This Data Processing Agreement and its annexes (“DPA”) reflect the parties’ agreement regarding the Processing of Personal Data by us on your behalf in connection with our Services, as set out in our Terms of Service (“General Terms”), available at https://www.licence.one/terms-of-service, between you and us; collectively referred to in this DPA as the “Agreement”.
This DPA is supplemental to, and forms an integral part of, the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
We update this DPA from time to time. We will let you know when we do so, in accordance with the ‘Amendments’ section of this DPA.
To help you navigate this document, we have outlined some of the key definitions of words we’ll use throughout. We’ll make them stand out by capitalising the first letter of the word from here on.
Within the scope of the Agreement and in your use of the Services, you will be responsible for complying with all requirements that apply to you under applicable Data Protection Laws regarding your Processing of Personal Data and the Instructions you issue to us.
In particular, but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for:
The parties agree that the Agreement constitutes your complete Instructions to us in relation to the Processing of Personal Data; you may provide additional instructions during the subscription term so long as they are consistent with the Agreement and with the nature and lawful use of the Service.
You are responsible for independently determining whether the data security provided for in the Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Service, including protecting the security of Personal Data in transit to and from the Service (including to securely back up or encrypt any such Personal Data).
We will only Process Personal Data for the purposes described in this DPA, the Agreement or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.
If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will:
If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Services until you issue new lawful Instructions with regard to the Processing.
We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under ‘Annex 2 - Technical and Organizational Provisions’.
Notwithstanding any provision to the contrary, we may modify or update our security provisions at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the security measures outlined in ‘Annex 2 - Technical and Organizational Provisions’.
We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether outlined in the General Terms, a separate contractual duty, or a statutory duty) regarding that Personal Data.
We will notify you without undue delay after we become aware of any Personal Data Breach, and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to the Supervisory Authority or affected Data Subjects, if you are required to do so under Data Protection Laws. We will not be responsible nor liable for your notification obligations to the relevant Supervisory Authority or Data Subjects.
The Service provides you with a number of controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").
To the extent that you are unable to independently address a Data Subject Request through the Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
We may only respond to a Data Subject Request without your consent to confirm that such request relates to you, to which you hereby agree.
Upon the conclusion or termination of the Services under this Agreement, we will act in accordance with your Instructions to either delete or return all Personal Data we have processed within 180 days of service termination, provided that no legal obligation requires us to retain the data. Should data retention laws apply, we will ensure that any retained Personal Data remains secure and is processed only to the extent required by such laws.
In the case where Personal Data is retained on backup systems, we will secure and isolate this data from any further processing and adhere to our standard deletion practices, which are designed to safeguard the data until it can be permanently deleted in accordance with our data retention schedule.
You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the third parties listed in ‘Annex 3 - Our Sub-Processors’ of this DPA.
You may subscribe to receive notifications by email if we add or replace any Sub-Processors by completing the form available at https://www.licence.one/sub-processor-notifications.
If you opt in to receive such emails, we will notify you at least 30 days before any such change. We will give you the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution.
Until a decision is made regarding the new Sub-Processor, we may temporarily suspend the Processing of the affected Personal Data. You will have no further claims against us due to the termination of the Agreement (including, without limitation, requesting refunds) or the DPA in the situation described in this paragraph.
If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you before suspension or termination).
Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of our obligations under this DPA.
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by us in France and to other jurisdictions where Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
We will not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data unless we first take all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation):
Upon your reasonable request, we will provide you, at your cost, with reasonable cooperation and assistance needed to fulfil your obligation under European Data Protection Laws and CCPA, to carry out a data protection impact assessment related to your use of the Services, to the extent you do not otherwise have access to the relevant information, and to the extent such information is available to us. We will provide you, at your cost, reasonable assistance in the cooperation or prior consultation with the Supervisory Authority in the performance of our tasks relating to this ‘Demonstration of compliance’ section to the extent required under European Data Protection Laws and CCPA.
Further, at your written request, we will provide written responses on a confidential basis to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect non-compliance with the DPA.
Upon notice, you will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of Personal Data.
The 'Additional Provisions for CCPA' section of this DPA will apply to all Personal Data that is subject to the protection of the CCPA.
When processing Personal Data in accordance with your Instructions, the parties acknowledge and agree that you are a business, and we are a Service Provider for the purposes of the CCPA.
We certify that we will not combine the Personal Data that is subject to the protection of the CCPA with personal information that we collect or receive from another source, other than information we receive from another source in connection with our obligations as a Service Provider under the Agreement.
Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘3.1 Compliance with Instructions’ or ‘3.3 Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA, and the terms that apply in the ‘Changes to these Terms’ section of the General Terms will apply.
