Data Processing Addendum (DPA) for Teamscale Cloud
Last updated: October 15th, 2022
The terms of this Data Processing Addendum (DPA) supplement the Subscription Agreement where Customer is entering into the Subscription Agreement on behalf of an Enterprise. Customer’s acceptance of the Subscription Agreement shall be treated as its execution of this DPA.
- Data Processor, for the purposes of the GDPR (General Data Protection Regulation), refers to the company as the legal person which alone or jointly with others processes the Personal Data.
- GDPR means EU General Data Protection Regulation 2016/679.
- Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to the company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
- Personal Data is any information that relates to an identified or identifiable individual, as defined in the definition of "personal data" under GDPR, which is used in this Service. This includes any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
- Service refers to the application Teamscale.
This DPA applies when CQSE processes Personal Data in the Service. In this context, CQSE acts as the Data Processor, while the customer of CQSE acts as the Data Controller.
Subject and Duration of the Agreement
The contracted services comprise the operation of the Service in a cloud environment managed by CQSE. The Processor shall process personal data on behalf of the Controller pursuant to Article 4, 2 and Article 28 GDPR on the basis of this Contract. The contractually agreed Service shall be provided exclusively in a Member State of the European Union or in a Contracting Member State to the Agreement on the European Economic Area. Any transfer of the Service or part thereof in a third country shall be subject to the prior approval of the Customer and may only take place if the special requirements of Article 44 et seq. GDPR are fulfilled (such as the Commission decision on adequacy, standard data protection clauses, approved codes of conduct).
The duration of this contract shall be the same as that of the Subscription Agreement. Termination of the Subscription Agreement also implies the end of this addendum.
Type of Personal Data and Data Subject Categories
The exact categories of personal data (according to the definition of Article 4, 1, 13, 14 and 15 GDPR) and data subjects (according to the definition of Article 4, 1 GDPR) collected and processed by Teamscale depend on the feature set used.
Information You Provide Directly
We store the data You directly provide to us, including:
- Teamscale Account Information: This includes the username, the given name, the email address, and (unless an external authentication service is used) a hash of your password. This information might be entered by you or provided by a directory or identity service, using for example LDAP or SAML protocols.
- Profile Information: We collect information that you voluntarily provide in your user profile, including your public avatar (which may be a photo), user aliases, and additional email addresses. Please note this information may be visible to other users of the same Teamscale instance.
- Payment Information: If you purchase a paid subscription, we will collect payment information from you that may include your name, billing address and credit card or bank information. Please note that CQSE does not directly process or store your entire credit card number, but we do direct that information to our third-party payment processors for processing.
- Marketing Contact Information: If you request CQSE to contact you, or sign up for marketing materials or events, CQSE may collect information such as name, address, email address, telephone number, company name, and size of company. This may be collected through the websites as well as through the use of the Teamscale product.
- Licensee Information: We collect licensee name, email address, and similar information associated with the individual that receives a license key for the paid users of Teamscale.
- Content you provide through the use of Teamscale: Examples of content we collect and store include but are not limited to: names and descriptions for projects and analysis profiles, rationale for finding tolerations, descriptions for quality tasks and reports.
- Teamscale Support: If you contact Teamscale support, we will collect information about you related to your account and to the requests you are making or the services being provided.
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Information from Third-Party Systems
Teamscale integrates data from third-party systems that you connect to it. The data of those systems will be processed and stored to some extent, including any personal data included there (even if not intentionally stored in these systems). Examples of these systems and data include:
- Version control systems and code collaboration platforms: source code, version history, commit meta-data such as author, message, and timestamp.
- Issue trackers, such as Jira: Ticket descriptions and fields, users with specific roles for a ticket, such as reporter or assignee.
- User management and authentication systems, using protocols such as LDAP or SAML: username, given names, email address.
Type and Purpose of Processing
We process your personal data (according to the definition of Article 4, 2 GDPR) for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service.
- To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
- For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
- To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
- To manage Your requests: To attend and manage Your requests to Us.
- For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.
We may share Your personal information in the following situations:
- With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, for payment processing, and to contact You.
- For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of Our business to another company.
- With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
- With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.
- With Your consent: We may disclose Your personal information for any other purpose with Your consent.
Both the Data Controller and Data Processor shall treat as confidential all knowledge of business secrets and data security measures of the other party, acquired within the scope of the contractual relationship. This obligation shall remain in force even after termination of this Contract.
