Legal

Dock Data Processing Agreement

THIS DATA PROCESSING AGREEMENT, including the selected modules of the Model Clauses and Annexes (“DPA”) forms part of and is subject to the Dock Terms of Service or other written or electronic agreement (“Main Agreement”) between Customer and Dock Labs, Inc. (“Dock,” “we,” “us,” “our”). Customer and Dock may be referred to herein as a “party” and together as the “parties.”

In the course of providing the Services to Customer under the Main Agreement, Dock may process Customer Personal Data (defined below) on behalf of Customer and the parties agree to comply with the following provisions with respect to any processing of Customer Personal Data by Dock. This DPA shall not replace any comparable or additional rights relating to processing of Customer Personal Data contained in the Main Agreement.

Annex 1 - Details of Processing

Annex 2 - Security Measures

Annex 3 - List of Sub-Processors

Annex 4 -UK Addendum

  1. Definitions

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Business Purpose” has the meaning attributed to in Section 1798.140(d) of the CCPA.

“CCPA” means Sections 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time.

“Customer Personal Data” means any Customer Content that: (i) relates to   an identified or identifiable natural person; or (ii) that is otherwise protected as “personal data” or “personal information” (as such terms are defined in applicable Data Protection Laws), that Dock processes on behalf of Customer in the course of providing the Service.

“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term “Controlled” will be construed accordingly.

“Data Protection Laws” means all data protection and privacy laws regulations applicable to a party and its processing of Personal Data under the Main Agreement, including, where applicable, GDPR (or in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data protection and privacy as a consequence of the United Kingdom leaving the European Union), implementations of the GDPR into national law, and the CCPA; in each case, as may be amended, superseded or replaced.

“EEA” means for the purposes of this DPA the European Economic Area, United Kingdom and Switzerland.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

“Model Clauses” means the selected and applicable modules, attached as Exhibit 1 to this DPA, from the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council C/2021/3972). 

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, stored or otherwise processed by Dock in connection with the provision of the Service.  “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of services attacks, and other network attacks on firewalls or networked systems.

“Subprocessor” means any Processor having access to Customer Personal Data and engaged by Dock to assist in fulfilling its obligations with respect to providing the Service pursuant to the Main Agreement or this DPA. Subprocessors may include third parties or Dock Affiliates but shall exclude any employee, consultant or independent contractor of Dock provided such individual is performing services in a capacity equivalent to those performed by employees.

“Controller”, “processor”, “processing” and “personal data” shall have the meanings given to them in Data Protection Laws or if not defined therein, the GDPR.

  1. Roles and Scope of Processing
  1. Processing Description. The type of personal data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1 to the Model Clauses, in Exhibit 1 of this DPA.
  2. Data Processing Roles. In respect of the parties’ rights and obligations under this DPA regarding the Customer Personal Data, the parties acknowledge and agree that Customer is the controller (where applicable Data Protection Laws recognizes such concept) and, with respect to the CCPA, a “business” as defined therein, and Dock is the processor (where applicable Data Protection Laws recognizes such concept) and, with respect to the CCPA, a “service provider” as defined therein.  
  3. Compliance with Laws.  Dock shall process Customer Personal Data in accordance with this DPA and Data Protection Laws applicable to its role under this DPA. For the avoidance of doubt, Dock is not responsible for complying with Data Protection Laws uniquely applicable to Customer by virtue of its business or industry, such as those generally applicable to online service providers.
  4. Processing Instructions. Dock shall process Customer Personal Data in accordance with Customer’s written lawful instructions and only for the following purposes: (i) processing to provide the Services in accordance with the Main Agreement; (ii) processing to perform any steps necessary for the performance of the Main Agreement; (iii) processing initiated by Authorized Users in their use of the Service; and (iv) processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Main Agreement and this DPA (individually and collectively, the “Permitted Purpose”). The parties agree that the Main Agreement (including this DPA) sets out Customer’s complete and final instructions to Dock in relation to the processing of Customer Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Dock.
  5. Customer Responsibilities. Customer, as a controller or as a business, is responsible for: (i) the accuracy, quality, and legality of the Customer Personal Data, (ii) the means by which Customer acquired such Customer Personal Data; and (iii) the instructions it provides to Dock regarding the processing of such Customer Personal Data.  Customer shall ensure (i) that it has provided notice and obtained (or will obtain) all consents and rights necessary for Dock to process Customer Personal Data pursuant to the Main Agreement and this DPA, (ii) its instructions are lawful and that the processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws, and (iii) where the CCPA applies, that the Customer Personal Data is provided to Dock in order to perform the Service for a valid “Business Purpose” (as defined in CCPA) only.

3. Subprocessing

  1. Notification of New Subprocessors. Dock’s authorized Subprocessors are listed in to this Data Processing Agreement. Dock shall provide Customer at least ten (10 days) written notice prior to authorizing any new Subprocessor to process Customer Personal Data.
  2. Subprocessor Obligations.  Dock will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective of Customer Personal Data as this DPA or the Data Protection Laws to the extent applicable to the nature of the services provided by such Subprocessor. Where a Subprocessor fails to fulfil its data protection obligations, Dock shall remain fully liable to Customer for the performance of that Subprocessor’s data protection obligations.
  3. Subprocessor Objection Right.  If Customer objects on reasonable grounds relating to data protection to Dock’s use of a new Subprocessor, then Customer shall promptly, and within ten (10) days following Dock’s notification pursuant to Section 3.1 above, provide written notice of such objection to Dock. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties cannot agree to a mutually acceptable resolution, Customer shall as its sole and exclusive remedy have the right to terminate the relevant affected portion(s) of the Service without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Upon termination by Customer pursuant to this Section, Dock shall refund Customer any prepaid fees for the terminated portion(s) of the Service that were provided after the effective date of the termination.

