This data processing agreement (hereinafter, “DPA”) sets out the details of the parties’ obligations on the protection of personal data (“Data” or “Personal Data”) associated with BrowserStack, Inc. and its affiliates, BrowserStack Limited, BrowserStack Software Pvt. Limited, and Perceptual, Inc. (collectively referred to as “Processor”) processing of Data on its business customer’s (“Controller”) behalf within the scope of the applicable order under the Terms of Service (hereinafter, the “Agreement”) for the use of Bug Capture Services (formerly known as Bird Eats Bug) and available on the website https://www.birdeatsbug.com. The Controller is the data controller of the Personal Data it provides to Processor in the course of the provision of the services under this DPA. Controller appoints Processor as a data processor to process such Personal Data on Controller’s behalf (“Contract Processing”).
1.1. The scope and the detailed stipulations on the type and purpose of Contract Processing in the framework of this DPA are described in the table below:
| Type | Details |
| --- | --- |
| Type of processing (Art. 4 no. 2 GDPR) | storage, disclosure by transmission, use of data |
| Type of Personal Data (Art. 4 no. 1 GDPR) | contact data (name, email address) or any type of data included by Controller in the Service |
| Categories of data subjects (Art. 4 no. 1 GDPR) | employees and customers of controller or any categories of data subjects included by Controller in the Service |
| Purpose(s) of Data processing | Provision of the software service and its multiple functions including screen capture feature, voice and video recording, platform’s features for collaboration and distribution of content within team workspaces, as well as the fulfilment of Processor’s obligations under the DPA. |
The parties agree that the Controller shall not include any Personal Data of minors under 16.
1.2 Except where the DPA stipulates obligations beyond the term of the Agreement, the duration of this DPA shall be the same as the term of the Agreement.
1.3 Processor shall process Data on behalf of Controller. Such Contract Processing shall include all activities detailed in the Agreement. Within the scope of this DPA, Controller shall be solely responsible for compliance with its obligations under the applicable statutory requirements on data protection, including, but not limited to, the lawful disclosure and transfer of Data by Controller to Processor.
1.4. Controller’s individual instructions on Contract Processing of Personal Data shall, initially, be as detailed in this DPA. Controller shall, subsequently, be entitled to, in writing or in a machine-readable format (in text form), modify, amend or replace such individual instructions on Contract Processing of Personal Data by issuing such instructions to the point of contact designated by Processor.
2.1 Except where expressly permitted by Article 28 para. (3) lit. (a) GDPR, Processor shall process data subjects’ Data only within the scope of this DPA and the instructions issued by Controller. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Controller of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Controller confirms or modifies such instruction.
2.2 Processor shall, within Processor’s scope of responsibility, organize Processor’s internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures to ensure the adequate protection of Controller's Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services and shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Controller is familiar with these technical and organizational measures, and it shall be Controller's responsibility that such measures ensure a level of security appropriate to the risk. The parties agree to refer to the technical and organizational measures. Please get in touch for details via legal [at] birdeatsbug.com.
2.3 Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
2.4 Processor shall support and assist the Controller, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling compliance with the obligations enumerated in articles 35 and 36 GDPR, taking into account the nature of the data processing and the information available to the Processor.
2.5 Processor shall ensure that all employees involved in Contract Processing of Controller’s Data and other such persons as may be involved in Contract Processing within Processor's scope of responsibility shall only do so within the scope of the instructions. Furthermore, Processor shall ensure that any person entitled to process Data on behalf of Controller has undertaken a commitment to confidentiality under terms similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Contract Processing.
2.6 In the event of a personal data breach concerning data within Processor’s scope of responsibility, the Processor shall notify the Controller without undue delay after having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. The Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under Articles 33 and 34 GDPR.
2.7 Processor shall notify Controller of the point of contact for any issues related to data protection arising out of or in connection with this DPA.
2.8 Processor shall correct or erase Data if so instructed by Controller and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Controller's instructions, and unless agreed upon differently in writing, destroy, in compliance with data protection requirements, all carrier media and other material or return the same to Controller.
2.9 In specific cases designated by the Controller, such Data shall be stored or handed over. The associated cost for doing so and protective measures to put in place shall be agreed upon separately, unless already agreed upon in this DPA.
2.10 Processor shall, upon termination of Contract Processing and upon Controller's instruction, return all Data, carrier media and other materials to Controller or delete the same.
2.11 Where a data subject asserts any claims against Controller in accordance with Article 82 GDPR, Processor shall support Controller in defending against such claims.
3.1 Controller shall notify Processor without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Controller in the results of Processor’s work.
3.2 Section 2.12 above shall apply mutatis mutandis, to claims asserted by data subjects against Processor in accordance with Article 82 GDPR.
3.3 Controller shall notify the Processor of the point of contact for any issues related to data protection arising out of or in connection with this DPA.
3.4 Controller is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the parties in the framework of this DPA. Controller, prior to the engagement with the service or the approval of the sub-processor list, is the party responsible for ensuring and assessing the implementation of appropriate technical and organizational measures to provide adequate guarantees for the processing of personal data.
The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
Where a data subject asserts claims for rectification, erasure, restriction of processing or access against Processor, and where Processor is able to correlate the data subject to Controller, based on the information provided by the data subject, Processor shall refer such data subject to Controller. Processor shall forward the data subject's claim to Controller without undue delay. Processor shall support Controller, where possible, and based upon Controller's instruction insofar as agreed upon. Processor shall not be liable in cases where Controller fails to respond to the data subject's request completely, correctly, or in a timely manner.
5.1 Processor shall document and prove to the Controller Processor’s compliance with the obligations agreed upon in this DPA by appropriate measures.
