Data Processing Agreement

Latest update: March 10, 2024

To the extent that Draft SAS, L’Ouche Brûlée Str. 3, 44118 La Chevrolière, FRANCE – the Data Processor – hereinafter referred to as “Draft” or the “Supplier”, processes on behalf of the Customer – the Controller – hereinafter referred to as the “Customer”, in the provision of the service hereunder any Personal Data as part of customer data that is subject to the General Data Protection Regulation (the “GDPR”), the terms of the Data Processing Agreement apply.

1. Subject matter and duration

1.1 Subject matter

The subject matter of this agreement results from the usage of Draft.io and the contract between the Supplier and the Customer, which was either concluded as an individual contract or is available within the framework of the Contract.

1.2 Duration

The duration of this agreement corresponds to the duration of the Contract.

Insofar as the regulatory content of individual regulations extends beyond the term of this agreement, the corresponding obligations remain unaffected by the termination of this agreement. This applies, in particular, to the obligation to delete data and return data carriers.

2. Definitions and Interpretation

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Unless otherwise defined herein, capitalized terms and expressions used in this agreement shall have the meaning given to them in the Definitions.

3. Specification of the agreement

3.1 Nature and purpose of the intended processing of data

3.1.1 Collection and use of data

Draft offers services for creating visual documents and sharing them with other users. In doing so, Personal Data is requested and collected while registering for the services, using the services, and visiting the websites. Personal Data is used to operate the Services, improve the Services, for audience and usage statistics, and communicate with the users. This is done by Draft itself or by authorized service providers (see section 7 “Subprocessing”).

The undertaking of the contractually agreed Processing of Data shall be carried out essentially within a Member State of the EEA. Each and every Transfer of Data to a State that is not a Member State of the EEA requires the Customer’s prior agreement and shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled. In these cases, the appropriate level of protection is determined by an adequacy decision by the European Commission or based on special guarantees, such as contractual obligations through the so-called Standard Data Protection Clauses of the Commission, the existence of certifications, or binding internal data protection regulations.

3.1.2 Sharing data between users

Collaboration within Draft takes place within collaborative boards (the “drafts”). Users can transfer data to these drafts. Once the user shares a draft with other users, some of this data (e.g., email addresses, users’ names, the content they contributed, and information about when they contributed) is also shared to enable collaboration.

The Supplier has no influence on data sharing between users.

3.2 Type of data

The subject matter of the processing of Personal Data comprises the following data types/categories:

  • Personal and contact data (e.g., name, email);
  • Key contract data (e.g., contact details, contractual/legal relationships, contractual or product interest);
  • Customer history and usage behavior (e.g., modification history on content);
  • Identification and authentication data (e.g., IP address, user ID, session cookie, login tokens);
  • Content data within the drafts, which can include Personal Data depending on the actual use.

Please note that the services provided by Draft have not been designed to process special categories of Personal Data as defined in Article 9 and Article 10 of GDPR.

3.3 Categories of Data Subjects

The categories of Data Subjects only comprise users.

As the case may be, the Personal Data of other Data Subjects may also be found in the content data of the drafts in the context of user collaboration. The Supplier has no influence on this type of use and, therefore, no knowledge of which persons are affected.

4. Technical and Organisational Measures

Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organisational Measures set out in advance of the awarding of the agreement, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Customer for inspection. Upon acceptance by the Customer, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Customer shows the need for amendments, such amendments shall be implemented by mutual agreement.

The Supplier shall establish the security per Article 28 Paragraph 3 Point C and Article 32 GDPR in conjunction with Article 5 Paragraph 1 and Paragraph 2 GDPR. The measures to be taken include data security and measures that guarantee a protection level appropriate to the risk concerning the systems’ confidentiality, integrity, availability, and resilience. The state of the art, implementation costs, the nature, scope, and purposes of the processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR, must be taken into account (details in the “Technical and Organizational Security Measures”).

The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement adequate alternative measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented and communicated to the Customer, at least in text form.