  1. Security Measures and Security Incident Response
  1. Security Measures. Dock has implemented and will maintain appropriate technical, and organizational security measures intended to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with the security measures described in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Dock may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
  2. Personnel.  Dock restricts its personnel from processing Customer Personal Data without authorization by Dock as set forth in the Security Measures and shall ensure that any person who is authorized by Dock to process Customer Personal Data is under an appropriate obligation of confidentiality.
  3. Customer Responsibilities.  Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Personal Data transmitted via the systems it administers and maintains (i.e. email encryption), and taking any appropriate steps to securely encrypt or back up any Customer Personal Data uploaded to the Service.
  4. Security Incident Response.  Upon becoming aware of a Security Incident, Dock will notify Customer without undue delay and, in any case within seventy-two (72) hours after becoming aware. Dock will provide information relating to the Security Incident to Customer promptly as it becomes known or as is reasonably requested by Customer to fulfil Customer’s obligations as controller. Dock will also take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident.

  1. Audit and Records. 
  1. Audit Rights.  Dock shall make available to Customer all information in Dock’s possession or control and provide all assistance in connection with audits of Dock’s premises, systems, and documentation as Customer may reasonably request to enable Customer to assess Dock’s compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 5 and where applicable, the Model Clauses) by instructing Dock to comply with the audit measures described in the Security Measures and Section 5.2 below.
  2. Audit Procedures.  Where required under any applicable Data Protection Laws or where a data protection authority requires under applicable Data Protection Laws, Customer may, on giving at least thirty (30 days) prior written notice, request that Customer’s personnel or a third party (at Customer’s expense) conduct an audit of Dock’s facilities, equipment, documents and electronic data relating to the processing of Customer Personal Data under the Main Agreement to the extent necessary to inspect and/or audit Dock’s compliance with this DPA, provided that: (i) Customer shall not exercise this right more than once per calendar year; (ii) such additional audit enquiries shall not unreasonably impact in an adverse manner Dock’s regular operations and do not prove to be incompatible with applicable Data Protection Laws or with the instructions of the relevant data protection authority; and (iii) before the commencement of such additional audit, the parties shall mutually agree upon the scope, timing, and duration of the audit, and (iv) at all times during the scope of the audit, Customer and any appointed third party will comply with Dock’s policies, procedures, and reasonable instructions governing access to its systems and facilities, including limiting or prohibiting access to information that is confidential information. Without prejudice to the foregoing, Dock will provide all assistance reasonably requested by Customer to accommodate Customer’s request.

  1. Data Transfers.

Customer acknowledges and agrees that Dock may transfer and process Customer Personal Data to and in the United States and other locations in which Dock, its Affiliates, or its Subprocessors maintain data processing operations as more particularly described in the Subprocessor Site (defined above). Dock shall ensure that such transfers are made in compliance with Data Protection Law and this DPA.

  1. Return or Deletion of Data. 

Promptly upon Customer’s request, or within one hundred eighty (180) days after the termination or expiration of the Main Agreement, Dock shall delete or return Customer Personal Data in its possession or control. This requirement shall not apply to the extent Dock is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Dock shall securely isolate and protect from any further processing, except to the extent required by such laws.

  1. Cooperation
  1. Data Subject Rights Requests.  Dock shall, taking into account the nature of the processing, reasonably assist Customer in responding to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Main Agreement. In the event that any such request is made to Dock directly, Dock will not respond to such communication directly (except to direct the data subject to contact Customer) without Customer’s prior authorization, unless legally compelled to do so. If Dock is required to respond to such a request, Dock will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
  2. Requests by Law Enforcement.  As a matter of general practice, Dock does not voluntarily provide government agencies or authorities (including law enforcement) with access to Customer Personal Data. If a government agency or authority (including law enforcement) sends Dock a compulsory demand for Customer Personal Data (for example, through a subpoena, court order, search warrant, or other valid legal process), Dock will: (i) inform the government agency that Dock is a processor or service provider (as applicable of the Customer Personal Data) and (ii) attempt to redirect the law enforcement agency to request that Customer Personal Data directly from Customer. As part of this effort, Dock may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, Dock will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Dock is legally prohibited from doing so or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or Dock’s property, product, or services. Dock shall not provide access to the Customer Personal Data until the earlier of: (a) Customer provides authorization to Dock; (b) Dock is informed or affirmatively learns that a protective order or other appropriate remedy is being sought or has been issued; or (c) thirty (30) days have elapsed since notice of the compulsory request to Customer and Customer has not responded.
  3. Data Protection Impact Assessments (DPIAs).  To the extent required under Data Protection Laws applicable to the EEA, Dock will provide requested information regarding the Service necessary to enable Customer to carry out data protection impact assessments and prior consultations with data protection authorities.

  1. Europe
  1. Scope.  The terms in this Section 9 apply only if and to the extent Customer is established in the EEA or the Customer Personal Data is otherwise subject to Data Protection Laws applicable to the EEA.
  2. Processing Instructions.  Without prejudice to Section 2.4 (Customer Responsibilities), Dock shall notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any processing instructions from Customer violates applicable Data Protection Laws.
  3. Transfer Mechanism.  To the extent that Dock is a recipient of and processes any Customer Personal Data that originated from the EEA in a country that does not provide an adequate level of protection under applicable Data Protection Laws, the parties agree that Dock shall abide by and process such Customer Personal Data in compliance with the Model Clauses, which are incorporated into and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that: (i) Dock is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside the EEA); and (ii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Model Clauses and, accordingly, if and to the extent the Model Clauses conflict with any provision of the Main Agreement (including this DPA) the Model Clauses shall prevail to the extent of such conflict.
  4. Model Clauses. For purposes of the Model Clauses, (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 9 of Module Two, Option 2 will apply and the time period for prior notice of Sub-processor changes is identified in Section 3.2 of this DPA; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the 2021 Controller-to-Processor Clauses will be Lattice DPA 5 governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I shall be deemed completed with the information set out in Annex 1 (Details of Processing) of this DPA; and (vii) Annex II shall be deemed completed with the information set out in Annex 2 (Security Measures) (as applicable) of this DPA; and Annex 3 (Subprocessors) shall be deemed completed with the information set out in Annex 3 of this DPA.
  5. Alternative Data Transfer Arrangements.  To the extent Dock adopts an alternative data export mechanism (including any new version of or successor to the Model Clauses adopted pursuant to Data Protection Laws) for the transfer of personal data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall automatically apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws applicable to the EEA and extends to territories to which Customer Personal Data is transferred).
  6. UK Data Transfers. Dock shall process Customer Data originating in the UK in accordance with terms set forth in Annex 4 to this Agreement.

