Data Processing Agreement For AskCody Saas Solution For Meeting Management, Visitor Management, Indoor Wayfinding And Workplace Insights & Analytics

 

This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under the AskCody Terms of Service as stated in ”Service Level Agreement and Terms & Conditions” (”SLA”). This DPA is an amendment to the SLA and is effective upon its incorporation into the SLA, which incorporation may be specified in an Order or an executed amendment to the SLA.

In all cases AskCody (“Processor”), or a third party acting on behalf of Processor, acts as the processor of Personal Data and Purchaser (“Controller”) remain controller of Personal Data.

This DPA shall form part of the Main Contract, in cases where a Main Contract is made, or as amendment to the SLA and Terms & Condition by and between AskCody Group (“AskCody”) and the Purchaser, entered by subscribing to the AskCody SaaS Solution (Including subscribing by ordering the service by Data Controller through a link or via an online order form, and made available online by Data Processor, via the applicable subscriber login link and other web pages designated by Data Processor), and set forth the terms and conditions pursuant to which the Personal Data will be Processed by AskCody as Data Processer.

Under this DPA, you, the Client or Purchaser, is Data Controller(s) (hereinafter the "Controller") and AskCody is Data Processor (hereinafter the "Processor").

This DPA supersedes any prior agreements regarding Personal Data security with regard to the Processors Processing of Personal Data on behalf of the Controller. 

 

Recitals

WHEREAS, the parties acknowledge that the Applicable Data Protection Law requires a Data Processing Agreement between a controller and a processor for the Processing of Personal Data;

AND WHEREAS, for the purposes of fulfilling the Service Level Agreement and Terms & Conditions (or Main Agreement), certain Personal Data for which the Controller is data controller will be processed by the Processor;

AND WHEREAS, the parties hereto have agreed to enter into this DPA with regard to the Processing of Personal Data, as required by the Applicable Data Protection law;

NOW THEREFORE, the parties hereto, agree as follows:

 

Definitions and interpretations

The following terms in this DPA shall have the following meaning:

“AskCody Group”

Means AskCody, Aps, Gasværksvej 30D, DK-9000 Aalborg, Denmark, a Danish Company registered under Company Number DK33757891, AskCody, Inc, 745 Atlantic Ave, MA02111, Boston, MA, and any company directly or indirectly owned by AskCody;

“Applicable Data Protection Law”

Means EU Data Protection Directive 95/46/EC, or other EU legislation that may be promulgated from time to time, any national or internationally binding data protection laws or regulations applicable at any time during the term of this DPA on, as the case may be, the Controller or the Processor. “Applicable Data protection laws” includes any binding guidance, opinions or decisions of regulatory bodies, courts or other bodies, as applicable, as well as the forthcoming European Union General Data Protection Regulation (hereinafter referred to as “GDPR”) when it enters into force on the 25th May 2018;

"Controller"

The party hereto as stated above which alone or jointly with others, determines the purposes and means of the processing of Personal Data;

“Data Subject”

Means an identified or identifiable natural person;

“Personal Data”

Means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Personal Data Breach”

Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

Process or Processing”

Means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

"Processor"

The company within the AskCody Group which is party hereto as stated above which Processes Personal Data on behalf of the Controller;

Pseudonymisation

Means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

“Sub-processor”

Means a third-party subcontractor or a company within the AskCody Group engaged by the Processor which, as part of the subcontractor’s role of delivering the services, will Process Personal Data on behalf of the Controller.

“Supervisory Authority”

Means an independent public authority which is established pursuant to GDPR Article 51

 

 

 

1. Processing of Personal Data

1.1 The Processor guarantees that it has implemented and will continue to implement under the term of this DPA appropriate technical and organizational measures in such a manner that its Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject.

1.2 The Processor undertakes to only Process Personal Data in accordance with documented instructions in Appendix 1-5, unless required to do so pursuant to the Applicable Data Protection Law. The Processor shall at any time be able to document the specific instructions. The guarantees that it is entitled to process the Personal Data under Applicable Data Protection Law before providing Personal Data to the Processor. The Controller hereby confirms that it is solely responsible for determining the purposes and means of processing Personal Data by the Processor. The Controller’s initial instructions to the Processor regarding the subject-matter and duration of the processing, the nature and purpose of the Processing, the type of Personal Data and categories of data subjects are set forth in this DPA and in Appendix 1 - 4.

1.3 The Processor shall, when processing Personal Data under this DPA, comply with Applicable Data Protection Law and applicable recommendations by the Supervisory Authority or other competent authorities. The Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Law.

