Skip to content
Trust Center
Data Processing Agreement

Data Processing Agreement

Last updated on

This Data Processing Agreement ("DPA") sets out the terms and conditions for the processing of Personal Data under and in connection with the Agreement between the Customer and AndonPulse. This DPA forms an inseparable part of the Agreement.

The Parties acknowledge that the provision of the Service involves Processing of Personal Data. To the extent Personal Data is processed in connection with the Service, the Customer acts as the Controller and AndonPulse acts as the Processor processing Personal Data on behalf of the Customer.

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails.

1. Definitions

  1. The terms used in this DPA — such as “Controller”, “Processor”, “Data Subject”, “Processing”, and “Personal Data Breach” — have the meanings defined in the applicable Data Protection Regulation.
  2. Personal Data” means any information relating to an identified or identifiable person, which AndonPulse processes on behalf of the Customer under the Agreement.
  3. Data Protection Regulation” means all applicable laws relating to protection of Personal Data, including without limitation the GDPR, the national laws supplementing the GDPR, the laws implementing EU Directive 2002/58/EC, and the CCPA.
  4. GDPR” means the EU General Data Protection Regulation (EU) 2016/679 and any amendments thereto.
  5. CCPA” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., including any amendments and implementing regulations thereto.
  6. Standard Contractual Clauses” means the Decision (EU) 2021/914 issued by the European Commission on 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, or any successor decision and amendments thereto.

2. Description of Processing

  1. AndonPulse processes Personal Data under the Agreement for the purpose of providing the Service to the Customer. Processing in this context refers to access to and analysis of data provided by the Customer in connection with the Service.

  2. Data Subjects are employees or contractors of the Customer, or other individuals whose Personal Data the Customer has provided to AndonPulse in connection with the Service.

  3. Categories of Personal Data include metadata related to software development activities, such as:

    • identifiers of individuals (e.g. usernames, email addresses)
    • nature and timing of development activities (e.g. issue updates, pull request events, review history)
    • organizational metadata (e.g. team membership, project assignments)

    AndonPulse does not access or store source code. AndonPulse may also process other categories of Personal Data when such data is included in the Customer Material.

  4. For the purposes of the CCPA, AndonPulse acts as a “Service Provider” as defined in the CCPA. AndonPulse will not sell, share, or use Personal Data for any purpose other than providing the Service as set out in this DPA and the Agreement.

3. Responsibilities of the Customer

  1. The Customer shall comply with the obligations applicable to it as a Controller under the Data Protection Regulation.
  2. The Customer is responsible for ensuring it has obtained all necessary consents and provided all required notices for the lawful Processing of Personal Data by AndonPulse in accordance with the Agreement.
  3. The Customer’s documented instructions to AndonPulse on the processing of Personal Data are set out in this DPA. Additional instructions require prior written agreement between the Parties.
  4. The Customer is solely responsible for providing appropriate access rights to AndonPulse and limiting such access to Personal Data that is strictly necessary for the purpose of the Service.

4. Responsibilities of AndonPulse

  1. AndonPulse shall process Personal Data only in accordance with this DPA, the Agreement, and applicable Data Protection Regulation.

  2. AndonPulse shall ensure that all personnel with access to Personal Data are subject to appropriate confidentiality obligations.

  3. AndonPulse will not collect, combine, share, retain, or otherwise process Personal Data for any purpose not related to providing the Service. AndonPulse will not take any action that would cause transfers of Personal Data to qualify as “selling personal information” under the CCPA.

  4. AndonPulse shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure. Current security measures are described on our Security page.

  5. AndonPulse shall notify the Customer of a Personal Data Breach without undue delay after becoming aware of it and take reasonable steps to mitigate any resulting damage. The notification shall contain at least the information required by the Data Protection Regulation. If the full information is not immediately available, it may be provided in phases.

  6. AndonPulse shall, upon the Customer’s reasonable written request, assist the Customer in:

    • responding to Data Subject requests and supervisory authority inquiries
    • carrying out Data Protection Impact Assessments where required by the applicable Data Protection Regulation
    • demonstrating compliance with the Data Protection Regulation by making available relevant information reasonably necessary for such purpose

    The Customer shall reimburse AndonPulse for reasonable costs incurred in providing such assistance.

5. Subprocessors

  1. AndonPulse may use affiliates and third-party service providers as subprocessors to provide certain parts of the Service. The Customer hereby authorizes AndonPulse to engage these subprocessors for the processing of Personal Data.
  2. AndonPulse maintains an up-to-date list of subprocessors with access to Personal Data at /trust/subprocessors/, including their processing location and the activities they perform.
  3. AndonPulse will notify the Customer in writing at least fourteen (14) days prior to engaging a new subprocessor or replacing an existing one.
  4. The Customer may, on reasonable grounds related to the protection of Personal Data, object to a subprocessor. In such case, AndonPulse shall use reasonable efforts to find an alternative solution that does not involve the objected subprocessor. If no alternative is reasonably available, the Customer may terminate the Agreement with immediate effect.
  5. AndonPulse shall ensure that its subprocessors comply with obligations equivalent to those set out in this DPA, including security and confidentiality requirements. AndonPulse remains liable for its subprocessors as for its own actions.

6. International Data Transfers

  1. The Service is hosted on Amazon Web Services (AWS) in the United States.
  2. The Customer acknowledges that some subprocessors may be located outside the European Economic Area ("EEA"). Whenever Personal Data is transferred to or accessed from locations outside the EEA, AndonPulse will ensure that such transfers are protected by appropriate safeguards in accordance with Chapter V of the GDPR, including the Standard Contractual Clauses where applicable.

7. Auditing

  1. At the Customer’s written request and sole cost and expense, the Customer or a qualified third party appointed by the Customer is entitled, once every twelve (12) months, to audit AndonPulse’s compliance with this DPA. The Customer shall provide at least thirty (30) days’ prior written notice before conducting the audit, unless otherwise required by applicable law or regulatory authority. All audit findings and related information shall be treated as AndonPulse’s confidential information.

8. Term and Termination

  1. This DPA shall remain in effect for the duration of the Agreement, and for as long as AndonPulse processes Personal Data on behalf of the Customer.
  2. Upon termination or expiry of the Agreement, or upon the Customer’s written request, AndonPulse shall either delete or return all Personal Data processed on behalf of the Customer, unless retention is required by applicable law.

9. Changes

  1. Any changes to this DPA shall be made in writing and agreed by both Parties.

10. Contact

For questions about this DPA, contact us at [email protected] .

Last updated on
Privacy PolicySubprocessors