5. Rectification, restriction, and erasure of data

The Supplier may not, on its own authority, rectify, erase, or restrict the processing of data that is being processed on behalf of the Customer but only on documented instructions from the Customer. Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Customer.

Erasure policy, ‘right to be forgotten,’ rectification, data portability, and access shall be ensured by the Supplier in accordance with documented instructions from the Customer without undue delay.

6. Quality assurance and other duties of the Supplier

In addition to complying with the rules set out in this agreement, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

  1. Appoint a Data Protection Officer who performs his duties in compliance with Articles 38 and 39 of GDPR. His current contact details are always available and easily accessible on the Supplier’s website;
  2. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier undertakes to maintain confidentiality when processing the Customer’s Personal Data in accordance with the order. This continues even after the contractual relationship with the Customer has ended. The Supplier entrusts the data processing outlined in this contract only to employees who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The confidentiality obligation continues to exist even after the employment relationship has ended. The Supplier and any person acting under its authority who has access to Personal Data shall not process that data except on instructions from the Customer, which include the powers granted in this contract, unless required to do so by a Union or Member State law to which the Supplier is subject;
  3. Implementation of and compliance with all Technical and Organisational Measures necessary for this agreement in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR;
  4. The Customer and the Supplier shall cooperate, on request, with the supervisory authority in the performance of its tasks;
  5. The Customer shall be informed immediately of any inspections and measures conducted by the supervisory authority insofar as they relate to this agreement. This also applies insofar as the Supplier is under investigation or is a party to an investigation by a competent authority in connection with infringements to any civil or criminal law or administrative rule or regulation regarding the processing of Personal Data in connection with the processing of this agreement;
  6. Insofar as the Customer is subject to an inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim by a Data Subject or by a third party, or any other claim in connection with the data processing carried out by the Supplier under this agreement, the Supplier shall make every effort to support the Customer;
  7. The Supplier shall periodically monitor the internal processes and the Technical and Organizational Security Measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the Data Subject’s rights;
  8. Verifiability of the Technical and Organisational Measures by the Customer as part of the Customer’s supervisory powers according to the section “Supervisory powers of the Customer” of this contract;
  9. The Supplier informs the Customer, unless prohibited by a court or authority, if the Customer’s data should be endangered by seizure, confiscation, or the like;
  10. The Supplier informs the Customer if the data protection officer or the contact person for data protection changes.

7. Subprocessing

Subprocessing for the purpose of this Agreement is to be understood as meaning services that relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing equipment. However, the Supplier shall be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Customer’s data, even in the case of outsourced ancillary services.

The Supplier may commission Subprocessors (additional contracted processors) only after prior explicit written or documented consent from the Customer. The Customer agrees to the commissioning of the Subprocessors named in the “List of Subprocessors” on the condition of a contractual agreement in accordance with Article 28, paragraphs 2-4 GDPR.

The transfer of Personal Data from the Customer to the Subprocessor and the Subprocessors’ commencement of the data processing shall only be undertaken after all requirements are met.

If the Subprocessor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures.

Further outsourcing by the Subprocessor requires the express consent of the main Customer (at the minimum, in text form); all contractual provisions in the contract chain shall be communicated to and agreed with each and every additional Subprocessor.

8. Supervisory powers of the Customer

After consultation with the Supplier, the Customer has the right to carry out inspections or have them carried out by an auditor to be designated in each case. It has the right to satisfy itself, by way of random checks that are ordinarily to be announced in good time, that the Supplier complies with this agreement in its business operations.

The Supplier shall ensure that the Customer can verify compliance with the Supplier’s obligations in accordance with Article 28 GDPR. The Supplier undertakes to provide the Customer with the information requested for this purpose and, in particular, to demonstrate the execution of the Technical and Organizational Security Measures.

The Supplier may claim remuneration for enabling Customer inspections.

The Customer must document the results of the inspections.