1.4 The Processor shall assist the Controller in fulfilling its legal obligations under Applicable Data Protection Law, including but not limited to the Controller’s obligation to respond to requests for exercising the Data Subject's rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased.

1.5 The Processor shall immediately inform the Controller if the Processor does not have an instruction for how to process Personal Data in a particular situation or if any instruction provided under this DPA or otherwise infringes Applicable Data Protection Law.

1.6 If Data Subjects, competent authorities or any other third parties request information from the Processor regarding the Processing of Personal Data covered by this DPA, the Processor shall refer such request to the Controller. The Processor may not in any way act on behalf of or as a representative of the Controller. 

1.7 The Processor may not, without prior instructions from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. In the event the Processor, according to Applicable Data Protection Law, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor shall be obliged to inform the Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.

1.8 Upon the Controller’s reasonable request, the Processor shall implement additional reasonable technical and organizational security measures and adjustments to the processing activities. The Controller shall notify the Processor of any adjustments to the Controller’s instructions concerning security and the processing of Personal Data, without undue delay, for the Processor to enable the necessary amendments to procedures to be implemented.

1.9 The Processor undertakes to make available to the Controller all information and provide all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by the Controller or another auditor mandated by the Controller.

1.10 The Processor will demonstrate its compliance with the obligations in this DPA by certifications issued by approved certification bodies.

1.11 During the duration of the Main Agreement, the Controller grants to the Processor a limited, non-exclusive, non-sublicensable, non-transferable license to capture, copy, store, transmit, maintain, access and display the Controllers Data solely to the extent necessary to provide the Services to the Controller under this DPA.

 

2. Data Security

2.1 The Data Processor shall implement technical, physical, and organizational measures to ensure a high level of security of the Personal Data processing and to protect Personal Data against un-authorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The Data Processor's aforementioned security measures shall at all times meet or exceed the (i) requirements of any applicable laws and regulations; and (ii) security measures then prevalent in the Data Controller's industry to which the processing of Personal Data relates to.

The Data Processor shall implement at least the following measures:

  • pseudonymize and encrypt the Personal Data where so required under an assignment made in accordance with Appendix 2 and 3;
  • ensure at all times the confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
  • restore the availability and access to Personal Data in a timely manner in the event of a Disaster;
  • regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing.

2.2 The Data Processor shall ensure that any person acting under the authority of the Data Processor who has access to Personal Data shall not process them except on instructions from the Data Controller, unless he or she is required to do so by Laws.

2.3 The Data Processor shall document the activities taken to ensure its compliance with its obligations under this Section 2, and shall ensure such activities have been completed before starting to process the Personal Data, and upon request present the documentation to the Data Controller for review.

 

3. Sub-Processors

3.1 The Controller agrees that the Processor and companies within the AskCody Group respectively may engage the third-party Sub-processors as listed in Appendix 5 in connection with the provision of the services under this DPA and the Main Agreement.

3.2 The Processor may provide the Controller’s Data to third parties that perform operation and development services for the Processor for technical purposes, subject to confidentiality agreements between the Processor and such third parties.

In the event such third parties have/will have access to Personal Data, such third parties shall be identified in Appendix 5 as such and if the Processor is to engage other such third parties in the future, the Processor shall pre-notify the Controller hereof and obtain prior written approval from the Controller before such are engaged. The Controller shall have the right to veto such third parties on reasonable grounds only.

3.3 The Controller agrees that the provision of the Controllers Services can be reliant and/or depending on whether Sub-Processors (3rd party SaaS providers) can use the Controllers Data to carry out any requested task as a part of the Processors Services. The use of Controllers Data is limited to the same extent as the rights thereto is attributed to the Processor, cf. above.

3.4 The list of Sub-Processors is set out in Appendix 5. The Processor shall pre-notify inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors.

Prior to the Processor adding any new Sub-Processor to the list and engaging such, it shall obtain prior written approval from the. The Controller shall have the right to veto such Sub-Processors on reasonable grounds only.  In the event the Controller cannot accept such new Sub-Processor, the Processor shall substitute this Sub-Processor with a suitable Sub-Processor not part of the same group as the substituted Sub-Processor.

3.5 The Processor shall ensure that any approved Sub-Processors from time to time are bound by written agreements that require them to comply with corresponding data processing obligations to those contained in this DPA.

