunder.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by GoodDay solely on behalf of Customer under this DPA and the Agreement.
“Services” means the GoodDay cloud-based services including our platforms, products, services, applications, application programming interface (“API”), tools, and any ancillary or supplementary GoodDay products and services (including Upgrades (as defined in the Agreement)), offered online and via mobile application (“Platform”), and any other services provided to Customer by GoodDay under the Agreement.
“Security Documentation” means the security documentation, as updated from time to time setting forth the technical and organizational measures adopted by GoodDay that are applicable to the Processing of Personal Data by GoodDay under the Agreement and this DPA accessible via www.GoodDay/trustcenter/datasecure, or as otherwise made reasonably available to Customer by GoodDay.
“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offences; (d) Personal Data relating to children; and/or (e) account passwords in unhashed form.
“Standard Contractual Clauses” means (a) in respect of transfers of Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors (https://www.goodday.work/legal/scc-controller-processors) and between processors and processors (https://www.goodday.work/legal/scc-processor-processor) as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I, II and V thereto (“EU SCCs”); (b) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0) (“IDTA”), as incorporated into the EU SCCs through Annex III thereto (“UK Addendum”); and (c) in respect of transfers subject to the Federal Act on Data Protection (as revised as of 25 September 2020), the terms set forth in Annex IV of the EU SCCs (“Switzerland Addendum”).
“Sub-processor” means any third party that carries out specific Processing activities of Personal Data under the instruction of GoodDay.
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. Processing of personal data
3. Data Subject Requests
4. GoodDay Personnel
6. Security & Audits
7. Data incident management and notification
8. Return and deletion of personal data
9. Cross-border data transfers
10. Authorized affiliates
11. Other provisions
Schedule 1 - Details of the processing
- Providing the Services to Customer;
- Performing the Agreement, this DPA and/or other contracts executed by and between the Parties;
- Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
- Sharing Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);
- Rendering Personal Data to be Anonymous Information;
- Complying with applicable laws and regulations;
- All tasks related to any of the above.
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
- Any other third party individual whose Personal Data is Processed by the Services.
Schedule 2 - Technical and Organisational Security Measures
The technical and organisational measures defined herein are implemented on the basis of the international standard ISO 27001 and ISO 9001. GoodDay shall maintain controls materially as protective as those provided in the ISO 27001 and ISO 9001 or other substantially similar or equivalent certification requirements.
Processor utilises third party data centres that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. GoodDay will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.
The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted, however, that in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. Additional information regarding technical and organisational measures may be found in the GoodDay Security Statement.
1. Entrance Control
Technical or organisational measures regarding access control, especially regarding legitimation of authorised persons:
The aim of the entrance control is to prevent unauthorised people from physically accessing such data processing equipment which processes or uses Personal Data.
Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorisations. They are monitored by security personnel. Access for employees is only possible with an encoded ID with a photo on it. All other persons are granted access only after registering beforehand (e.g. at the main entrance).
Access to special security areas for remote maintenance is additionally protected by a separate access area. The constructional and substantive security standards comply with the security requirements for data centres.
2. System Access Control
Technical and organisational measures regarding the user ID and authentication:
The aim of the system access control is to prevent unauthorised use of data processing systems that are used for the processing of Customer Data.
Remote access to the data processing systems is only possible through a secure protocol. All access attempts, successful and unsuccessful, are logged and monitored.
Additional technical protections are in place using firewalls and proxy servers and state of the art encryption technology that is applied where appropriate to meet the protective purpose based on risk.
3. Data Access Control
Technical and organisational measures regarding the on-demand structure of the authorisation concept, data access rights and monitoring and recording of the same:
Measures regarding data access control are targeted on the basis that only such data can be accessed for which an access authorisation exists and that data cannot be read, copied, changed or deleted in an unauthorised manner during the processing and after the saving of such data.
Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.
To maintain data access control, state of the art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.
4. Transmission Control
Technical and organisational measures regarding the transport, transfer, transmission, storage and subsequent review of Personal Data on data media (manually or electronically).
Transmission control is implemented so that Personal Data cannot be read, copied, changed or deleted without authorisation, during transfer or while stored on data media, and so that it can be monitored and determined as to which recipients a transfer of Personal Data is intended.
The measures necessary to ensure data security during transport, transfer and transmission of Personal Data as well as any other company or Customer Data are detailed in the Security Practices. This standard includes a description of the protection required during the processing of data, from the creation of such data to deletion, including the protection of such data in accordance with the data classification level.
For the purpose of transfer control, an encryption technology is used (e.g. remote access to the company network via two-factor VPN tunnel and full disk encryption). The suitability of an encryption technology is measured against the protective purpose.
The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, GoodDay provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.
5. Data Entry Control
Technical and organisational measures regarding recording and monitoring of the circumstances of data entry to enable retroactive review.
System inputs are recorded in the form of log files; it is therefore possible to review retroactively whether and by whom Personal Data was entered, altered or deleted.
6. Data Processing Control
Technical and organisational measures to differentiate between the competences of principal and contractor:
The aim of the data processing control is to provide that Personal Data is processed by a commissioned data processor in accordance with the Instructions of the principal.
Details regarding data processing control are set forth in the Agreement and DPA.
7. Availability Control
Technical and organisational measures regarding data backup (physical/logical):
Data is stored in a fault-tolerant Amazon (AWS) data centre, with no single point of failure.
8. Separation Control
Technical and organisational measures regarding purposes of collection and separated processing:
Personal Data used for internal purposes only e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.
Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.
Customer Data is stored in a way that logically separates it from other customer data.
Schedule 3 - Infrastructure Sub-processors
GoodDay may use the following Sub-processors to host Customer Data or provide other infrastructure that helps with the delivery of our Services:
|USA, Germany, India, Australia
GoodDay may use the following Sub-processors to perform other Service functions:
|Cloud computing provider