Last Updated Date: June 21st 2022
As between the parties, with regard to EU Personal Data, Customer is a Data Controller and JangaApps may be either a Data Processor for a Customer entity located in the EU or a subprocessor with regard to EU Personal Data. As between the parties, with regard to CA Personal Data, Customer is a business and JangaApps is a service provider. JangaApps reserves the right to modify this Addendum in order to comply with applicable law and regulation. To the extent that JangaApps modifies this Addendum in order to ensure such compliance, JangaApps will provide notice to Customer of the modifications, and Customer’s continued use of the Services will constitute Customer’s agreement to those modifications. JangaApps may provide that notice in a variety of ways, including, among other things, sending Customer an email, posting a notice on the Service itself, or by posting the revised Addendum on JangaApps’s website and revising the date at the top of this Addendum.
The subject matter of the data processing, including the processing operations carried out by JangaApps on behalf of Customer and Customer’s data processing instructions for JangaApps, will be described in the Agreement, this Addendum, and each statement of work, order form, or equivalent document where Customer orders Services from JangaApps, which form integral parts of the Agreement.
Categories of data subjects: Individuals who may use JangaApps’s Services as provided to Customer under the Agreement. Types of Personal Data processed: Personal Data provided by Customer to JangaApps in connection with the Agreement, including name, surname, email address, other profile information, and content of messages sent by data subjects in connection with the Services under the Agreement.
The parties shall each comply with their respective obligations under all applicable laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data (“Privacy Laws”), including, without limitation, the California Consumer Privacy Act of 2018 (as amended) (“CCPA”). With regard to EU Personal Data, the parties will comply with each of their respective obligations under the EU Data Protection Directive 95/46/EC (as amended), (the “Directive”), any subordinate legislation and regulation implementing the Directive which may apply (“Local Data Protection Laws”), and, as of 25 May 2018 and thereafter, the European Union Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”) and any subordinate legislation and regulation implementing the GDPR which may apply (collectively, with Privacy Laws, the “Data Protection Requirements”).
provide instruction to JangaApps and determine the purposes and general means of JangaApps’s processing of Personal Data on behalf of Customer under the Agreement; and
comply with its personal data protection, data security and other obligations prescribed by Data Protection Requirements for Data Controllers by, without limitation, meeting its obligations under Data Protection Requirements to:
By entering into this Addendum, Customer instructs JangaApps to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as authorised by the Agreement, including this Addendum; and (c) as further documented in any other written instructions given by Customer and acknowledged in writing by JangaApps as constituting instructions for purposes of this Addendum.
JangaApps, in its capacity as a Data Processor or subprocessor of Personal Data, shall:
JangaApps shall inform Customer without delay if JangaApps becomes aware of:
JangaApps further agrees to notify Customer of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in JangaApps’s possession, custody or control (“Personal Data Breach”) without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
JangaApps shall reasonably assist Customer regarding:
If JangaApps is required by Data Protection Requirements to process any Personal Data other than as set forth in this Addendum, JangaApps shall inform Customer of this requirement in advance of any processing, unless JangaApps is legally prohibited from informing Customer of such processing.
Customer may audit JangaApps’s compliance with this Addendum up to once per year and on such other occasions as may be required by Data Protection Requirements. JangaApps will cooperate with the audit by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. Customer will reimburse JangaApps for its reasonable expenses incurred to cooperate with such an audit. For the purposes of this section, “Supervisory Authority” has the same meaning as given by Article 28 of the Directive or, from 25 May 2018, Article 51 of the General Data Protection Regulation. The audit must be conducted during regular business hours, subject to an agreed upon audit plan and JangaApps’s safety, security or other relevant policies, and may not unreasonably interfere with JangaApps’s business activities. JangaApps shall not be required to breach any duties of confidentiality in connection with such audit, and Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum.
JangaApps is located in the United States and may store and process Personal Data in the United States or anywhere JangaApps or its Subprocessors maintains facilities. To the extent Slack maintains the Customer’s Slack workspace in the EEA, Switzerland or the United Kingdom, transfers of EU Personal Data from the Customer’s Slack workspace to JangaApps in the US (or in another country not deemed by the European Commission to have adequate data protection) are governed by the Standard Contractual Clauses for the transfer of EU Personal Data to processors established in third countries in the form set out by European Commission Decision 2010/87/EU (“Standard Contractual Clauses”), the terms of which are hereby incorporated into this Addendum.
In furtherance of the foregoing, the parties agree that:
Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of EU Personal Data outside the EEA (e.g., binding corporate rules) applies to the transfer.
Customer acknowledges and agrees that JangaApps may create and derive from processing under the Agreement anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve JangaApps’s products and services and for its other lawful business purposes.
This Addendum shall remain in effect as long as JangaApps carries out Personal Data processing operations on behalf of Customer or until the termination of the Agreement and all associated order forms (and all Personal Data has been returned or deleted in accordance with section 9 below).
The parties agree that upon the expiration or termination of the Agreement, JangaApps shall securely destroy all Personal Data and, at the request of Customer, certify that it has taken such measures, unless applicable laws prevent JangaApps from returning or destroying all or part of the Personal Data disclosed. In such case, JangaApps agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with the laws it is subject to.
The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with this Addendum and the Standard Contractual Clauses (if entered into as described in Section 6 of this Addendum) combined will be limited to the liability limitations or other liability caps agreed to by the parties in the Agreement.
Notwithstanding the foregoing, nothing in this Section 10 will affect any party’s liability to data subjects under the third-party beneficiary provisions of the Standard Contractual Clauses to the extent the limitation of such rights is prohibited by Privacy Laws or Local Data Protection Laws, where applicable.
JangaApps may update the Security Measures from time to time, provided the updated measures do not decrease the overall protection of Personal Data.