  1. Controller Affiliates
  1. Affiliate Communications.  Customer is responsible for coordinating all communications with Dock on behalf of its Affiliates with regard to this DPA. Customer represents that it is authorized to issue instructions as well as make and receive any communications in relation to this DPA on behalf of its Affiliates.
  2. Affiliate Enforcement.  Customer Affiliates may enforce the terms of this DPA directly against Dock, subject to the following provisions:
  3. Customer will bring any legal action, suit, claim, or proceeding which the Affiliate would other have it if were a party to the Main Agreement (each an “Affiliate Claim”) directly against Dock on behalf of such Affiliate, except where Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate bring or be a party to such Affiliate Claim; and for the purpose of any Affiliate Claim brought directly against Dock by Customer on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Customer.

  1. Limitation of Liability
  1. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
  2. Any claim or remedies Customer or its Affiliates may have against Dock and its respective employees, agents, or Subprocessors arising under or in connection with this DPA including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Customer; (iii) under GDPR (or UK GDPR), including any claims relating to damages paid to a data subject; and (iv) breach of its obligations under the Model Clauses, will be subject to any limitation and exclusion of liability provisions (including any agreed aggregate financial cap) that apply under the Main Agreement.
  3. For the avoidance of doubt, Dock and its Affiliates’ total overall liability for all claims from Customer and its Affiliates arising out of or related to the Main Agreement and each DPA shall apply in the aggregate for all claims under the Main Agreement and this DPA together, including by Customer and its Affiliates.

  1. RESTRICTIONS
  1. Dock is prohibited from:
  2. selling Customer Personal Data;
  3. retaining, using, or disclosing Customer Personal Data for any purposes other than the specific purposes of performing the Service or as otherwise permitted under Main Agreement and this DPA, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Service; or
  4. retaining using or disclosing Customer Personal Data outside the direct business relationship between Dock and Customer.
  5. Dock hereby certifies that it understands the restrictions set out in Section 12.1 and will comply with them.

  1. General
  1. As between Customer and Dock, this DPA is incorporated into and subject to the terms of the Main Agreement and shall be effective and remain in force for the term of the Main Agreement or the duration of the Service. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Customer Personal Data.
  2. Each party acknowledges that the other party may disclose the Model Clauses, this DPA, and any privacy related provisions in the Main Agreement to any regulator or supervisory authority upon request.
  3. Notwithstanding anything to the contrary in the Main Agreement and without prejudice to Section 2.3, Dock may periodically make modifications to this DPA as may be required to comply with Data Protection Laws.
  4. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto, respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
  5. Other than as required by the Model Clauses, the dispute mechanisms, including those related to venue and jurisdiction, set forth in the Main Agreement govern any dispute pertaining to this DPA.  

ANNEX 1

DETAILS OF PROCESSING

A. LIST OF PARTIES

Data exporter: 

Name: The entity listed as “Customer” in the applicable Order Form and/or Main Agreement

Address: The address listed on any applicable Order Form. 

Contact person’s name, position and contact details: The point of contact listed on any applicable Order Form or the Main Agreement. 

Activities relevant to the data transferred under these Clauses: Receive Dock Services as specified in the Main Agreement and Order Form. 

Signature and date: By signing the Main Agreement or any Applicable Order Form, Customer hereby agrees to be bound by this Data Processing Agreement.  

Role (controller/processor): Controller. 

Data importer(s): 

Name: Dock Labs, Inc. 

Address: 548 MARKET STREET PMB36932, SAN FRANCISCO, CA, 94104

Contact person’s name, position and contact details: Victor Kmita, CTO, legal@dock.us 

Activities relevant to the data transferred under these Clauses: Provide Dock Services to Customer as specified in the Main Agreement and applicable Order Form. 

Signature and date: By signing the Main Agreement or any Applicable Order Form, Dock hereby agrees to be bound by this Data Processing Agreement.  

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Dock Customers and Employees of Dock Customers. 

Categories of personal data transferred

The information specified in the Dock Privacy Policy

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

Software as a Service for collaborative online workspaces. 

Purpose(s) of the data transfer and further processing

To provide the Dock Software as a Service to Customers. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

From the Effective Date of the Main Agreement until its termination. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

From the Effective Date of the Main Agreement until its termination. 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located shall act as competent supervisory authority. 

