At AskCody we care about data security! Nothing is more important than the success of our customers and the privacy of our customers’ data.
We know you may have questions about the Data Processing Addendum (“DPA”) that AskCody offers to its customers. To help you develop a better understanding of our DPA, we have outlined the most common questions asked. All defined terms used in this FAQ are as set out in our DPA.
General
Q: Does AskCody make a DPA available to its customers?
Yes, AskCody offers a DPA to its customers: the document can be found here. The DPA is an agreement that sets out the legal framework under which AskCody processes Personal Data. The DPA covers all of the services provided by AskCody. The DPA is part of the agreements that must be in place for customers to get access to and make use of our platform, the other part being our Terms & Conditions.
Q: Is the DPA based on Standard Contractual Clauses?
Yes – AskCody has implemented the SCCs as part of our DPA, and we always make sure to follow the most recent guidelines from the European Data Protection Board.
Q: Why can my organisation not use its own DPA?
A: The SCCs contain clauses regulating the transfer and processing of personal data which are deemed to be in compliance with the GDPR. Because they have to be adopted in an unaltered and complete manner to offer the required protection to data subjects, the lawful data protection standard cannot be changed negatively in case of negotiation. Their adoption effectively creates a contractual basis for transfers between data-exporting controllers and data-importing controllers/processors, regardless of their individual relationship, whilst assuring compliance with legal obligations for such entities and providing effective safeguards to the data subject, irrespective of where processing activity may ultimately take place.
What this means: In case of negotiation, the adoption of the SCCs creates a contractual basis that makes both parties the winners - no need for negotiating terms that leave one party with the lesser outcome.
The AskCody DPA is specific to our Platform and covers the specific processes and procedures in relation to, for example, specific notifications related to privacy; audits; certifications; security measures; and sub-processing activities, all of which are aligned to the way in which AskCody’s Platform and infrastructure work. The AskCody DPA also clearly identifies how our service is covered by the transfer mechanism: Standard Contractual Clauses. More information about this mechanism and supplementary measures is available in the ‘Transfer Mechanisms’ Article.
Q: What happens if we do not wish to sign AskCody’s DPA?
If a customer does not wish to sign our DPA, we will first of all enter into a dialogue about any concerns there may be with our DPA, to hopefully have these answered and eliminated. Without a signed DPA, AskCody unfortunately cannot make the Platform available, as we need to have a legal basis for processing your data as a customer; otherwise, both we and you as a customer are left vulnerable.
The AskCody DPA should first and foremost be seen as a security for our customers, as it outlines the instruction for processing personal data, which we follow to a T.
Q: Where can I find additional legal documentation and information about AskCody’s services?
AskCody Terms and Conditions can be found here.
Information about our security measures may be found here.
Information about our ISAE 3000 declaration may be found here, where you can also request a copy of the report, along with our Information Security Policy.
Q: What is the process for signing a DPA with AskCody?
During your signing process with us as a company, you will be presented with our DPA, and should you have any questions before signing, these will be directed to our sales representative. Along with the quote, we will send a DPA for signature, which is already signed on our part.
Our DPA is always dated to follow our annual ISAE 3000 report date.
Q: What if I have additional questions not answered in this FAQ?
You can always reach out to your Account Manager or email us at email@example.com and we will be happy to answer any questions you may have.
Body of the DPA
Q: Does the DPA apply to my organisation if we don’t have offices in the EU?
Yes, the majority of the DPA applies to customers, regardless of their connection to the EU. Most of the commitments in the DPA are general privacy-related commitments which are not specific to EU laws. Our HQ is based in Denmark, and we are therefore subject to GDPR principles, and all of our customers are therefore subject to the same DPA, no matter their location.
Q: What does the DPA contain?
The DPA consists of 4 parts:
Part 1 is based on the Standard Contractual Clauses and contains the rights and obligations of the data controller (The Customer) and the data processor (AskCody).
Part 2: Appendix A – Information about the processing
Part 3: Appendix B – Authorized sub-processors
Part 4: Appendix C – Instruction pertaining to the use of personal data
Part 5: Appendix D – The parties’ terms of agreement on other subjects
Q: What are AskCody’s and the customer’s respective roles under the DPA?
AskCody acts as the Processor with respect to Personal Data submitted by customers to AskCody’s Platform, and the customer acts as the Controller. This means that AskCody’s customers uniquely determine what Personal Data is submitted to and processed by AskCody’s services, and that AskCody processes Personal Data only in accordance with the customer’s documented instructions. This is set out in the DPA at Section 4: ‘The processors acts according to instructions’.
Q: If we are buying AskCody's services through a partner - why do we have to sign the DPA with AskCody, and not the partner?
Before signing up for any service that requires processing of data, it is key that this processing is governed by a contract: "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller."
When you are buying AskCody's software, the relationship between you and a partner of ours is not relevant when it comes to the processing of data, as the relationship in this regard is Processor (AskCody) and Controller (you, the customer). The key to understanding this is knowing who the integration, and hence the data processing, is between: AskCody and you as a customer.
It is therefore of vital importance for you as a Controller that you are signing the DPA with AskCody directly, as this is the only way to be completely sure of how your data will be processed and protected.
Q: Does AskCody use Sub-processors?
An effective and efficient performance of AskCody’s services requires the use of Sub-processors. These Sub-processors are third-party organisations. AskCody’s use of Sub-processors may require the transfer of Customer Data to Sub-processors for purposes like hosting Customer Data, providing customer support, and ensuring the services are working properly. As described in the DPA, AskCody takes responsibility for the actions of its Sub-processors.
Up-to-date information about the hosting locations for each service that AskCody offers and the identities and the locations of Sub-processors can be found in Appendix B.
Q: What security measures are in place to protect Customer Data?
AskCody maintains appropriate technical and organisational measures to protect Customer Data, as set forth in our Information Security Policy, which can be requested here.
Q: How would AskCody notify its customers in the event of a security breach?
AskCody maintains security incident management policies and procedures, which are specified in our Information Security Policy. AskCody commits to notifying its customers without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data processed by AskCody or its Sub-processors.
Q: What happens to Customer Data after termination or expiration of an agreement?
After termination or expiration of the agreement, AskCody will delete all Customer Data in accordance with the procedures and timeframes specified in our Terms & Conditions and DPA.