Data Processing Agreement

Global data privacy protection and compliance with the General Regulation on Data Protection (GDPR) is a responsibility that we take seriously at Content Snare.

The GDPR delivers significant oversight for global privacy rights and protections, while seeking to enhance individual rights and freedoms. We have tried to make our DPA easy to read and follow.

GDPR Standard Conditions

The GDPR Standard Conditions are intentionally incorporated by us into this DPA, and must be considered to be part of this DPA. If there is any inconsistency between the GDPR Standard Conditions and this DPA, then the GDPR Standard Conditions will apply. You can access the most recent version of the GDPR Standard Conditions at: www.gdpr.eu

Consent

Please take the time to read the GDPR Standard Conditions and this DPA before confirming that you have read, accept, understand and will abide by our DPA.

Unfortunately, we cannot change our DPA if individuals make requests for amendments, and we are unable to sign customer DPAs. This is because we need to have consistency in compliance across every part of our business.

If you disagree with any of the GDPR Standard Conditions or our DPA, your remedy is to stop working with us. Without your signed consent, we are also unfortunately unable to store any GDPR personal data for you.

Understanding our DPA

This Schedule tells you who Content Snare are, and how to reach our Data Privacy Officer.

Content Snare: Aktura Technology Pty Ltd trading as Content Snare
ABN: 99 146 513 868
Data Privacy Officer: Email: [email protected]; Phone: +61731063450
Services: Data Storage by Content Snare, not including health or medical personal data.
Security Measures: See Schedule 2
Sub-Processors & Affiliates: See Schedule 3

In this DPA we have grouped together some regularly used terms for convenience:

  • EU Data Protection Laws, including the EU’s General Data Protection Regulation, and GDPR Standard Conditions, all form part of this agreement, and are called “GDPR”.
  • Content Snare, the processor, we, our or us means Aktura Technology Pty Ltd ABN: 99 146 513 868 trading as Content Snare, as provider of data storage services, together with our employees, contractors, agents and assigns.
  • Controller or you means our customer, the user of our services, your employees, contractors, agents and assigns.

DPA Terms and Conditions

Everyone must be GDPR compliant

This DPA applies to controllers whether inside or outside of the EU who ask Content Snare to store personal data about EU residents. If you engage our services, then your organisation must also maintain GDPR compliant practices at all times.

If we need to update this DPA

We will let you know via email about any changes and seek your consent.

If we do not receive a response from you, we may follow you up or discontinue providing our services to you, in so far as they relate to EU personal data. This would not affect our ability to provide storage services for non-EU personal data.

Working together with you

When you work with us, you promise that your practices are secure and GDPR compliant in relation to the collection, storage, transfer, access to and erasure of the personal data you provide to us. You warrant to us that you have all organisational, operational and technical measures (and GDPR compliance) embedded in your business operations. We do not assess the content of the personal data we are asked to store. This is your sole responsibility, not ours.

What we will do

As a processor within the meaning of the GDPR we will:

  1. store the data you provide to us and maintain data security by taking the steps set out in this DPA;
  2. implement technical and organisational measures to meet the requirements of the GDPR and ensure the protection of the rights of EU residents and not transfer personal data from EU residents to any country or recipient that we reasonably know will not recognise adequate protection of personal data in accordance with the GDPR;
  3. process the personal data as you tell us to; this happens when you use the functions of our website or App (“website”). By using our website, you are giving us documented instructions;
  4. appoint a data protection officer who you can contact about personal data privacy protection, data security, and incident reporting;
  5. make sure anyone authorised on our behalf, for example, our employees, contractors, agents or assigns, are committed to confidentiality;
  6. make sure we have technical and organisational support, to help you respond to requests from individuals who want to exercise their rights to access, amend or erase the personal data stored by us;
  7. take all reasonable and required steps by the GDPR to make sure that data transfer, storage and security are protected;
  8. help you, if the GDPR requires it, in relation to data breach;
  9. provide access to, delete, erase or return all personal data when this agreement ends and securely destroy copies (unless we legally cannot);
  10. give you information to show our compliance as set out in Article 28 of GDPR;
  11. help you comply with Data Protection Impact Assessments as set out in Article 35 of GDPR;
  12. tell you if we believe that the services you seek infringe the GDPR;
  13. act quickly if you ask us to stop, mitigate or remedy any unauthorised storage or processing;
  14. always keep personal data confidential and not disclose personal data to third parties without your express consent (or if we are legally required to do so);
  15. if we feel we are legally required to process or disclose personal data that we store for you, we will tell you and give you time, if we reasonably can, to object or challenge the requirement. The exception to this is if the law prohibits us from telling you.
  16. process and store personal data as promised in our service agreement with you;
  17. not be responsible for GDPR laws that are your responsibility or industry specific (if they don’t also apply to us);
  18. tell you if we cannot process or store any information, give you a chance to object (where it is reasonable and legal to do so) and stop processing the personal data. We are not liable to you for any loss or damage if this happens. If we have to stop processing, then we will. We will not refund or compensate you for loss of use of our services or value / profit;
  19. keep reasonable operational and technical measures to protect personal data from breaches – you will find these measures in Schedule 2 of this DPA (our security measures). We may modify or update our security measures provided this does not result in material reduction of the protection we offer;
  20. consider risks, likelihood, variations, significant impact and mitigating measures when processing or storing personal data and we will take reasonable steps to ensure data is erased securely and permanently;
  21. take reasonable steps to restore and make data available if a physical or technical disruption occurs.

