Definitions
1.1 In this DPA:
a) “Controller”, “Data Subject”, “Processing”, “Processor”, “Service Provider”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;
b) “Data Protection Law” means (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other data protection laws of the European Union, the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”); (ii) the California Consumer Privacy Act as amended by the California Privacy Rights Act (California Civil Code § 1798.100) (“CCPA”); and (iii) all laws implementing or supplementing the foregoing and any other applicable data protection or privacy laws;
c) “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, such as the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;
d) “Restricted Data Transfer” means any international transfer of Personal Data that would be prohibited under Data Protection Law in the EEA or UK without implementation of additional safeguards such as Standard Contractual Clauses;
e) “Personnel” means any natural person acting under the authority of Thena;
f) “Personal Data” means any information that constitutes “personal data” or “personal information” within the meaning of applicable Data Protection Law that Thena may access in performing the services under the Agreement;
g) “Personal Data Breach” means any actual, or reasonably certain, unauthorized destruction, loss, control, alteration, disclosure of, or access to, Personal Data for which Thena is responsible. Personal Data Breaches do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;
h) “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;
i) “Sub-processor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller;
j) “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time; and
k) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner for parties making restricted transfers, available at https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fico.org.uk%2Fmedia%2Ffor-organisations%2Fdocuments%2F4019535%2Faddendum-international-data-transfer.docx&wdOrigin=BROWSELINK.
1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
Roles
2.1. Thena shall process Personal Data only as a processor acting on behalf of Customer and, with respect to the CCPA and other applicable U.S. state privacy laws, as a service provider, in each case regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Personal Data.
Scope
3.1. This DPA applies to Processing of Personal Data by Thena in the context of the Agreement.
3.2. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
Instructions
4.1. Thena will only Process Personal Data to provide the services to the Customer.
4.2. It is the parties’ intent that Thena is a service provider, and Thena certifies that it will not (a) “sell” or “share” (as defined in the CCPA) the Personal Data; (b) retain, use, or disclose the Personal Data to any person other than as necessary to provide the services, or outside of the direct business relationship between the parties, unless required by applicable laws; or (c) combine the Personal Data that Thena receives from or on behalf of Customer with personal data that Thena collects or receives from another person.
4.3. Customer’s instructions are documented in Annex I, the Agreement, and any applicable statement of work.
4.4. Customer may issue additional instructions to Thena as it deems necessary to comply with Data Protection Law. Such instructions must be provided to Thena in writing and acknowledged in writing by Thena as constituting instructions for purposes of this DPA, and Thena may charge a reasonable fee to comply with any such additional instructions.
4.5. The parties acknowledge and agree that the disclosure of Personal Data by the Customer to Thena does not form part of any monetary or other valuable consideration exchanged between the parties.
Customer Responsibilities
5.1. Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer shall (i) have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable Data Protection Law for Thena to lawfully process Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) have complied with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Thena and its Sub-processors; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).
Subprocessing
Restricted Data Transfers
Personnel
Security and Personal Data Breaches
Assistance
Accountability
Audit
12.1. Upon Customer’s written request and no more than once in a calendar year, Thena will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations of Data Protection Law and this DPA and allow for and contribute to audits, including inspections, conducted by a Supervisory Authority, Customer or another auditor mandated by Customer.
12.2. If Customer’s requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Thena confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
12.3. Any Customer-requested audits are at Customer’s expense. Customer shall reimburse Thena for any time expended by Thena or its Sub-processors in connection with any Customer-requested audits or inspections at Thena’s then-current professional services rates, which shall be made available to Customer upon request.
Liability
13.1. The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with the Agreement and this DPA combined, will be subject to the limitations on liability or other liability caps agreed to by the parties in the Agreement.
Confidentiality
14.1. Thena must keep all Personal Data, and all information relating to the Processing thereof, in strict confidence.
Analytics
15.1. Customer acknowledges and agrees that Thena may create and derive from Processing related to the services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve Thena’s products and services and for its other legitimate business purposes.
Notifications
16.1. Thena must make all notifications required under this DPA as agreed to in the Agreement or to the then-established daily point of contact with the Customer.
Term and Duration of Processing
17.1. The Processing will last no longer than the term of the Agreement.
17.2. Upon termination of the Processing, Thena will, as soon as reasonably practicable, return or securely delete and destroy all Personal Data in Thena’s possession or control, except as otherwise required by law or set out in the Agreement. Upon request from Customer, Thena will certify such secure deletion in writing within thirty (30) days of Customer’s request.
17.3. This DPA is terminated upon Thena’s deletion of all remaining copies of Personal Data in accordance with Section 17.2.
Modification of this DPA
18.1. This DPA may only be modified by a written amendment signed by both Customer and Thena.
Invalidity and Severability
19.1. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
ANNEX I

Subject Matter: Thena’s provision of the SaaS-based customer communication platform services to Customer.
Duration of the Processing: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
Assessment: Thena will process Customer Personal Data for the purposes of providing the services to Customer in accordance with the DPA.
Frequency of the Processing: As and when the services are accessed.
Categories of Data: Data relating to individuals provided to Thena in connection with the services, by (or at the direction of) Customer, including email address, name, user ID, and profile picture.
Sensitive Data Processed: The services are not intended to Process special categories of data.
Data Subjects: Customers’ end users.
ANNEX II
SECURITY CONTROLS
Thena has implemented and maintains the information security controls listed below to protect personal data during storage, processing, and transmission.