ANNEX 2

SECURITY MEASURES

The technical and organizational measures implemented by Dock (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows: 

Encryption of personal data

  • Data at rest encrypted using AES-256 algorithm.
  • Employee laptops are encrypted using full disk AES-256 encryption.
  • HTTPS encryption on every web login interface, using industry standard algorithms and certificates.
  • Secure transmission of credentials using by default TLS 1.2.
  • Access to operational environments requires use of secure protocols such as HTTPS.
  • Data that resides in Amazon Web Services (AWS) encrypted at rest as stated in AWS' documentation and whitepapers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys via AWS Key Management Service (KMS) are IAM role protected, and protected by AWS-provided HSM certified under FIPS 140-2.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Strong access controls based on the use of the 'Principle of Least Privilege'.
  • Differentiated rights system based on security groups and access control lists.
  • Employee is granted only amount of access necessary to perform job functions.
  • Unique accounts and role-based access within operational and corporate environments.
  • Access to systems restricted by security groups and access-control lists.
  • Authorization requests are tracked, logged and audited on a regular basis.
  • Removal of access for employee upon termination or change of employment.
  • Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources.
  • Strong and complex passwords required. Initial passwords must be changed after the first login.
  • Passwords are never stored in clear-text and are encrypted in transit and at rest.
  • Account provisioning and de-provisioning processes.
  • Automatic account locking.
  • Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
  • Confidentiality requirements imposed on employees.
  • Mandatory security trainings for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities inside and outside of Dock.
  • Non-disclosure agreements with third parties.
  • Separation of networks based on trust levels.

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Event reports are enabled and available to customers in their Dock instance. These reports can be periodically downloaded.
  • User activity including logins, configuration changes, deletions and updates are written automatically to audit logs in operational systems.
  • Certain activities on Dock are not available directly to customers such as timestamps, IPs, login/logouts, and errors. These logs are available only to authorized employees, stored off-system, and available for security investigations.
  • All logs can be accessed only by authorized Dock employees and access controls are in place to prevent unauthorized access.
  • Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through use of access controls and security measures.
  • Network segmentation and interconnections protected by firewalls.
  • Annual penetration testing for all components of the Dock SaaS, including web and mobile applications.

Measures for user identification and authorisation

  • Access to operational and production environments is protected by use of unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA), role-based access, and least privilege principle.
  • Authorization requests and provisioning is logged, tracked and audited.
  • Customer-generated OAuth tokens, are stored in an encrypted state.
  • Keys required for decryption of those secrets are stored in a secure, managed repository (such as AWS KMS) that employs industry-leading hardware security models that meet or exceed applicable regulatory and compliance obligations.
  • Access keys used by production Dock applications (e.g. AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or personnel departure) and at least yearly.
  • User activity in operational environments including access, modification or deletion of data is being logged.
  • Web Application Firewall (WAF), in addition to the network-based firewalls.

Measures for the protection of Data during transmission

  • HTTPS encryption for data in transit (using TLS 1.2 or greater).

Measures for the protection of Data during storage

  • Dock customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure executable uploads, code, or unauthorized actors are not permitted to access unauthorized data - including one customer accessing files of another customer.
  • Endpoint security software
  • System inputs recorded via log files
  • Access Control Lists (ACL)
  • Multi-factor Authentication (MFA)

Measures for ensuring events logging

  • Remote logging
  • A central Security Information and Event Management (SIEM) system and other product tools monitor security or activities

Measures for ensuring system configuration, including default configuration

  • Dock has in place a Change Management Policy.
  • Dock monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of un-detected changes to production. Changes are tracked in our change platform.
  • Access Control Policy and Procedures

Measures for ensuring data minimisation

  • Detailed privacy assessments are performed related to implementation of new products/services and processing of personal data by third parties. 
  • Data collection is limited to the purposes of processing (or the data that the customer chooses to provide).
  • Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
  • Data retention time limits restricted and
  • An automatic deletion has been implemented to enforce data retention time limits (see below on Measures for ensuring limited data retention).
  • All deleted customer data follows a similar retention schedule of a recoverable delete between 0-90 days and a permanent delete within 91- 180 days.
  • Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.

Measures for ensuring Data quality

  • Dock has a process that allows individuals to exercise their privacy rights (including a right to amend and update information), as described in Dock's Privacy Policy.
  • Applications are designed to reduce/prevent duplication. Many application level checks are in place to ensure data integrity.
  • QA team that helps to ensure these items are working as designed and implemented before reaching our production environment.

Measures for ensuring limited data retention

  • After termination of all subscriptions associated with an environment, customer data submitted to the Services is retained in inactive status within the Services for 60 days, after which it is securely overwritten or deleted from production within90 days (up to a max of 180 days) and from backups within 180 days.
  • All deleted customer data follows a similar retention schedule of a recoverable delete between 0-90 days and a permanent delete within 91- 180 days.

Measures for ensuring accountability

  • Customer Privacy Assessments are required when introducing any new product/service that involves processing of personal data.
  • Data protection impact assessments are part of any new processing initiative.

Measures for allowing Data portability and ensuring erasure

  • Ability to export data to JSON format
  • Dock has a process that allows individuals to exercise their privacy rights (e.g. right of erasure or right to data portability), as described in Dock's Privacy Policy.

ANNEX 3

SUBPROCESSORS


THIS DATA PROCESSING AGREEMENT, including the selected modules of the Model Clauses and Annexes (“DPA”) forms part of and is subject to the Dock Terms of Service or other written or electronic agreement (“Main Agreement”) between Customer and Dock Labs, Inc. (“Dock,” “we,” “us,” “our”). Customer and Dock may be referred to herein as a “party” and together as the “parties.”

In the course of providing the Services to Customer under the Main Agreement, Dock may process Customer Personal Data (defined below) on behalf of Customer and the parties agree to comply with the following provisions with respect to any processing of Customer Personal Data by Dock. This DPA shall not replace any comparable or additional rights relating to processing of Customer Personal Data contained in the Main Agreement.

Annex 1 - Details of Processing

Annex 2 - Security Measures

Annex 3 - List of Sub-Processors

  1. Definitions

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Business Purpose” has the meaning attributed to in Section 1798.140(d) of the CCPA.

“CCPA” means Sections 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time.

