Data Processing Agreement
Last updated: September 30th, 2024
To access and use It Ducks’ platform and services, the Client accepts It Ducks’ General Conditions and Confidentiality Policy and the present Data Protection Agreement.
This document forms part of any other written or electronic agreement between It Ducks and the Client.
It Ducks ensures the protection of the Data Subjects’ Personal Data, in accordance with the applicable law and regulations, and specifically in accordance with the GDPR.
In the course of providing its Bump.sh Service, Bump.sh acts as a controller, in the sense given by the GDPR.
DEFINITIONS
Definitions | Description of the definition |
---|---|
“The Bump.sh Service” | It Ducks is the owner and provider of the Bump.sh Service, which is an API contract management platform that helps document and track APIs by identifying changes in the APIs’ structure and keeping developers up to date. |
“Client’s Personal Data” | all data provided to It Ducks through the Client’s and Users’ use of the Bump.sh Service. |
“Data Protection Laws” | any applicable European data protection laws and regulations and notably the French Law n°78-17 dated January 6th, 1978 and the GDPR. |
“Data Subject” | an identified or identifiable natural person. |
“GDPR” | Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data. |
“Personal Data” | any information relating to a Data Subject the Client provides to It Ducks. |
“Personal Data Breach” | a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. |
“Processing” (or “Process”) | any operation or set of operations performed by It Ducks on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
“Standard Contractual Clauses” | standard contractual clauses for the transfer of Personal Data to Processors established in third countries as updated by the European Commission on 4 June 2021. |
“Processor” | any third-party duly authorized to Process Personal Data on It Ducks’ behalf in accordance with the provision of the Bump.sh Service. |
“Transfer” | a transfer of Personal Data to a third country or an international organization. |
“User” | any regular or occasional user of the Bump.sh Service. |
1. Purpose and scope
1.1. The purpose of the DPA is to ensure compliance with the requirements of the Data Protection Laws.
1.2. The Appendix to this DPA containing the Annexes referred to therein forms an integral part of the DPA.
2. Effect and invariability of the DPA
The DPA sets out appropriate safeguards, including enforceable Data Subject rights and effective legal remedies pursuant to the GDPR.
3. Information of Data Subjects / Privacy Policy
Data Subjects accept the terms and conditions of the Privacy Policy when accessing the Bump.sh Service.
4. Interpretation
4.1. Where these Clauses use terms that are defined in GDPR, those terms shall have the same meaning as in that Regulation.
4.2. These Clauses shall be read and interpreted in light of the provisions of GDPR.
4.3. These Clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in GDPR.
5. Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed upon or entered into thereafter, these Clauses shall prevail.
6. Description of the Processing
The details of the Processing, and in particular the categories of Personal Data that are processed and the Purpose(s) for which they are processed, are specified in Annex 1.2.
7. Docking clause
7.1. An entity that is not a Party to the DPA may, with the agreement of the Parties, accede to these Clauses at any time, by completing the Appendix and signing Annex 1.1.
7.2. Once it has completed the Appendix and signed Annex 1.1, the acceding entity shall become a Party to these Clauses.
7.3. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
8. Data protection safeguards
It Ducks warrants that it is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under the DPA.
8.1. Purpose limitation
It Ducks shall process the Personal Data only for the specific purpose(s) of the Processing, as set out in Annex 1.2. It may only process the Personal Data for another purpose:
- where it has obtained the Data Subject’s prior consent;
- where necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- where necessary in order to protect the vital interests of the Data Subject or of another natural person.
8.2. Transparency
- In order to enable Data Subjects to effectively exercise their rights pursuant to Clause 10, It Ducks shall inform them, either directly or through the Client:
- of its identity and contact details;
- of the categories of Personal Data Processed;
- where it intends to Transfer the Personal Data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such Transfer and the ground therefore pursuant to Clause 8.7.
- Paragraph (a) shall not apply where the Data Subject already has the information, including when such information has already been provided by the Client, or providing the information proves impossible or would involve a disproportionate effort for It Ducks. In the latter case, It Ducks shall, to the extent possible, make the information publicly available.
- The above is without prejudice to the obligations of the Client under Articles 13 and 14 of the GDPR.
8.3. Accuracy and data minimization
- Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date. It Ducks shall take every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purpose(s) of Processing, is erased or rectified without delay.
- If one of the Parties becomes aware that the Personal Data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
- It Ducks shall ensure that the Personal Data is adequate, relevant, and limited to what is necessary in relation to the purpose(s) of Processing.
8.4. Storage limitation
It Ducks shall retain the Personal Data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organizational measures to ensure compliance with this obligation, including erasure or anonymization of the data and all backups at the end of the retention period.
8.5. Security of processing
- It Ducks and, during transmission, also the Client shall implement appropriate technical and organizational measures to ensure the security of the Personal Data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter ‘Personal Data Breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of Processing and the risks involved in the Processing for the Data Subject. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner.
- The Parties have agreed on the technical and organizational measures set out in Annex II. It Ducks shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- It Ducks shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a Personal Data Breach concerning Personal Data processed by It Ducks under these Clauses, It Ducks shall take appropriate measures to address the Personal Data breach, including measures to mitigate its possible adverse effects.