Security Control Category: Information Security Program
Description: In accordance with our SOC 2 Type II compliance program, we maintain policies, procedures, and practices documenting our technological, administrative, and procedural safeguards relating to the privacy, security, integrity, and availability of personal data.
Our information security framework includes periodic audits, assessments, and employee privacy and security training.
We undergo annual independent third-party SOC 2 Type II audits that include a risk assessment of the threats to the privacy, confidentiality, security, integrity and availability of personal data, the likelihood that these threats occur, and measures to mitigate these risks.
We conduct penetration testing of the network and our application to evaluate the security of our production environment.

Security Control Category: Categories of Data
Description: We only collect the personal data we need to accomplish our business purposes, including names, business email addresses, links to Slack profile pictures, and Slack user metadata. We do not store users’ conversation data on our systems.

Security Control Category: Data Collection, Retention and Disposal
Description: When a customer uninstalls our solution, we securely dispose of the personal data in our possession by deleting the customer’s data from our systems.

Security Control Category: Personnel Background Checks
Description: We conduct background checks on all of our employees using Checkr.

Security Control Category: Personnel Training and Education
Description: We regularly train all our employees on our information security program, the importance of the security, confidentiality, and privacy of personal data, and the risks to our company and its customers associated with security incidents.

Security Control Category: Access Controls
Description: We only permit access to personal data, sensitive information systems, and our premises to authorized employees based on their role and with prior approval.
Terminated employees are prevented from accessing personal data and lose access to all devices and applications upon termination.

Security Control Category: Secure User Authentication
Description: All communication between customer systems and our platform takes place using high levels of encryption (TLS 1.2/HTTPS).
All stored data, session cookies, and backups are encrypted at rest. Our databases are also encrypted using custom keys for additional security.
We use industry-standard encryption and a monitoring agent to protect the data stored on company laptops.

Security Control Category: Network Security
Description: We store all personal data on private networks that require VPN to access, and we conduct biannual penetration testing to evaluate the security of the network.

Security Control Category: Malicious Code Detection
Description: We have implemented Snyk to detect and remedy malicious or insecure code designed to perform an unauthorized function on, or permit unauthorized access to, any information system.
We remediate any malicious or insecure code promptly upon identification.

Security Control Category: Vulnerability and Patch Management
Description: We conduct biannual vulnerability assessments to detect vulnerabilities on the network, and we have implemented processes to remediate any detected vulnerabilities.

Security Control Category: Change Controls
Description: Prior to implementing code changes, our employees follow a documented change management process to assess the potential security and product impact of such changes.
We document all changes to our information systems as part of merge requests.

Security Control Category: Off-Premise Information Security
Description: We monitor and document the movement of records or media using Vanta, an automated security and compliance platform.
We have implemented strict password protection on all personal devices that access our systems.
We maintain restrictions on physical access to our offices and information systems through the implementation of strict access controls that are recorded in a digital registry.

Security Control Category: Application Security
Description: We maintain application security and software development controls, including private networks, custom key encryption, and biannual penetration testing, to detect and prevent the introduction of security vulnerabilities.
ANNEX III
LIST OF SUB-PROCESSORS

Vendor name: Amazon Web Services (AWS)
HQ: 410 Terry Avenue North, Seattle, WA 98109, United States
Description: Thena is hosted on AWS Cloud servers

Vendor name: GitHub
HQ: San Francisco, California, USA
Description: Version control and code hosting
Leadership: Thomas Dohmke (CEO)

Vendor name: Supabase
HQ: San Francisco, California, USA
Description: Real-time PostgreSQL backend with auto APIs
Leadership: Paul Copplestone (Co-founder & CEO)

Vendor name: MongoDB Atlas
HQ: MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019, United States
Description: Database for storing application metadata

Vendor name: Heroku (Server Hosting)
HQ: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, California 94105, United States
Description: Servers for processing

Vendor name: Slack
HQ: California, United States
Description: Communication platform for teams and customers

Vendor name: Zoom
HQ: California, United States
Description: Communication platform for teams and customers

Vendor name: Linear
HQ: California, United States
Description: Product ticketing platform

Vendor name: Sentry
HQ: San Francisco, California, United States
Description: Data Platform

Vendor name: Amplitude
HQ: California, United States
Description: Product Analytics

Vendor name: Pusher
HQ: Amsterdam, United States
Description: Real time technology

Vendor name: Logrocket
HQ: Massachusetts, United States
Description: Product analytics

Vendor name: Retool
HQ: California, United States
Description: Data Platform