3.6 The Processor shall remain fully liable to the Controller for the performance of the Sub-Processor's obligations.

3.7 In addition, the Processor may use data stored on the Services (and statistics about the use of the Services) in order to operate and improve the Services, including for the purpose of verification of compliance with this Service Agreement.  As part of the Processors operations, it may sell, transfer or merge particular businesses and/or other assets (including its rights to use Controllers Data and any related personal and business information) to a third party and make such information available to a third party under confidentiality restrictions. The Processor may not use the Controllers Data for any other purpose.

 

4. Auditing

4.1 At any time during the term of the DPA, the Data Controller and/or a recognized, independent third party auditor appointed by the Data Controller with proven experience and procedures shall have the right (exercisable by giving prior written notice to the Data Processor, such notice to be given at least fourteen (14) calendar days prior to any audit) to perform audits and inspections of the Data Processor in order to verify compliance of the Data Processor with the DPA and especially with the technical and organizational security measures required to be implemented.

4.2 The Data Processor shall ensure that the Data Controller is able to conduct an audit in accordance with Section 4.1 and undertakes to assist the Data Controller in the execution of such inspections and audits. In the event of an audit request directly from a relevant supervisory authority, the Data Processor shall assist the Data Controller in answering the request and organizing the audit.

4.3 Each Party shall bear its own costs in connection with an audit. However, if there are more than one (1) audit per year, the Data Controller shall bear the costs starting from the second (2nd) audit.

4.4 Audit for Sub-processors: The Controller may request that the Processor audit the Sub-Processor or provide confirmation that such an audit has occurred, or, where available, obtain or assist the Controller in obtaining a third-party audit report concerning Sub-Processor’s operations to ensure compliance with Applicable Data Protection Laws. The Controller will also be entitled, upon written request, to receive copies of the relevant terms of the Processors agreement with Sub-Processors that may Process Personal Data.

 

5. Information Security and Confidentiality

5.1 The Processor shall, in order to assist the Controller to fulfil its legal obligations including but not limited to; security measures and privacy impact assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data.

  • The measures shall at least result in a level of security which is appropriate taking into consideration:
  • the technical possibilities available;
  • the cost to implement the measures;
  • the special risks involved with processing of personal data; and
  • the sensitivity of the personal data.

5.2 The Processor shall maintain adequate security for the Personal Data appropriate to the risk of processing. The Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of art and the costs of implementation and taking into account the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Processor shall include, inter alia, as appropriate:

  • the Pseudonymisation and encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

5.3 The Processor shall prepare and keep updated an Information Security Policy that maintain compliant with the Applicable Data Protection Law.

5.4 The Processor undertakes not to, without the Controller’s prior written consent disclose or otherwise make Personal Data Processed under this DPA available to any third party, except for Sub-Processors engaged in accordance with this DPA. When new third parties enter into this agreement, the Controller will within reasonable time be notified and updated. Thirds parties will only be able to enter into this agreement as Sub Processers if the Sub Processer complies with GDPR and a Data Processing Agreements is in place.

5.5 The Processor shall be obliged to ensure that only persons that directly require access to Personal Data in order to fulfil the Processor’s obligations in accordance with the Main Agreement have access to such information. The Processor shall ensure that any persons involved in the Processing of Personal Data have committed themselves to confidentiality or are under proper statutory obligation of confidentiality.

5.6 The duties of confidentiality set forth in this section 5 shall survive the expiry or termination of the DPA.

 

6. Personal Data Breach

6.1 In case of a Personal Data Breach involving Personal Data Processed on behalf of the Controller the Processor shall taking into account the nature of Processing and the information available to the Processor assist the Controller in ensuring compliance with the Controllers obligations pursuant to article 33 in the GDPR. Further the Processor shall notify the Controller without undue delay, but not later than 24 hours (Standard Article 33 GDPR states not later than 72 hours where feasible[1]) after becoming aware of such a Personal Data Breach. The notification shall at least:

  • describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
  • communicate the name and contact details of the contact point where more information can be obtained; describe the likely consequences of the Personal Data Breach;
  • describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

6.2 Should Controller security team need additional logs for investigation of an incident determined to affect Controllers organization, the Processors security team will coordinate responsibly provide access as needed. 

6.3 Where, and in so far as, it is not possible to provide the information listed at the same time, the information may be provided in phases without undue further delay.

