This data processing addendum (the “Addendum”) applies exclusively to the processing of personal data (the “Customer Personal Data”) by Venier Technologies on behalf of the Customer where such processing is subject to European Union (EU) or Swiss data privacy law. This Addendum, including its annexes, forms part of, and is subject to, the provisions of the agreement between the parties (the “Services Agreement”) in respect of the performance of services (the “Services”) by Venier Technologies to the Customer that include the processing of such Customer Personal Data.
The Parties hereby agree to be bound by the provisions and obligations set forth in this Addendum in respect of all their data protection obligations and agree that any data protection and data processing obligations as agreed to previously amongst the Parties shall be deleted and repealed in its entirety and be replaced with this Addendum.
Any changes to this Addendum shall be made in accordance with the provisions of the applicable Services Agreement.
3.1 Subject matter of processing
Employee Engagement services by means of an online software application (the “Application”) and the fulfillment of contractual obligations under the Services Agreement and this Addendum.
3.2 Duration of processing
For the duration of the Services Agreement until terminated or once processing by Venier Technologiesof any Customer Personal Data is no longer required for the performance of its relevant obligations under the Services Agreement or Addendum.
3.3 Purpose of processing
The provision of the Services.
3.4 Categories of Personal Data
Employee Engagement data: Employees information (including their General Personal Data).
General Personal Data: data about an identified or identifiable Data Subject, including, but not limited to name, surname, title, date of birth, country of origin, telephone number, email.
Any other personal data requested by the Customer through its use of the Services and Application, provided always that the Customer should not use the Services or Application to process special category data.
3.5 Categories of Data Subjects
Employees and any other natural persons who access and use your account (e.g., advisors).
4.1 Storage Limitations
Venier Technologies confirms that it does not retain any sensitive data accessible from Slack, such as organization members' names and channel names. This includes any personal data that might be visible or accessible through integration with Slack's services. Specifically, Venier Technologies only stores IDs and does not retain user names or channel names.
4.2 Message Content
Venier Technologies does not have access to read or store the content of messages sent within the Customer's Slack workspace. Messages exchanged within Slack channels and direct messages remain solely within the control and access of the Customer and its authorized users.
4.3 Compliance with Slack's Terms
Venier Technologies adheres to Slack's terms of service and privacy policy regarding the handling and access to data within Slack workspaces. Any processing of Customer Personal Data through the Application does not involve accessing or storing message content or member information from Slack beyond what is strictly necessary for the provision of the Services under the Services Agreement and this Addendum.
The Customer and Venier Technologies hereby agree that for the purposes of this Addendum, the Customer shall be the Controller and Venier Technologies shall be the Processor.
Venier Technologies, acting as Processor, shall:
6.1: Only process Customer Personal Data on documented instructions from the Customer, unless required to do so by applicable laws to Venier Technologies (provided that Venier Technologies first informs the Customer of that legal requirement before processing, unless that law prohibits this on important grounds of public interest). The Services Agreement, this Addendum along with the Customer' s use of the Services constitute the Customer's documented instructions to Venier Technologies for the purpose of providing the Services. Venier Technologies shall immediately inform the Customer if instructions given by the Customer, in the opinion of Venier Technologies, contravene Data Privacy Law.
6.2: Ensure that all personnel who have access to Customer Personal Data have committed themselves to appropriate obligations of confidentiality;
6.3: Maintain appropriate technical and organizational measures to protect the Customer Personal Data. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Venier Technologies will, therefore, evaluate the measures on an on-going basis and will tighten, supplement and improve these measures as it deems necessary or appropriate in its sole discretion.