5.2 Where, in individual cases, audits and inspections by Controller or an auditor appointed by Controller are necessary, such audits and inspections will be conducted upon prior notice during regular business hours, and without interfering with Processor's operations. Processor may also determine that such audits and inspections are subject to prior notice and the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented. Processor shall be entitled to reject auditors that are competitors of Processor. Controller hereby consents to the appointment of an independent external auditor by Processor, provided that Processor provides a copy of the audit report to Controller.
5.3 Processor shall be entitled to request from Controller a reimbursement of costs for its support in conducting inspections where such costs have been agreed upon in this DPA or otherwise in writing by the parties. Processor shall endeavor to limit its time and effort for such inspections to one day per calendar year, unless agreed upon otherwise.
5.4 Where a data protection or other applicable supervisory authority conducts an inspection, section 5.2 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.
6.1 Processor shall use subcontractors as further processors on behalf of Controller only where approved in advance by Controller.
6.2 If Processor engages further Processors or subcontractors to perform any of its obligations under this DPA, it shall seek Controller’s prior consent. Processor shall conclude, with such subcontractors, contractual terms necessary to ensure an appropriate level of data protection and information security.
6.3 Controller hereby consents to Processor’s use of the sub-processors listed here in connection with the performance of the service within the framework of this DPA (see table below).
6.4 Processor shall, prior to the use of further processors, obtain Controller’s prior approval. Processor will provide Controller with information on sub-processors at least in text form (for example via email or the user account). Controller may object to Processor’s use of a new subcontractor by notifying promptly in writing within 2 weeks after receipt of Processor’s notice in accordance with the prior sentence, whereas such objection shall not burden Processor in an unreasonable way (with a reasonable rejection consisting in important reasons related to compliance with EU General Data Protection Legislation (GDPR) and any applicable laws and acts for the protection of Personal Data (“Data Protection Laws”)).
6.5 Where Processor commissions subcontractors, Processor shall be responsible for ensuring that Processor's obligations on data protection resulting from this DPA are valid and binding upon subcontractor.
6.6 Controller acknowledges and agrees that according to the sections above, the Processor may engage with sub-processors in the framework of the provision of the services that may entail a transfer of personal data outside the European Economic Area (EEA). Processor provides information about the existence of any further transfer of personal data outside the EEA in relation to each sub-processor (see “List of Sub-processors” in the table below).
Processor shall not transfer Personal Data outside the EEA to any country or recipient which is not considered to provide an adequate level of protection according to European Data Protection Laws, unless it previously adopts the necessary and adequate safeguards, including, without limitation, the adoption of appropriate standard contractual clauses approved by the European Commission or other legal transfer mechanism, to ensure that the transfer is in compliance with applicable European Data Protection Laws.
7.1 For the performance of the Service according to the provisions of the Agreement, the Controller may voluntarily engage with integrated services within the Bug Capture Service which are owned and managed by third parties. The use of a third-party integrated service implies the establishment of a direct and independent relationship between the Controller and the third-party service which is governed by its own terms of service and its privacy policy.
7.2 When integrated services are used by the Controller on a voluntary basis, the Controller authorises the communication of data necessary for the connection and operation of the third party's integrated service within the framework of the provision of the Processor's service. The Processor acts under the instructions of the Controller who voluntarily enables the interconnection with the third-party service.
The liability provisions of the Agreement shall apply except as explicitly agreed otherwise in this DPA.
9.1 Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is Controller's sole property and area of responsibility, that data is at Controller's sole disposition, and that Controller is the responsible body in the sense of the GDPR.
9.2 No modification of this DPA and/or any of its components - including, but not limited to, Processor's representations and obligations, if any - shall be valid and binding unless made in writing or in a machine-readable format (in text form), and furthermore only if such modification expressly states that such modification applies to the regulations of this DPA. The foregoing shall also apply to any waiver or change of this mandatory written form.
9.3 In case of any conflict, the data protection provisions of this DPA shall take precedence over the provisions of the Agreement. Where any specific provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions shall not be affected.
9.4 Any disputes arising out of or in connection with this DPA will be resolved in accordance with the Agreement.
Apart from BrowserStack, Inc. and its sub-processors mentioned here, below is the list of additional third-party data sub-processors:
| Name | Type of Data | Purpose | Legal basis | Applicable Safeguards |
| --- | --- | --- | --- | --- |
| Auth0 (by Auth0, Inc., 10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA) | Name, Email address, User ID, IP | User Authentication | Art. 6 para. 1 s.1 lit. b. GDPR | Data are only processed on servers in the EU/EEA. |
| Customer.io (by Peaberry Software Inc., 9450 SW Gemini Dr., Suite 43920, Beaverton, Oregon 97008-7105) | Name, Email address, User ID, IP address, Analytics | Newsletter, User Onboarding | Art. 6 para. 1 s.1 lit. f. GDPR | Data are only processed on servers in the EU/EEA. |
| Facebook ads (by Facebook, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, for EU: Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland) | IP address, Analytics | Marketing | Art. 6 para. 1 s.1 lit. f. GDPR | Standard Contractual Clauses |
| Google Ads by Google (inter alia Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, Mountain View, CA, USA) | IP address, Analytics | Marketing | Art. 6 para. 1 s.1 lit. f. GDPR | Data are only processed on servers in the EU/EEA. |
| Google Cloud Platform (GCP) by Google (inter alia Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, Mountain View, CA, USA) | Datacenters | Infrastructure essential for service | Art. 6 para. 1 s.1 lit. b. GDPR | Data are only processed on servers in the EU/EEA. |
| Postmark (by Wildbit, LLC, 2400 Market St #235b, Philadelphia, PA 19103, United States) | Name, Email Address | Transactional Email | Art. 6 para. 1 s.1 lit. b. GDPR | Standard Contractual Clauses |