6.4 The Data Processor take all the necessary steps to protect the Data after having become aware of the Breach. After having notified the Controller in accordance with above, the Processor will, in consultation with the Controller, take appropriate measures to secure the Data and limit any possible detrimental effect to the Data Subjects. The Processor will cooperate with the Controller, and with any third parties designated by the Controller, to respond to the Breach. The objective of the Breach response will be to restore the confidentiality, integrity, and availability of the Services, to establish root causes and remediation steps, preserving evidence and to mitigate any damage caused to Data Subjects or the Controller.

 

7. Term and duration

7.1 The provisions in this DPA shall apply during such time the Processor Processes Personal Data on behalf of the Controller.

 

8. Effect On Termination

8.1 Upon termination or expiry of this DPA, the Processor shall cease its processing activities, and, at the choice of the Controller delete or return all the personal data to the Controller and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data. The Processor shall ensure that any Sub-Processor does the same.

8.2 Upon request by the Controller, the Processor shall provide a written notice of the measures taken regarding the Personal Data upon the completion of the Processing. 

 

9. Changes

9.1 If a Change Management processes is agreed in the Main Agreement, the Change Management Process shall apply for any changes in the Processors obligations under this DPA.

9.2  Request for change can be submitted and changes made for the following reasons:

  • As a result of business requirements or requests by the Processor
  • Introduction of new services, products or projects
  • Correction of technical problems or improvement of functionality
  • Updating of existing services
  • Statutory changes or requirements, hereunder changes in Applicable Data Protection Law

 

10. Limitation of Liability

10.1 Unless otherwise agreed, the parties shall be liable according to the general rules of the governing law according to the section 6 of the DPA. The parties exclude however any liability for operational loss, profit loss, loss of goodwill, and any other indirect loss and consequential damage. Data loss shall be considered an indirect loss.

10.2  Each party liability arising out of or in relation to this DPA shall be subject to the agreed financial limitation of liability of the Main Agreement and any reference in such section to the liability of a party means the aggregate liability of that party under the Main Agreement and DPA together.

10.3 Claims for compensation can in no case exceed 50 % of the agreed annual fee, excluding VAT, in the billing profile.

10.4 Notwithstanding any opposing terms in the contractual basis the Processor shall not be liable to the Controller for any indirect loss, including loss of production, sales, profits, time or goodwill, unless they are caused intentionally or by gross negligence.

10.5 For the avoidance of doubt, and notwithstanding the above, data subject claims arising from either party´s negligence, gross negligence and/or willful misconduct shall be subject to GDPR art. 82 (or its successor) solely. 

 

11. Miscellaneous

11.1 No delay or failure of either party to enforce any provision of this DPA will operate as a waiver of the right to enforce that or any other provision of this DPA, nor will any single or partial exercise of any such rights preclude any other or further exercise thereof. To be effective, any waiver must be in writing, signed by the party providing the waiver.

11.2 In the event that any provision of this DPA is held by a court of competent jurisdiction to be invalid, illegal and/or unenforceable, such provision(s) shall be changed mutatis mutandis and such provision(s) shall be substituted with new provision(s) giving equivalent economic and legal effect as the substituted provision(s), to the extent permissible by law.

11.3 Without prejudice to other provisions of this Agreement, any obligations which either expressly or by their nature are to continue after the termination or expiration of this DPA shall survive and remain in effect.

11.4 This DPA may be executed contemporaneously in one or more counterparts, each of which shall be deemed an original, but which together shall constitute one instrument. The parties may rely on a facsimile or scanned signature to bind the other party and may deliver such signatures electronically.

 

12.Notices

12.1 All notices, requests, claims, demands and other communications under this DPA from one Party to the other shall be in writing, in English.

 

13.Governing law And Dispute Resolution

13.1 If one or more provisions of this DPA is declared to be invalid, illegal or unenforceable in any respect under any applicable law, the validity, legality or enforceability of the remaining provisions contained therein shall not in any way be affected. In such event, the Parties, meaning the Controller and the Processor, shall use its best efforts to immediately and in good faith negotiate a legally valid provision in replacement, without affecting the spirit of this Agreement.

13.2  Danish law governs this DPA. Any dispute regardless of form, arising from the DPA and amendments is to be resolved by City Court of Aalborg, Denmark in accordance with applicable Danish civil procedure.

13.3 The parties agree that the City Court of Aalborg, Denmark shall have sole and exclusive jurisdiction and venue over any matter arising out of this DPA and each party hereby submits itself and its property to the venue and jurisdiction of such court of law. Each party irrevocably waives any objection that it may now or hereafter have to the laying of venue of any such proceeding in such court, including any claim that such proceeding has been brought in an inappropriate or inconvenient forum.