“Customer Personal Data” means any Customer Content that: (i) relates to   an identified or identifiable natural person; or (ii) that is otherwise protected as “personal data” or “personal information” (as such terms are defined in applicable Data Protection Laws), that Dock processes on behalf of Customer in the course of providing the Service.

“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term “Controlled” will be construed accordingly.

“Data Protection Laws” means all data protection and privacy laws regulations applicable to a party and its processing of Personal Data under the Main Agreement, including, where applicable, GDPR (or in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data protection and privacy as a consequence of the United Kingdom leaving the European Union), implementations of the GDPR into national law, and the CCPA; in each case, as may be amended, superseded or replaced.

“EEA” means for the purposes of this DPA the European Economic Area, United Kingdom and Switzerland.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

“Model Clauses” means the selected and applicable modules, attached as Exhibit 1 to this DPA, from the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council C/2021/3972). 

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, stored or otherwise processed by Dock in connection with the provision of the Service.  “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of services attacks, and other network attacks on firewalls or networked systems.

“Subprocessor” means any Processor having access to Customer Personal Data and engaged by Dock to assist in fulfilling its obligations with respect to providing the Service pursuant to the Main Agreement or this DPA. Subprocessors may include third parties or Dock Affiliates but shall exclude any employee, consultant or independent contractor of Dock provided such individual is performing services in a capacity equivalent to those performed by employees.

“Controller”, “processor”, “processing” and “personal data” shall have the meanings given to them in Data Protection Laws or if not defined therein, the GDPR.

  1. Roles and Scope of Processing
  1. Processing Description. The type of personal data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1 to the Model Clauses, in Exhibit 1 of this DPA.
  2. Data Processing Roles. In respect of the parties’ rights and obligations under this DPA regarding the Customer Personal Data, the parties acknowledge and agree that Customer is the controller (where applicable Data Protection Laws recognizes such concept) and, with respect to the CCPA, a “business” as defined therein, and Dock is the processor (where applicable Data Protection Laws recognizes such concept) and, with respect to the CCPA, a “service provider” as defined therein.  
  3. Compliance with Laws.  Dock shall process Customer Personal Data in accordance with this DPA and Data Protection Laws applicable to its role under this DPA. For the avoidance of doubt, Dock is not responsible for complying with Data Protection Laws uniquely applicable to Customer by virtue of its business or industry, such as those generally applicable to online service providers.
  4. Processing Instructions. Dock shall process Customer Personal Data in accordance with Customer’s written lawful instructions and only for the following purposes: (i) processing to provide the Services in accordance with the Main Agreement; (ii) processing to perform any steps necessary for the performance of the Main Agreement; (iii) processing initiated by Authorized Users in their use of the Service; and (iv) processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Main Agreement and this DPA (individually and collectively, the “Permitted Purpose”). The parties agree that the Main Agreement (including this DPA) sets out Customer’s complete and final instructions to Dock in relation to the processing of Customer Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Dock.
  5. Customer Responsibilities. Customer, as a controller or as a business, is responsible for: (i) the accuracy, quality, and legality of the Customer Personal Data, (ii) the means by which Customer acquired such Customer Personal Data; and (iii) the instructions it provides to Dock regarding the processing of such Customer Personal Data.  Customer shall ensure (i) that it has provided notice and obtained (or will obtain) all consents and rights necessary for Dock to process Customer Personal Data pursuant to the Main Agreement and this DPA, (ii) its instructions are lawful and that the processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws, and (iii) where the CCPA applies, that the Customer Personal Data is provided to Dock in order to perform the Service for a valid “Business Purpose” (as defined in CCPA) only.

3. Subprocessing

  1. Notification of New Subprocessors. Dock’s authorized Subprocessors are listed in to this Data Processing Agreement. Dock shall provide Customer at least ten (10 days) written notice prior to authorizing any new Subprocessor to process Customer Personal Data.
  2. Subprocessor Obligations.  Dock will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective of Customer Personal Data as this DPA or the Data Protection Laws to the extent applicable to the nature of the services provided by such Subprocessor. Where a Subprocessor fails to fulfil its data protection obligations, Dock shall remain fully liable to Customer for the performance of that Subprocessor’s data protection obligations.
  3. Subprocessor Objection Right.  If Customer objects on reasonable grounds relating to data protection to Dock’s use of a new Subprocessor, then Customer shall promptly, and within ten (10) days following Dock’s notification pursuant to Section 3.1 above, provide written notice of such objection to Dock. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties cannot agree to a mutually acceptable resolution, Customer shall as its sole and exclusive remedy have the right to terminate the relevant affected portion(s) of the Service without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Upon termination by Customer pursuant to this Section, Dock shall refund Customer any prepaid fees for the terminated portion(s) of the Service that were provided after the effective date of the termination.

  1. Security Measures and Security Incident Response
  1. Security Measures. Dock has implemented and will maintain appropriate technical, and organizational security measures intended to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with the security measures described in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Dock may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
  2. Personnel.  Dock restricts its personnel from processing Customer Personal Data without authorization by Dock as set forth in the Security Measures and shall ensure that any person who is authorized by Dock to process Customer Personal Data is under an appropriate obligation of confidentiality.
  3. Customer Responsibilities.  Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Personal Data transmitted via the systems it administers and maintains (i.e. email encryption), and taking any appropriate steps to securely encrypt or back up any Customer Personal Data uploaded to the Service.
  4. Security Incident Response.  Upon becoming aware of a Security Incident, Dock will notify Customer without undue delay and, in any case within seventy-two (72) hours after becoming aware. Dock will provide information relating to the Security Incident to Customer promptly as it becomes known or as is reasonably requested by Customer to fulfil Customer’s obligations as controller. Dock will also take appropriate and reasonable steps to contain, investigate, and mitigate any Security Incident.

