This Data Processing Addendum (“Addendum”) forms part of the agreement (“Agreement”) between you (“Controller”) and Honeycommb LLC, a Delaware limited liability company located at 43 Broad Street, Suite B201, Hudson, Massachusetts, USA (“Processor”). It sets out the terms under which Honeycommb LLC processes personal data on behalf of its customers in compliance with applicable data protection legislation.
1. Definitions
1.1. Data Protection Legislation means the GDPR (Regulation (EU) 2016/679), the UK GDPR and the UK Data Protection Act 2018, and any other applicable laws implementing or supplementing these regulations, including national laws that replace or amend them.
1.2. Personal Data means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
1.3. Processing means any operation performed on Personal Data, whether or not by automated means, including collection, storage, retrieval, disclosure, or destruction.
1.4. Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.5. Standard Contractual Clauses (SCCs) means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission on June 4, 2021 (Commission Implementing Decision (EU) 2021/914) and any subsequent amendments or replacement decisions.
1.6. Supplementary Measures means technical, contractual, or organizational measures (e.g., encryption, pseudonymization, access controls) required to ensure essentially equivalent protection for personal data when transferred internationally.
2. Scope of Processing
2.1. The Processor will process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by law.
2.2. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.
2.3. The Processor may engage Sub-processors only if the Controller is informed of and has the opportunity to object to the new Sub-processor. The Processor remains fully responsible for the actions of any Sub-processor.
2.4. Upon termination or expiration of the Agreement, the Processor shall, at the choice of the Controller, return all Personal Data to the Controller or securely delete/anonymize the data within 60 days, unless applicable law requires retention.
3. International Data Transfers
3.1 Where Personal Data is transferred outside the European Economic Area (EEA) or UK, the Processor shall rely on the Standard Contractual Clauses (SCCs 2021) and implement any Supplementary Measures required to ensure an essentially equivalent level of protection for the data.
3.2 The Processor will notify the Controller of any legally binding request for access to Personal Data by public authorities unless prohibited by law and will provide sufficient information to allow the Controller to challenge such requests.
3.3 The Parties agree to cooperate in conducting a Transfer Impact Assessment where required by Data Protection Legislation and to implement any Supplementary Measures reasonably requested by the Controller.
4. Sub-processors
4.1 The Processor may engage Sub-processors to assist in processing Personal Data.
4.2 The Processor maintains a list of current Sub-processors, which is available to the Controller on request and is set out below under "List of Sub-processors".
4.3 The Processor will ensure Sub-processors comply with data protection obligations equivalent to those set out in this Addendum and the SCCs.
5. Data Subject Rights
5.1 The Processor will assist the Controller in responding to requests from data subjects to exercise their rights under applicable Data Protection Legislation.
5.2 This includes, where applicable, assisting with access, rectification, erasure, restriction of processing, data portability, and objection requests.
6. Data Subject Rights
6.1 The Processor will make available all information necessary to demonstrate compliance with this Addendum and allow for audits by the Controller or an auditor mandated by the Controller.
6.2 The Processor may provide up-to-date attestations, audit reports, or certifications (e.g., SOC 2, ISO 27001) to demonstrate compliance with Data Protection Legislation.
7. Governing Law
This Addendum shall be governed by and construed in accordance with the law specified in the Agreement. In case of conflict, the provisions of this Addendum prevail to the extent necessary to comply with Data Protection Legislation.
List of Sub-processors
Amazon Web Services: Cloud Hosting. 410 Terry Avenue North, Seattle, WA 98109
Heroku: Cloud Application Services. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States
Sendgrid: Email Service Provider. 1801 California Street, Suite 500, Denver, CO 80202
Stripe: Payments, Billing, and Invoices. 510 Townsend Street, San Francisco, CA 94103
Active Campaign: CRM & Marketing. 1 N Dearborn St, 5th Floor, Chicago, IL 60602, United States
Flodesk: Email Marketing. 1592 Union Street, San Francisco, CA 94123