 

14. Signature

The authorized signatures for Controller and Processor below signify their acceptance of the terms of this Data Processing Agreement.

Please contact Information Security Officer, Rune Spliid, rs@askcody.dk to sign DPA

 

 

Appendix 1 - Data processing instructions: Purposes and subject matter

AskCody will process Personal Data as necessary to perform the Services pursuant to the agreement, as further specified in the Documentation, and as further instructed by Controller in its use of the AskCody Services.

The purposes of the Processing of data from the Controller is to provide a SaaS Subscription Service (which may include the detection, prevention and resolution of security and technical issues) to de-liver a Modern Workplace Platform that reduce office friction, improves work pleasure, productivity, and workplace utilization and otherwise to fulfill the obligations under the terms of service as stated in the SLA and Terms & Conditions or in the Main Contract.

AskCody process data to provide and improve the services we offer and perform essential business operations. This includes operating the services, maintaining and improving the performance of the services, including developing new features, research and providing customer support.

The AskCody Platform Consist different modules and elements that enables organizations to under-stand their workplace better, seeing it in its full context, including:

  • Meeting Room Booking and Management
  • Workspace Insights and Analytics
  • Indoor Wayfinding
  • Meeting Room Displays
  • Canteen Management
  • Facilities Overview and Management
  • Vendor and Service Management
  • Visitor Management and Front Desk Software

The SaaS solution integrates seamlessly with Microsoft Outlook, Office 365, and Microsoft Exchange, enabling organizations to transform to a digital workplace. The AskCody SaaS solution comes as a Cloud Based solution. The SaaS solution is built-on Microsoft Azure.

AskCody use the information collected from all of the services to provide, maintain, protect and improve them, to develop new ones, and to protect AskCody and our users.

AskCody uses the data we collect for two basic purposes:

(1) To operate our business and provide (including improving and personalizing) the services we offer to you,

(2) to send communications for AskCody solutions, that will help you improve the utilization of the AskCody solution.

In carrying out these purposes, we combine data we collect through the various AskCody services you use to give you a more seamless, consistent and personalized experience.

Providing and improving our services:

We use data to provide and improve the services we offer and perform essential business operations. This includes operating the services, maintaining and improving the performance of the services, including developing new features, research, and providing customer support. Examples of such uses include the following.

Providing the Services:

We use data to carry out your transactions with us and to provide our services to you. Often, those services include personalized features that enhance your productivity and enjoyment, and tailor your service experiences based on your activities, interests and location.

Customer support. We use data to diagnose service problems and provide other customer care and support services.

Product activation. We use data - including device and application type, location, and unique device, application, network and subscription identifiers - in order to activate soft-ware and devices that require activation.

Service Improvement. We use data to continually improve our services, including adding new features or capabities.

Security, Safety and Dispute Resolution. We use data to protect the security and safety of our services and our customers, to detect and prevent fraud, to confirm the validity of software licenses, to resolve disputes and enforce our agreements. Our communications and data syncing services systematically scan content in an automated manner to identify suspected spam, viruses, abusive actions, or URLs that have been flagged as fraud, phishing or malware links. We may block delivery of a communication or remove content if it violates our terms.

Investigations of Questionable Activity.  We disclose information that we, in good faith, believe is appropriate to cooperate in investigations of fraud or other illegal activity, or to conduct investigations of violations of our user agreements. For example, this means that if we conduct a fraud investigation and conclude that one side has engaged in deceptive practices, we can give that person or entity’s contact information to victims who request it. In addition, we reserve the right to disclose aggregate information and personally identifiable information to third parties as required or permitted by this DPA and when we believe that disclosure is necessary to protect our rights.

Legal Requests.  We disclose information in response to a subpoena, warrant, court order, levy, attachment, order of a court-appointed receiver or other comparable legal process (“Legal Request”), including Legal Requests from private parties in a civil action, and in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.  If the Legal Request seeks information about an identified user or limited group of users, we’ll make reasonable business efforts to contact the user(s) before providing information to the party that requests it. We cannot guarantee that we will be able to contact the user(s) in all cases, whether because of a time limit, court order, inability to effectively contact a user, or for any other reason. We may disclose information to an individual’s agent or legal representative (such as the holder of a power of attorney that an individual grants, or a guardian appointed for an individual). 

Business Operations. We use data to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.

Sale of Business.  As with any other business, it is possible that in the future we could merge with or be acquired by another company.  If such an acquisition occurs, the successor company would have access to the information maintained by us, including customer account in-formation, but would continue to be bound by this Policy unless and until it is amended.