  1. Audit and Records. 
  1. Audit Rights.  Dock shall make available to Customer all information in Dock’s possession or control and provide all assistance in connection with audits of Dock’s premises, systems, and documentation as Customer may reasonably request to enable Customer to assess Dock’s compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 5 and where applicable, the Model Clauses) by instructing Dock to comply with the audit measures described in the Security Measures and Section 5.2 below.
  2. Audit Procedures.  Where required under any applicable Data Protection Laws or where a data protection authority requires under applicable Data Protection Laws, Customer may, on giving at least thirty (30 days) prior written notice, request that Customer’s personnel or a third party (at Customer’s expense) conduct an audit of Dock’s facilities, equipment, documents and electronic data relating to the processing of Customer Personal Data under the Main Agreement to the extent necessary to inspect and/or audit Dock’s compliance with this DPA, provided that: (i) Customer shall not exercise this right more than once per calendar year; (ii) such additional audit enquiries shall not unreasonably impact in an adverse manner Dock’s regular operations and do not prove to be incompatible with applicable Data Protection Laws or with the instructions of the relevant data protection authority; and (iii) before the commencement of such additional audit, the parties shall mutually agree upon the scope, timing, and duration of the audit, and (iv) at all times during the scope of the audit, Customer and any appointed third party will comply with Dock’s policies, procedures, and reasonable instructions governing access to its systems and facilities, including limiting or prohibiting access to information that is confidential information. Without prejudice to the foregoing, Dock will provide all assistance reasonably requested by Customer to accommodate Customer’s request.

  1. Data Transfers.

Customer acknowledges and agrees that Dock may transfer and process Customer Personal Data to and in the United States and other locations in which Dock, its Affiliates, or its Subprocessors maintain data processing operations as more particularly described in the Subprocessor Site (defined above). Dock shall ensure that such transfers are made in compliance with Data Protection Law and this DPA.

  1. Return or Deletion of Data. 

Promptly upon Customer’s request, or within one hundred eighty (180) days after the termination or expiration of the Main Agreement, Dock shall delete or return Customer Personal Data in its possession or control. This requirement shall not apply to the extent Dock is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, which Customer Personal Data Dock shall securely isolate and protect from any further processing, except to the extent required by such laws.

  1. Cooperation
  1. Data Subject Rights Requests.  Dock shall, taking into account the nature of the processing, reasonably assist Customer in responding to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Main Agreement. In the event that any such request is made to Dock directly, Dock will not respond to such communication directly (except to direct the data subject to contact Customer) without Customer’s prior authorization, unless legally compelled to do so. If Dock is required to respond to such a request, Dock will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
  2. Requests by Law Enforcement.  As a matter of general practice, Dock does not voluntarily provide government agencies or authorities (including law enforcement) with access to Customer Personal Data. If a government agency or authority (including law enforcement) sends Dock a compulsory demand for Customer Personal Data (for example, through a subpoena, court order, search warrant, or other valid legal process), Dock will: (i) inform the government agency that Dock is a processor or service provider (as applicable of the Customer Personal Data) and (ii) attempt to redirect the law enforcement agency to request that Customer Personal Data directly from Customer. As part of this effort, Dock may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, Dock will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Dock is legally prohibited from doing so or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or Dock’s property, product, or services. Dock shall not provide access to the Customer Personal Data until the earlier of: (a) Customer provides authorization to Dock; (b) Dock is informed or affirmatively learns that a protective order or other appropriate remedy is being sought or has been issued; or (c) thirty (30) days have elapsed since notice of the compulsory request to Customer and Customer has not responded.
  3. Data Protection Impact Assessments (DPIAs).  To the extent required under Data Protection Laws applicable to the EEA, Dock will provide requested information regarding the Service necessary to enable Customer to carry out data protection impact assessments and prior consultations with data protection authorities.

  1. Europe
  1. Scope.  The terms in this Section 9 apply only if and to the extent Customer is established in the EEA or the Customer Personal Data is otherwise subject to Data Protection Laws applicable to the EEA.
  2. Processing Instructions.  Without prejudice to Section 2.4 (Customer Responsibilities), Dock shall notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any processing instructions from Customer violates applicable Data Protection Laws.
  3. Transfer Mechanism.  To the extent that Dock is a recipient of and processes any Customer Personal Data that originated from the EEA in a country that does not provide an adequate level of protection under applicable Data Protection Laws, the parties agree that Dock shall abide by and process such Customer Personal Data in compliance with the Model Clauses, which are incorporated into and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that: (i) Dock is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside the EEA); and (ii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Model Clauses and, accordingly, if and to the extent the Model Clauses conflict with any provision of the Main Agreement (including this DPA) the Model Clauses shall prevail to the extent of such conflict.
  4. Model Clauses. For purposes of the Model Clauses, (i) in Clause 7, the optional docking clause will apply; (ii) in Clause 9 of Module Two, Option 2 will apply and the time period for prior notice of Sub-processor changes is identified in Section 3.2 of this DPA; (iii) in Clause 11, the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the 2021 Controller-to-Processor Clauses will be Lattice DPA 5 governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex I shall be deemed completed with the information set out in Annex 1 (Details of Processing) of this DPA; and (vii) Annex II shall be deemed completed with the information set out in Annex 2 (Security Measures) (as applicable) of this DPA; and Annex 3 (Subprocessors) shall be deemed completed with the information set out in Annex 3 of this DPA.
  5. Alternative Data Transfer Arrangements.  To the extent Dock adopts an alternative data export mechanism (including any new version of or successor to the Model Clauses adopted pursuant to Data Protection Laws) for the transfer of personal data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall automatically apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Laws applicable to the EEA and extends to territories to which Customer Personal Data is transferred).
  6. UK and Swiss Data Transfers.  For the avoidance of doubt, when the European Union law ceases to apply to the UK upon the UK’s withdrawal from the European Union and until such time as UK is deemed to provide adequate protection for personal data (within the meaning of applicable UK Data Protection Laws) then to the extent Dock processes (or causes to be processed) any Customer Personal Data protected by Data Protection Laws applicable to European Economic Area and Switzerland in the United Kingdom, Dock shall process such Customer Personal Data in compliance with the Model Clauses or any applicable Alternative Transfer Mechanism implemented in accordance with Section 9.3 above.