This DPA will be enforced to the fullest extent permitted under the applicable law. If any provision in this DPA is deemed to be invalid or unenforceable by a court of competent jurisdiction, said provision will be modified with a valid and enforceable replacement that most closely accomplishes the objectives of the original; and the remaining provisions of the DPA will remain in effect.
The DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. For clarity, the DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the General Terms and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement. In no event will either party's liability be limited regarding any individual's data protection rights under this DPA or otherwise.
Even if this Agreement is terminated or expires, the following sections will continue to apply: Confidentiality, Intellectual property, Your, Limitation of Liability, No warranties, Severability, Entire agreement, Governing laws, Survivability and Waiver.
This DPA will be governed by French law, unless required otherwise by Data Protection Laws.
To the extent permitted by applicable law, you hereby acknowledge and agree that any dispute relating to its validity, interpretation, and execution shall be submitted to the courts having jurisdiction over our registered headquarters in France, despite multiple defendants or the introduction of third parties. Both parties consent to personal jurisdiction in the aforementioned courts.
By agreeing to the Agreement, you enter into this DPA on behalf of yourself and in the name and on behalf of your Affiliates.
As the legal entity agreeing to this DPA, you represent that you are authorized to agree to and enter into this DPA for and on behalf of yourself, and, as applicable, each of your Affiliates. If you cannot, or do not have authority to, bind your organization or its Affiliates, you shall not supply or provide Personal Data to us.
The parties agree that:
The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us by combining several audit requests carried out on behalf of your entity that is the contracting party to the Agreement and all of your Affiliates in one single audit.
Name: You, as defined in the General Terms (on behalf of yourself and Affiliates)
Address: Your registered address
Contact person’s name, position and contact details: Your contact details, as set out in your Account
Activities relevant to the data transferred under these clauses: Processing of Personal Data in connection with your use of the Service under our General Terms
Role (Controller/Processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
Name: LicenceOne SAS.
Address: 1 rue Fleming - 17000 La Rochelle, France
Contact person’s name, position and contact details: Johnathan Bell, Data Protection Officer, LicenceOne SAS, 1 rue Fleming, 17000 La Rochelle France; or legal@licenceone.com
Activities relevant to the data transferred under these clauses: Processing of Personal Data in connection with your use of the Services under our General Terms
Role (Controller/Processor): Processor
Personal Data will be Processed in accordance with the Agreement and may be subject to the following Processing activities:
We will Process Personal Data as necessary to provide the Services pursuant to the Agreement and as further instructed by you in your use of the Services.
Subject to the 'Rectification, restitution, and erasure of data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
You may submit Personal Data to the Service, the extent of which is determined and controlled by you at your sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
In some limited circumstances Personal Data may also come from other sources, for example, in the case of anti-money laundering research, fraud detection or as required by applicable law. For clarity, you shall always be deemed the Data Controller, and we shall always be deemed the Data Processor.
You may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by you at your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
The Parties agree that the Services are not intended for the processing of Sensitive Data, and that if you wish to use the Services to Process Sensitive Data, you must first obtain our explicit prior written consent and enter into any additional agreements as required by us.
Continuous
We currently observe the Security Measures described in this ‘Technical and Organizational Provisions’ annex. All capitalized terms not otherwise defined herein will have the meanings as set forth in the General Terms.
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors to provide the Service in accordance with this DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centres. The physical and environmental security controls are audited for ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our products. Customers who interact with the products via the user interface must authenticate before accessing non-public data.
Authorization: Your data is stored in storage systems accessible to you only via application user interfaces. You are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
We implement industry standard access controls and detection capabilities for the internal networks that support our Service:
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Bug bounty: A bug bounty program, available at https://dub.sh/licenceone-bug-bounty invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a bug bounty program to widen the available opportunities to engage with the security community and improve the product defences against sophisticated attacks.
Penetration testing: You may conduct audits and penetration and security tests for the App. Such audits shall not occur more than once per calendar year, unless mandated by a supervisory authority or in response to a verifiable data breach. Audits will be carried out by an independent and impartial third-party mutually agreed upon by both parties, which shall not be our direct competitor or otherwise conflicted. For any audits or penetration tests, you are to inform us in advance in writing, with both parties agreeing on the scope, methodology, timing, and conditions.
The testing shall not involve any live or production environments unless explicitly authorized by us at our sole discretion. All costs and expenses we incur as a result of any such audit or penetration test shall be fully reimbursed by you.
Product access: A subset of our personnel have access to the products and your data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.
Accessing other products: Where available, we require all personnel to use Google SSO as their primary sign-in method for other products and applications. If Google SSO can't be used for any reason, our personnel must then use a randomly generated, secure, and lengthy password, which is generated and stored in our mandated password manager.