Communications. We use data we collect to deliver and personalize our communications with you. For example, we may contact you by email or other means to inform you when a subscription is ending, let you know when security updates are available, update you or inquire about a service or repair request, invite you to participate in a survey, or tell you that you need to take action to keep your account active. Additionally, you can sign up for email subscriptions and choose whether you wish to receive communications from AskCody by email.

Advertising. AskCody services are not supported by advertising. We don't use the data we collect to help select ads - whether on our own services or on services offered by third parties. We don't support adds based on your current location, search, or the content you are viewing. We don't target adds based on your likely interests or other information that we learn about you over time using demo-graphic data, search queries, usage data, and location data. AskCody does not use what you say in emails or chats, or your documents, or other files to target ads to you. AskCody does not do data sharing, either in terms of sharing reports about the data we have collected, or in terms of directly with service providers to permit them to provide services on our behalf or to a partner.

For an extended walk-through of how data is being used a Privacy Policy can be found here:

https://www.goaskcody.com/privacy-policy

 

Appendix  2 – Types of Personal Data

The Data Processor will be processing the following types of personal data:

The Processer use and collect Personal Data from the Controller to operate effectively and provide Controller the best experiences with the services. The Controller provide some of this data directly, such as when you create an AskCody account, submit a room search, order meeting room services, use our web portal, or contact us for support. We get some of it by recording how you interact with our services by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device. 

Customer may submit Personal Data to the AskCody services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Contact information (company, email, phone, physical business address)
  • Professional life data (Meeting data)
  • ID data
  • Connection data
  • Localization data

 

Meeting data is defined as:

  • Organizer name
  • Organizer email address
  • Meeting Title/Subject
  • Description
  • Visibility (Private/Not Private)
  • Start and end times
  • Location (e.g. “Meeting Room Charlie”)
  • Attendees (Name and email for attendees)
  • Resources (Name and email of exchange resources)
  • Exchange ID
  • Exchange Object ID (Immutable Exchange identifier for the meeting)

 

Processor do not store attachments to meetings in Outlook.

 

Controller may apply additional controls by changing the permissions of the associated Service Account Proceser uses to access Controllers calendar system. When “Private Meetings” are booked with Office 365 and Outlook these meetings stay private.

 

Appendix  3 - Categories of data and data subjects

The Data Processor will be processing personal data regarding the following categories of data subjects:

Data Subjects

Controller may submit Personal Data to the AskCody Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Employees of Customer and Customer’s Users authorized by Customer to use the Services (who are natural persons)
  • Internal service vendors (Canteen, Facilities Management or others)
  • Visitor and meeting attendees of Customer (who are natural persons)

The Processor process Personal Data based on Personal Data being defined as:

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier of that person.

The Processor, AskCody, does not process Sensitive Personal Data, following the definition of  "Sensitive Personal Data" as personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).

The Processor, AskCody, does not process data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including identifiers such as genetic data and all data pertaining to a data subject’s health status.

Categories of Data

The data we collect depends on the services and features used by the Controller, and may include the following categories:

o   Name and contact data (If you have an AskCody account or is granted with an employer-account). We collect your first and last name, email address, phone number, and other similar contact data.

o   Credentials. We collect login and passwords (for admin users) and similar security information used for authentication and account access.

o   Billing data (For organizational owner accounts only). We collect data necessary to process your payment if you make purchases.

o   Usage data. We collect data about how you and your device interact with our services. This includes data, such as the features you use. This also includes data about your device and the network you use to connect to our services, regional and language settings. It includes information about the operating systems and other software installed on your device, including product keys. And it includes data about the performance of the services and any problems you experience with them.

o   Location data. We collect data about your location. Location data includes, for example, a location derived from your IP address or data that indicates where you are located with less precision, such as at a city or postal code level.

o   Content. We collect content of your meetings and communications when necessary to provide you with the services you use. For example, if you find a room using RoomFinder, order services for your meeting with Meeting+, or invite guests to your meeting with Welcome+. The content and data can include:

  • Organizer name
    • Organizer email address
    • Subject
    • Meeting Start Time
    • Meeting End Time
    • Attendees (Name and email for attendees)
    • Resources (Name and email of exchange resources)
    • Exchange ID
    • Exchange Object ID (Immutable Exchange identifier for the meeting)
    • Location (Location String for the meeting)
    • Private status (Whether the meeting is private in Outlook. Will mask organizer, subject, location, and description on signage products)
    • Description (The meeting description)

 

A full list of datatypes can always be found at: https://www.goaskcody.com/data-types

 

Appendix 4 - Location of Processing Operations

Personal data collected by The Processor may be stored and processed in either Europe or in the United States, or in any other country where Microsoft Azure has data centers used as Data center for Microsoft.