  1. Controller Affiliates
  1. Affiliate Communications.  Customer is responsible for coordinating all communications with Dock on behalf of its Affiliates with regard to this DPA. Customer represents that it is authorized to issue instructions as well as make and receive any communications in relation to this DPA on behalf of its Affiliates.
  2. Affiliate Enforcement.  Customer Affiliates may enforce the terms of this DPA directly against Dock, subject to the following provisions:
  3. Customer will bring any legal action, suit, claim, or proceeding which the Affiliate would other have it if were a party to the Main Agreement (each an “Affiliate Claim”) directly against Dock on behalf of such Affiliate, except where Data Protection Laws to which the relevant Affiliate is subject require that the Affiliate bring or be a party to such Affiliate Claim; and for the purpose of any Affiliate Claim brought directly against Dock by Customer on behalf of such Affiliate in accordance with this Section, any losses suffered by the relevant Affiliate may be deemed to be losses suffered by Customer.

  1. Limitation of Liability
  1. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
  2. Any claim or remedies Customer or its Affiliates may have against Dock and its respective employees, agents, or Subprocessors arising under or in connection with this DPA including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Customer; (iii) under GDPR (or UK GDPR), including any claims relating to damages paid to a data subject; and (iv) breach of its obligations under the Model Clauses, will be subject to any limitation and exclusion of liability provisions (including any agreed aggregate financial cap) that apply under the Main Agreement.
  3. For the avoidance of doubt, Dock and its Affiliates’ total overall liability for all claims from Customer and its Affiliates arising out of or related to the Main Agreement and each DPA shall apply in the aggregate for all claims under the Main Agreement and this DPA together, including by Customer and its Affiliates.

  1. RESTRICTIONS
  1. Dock is prohibited from:
  2. selling Customer Personal Data;
  3. retaining, using, or disclosing Customer Personal Data for any purposes other than the specific purposes of performing the Service or as otherwise permitted under Main Agreement and this DPA, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Service; or
  4. retaining using or disclosing Customer Personal Data outside the direct business relationship between Dock and Customer.
  5. Dock hereby certifies that it understands the restrictions set out in Section 12.1 and will comply with them.

  1. General
  1. As between Customer and Dock, this DPA is incorporated into and subject to the terms of the Main Agreement and shall be effective and remain in force for the term of the Main Agreement or the duration of the Service. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Customer Personal Data.
  2. Each party acknowledges that the other party may disclose the Model Clauses, this DPA, and any privacy related provisions in the Main Agreement to any regulator or supervisory authority upon request.
  3. Notwithstanding anything to the contrary in the Main Agreement and without prejudice to Section 2.3, Dock may periodically make modifications to this DPA as may be required to comply with Data Protection Laws.
  4. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto, respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
  5. Other than as required by the Model Clauses, the dispute mechanisms, including those related to venue and jurisdiction, set forth in the Main Agreement govern any dispute pertaining to this DPA.  

ANNEX 1

DETAILS OF PROCESSING

A. LIST OF PARTIES

Data exporter: 

Name: The entity listed as “Customer” in the applicable Order Form and/or Main Agreement

Address: The address listed on any applicable Order Form. 

Contact person’s name, position and contact details: The point of contact listed on any applicable Order Form or the Main Agreement. 

Activities relevant to the data transferred under these Clauses: Receive Dock Services as specified in the Main Agreement and Order Form. 

Signature and date: By signing the Main Agreement or any Applicable Order Form, Customer hereby agrees to be bound by this Data Processing Agreement.  

Role (controller/processor): Controller. 

Data importer(s): 

Name: Dock Labs, Inc. 

Address: 548 MARKET STREET PMB36932, SAN FRANCISCO, CA, 94104

Contact person’s name, position and contact details: Victor Kmita, CTO, legal@dock.us 

Activities relevant to the data transferred under these Clauses: Provide Dock Services to Customer as specified in the Main Agreement and applicable Order Form. 

Signature and date: By signing the Main Agreement or any Applicable Order Form, Dock hereby agrees to be bound by this Data Processing Agreement.  

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Dock Customers and Employees of Dock Customers. 

Categories of personal data transferred

The information specified in the Dock Privacy Policy

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

Software as a Service for collaborative online workspaces. 

Purpose(s) of the data transfer and further processing

To provide the Dock Software as a Service to Customers. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

From the Effective Date of the Main Agreement until its termination. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

From the Effective Date of the Main Agreement until its termination. 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located shall act as competent supervisory authority. 

ANNEX 2

SECURITY MEASURES

The technical and organizational measures implemented by Dock (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons, are as follows: 

Encryption of personal data

  • Data at rest encrypted using AES-256 algorithm.
  • Employee laptops are encrypted using full disk AES-256 encryption.
  • HTTPS encryption on every web login interface, using industry standard algorithms and certificates.
  • Secure transmission of credentials using by default TLS 1.2.
  • Access to operational environments requires use of secure protocols such as HTTPS.
  • Data that resides in Amazon Web Services (AWS) encrypted at rest as stated in AWS' documentation and whitepapers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys via AWS Key Management Service (KMS) are IAM role protected, and protected by AWS-provided HSM certified under FIPS 140-2.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Strong access controls based on the use of the 'Principle of Least Privilege'.
  • Differentiated rights system based on security groups and access control lists.
  • Employee is granted only amount of access necessary to perform job functions.
  • Unique accounts and role-based access within operational and corporate environments.
  • Access to systems restricted by security groups and access-control lists.
  • Authorization requests are tracked, logged and audited on a regular basis.
  • Removal of access for employee upon termination or change of employment.
  • Enforcement of Multi-factor Authentication (MFA) for access to critical and production resources.
  • Strong and complex passwords required. Initial passwords must be changed after the first login.
  • Passwords are never stored in clear-text and are encrypted in transit and at rest.
  • Account provisioning and de-provisioning processes.
  • Automatic account locking.
  • Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
  • Confidentiality requirements imposed on employees.
  • Mandatory security trainings for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities inside and outside of Dock.
  • Non-disclosure agreements with third parties.
  • Separation of networks based on trust levels.