Two-factor Authentication (2FA): Our security policy requires that any product we use with capabilities for 2FA has it enabled for each user. In cases where it is enforceable, we make it mandatory for all personnel via the administration console of each product. In cases where 2FA isn't enforceable by the product but can be set up by our personnel individually, we oblige each employee to activate this feature.
All of our personnel have adopted a dedicated 2FA authenticator app, which must be used to generate 2FA access codes. The sole exception is when a product offers only SMS-based 2FA, in which case we will use that method. In those instances, we ensure that personnel have implemented a SIM lock for the phone number associated with their SMS-based 2FA.
We ensure that the 2FA authenticator app that personnel use is always a different product to our password manager product.
Background checks: Where permitted by applicable law, our personnel undergo a criminal background record check or provide a recent extract of their criminal background records to us before beginning their employment. All of our personnel are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
In-transit: We require HTTPS encryption (TLS, also commonly referred to as SSL) on all login interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that our databases are also encrypted at rest using AES-XTS encryption.
Detection: We designed our infrastructure to log extensive information (using SIEM logs) about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data, which can be further analysed to detect any intrusion attempts.
Response and tracking: We maintain a record of known security incidents that includes a description, dates and times of relevant activities, and the incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize damage to the product, damage to you, or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
Infrastructure availability: Our infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. We programmatically monitor our web application, and rectify any downtimes in an expedited manner.
Online replicas and backups: Production databases are designed to back up at least daily. All databases are backed up and maintained using industry standard methods.
Patches: When necessary, we patch infrastructure in an expedited manner in response to the disclosure of critical vulnerabilities (determined to have a score equal to or greater than 8.5 according to the CVSS v3.1, available at https://www.first.org/cvss/v3.1/specification-document) to ensure system uptime and reliability is preserved.
Personal Data Training: We ensure that our personnel and contractors are informed of the confidential nature of Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality.
Phishing Training: We regularly test and train personnel on phishing attacks and the risk that they pose to security and, consequently, to Personal Data.
Password policy: In addition to our Authentication measures outlined in section 1.1 of this annex, and 2FA measures outlined in section 1.3 of this annex, we also ensure that personnel receive internal training on building a secure password. As a rule of thumb, our password policy makes use of the most recent version of the United States Department of Commerce's National Institute of Standards and Technology (NIST) password guidelines.
Workstation timeout: All employee workstations are set up to automatically require re-authentication after a prolonged period of inactivity.
Physical access: All physical access to our offices is monitored and managed through an electronic badge system, to which only our personnel and contractors are granted access. Additionally, our offices are also equipped with intrusion detection systems.
Purpose limitation: Data collection is limited to the purposes of Processing (or the data that you choose to provide). In instances where we can reasonably limit the amount of data Sub-Processed, we will do so, for example by only referring to internal User IDs or Company IDs when taking meeting notes.
Principle of least privilege: Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions by our personnel and contractors.
Data erasure: As outlined in ‘4. Rectification, restitution, and erasure of data’, we will delete or return all Personal Data to you unless we are under a legal obligation to retain the Personal Data.
Last modified: 01 April 2024
This Annex 3 - ‘Our Sub-Processors’ is incorporated into the DPA and Agreement. This annex explains how we engage with Sub-Processors.
Please review each section for additional details.
Entity | Address | Use | Location | Transfer mechanism |
---|---|---|---|---|
Clever Cloud SAS | 4 rue Voltaire, 44000 Nantes, France | Hosting for our web application, database; as well as some internal tooling | France | DPA |
New Relic, Inc. | 188 Spear Street, Suite 1000, San Francisco, CA 94105, USA | Monitoring and alerting for application and database performance | Germany | DPA + DPF |
Functional Software, Inc. dba Sentry | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | Detecting and debugging technical errors | Germany | DPA + SCCs + DPF |
Stripe Payments Europe Limited | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland | Processing your payments to us | USA | DPA + SCCs + DPF |
Chargebee B.V | Piet Heinkade 55, 1019GM, Amsterdam, Netherlands | Generating invoices for your subscription and managing your subscription status | Germany | DPA + SCCs |
Mailjet SAS | 43 rue de Dunkerque, 75010 Paris, France | Sending notification emails (such as app renewal alerts and new app detected alerts) | Germany and Belgium | DPA |
Twilio Ireland Limited dba Segment | 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland | Logs interactions with the Service and sends them to Sub-Processors listed in this annex (when applicable) | USA | DPA + SCCs + DPF |
Some of our features and integrations require the use of additional Sub-Processors. Some Sub-Processors will apply to you as a default, and some Sub-Processors will apply to you only if and when you opt in.