6.4: Assist the Customer, to the extent possible, to fulfill the Customer’s obligations in responding to requests for exercising of Data Subject rights set out in the applicable Data Privacy Law;
The Customer, acting as the Controller, hereby warrants and represents:
7.1: That all processing of Customer Personal Data will be in compliance with all Data Privacy Law, and that the processing of the Customer Personal Data by Venier Technologies in accordance with this Addendum will not breach Data Privacy Law;
7.2: That Customer Personal Data provided to Venier Technologies are accurate and will be updated to ensure continued accuracy as and when required;
7.3: That it has notified Data Subjects of any applicable period for which Customer Personal Data or any element of Customer Personal Data will be stored by Venier Technologies;
7.4 That the Customer has the right to provide Customer Personal Data to Venier Technologies and has provided Data Subjects with all necessary information and data protection notices on or in connection with the collection of such Customer Personal Data from data subjects including, but not limited to, the supply of Customer Personal Data to Venier Technologies and details of the purposes for which such Customer Personal Data will be processed by Venier Technologies including, if applicable, as set out in Venier Technologies’s retention policy;
7.5: That the Customer will not provide Venier Technologies with nor request Venier Technologies to process the types and categories of Personal Data listed, defined, or referenced to in Articles 8–10 of the GDPR or respective definitions in the UK and the Swiss Data Privacy Law, and that where applicable, the Customer will not enter any personal data into free text fields embedded in relevant Venier Technologies products and/or Services and will not incorporate any personal data outside of the scope of Personal Data as contemplated in the Services Agreement and this Addendum into any attachments that are to be uploaded into Venier Technologies’ Application;
7.6: That the Customer shall, and shall procure its employees, contractors, and/or agents to keep the login credentials used to access to the Services secure and shall be liable for the access to the Services through such login credentials. The Customer further shall promptly notify Venier Technologies of any unauthorized use of any login credentials, or other breaches of security, including loss, theft or unauthorized disclosure of login credentials.
8.1 Consent to Use of Sub-Processors
The Customer hereby grants to Venier Technologies permission to utilize Sub-Processors to fulfill Venier Technologies's contractual obligations under this Addendum, and the Services Agreement. If Venier Technologies proposes to utilize a Sub-Processor, Venier Technologies will inform the Customer of any addition, replacement, or deletion of the Sub-Processor and give the Customer the opportunity to object to such changes. The Customer understands and agrees that its consent to this use is a condition of Venier Technologies's processing of Customer Personal Data.
8.2 Security and Control
Venier Technologies is responsible for its Sub-Processors’ compliance with the obligations of this Addendum, and Venier Technologies shall remain responsible for such compliance, except for the Customer's request, as per instructions given to Venier Technologies in the provision of Services to the Customer.
8.3 Documentation
To the extent that a Sub-Processor fails to fulfill its data protection obligations,Venier Technologies shall remain liable to the Customer for the performance of the Sub-Processor's obligations, unless the Sub-Processor is not under any obligation of confidentiality and security when processing Customer Personal Data, then, for this matter, Venier Technologies is exempt.
Venier Technologies shall notify the Customer, without undue delay after becoming aware of any security incident involving personal data (the “Incident”). Venier Technologies shall provide the Customer with the following information:
(a) notify the Customer after it (or any of the Sub-Processors' or Venier Technologies' personnel) becomes aware of a Personal Data Breach in respect of any Customer Personal Data;
(b) provide all information as the Customer requires (to the extent that it is available to Venier Technologies) to report the circumstances to a supervisory authority and to notify affected data subjects under Data Privacy Law; and
(c) provide the Customer with reasonable assistance in responding to and mitigating the Personal Data Breach.
The Customer acknowledges that Venier Technologies is reliant on the Customer for instructions as to the extent to which Venier Technologies is entitled to use and process the Customer Personal Data.
Consequently, Venier Technologies will not be liable for losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature incurred by Venier Technologies or for which Venier Technologies may become liable due to any claim brought by a Data Subject or Supervisory Authority arising from the Customer’s instructions or use of the Services or Application in breach of the Data Privacy Law.
To the extent of any conflict between this Addendum and any parts of the Services Agreement, this Addendum shall prevail, govern, and supersede.
This Addendum and the obligations hereunder shall survive the termination or expiry of the Services Agreement however effected or arising, and shall continue until Venier Technologies no longer processes any Customer Personal Data. The Customer Personal Data will be returned to the Customer and deleted by Venier Technologies in accordance with the Services Agreement.
If you have any questions, concerns, or requests regarding this Terms of use, please contact us at:
Venier Technologies
Zwinglistrasse 21 Zürich 8004
security@simpleworkapps.com