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Event reports are enabled and available to customers in their Dock instance. These reports can be periodically downloaded.
  • User activity including logins, configuration changes, deletions and updates are written automatically to audit logs in operational systems.
  • Certain activities on Dock are not available directly to customers such as timestamps, IPs, login/logouts, and errors. These logs are available only to authorized employees, stored off-system, and available for security investigations.
  • All logs can be accessed only by authorized Dock employees and access controls are in place to prevent unauthorized access.
  • Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through use of access controls and security measures.
  • Network segmentation and interconnections protected by firewalls.
  • Annual penetration testing for all components of the Dock SaaS, including web and mobile applications.

Measures for user identification and authorisation

  • Access to operational and production environments is protected by use of unique user accounts, strong passwords, use of Multi-Factor Authentication (MFA), role-based access, and least privilege principle.
  • Authorization requests and provisioning is logged, tracked and audited.
  • Customer-generated OAuth tokens, are stored in an encrypted state.
  • Keys required for decryption of those secrets are stored in a secure, managed repository (such as AWS KMS) that employs industry-leading hardware security models that meet or exceed applicable regulatory and compliance obligations.
  • Access keys used by production Dock applications (e.g. AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or personnel departure) and at least yearly.
  • User activity in operational environments including access, modification or deletion of data is being logged.
  • Web Application Firewall (WAF), in addition to the network-based firewalls.

Measures for the protection of Data during transmission

  • HTTPS encryption for data in transit (using TLS 1.2 or greater).

Measures for the protection of Data during storage

  • Dock customer instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged. Measures are in place to ensure executable uploads, code, or unauthorized actors are not permitted to access unauthorized data - including one customer accessing files of another customer.
  • Endpoint security software
  • System inputs recorded via log files
  • Access Control Lists (ACL)
  • Multi-factor Authentication (MFA)

Measures for ensuring events logging

  • Remote logging
  • A central Security Information and Event Management (SIEM) system and other product tools monitor security or activities

Measures for ensuring system configuration, including default configuration

  • Dock has in place a Change Management Policy.
  • Dock monitors changes to in-scope systems to ensure that changes follow the process and to mitigate the risk of un-detected changes to production. Changes are tracked in our change platform.
  • Access Control Policy and Procedures

Measures for ensuring data minimisation

  • Detailed privacy assessments are performed related to implementation of new products/services and processing of personal data by third parties. 
  • Data collection is limited to the purposes of processing (or the data that the customer chooses to provide).
  • Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
  • Data retention time limits restricted and
  • An automatic deletion has been implemented to enforce data retention time limits (see below on Measures for ensuring limited data retention).
  • All deleted customer data follows a similar retention schedule of a recoverable delete between 0-90 days and a permanent delete within 91- 180 days.
  • Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle and according to the function behind the creation of differentiated access profiles.

Measures for ensuring Data quality

  • Dock has a process that allows individuals to exercise their privacy rights (including a right to amend and update information), as described in Dock's Privacy Policy.
  • Applications are designed to reduce/prevent duplication. Many application level checks are in place to ensure data integrity.
  • QA team that helps to ensure these items are working as designed and implemented before reaching our production environment.

Measures for ensuring limited data retention

  • After termination of all subscriptions associated with an environment, customer data submitted to the Services is retained in inactive status within the Services for 60 days, after which it is securely overwritten or deleted from production within90 days (up to a max of 180 days) and from backups within 180 days.
  • All deleted customer data follows a similar retention schedule of a recoverable delete between 0-90 days and a permanent delete within 91- 180 days.

Measures for ensuring accountability

  • Customer Privacy Assessments are required when introducing any new product/service that involves processing of personal data.
  • Data protection impact assessments are part of any new processing initiative.

Measures for allowing Data portability and ensuring erasure

  • Ability to export data to JSON format
  • Dock has a process that allows individuals to exercise their privacy rights (e.g. right of erasure or right to data portability), as described in Dock's Privacy Policy.

ANNEX 3

SUBPROCESSORS

Pendo

Product analytics

https://www.pendo.io/

US

Vercel

Cloud hosting and data storage

https://vercel.com/

US

Courier

Product emails

https://www.courier.com/

US

Postmark

Email delivery

https://postmarkapp.com/

US

FullStory

Product analytics

https://www.fullstory.com/

US

GitHub

Issue management

https://github.com/

US

HelpScout

Customer support

https://www.helpscout.com/

US

Heroku

Application hosting

https://www.heroku.com/

US

Loom

Video sharing

https://www.loom.com/

US

Hubspot

Customer relationship management

https://www.hubspot.com/

US

Outreach

Email outreach

https://www.outreach.io/

US

Linear

Issue management

https://linear.app/

US

Slack

Internal communication

slack.com

US

Salesforce

Customer relationship management

salesforce.com

US

Stripe

Billing

stripe.com

US

Polytomic

Data sync

https://www.polytomic.com/

US

WorkOS

Single-sign on connections

https://workos.com/

US

ANNEX 4

View addendum