9. Cooperation obligations of the Supplier

The Supplier shall assist the Customer in responding to inquiries and claims of Data Subjects as per Chapter III of the GDPR, as well as in complying with the obligations concerning the security of Personal Data, reporting requirements for data breaches, data protection impact assessments, and prior consultations referred to in Articles 32 to 36 of the GDPR. These include:

  1. Ensuring an appropriate level of protection through Technical and Organizational Security Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable immediate detection of relevant infringement events;
  2. The obligation to report a Personal Data breach immediately to the Customer;
  3. The duty to assist the Customer with regard to the Customer’s obligation to provide information to the Data Subject concerned and to immediately provide the Customer with all relevant information in this regard;
  4. Supporting the Customer with its data protection impact assessment;
  5. Supporting the Customer with regard to prior consultation of the supervisory authority.

If a Data Subject should contact the Supplier directly with inquiries or requests for the transfer, restriction of processing, correction, or deletion of their data, the Supplier will immediately forward this request to the Customer and inform the Data Subject that the Customer is the responsible body within the meaning of the GDPR. If the Supplier cannot assign the Data Subject to a specific Customer, the Supplier will refer the Data Subject to the responsible body from their point of view. Information to third parties or Data Subjects may not be given without a corresponding instruction from the Customer.

The Supplier may claim compensation for support services that are not included in the description of the services and which are not attributable to failures on the part of the Supplier, insofar as these exceed the contractually agreed services to a more than insignificant extent. The Supplier must explain and prove its additional concrete expenditure and costs.

10. Authority of the Customer to issue instructions

The Customer shall immediately confirm oral instructions (at the minimum, in text form).

The instructions are received via the Supplier’s customer support, preferably by e-mail to support@draft.io.

The Supplier shall inform the Customer immediately if it considers that an instruction violates the General Data Protection Regulation or other data protection provisions of the Union or of the Member States. The Supplier is entitled to suspend the implementation of the specific instruction until it is confirmed or changed by the Customer.

11. Deletion and return of Personal Data

Copies or duplicates of the data shall never be created without the knowledge of the Customer, with the exception of:

  1. Copies or duplicates as far as they are temporarily necessary for the context of user collaboration;
  2. Back-up copies as far as they are required to ensure orderly data processing;
  3. Data required to meet Union or Member State requirements to retain data.

After the conclusion of the contracted work, or earlier upon request by the Customer, and at the latest upon the termination of the Main Agreement, the Supplier shall hand over to the Customer or – subject to prior consent – destroy, in a data-protection compliant manner, all documents, processing and utilization results, and data sets related to the contract that have come into its possession. As the case may be, exceptions to this rule can apply to content data in the context of user collaboration. This depends on the owning user (“Owner”) of the draft:

  1. Drafts can be deleted by their owners. The deletion of the draft triggers the deletion of its content data;
  2. Drafts that are only accessible to the owning user are deleted when the user is deleted;
  3. Drafts that are accessible to other users, but not to users within the organization of the owning user (“Team Members”), are deleted when the user is deleted;
  4. Drafts that are accessible to Team Members will, upon deletion of the user and unless otherwise stated by the Customer, become the property of one of these other users.

Documentation that is used to demonstrate orderly data processing in accordance with the agreement shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Customer at the end of the contract duration to relieve the Supplier of this contractual obligation.

12. Liability

Reference is made to Article 82 GDPR.

13. Extraordinary right of termination

The Customer can terminate the contract at any time without observing a notice period if the Supplier has seriously violated data protection regulations or the provisions of this contract, the Supplier cannot or does not want to carry out an instruction from the Customer, or the Supplier refuses control rights by the Customer contrary to the contract. In particular, non-compliance with the obligations stipulated in this contract and derived from Article 28 of GDPR constitutes a serious violation.

14. Data Protection Officer of the Supplier

Data Protection Officer c/o
Draft SAS Data Protection Officer
L’Ouche Brûlée Str. 3
44118 La Chevrolière
FRANCE

E-Mail: support@draft.io