To help you determine whether each Sub-Processor applies to your use of the Service, we have included the mention ‘Opt-in only’ in the ‘Entity’ column, in bold, to indicate the Sub-Processors that will Process your Personal Data once you have activated the feature they help us deliver (outlined in the ‘Use (if applicable)’ column).
Entity | Address | Use (if applicable) | Location | Transfer mechanism |
---|---|---|---|---|
GoCardless SAS | 7 rue de Madrid, 75008, Paris, France | Securely retrieve payment data from European bank accounts falling under DSP2 regulations | EU | DPA |
Plaid, Inc. | PO Box 7775 Suite 35278, San Francisco, California 94105, USA | Securely retrieve payment data from American and Canadian bank accounts | USA | DPA + SCC |
Knock Labs, Inc. | 175 Varick St, #413 New York, NY 10014 | Send Slack notifications if you integrate Slack on the App | USA | DPA |
API Hub, Inc. dba Clearbit | 548 Market St. #95879, San Francisco CA 94104, USA | Automatically recuperate the logos of the applications displayed in our App | USA | DPA + SCCs + DPF |
Sleekplan GmbH | Georgenstrasse 66 80799, München, Germany | Display our changelog and notify users who have subscribed to be notified when updates are published to the App | Ireland | DPA |
Delighted LLC | 333 W. River Park Drive, Provo, UT 84604, USA | Provide in-app and email satisfaction surveys | USA | DPA + SCC |
Delighted LLC | Philipp-Loewenfeld-Straße 19, 80339 Munich, Germany | Manage our referral and rewards program | EU | DPA |
Entity | Address | Use | Location | Transfer mechanism |
---|---|---|---|---|
Crisp IM SAS | 2 Boulevard de Launay, 44100 Nantes, France | Provide in-app support via chat and email, hosts our help articles available at https://faq.licence.one/, as well as send email newsletters | EU | DPA |
Fullview ApS | Kultorvet 11, 2. TV 1175, København K, Denmark | Initiate in-app support sessions and co-browse with users upon request | Germany | DPA |
Fullstory, Inc. | 1745 Peachtree ST NE, STE N, Atlanta, GA 30309 USA | Capture and analyse user interactions on our App, and identify issues with the App | USA | DPA + SCC + DPF |
So that we can efficiently operate, collaborate and communicate between personnel, we may employ the following Sub-Processors. You may refer to the 'Use (if applicable)' column in the table below to determine whether each Sub-Processor will apply to you.
Entity | Address | Use (if applicable) | Location | Transfer mechanism |
---|---|---|---|---|
Pipedrive OÜ | Paldiski maantee 80, 10617 Tallinn, Estonia | Manage prospects, partners, and customers; and track communications between said parties and us | USA and Europe | DPA |
Google Cloud France SARL dba Google Workspace | 8 Rue de Londres, 75009 Paris, France | Storing copies of any contracts signed between the parties | Europe | DPA + SCC |
Notion Labs, Inc | 2300 Harrison Street San Francisco, CA 94110, USA | Storing any notes and feature suggestions provided during user interviews or communications with our support team | USA | DPA |
Slack Technologies Limited | Salesforce Tower, 60 R801, North Dock, Dublin, Ireland | Internal notifications that help us rapidly improve the product and keep our team up-to-date; such as when an app that doesn’t exist in our database is added, when users delete an application, when you subscribe to the Service | USA | DPA + SCCs + DPF |
ChartMogul GmbH & Co. KG | WeWork Kemperplatz, 1 10785 Berlin, Germany | Reporting on our business financial performance, such as tracking MRR, churn, and net cash flow | Europe | DPA |
Amplitude, Inc. | 201 3rd Street, Suite 200, San Francisco, CA 94103, USA | Analysing and reporting on interactions and events on our platform | Germany | DPA + SCC + DPF |
Due to the nature of our global business and our ongoing efforts to delight our customers, our business needs and service providers may change from time to time. For example, we may deprecate a service provider to consolidate and minimize our use of Sub-Processors. Similarly, we may add a service provider if we believe that doing so will enhance our ability to deliver our Service.
You may subscribe to receive notifications by email if we update our Sub-Processors, add or replace any Sub-Processors, if any of our Sub-Processors materially change the services that they provide, or if they change the country from which they provide them. To subscribe, please complete the form available at https://www.licence.one/sub-processor-notifications. If you opt in to receive such emails, we will notify you according to the provisions outlined in ‘5. Sub-Processors’ in this DPA.
For more information on our privacy practices, please visit our Privacy Policy. If you have any questions regarding this annex, please contact us at legal@licenceone.com.