Data Processor’s Obligations
The Data Processor shall process personal data solely within the scope of the contracted agreements and according to the Data Controller’s instructions, unless they are subject to other processing under Union or Member State law to which the Processor is bound (such as investigations by criminal prosecutors or state security authorities); in such a case, the Data Processor shall notify the Data Controller of these legal requirements prior to processing, provided that the relevant law does not prohibit said notification on important grounds of public interest (Article 28, 3, 2, a GDPR).
The Data Processor shall not use the personal data provided for processing for any other purposes, in particular not for their own purposes. Copies or duplicates of personal data shall not be created without the Data Controller's knowledge.
The Data Processor shall ensure performance of all agreed measures relating to the contracted processing of personal data as set out in the Contract.
They shall ensure that the data processed on behalf of the Data Controller is kept strictly separate from other data.
The Data Processor shall duly cooperate with and provide appropriate assistance (Article 28, 3, 2, e and f GDPR) to the Data Controller in their compliance with the rights of data subjects according to Article 12 to 22 GDPR, in the drafting of a directory of processing activities and of the data protection impact assessments required of the Customer.
They shall immediately forward the necessary information to the Data Controller.
The Data Processor shall immediately inform the Data Controller should they be of the opinion that an instruction issued by the Data Controller breaches legal provisions (Article 28, 3, 3 GDPR).
The Data Processor shall be entitled to suspend execution of the said instruction until it is confirmed or changed by the Data Controller.
The Data Processor must correct, delete or restrict the processing of personal data arising from the contractual relationship if the Data Controller requires this by means of an instruction and it does not conflict with the legitimate interests of the Data Processor.
The Data Processor may only provide information about personal data arising from the contractual relationship to third parties or to the data subject on the Data Controller's prior instruction or approval.
The Data Processor confirms that they are aware of the GDPR data protection regulations relevant to commissioned processing of data. The Data Processor shall maintain confidentiality in their processing of the Data Controller's personal data in accordance with the contract. This obligation shall remain in force after termination of the Contract. The Data Processor shall familiarise employees engaged to perform the contracted services with the relevant data protection regulations and shall suitably pledge them to confidentiality for the duration of their work and after termination of the employment relationship (Article 28, 3, 2, b and Article 29 GDPR) before they commence their processing activities. The Data Processor shall supervise compliance with data protection regulations in their company.
The Data Processor has appointed a data protection officer:
Phone: +49 711 13203200
The Customer must be notified immediately if a new data protection officer is appointed.
The Data Processor shall immediately inform the Data Controller of any breaches of data protection provisions or of provisions set out in the contract, and any suspicions of data protection breaches or irregularities in the processing of personal data. This applies in particular to any reporting and notification obligations of the Data Controller according to Article 33 and Article 34 GDPR. If required, the Data Processor shall appropriately assist the Data Controller (Article 28, 3, 2, f GDPR) to fulfil their obligations in accordance with Article 33 and Article 34 GDPR.
Subcontractors (Article 28, 3, 2, d GDPR)
The Data Processor employs subcontractors to provide the Service. The current list of subcontractors is available here. The Data Processor will inform the Data Controller of any changes in the list of subcontractors.
Technical and Organizational Measures according to Article 32 GDPR (Article 28, 3, 2, c GDPR)
The current set of technical and organizational measures is provided here.
The Data Processor shall conduct a review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure processing security (Article 32, 1, d GDPR) as the occasion demands, however at least once a year. Major changes agreed between the Contractor and Customer shall be documented (in writing, electronically). Such agreements shall be kept for the duration of this Contract.
Contractor’s Obligations on Termination of the Contract, Article 28, 3, 2, g GDPR
On conclusion of the contracted services, the Data Processor shall delete all data obtained in connection with this Contract in their or their subcontractor’s possession.
Reference is made to Article 82 GDPR.
- Side agreements must be set out in writing or in electronic form.
- The Data Processor shall issue and document all orders, part orders and instructions in writing or in electronic form.
- Verbal instructions shall be confirmed immediately and documented in writing or in electronic form.
- The Data Processor shall immediately inform the Data Controller should their property or personal data be endangered by the actions of third parties (such as seizure or confiscation), by insolvency or settlement proceedings or by other events when on the Contractor's premises.
- Pleas of right of retention pursuant to Article 273 of the German Civil Code (BGB) are excluded for data processed on the Customer's behalf and for the data media on which they are stored.
- Should individual parts of this Agreement be ineffective, the validity of the remaining parts shall not be affected.