Erasing Data

We strongly recommend that you retrieve all personal data prior to the end of this DPA or any scope of work we are providing to you. Here is an article that may assist you:

  • Export your Request data: https://contentsnare.com/help/knowledge-base/exporting-requests/

We will help you if you need assistance retrieving personal data. If there is a cost associated with this, we will only charge that cost if the GDPR allows us to.

Your obligations

As a controller within the meaning of the GDPR you are warranting to us that you will:

  • observe and comply with all of GDPR laws or regulations when using our services, and that you know the GDPR laws and regulations and are complying with them. You will maintain confidentiality and privacy in relation to all personal data that you obtain and provide to us for storage (including protecting data in transit);
  • give us accurate information that you are legally authorised to give us and that you will obtain the personal data in a secure and GDPR compliant way with all required consent/s obtained by you;  
  • appoint your own data protection officer to liaise with our data protection officer (about data privacy protection, data security, incident report etc);
  • make sure your own organisational, operational and technical security measures meet GDPR requirements, including but not limited to using reputable, professional, tested and secure backup and encryption (amongst other risk and mitigation measures) at your expense and risk, not ours.

Who are Sub-processors

Sometimes we may use sub-processors to process personal data. If we do so, they are listed in Schedule 3 of this DPA. Sub-processors may help us with processing, hosting and infrastructure, support product features or integrations, and provide other services and support. You can opt out of sub-processor support by telling us you do not agree with sub-processor support. If you do not agree, and we require sub-processor support, we may not be able to continue providing our services to you. Any sub-processor we engage will have at least the same level of protection of personal data and confidentiality that we do.

Data Transfers

You agree that we may access and process (store) personal data on a global basis as necessary to provide our services to you. Personal data may be transferred to and stored by us in Australia, the United States, or other jurisdictions where we or our affiliates have operations.

Data Protection Impact Assessments and Consultation

We will assist, to the extent required by the GDPR, with data protection impact assessments and consultations with supervisory authorities / data privacy authorities.

Auditing and compliance

We will assist you, to the extent required by the GDPR, by making available the information reasonably necessary to demonstrate compliance with this DPA. This includes information for audits and inspections, and we agree to supply (on a confidential basis) any security reports or summaries that may also assist. We may charge a fee, based on our reasonable costs, for any audit or inspection. You will be responsible for any fees charged by any auditor appointed by you.

Data Subject Access Rights

We have in place reasonable technical and organisational measures to assist you and us in ensuring that the rights of data subjects under GDPR are protected. This includes the measures to ensure the data subject has a right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object to processing and the right to object to automated individual decision making.

We will notify you about any data subject access request as early as possible, usually within three (3) working days (unless it is not reasonably possible for us to do this within this time frame). We will assist you, to the extent required by the GDPR, to give you information so that you can respond to communication with the data subject, and comply with your information or assessment notices served by any supervisory authority.

Personal data breach

We will notify you within 72 hours (unless it is not legally or reasonably possible to do so) if:

  • data is lost, destroyed, damaged, corrupted, compromised or unusable; or
  • we become aware of any unauthorised or unlawful processing of the personal data.

A notification by us is not an acknowledgement of fault or liability. You are responsible for complying with your own GDPR third-party obligations and notifications (including to the data subject, supervisory authorities, regulators, legal enforcement agencies or any other third party) and when offering any remedy to affected data subjects, unless we are expressly required by the GDPR to do this. To the fullest extent permitted by the GDPR, we are not responsible for any loss and damage occurring in relation to any form of personal data breach.

Limitation of liability  

To the fullest extent permitted by the GDPR:

  • we are not liable for any personal data you provide to us and you agree that our total maximum aggregate liability to you for any action is the amount you paid for our services in the three (3) months before the dispute (or latest dispute, if more than one);
  • neither party is responsible to the other for lost revenues, profits, or savings, nor for any indirect, exemplary, punitive, special, or consequential loss or damages of any party, including third parties, even if a party has been advised of the possibility of that loss or damages;
  • this limitation of liability survives any termination or expiration of this agreement, or your use of the services.  

Assignment

If the controller seeks to assign its rights under this DPA, the assignee will need to provide its own consent to this DPA.