AskCody comes as a Software as a Service is built on Microsoft Azure and hosted in the Microsoft Azure cloud. To get a full list of compliance offering and to find audit information, go to the related certification on  https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

In Europe, AskCody utilize the North Europe (Primary) and West Europe (Secondary) Azure regions. (Please see infrastructure document for details - https://www.goaskcody.com/askcody-on-azure.) The service is fully managed by us. Maintenance and updates are included in your subscription.

In North America, we utilize East US (Primary) and West US (Secondary). Learn more about regions here - http://azuredatacentermap.azurewebsites.net/. Also, this service is fully managed by us. Maintenance and updates are included in your subscription.

Controllers Data will never leave the Data Region on which the Controllers Data is placed based on the location of the Controller, meaning the Customers in Europe will only be using Data Centers in Europe, and Customers in North America will only be using Data Centers in North America.

We benefit from Microsoft’s unmatched scale and experience running trusted enterprise cloud services around the globe. This is why AskCody is built on Microsoft Azure. We leverage Microsoft’s deep investments in technology, operational processes, and expertise to provide a trusted platform for the AskCody solution. With Microsoft as our supplier of cloud services, we can take advantage of the Azure Cloud more quickly while reducing security and compliance costs and minimizing risk to your organization.

We understand that to realize the benefits of cloud computing you as a company must be willing to trust your cloud provider with your data. When you invest in a cloud service, you must be able to trust that your data is safe, that data privacy is protected, and that you own and control your data in all its uses. AskCody is divided into a European and North American setup due to data regulations. AskCody fully supports EU Model Clauses.

All secondary datacenters (West Europe and West U.S.) works as a storage and geographically redundant backup.

In the case of emergency and disaster recovery is needed, the recovery time is 12 hours maximum. Loss of data will be limited to latest 15 minutes.

Replication between primary and secondary datacenters in a Region is happening at a maximum delay of 15 minutes.

 

Appendix 5 - Sub-processors

AskCody, the Processor, may leverage and use other SaaS-solutions or third party applications, Sub-Processors, to provide limited services on its behalf, surrounding the functionality of the very core of the AskCody suite. Third party applications of this kind could be an email service to send out emails to the users at the right time with the right information, or a Google Analytics, to monitor behavior and use that data to optimize the experience using the Processors services.

The Controller gives the Processor the mandate to enter into agreements with Sub-Processors for the performance of its obligations under this DPA under the condition that the Processor maintains a list of Sub-Processors and notifies any intended changes to the Controller.

These third-party applications from Sub-Processors or other SaaS-vendors can occasionally access limited Controllers data only to deliver the services we have hired them to provide, and are prohibited from using Controllers data for any other purpose.

Any such sub-processors will be permitted to obtain Controllers Data only to deliver the services the Processor has retained them to provide, and they are prohibited from using Controllers Data for any other purpose. In the list below we have listed the purpose of using and leveraging the services.

These sub-processors are required to maintain the confidentiality of Controllers' information and are contractually obligated to meet our privacy requirements meaning all Controllers data are anonymized and/or pseudonymized when a third-party vendor access it.

To ensure sub-processors accountability, we require all sub-processors who handle Controllers data to comply with the same rules and policies that the Processor complies with. For example, sub-processors with access to Controllers data must agree to the EU Model Clauses and GDPR.

This initiative is designed to standardize and strengthen the handling of Controllers personal information and to bring vendor business processes and systems into compliance with those of the Processor.

The list below does not apply to Previews or other services not yet in general release or general availability.

 

Providers and services:

HubSpot – Website and Marketing Platform

Google Analytics - Web site statistics

Logentries – Logging

Postmark – Email Service Provider

Pusher – Websockets Service Provider

Twilio – SMS Service Provider

Zendesk – Support Service

Microsoft Azure – Cloud Platform

 

Please contact Information Security Officer, Rune Spliid, rs@askcody.dk to get access to a table setting out the sub-processors’ processing of personal data under the DPA.


 

Appendix 6 – Data Security

 

This Appendix 6 (Data Security) sets out the minimum security requirements that the Data Processor and its sub-processors will adhere to in relation to the processing of personal data.

 

Minimum security requirements

The Data Processor shall ensure by itself, and on behalf of all of its Sub-processors, that the Processor at all times complies with the following minimum security requirements:

 

Availability

AskCody leverages the Microsoft Azure platform, and all their implemented security features. As such the Processor have security features in place including, but not limited to firewall, DDOS protection, Antimalware protection, anomaly detection on server behaviour and anti-virus. Further the Controller have access restrictions implemented throughout the platform in terms of authenticating both users and applications access to services which interacts with data. The Controller monitors every service and have alarm systems in place if anything out of the ordinary occurs. The Processor continuously evaluate the measures in place based on the implemented Information Security Policy.

 

Integrity

Every application in the Controllers services has logging services implemented, which record all operations on the data.

A simplified general flow can be seen in the diagram below.

Services has both audit logs and application logs, logging historical events. Further access to manipulating data is restricted to specific user roles, and hence governed by managed access in form of both implemented systems and organizational structures, preventing unintended and/or malicious or accidental access to data.

 

Confidentiality

The Controller leverages different technologies in terms of securing data, depending on the nature of the data. All databases are encrypted. Data stored in the database is further encrypted using industry-standard encryption algorithms.

Extremely sensitive data such as Exchange Credentials are secured by an encryption service, using Microsoft Key Vault and Hardware Secured Modules. The architecture of the KeyVault usage can be seen below.

The Controller has confidentiality agreements with all employees. Furthermore, the Controller maintain automatic access and security logs in multiple locations. All AskCody employees are required to use two-factor authentication and strong passwords that are unique from other services.

Customer data access is governed by our documented security policies, and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and require public key authentication.

Individual employee access follows a principle of least access, and access rights are reviewed quarterly.

 

Transparency

The Controller has a DPA in place for all Sub-processors. This DPA requires all the Sub-processors to comply with the EU Model Clauses and GDPR. An updated list of all third party and providers is available at www.goaskcody.com. The Controller may request that AskCody audit third-party providers / sub-processors, or provide confirmation that such an audit has occurred, or, where available, obtain or assist the Controller in obtaining a third-party audit report concerning the sub-processors operations, to ensure compliance with applicable data protection laws. The Controller will also be entitled, upon written request, to receive copies of the relevant terms of AskCody's agreement with Sub-processors that may process personal data

 

Isolation (purpose limitation)

The Controller has implemented user roles granting access to individual parts of the system. This includes persons managing the product, and employees at AskCody maintaining the product. Authorization to any given data is granted only if the user has access to said data, as such personal data can only be accessed by either a person with adequate roles (Customer Owner, Administrator etc.) or AskCody employees with special work tasks. This includes employees in Support, in order to give meaningful support, and some developers for advanced support or development.

To administrate this privileged access, organizational structures are in place to govern who is granted access to what in accordance to ISO27002.

 

Intervenability

All Personal Data in the AskCody platform is based on the integration with either Microsoft Exchange or Active Directory. Both systems are systems and platforms, that the Controller fully manage themselves, therefore having the full ability to access, rectify, delete, block and manage the processing of personal data.  Full access to all data types and data subjects is therefore controlled by the Controller.

 

Portability

AskCody supports export of data in CSV.

 

Accountability

AskCody has audit logs on all applications as well as application logs detailing what the application has done. Further, access to any services, such as specific Microsoft Azure Services or AskCody administration features, has been granted based on organizational investigations. As such only the relevant and required amount of people have access to any given service, in accordance with ISO27002:

 

Data retention and deletion

AskCody stores all data with redundancy on Microsoft Azure. Our databases support point-in-time backups to the minute, with a 31-day retention. All data is stored digitally and as such can easily be deleted or moved.

 

Physical security

Security measures are in place according to ISO27002: These includes physical key-cards for entry to the building, personal computers with two factor authentication and encryption as well as personal lockers for storage of computers. Further all storage of data is on the Azure Cloud and hence protected by their respective certifications in terms of physical breaches of data-centres. The Controller hosts no data, and has no on-premise servers on the Controllers locations.

 

Resilience of systems

All AskCody services operate on a redundant server setup on Microsoft Azure. For European customers and users, the primary server cluster is Europe NORTH and our secondary backup is Europe WEST. For customers in North and South America, the primary server cluster is East US and our secondary backup is West US.

The availability of this system is guaranteed through the Microsoft Azure Cloud.

 

 

[1] https://gdpr-info.eu/art-33-gdpr/