Notices

Notices are served electronically and are deemed to have been received on the same business day if sent before 4.00pm, otherwise on the next business day (except for public holidays, Saturday or Sunday, in which case the day after).

Severance

If a part of this DPA is not legally enforceable, it will be replaced with an enforceable provision that most closely matches the intent of the original clause and the remainder of the terms and conditions will continue in effect.

No Waiver

Any time or other extension granted by us will not in any way amount to a waiver of any of our rights or remedies under this agreement.

Consent & Signing this DPA

Consent may be given by digital acceptance via our App or electronic signature. To electronically sign the DPA, please contact us.

Authority

Each person signing this agreement on behalf of a party warrants to the other parties that on the date of signing, that person has full authority to sign this agreement on behalf of that party.

Governing Law & Relevant Jurisdiction

This DPA shall be governed by the law of the EU Member State in which the controller is established or has most of its operations or, failing which, the law of the EU Member State where a majority of the data subjects from whom personal data is collected by the processor reside. If the law of that EU Member State does not allow for third-party beneficiary rights, then this DPA shall be governed by the law of the geographically closest EU Member State that allows for third-party beneficiary rights.

 End.  


SCHEDULE 2 – Security Measures

Data Encryption and Pseudonymisation

Personal data is encrypted in transit using SSL/TLS. Data is encrypted at rest, including database, stored files and communication. User and company information is pseudonymised in logs to enhance privacy.

Access Control 

Access to data is strictly controlled according to internal policies & processes which limit staff access to what is necessary for their duties. Support staff access to data is granted only upon controller request. 

Authentication & Identification

Authentication measures include hashed and salted passwords, exclusion of passwords in logs, TOTP, and 2FA with anti-brute force measures. All endpoints are secured to return data scoped to authenticated users only, enhancing protection against unauthorized access. Operational application access keys are stored in an encrypted vault with extremely limited and controlled access.

Monitoring and Response

Comprehensive application and infrastructure monitoring detects anomalies and potential security threats. Regular manual reviews are conducted to identify malicious activities. An incident response plan is in place for unauthorized or incorrect data processing, including a framework to identify lessons learned. Policies cover response times, communications (to the public, affected parties, and authorities) and retroactive actions.

Data Backup

Encrypted backups for databases and files ensure data integrity and limit data loss. Files are backed up to a separate storage location for redundancy. 

Data Quality, Minimisation and Retention

Backups have a structured retention policy that includes two weeks for database backups and defined procedures for the removal of cancelled accounts after 90 days of inactivity. 

Compliance and Risk Management

A dedicated Data Protection Officer (DPO) oversees GDPR compliance, with privacy and GDPR considerations integrated into director meetings and a risk register for compliance-related risks. Regular testing and evaluation of our measures are conducted to ensure effectiveness.

Data Transmission Security

Data transmission leverages HTTPS, rotating bearer tokens, and OAuth 2.0 authorization, with support for strong TLS protocols and ciphers. Direct paths to files are securely managed with signed URLs for time-limited access.

Physical Security

Data is processed on AWS and Google, which adhere to high physical security standards, and maintain ISO 27001 and SOC 2 compliance. 

Data Portability and Erasure

Documented processes support data portability and erasure, with a clear identity verification process for data subject requests. Secure file-sharing methods are used for data transfer requests. Records are kept for all portability and erasure requests.

Staff Training and Internal Audits

An internal auditing program assesses adherence to privacy policies, and a training register maintains records on data privacy protection and compliance.

Continuous Improvement

Our robust Continuous Improvement Program encompasses regular testing, assessment, and evaluation of our technical and organisational measures. We maintain a comprehensive list of data processors, including third-party service providers, to ensure all parties involved in data handling meet our strict security standards. Through regular reviews of internal processes, security assessments of our applications, and vigilant monitoring of third-party compliance, we proactively identify and address any gaps or weaknesses.


SCHEDULE 3 – Sub-Processors

| ENTITY | RELATIONSHIP (sub-processor / affiliate) | PURPOSE |
|---|---|---|
| Amazon (AWS) | Sub-processor | Application, database and file hosting |
| Google | Sub-processor | File backups, analytics |
| Intercom | Sub-processor | Customer support |
| Active Campaign | Sub-processor | Email marketing, customer support |
| Postmark | Sub-processor | Transactional email |
| MixPanel | Sub-processor | Analytics |
| Rollbar | Sub-processor | Error reporting |
| Zapier | Sub-processor | Workflow and data sync |
| Make | Sub-processor | Workflow and data sync |
| Chargebee | Sub-processor | Subscription Management & Invoicing |
| Stripe | Sub-processor | Billing, Identity Verification (only when using ID feature) |
| FirstPromoter | Sub-processor | Referral tracking (email address only) |
| OpenAI | Sub-processor | Only when using Smart Request feature |