- In case of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of natural persons, It Ducks shall without undue delay notify both the Client and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and an approximate number of Data Subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for It Ducks to provide all the information at the same time, it may do so in phases without undue further delay.
- In case of a Personal Data Breach that is likely to result in a high risk to the rights and freedoms of natural persons, It Ducks shall also notify without undue delay the Data Subjects concerned by the Personal Data Breach and its nature, if necessary in cooperation with the Client, together with the information referred to in paragraph (e), points ii) to iv), unless It Ducks has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, It Ducks shall instead issue a public communication or take a similar measure to inform the public of the Personal Data Breach.
- It Ducks shall document all relevant facts relating to the Personal Data breach, including its effects and any remedial action taken, and keep a record thereof.
8.6. Sensitive data
Where the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offenses (hereinafter ‘sensitive data’), It Ducks shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the Data and the risks involved. This may include restricting the personnel permitted to access the Personal Data, additional security measures (such as pseudonymization), and/or additional restrictions with respect to further disclosure.
8.7. Transfers
It Ducks shall not disclose the Personal Data to a third party located outside the European Union unless the third party is or agrees to be bound by Standard Contractual Clauses, under the appropriate Module. Otherwise, a Transfer by It Ducks may only take place if:
- it is to a country benefitting from an adequacy decision pursuant to Article 45 of GDPR that covers the Transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of GDPR with respect to the Processing in question;
- the third party enters into a binding instrument with It Ducks ensuring the same level of Data Protection as under the DPA, and It Ducks provides a copy of these safeguards to the Client;
- it is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings;
- it is necessary in order to protect the vital interests of the data subject or of another natural person; or
- where none of the other conditions apply, It Ducks has obtained the explicit consent of the Data Subject for a Transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, It Ducks shall inform the Client and, at the request of the latter, shall transmit to it a copy of the information provided to the Data Subject.
Any Transfer is subject to compliance by It Ducks with all the other safeguards under these Clauses, in particular purpose limitation.
8.8. Processing under the authority of It Ducks
It Ducks shall ensure that any person acting under its authority, including a Processor, processes the data only on its instructions.
8.9. Documentation and compliance
- Each Party shall be able to demonstrate compliance with its obligations under the DPA. In particular, It Ducks shall keep appropriate documentation of the Processing activities carried out under its responsibility.
- It Ducks shall make such documentation available to the competent supervisory authority on request.
9. Use of Processors
- It Ducks has the Client’s general authorization for the engagement of Processor(s) from an agreed list that the Parties shall keep to date (Annex III). It Ducks shall specifically inform the Client in writing of any intended changes to that list through the addition or replacement of Processors at least fifteen days in advance, thereby giving the Client sufficient time to be able to object to such changes prior to the engagement of the Processor(s). It Ducks shall provide the Client with the information necessary to enable the Client to exercise its right to object.
- Where It Ducks engages a Processor to carry out specific Processing activities (on behalf of the Client), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding It Ducks under the DPA, including in terms of third-party beneficiary rights for Data Subjects. The Parties agree that, by complying with this Clause, It Ducks fulfills its obligations under Clause 8.8. It Ducks shall ensure that the Processor complies with the obligations to which It Ducks is subject pursuant to the DPA.
- It Ducks shall remain fully responsible to the Client for the performance of the Processor’s obligations under its contract with It Ducks. It Ducks shall notify the Client of any failure by the Processor to fulfill its obligations under that contract.
10. Data Subject rights
It Ducks, where relevant with the assistance of the Client, shall deal with any inquiries and requests it receives from a Data Subject relating to the Processing of his/her Personal Data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the inquiry or request. It Ducks shall take appropriate measures to facilitate such inquiries, requests, and the exercise of Data Subject rights. Any information provided to the Data Subject shall be in an intelligible and easily accessible form, using clear and plain language.
In particular, upon request by the Data Subject It Ducks shall, free of charge:
- provide confirmation to the Data Subject as to whether Personal Data concerning him/her is being Processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if Personal Data has been or will be Transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the Personal Data has been or will be Transferred, the purpose of such Transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12;
- rectify inaccurate or incomplete data concerning the Data Subject;
- erase Personal Data concerning the Data Subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the Data Subject withdraws the consent on which the Processing is based.
Where It Ducks Processes the Personal Data for direct marketing purposes, it shall cease Processing for such purposes if the Data Subject objects to it.
It Ducks shall not make a decision based solely on the automated Processing of the Personal Data transferred (hereinafter ‘Automated Decision’), which would produce legal effects concerning the Data Subject or similarly significantly affect him/her, unless with the explicit consent of the Data Subject or if authorized to do so under the laws of the country of destination, provided that such laws lay down suitable measures to safeguard the Data Subject’s rights and legitimate interests. In this case, It Ducks shall, where necessary in cooperation with the Client:
- inform the Data Subject about the envisaged automated decision, the envisaged consequences, and the logic involved; and
- implement suitable safeguards, at least by enabling the Data Subject to contest the decision, express his/her point of view and obtain review by a human being.
Where requests from a Data Subject are excessive, in particular because of their repetitive character, It Ducks may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
It Ducks may refuse a Data Subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of GDPR.
If It Ducks intends to refuse a Data Subject’s request, it shall inform the Data Subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.
11. Redress
11.1. It Ducks shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a Data Subject.
11.2. It Ducks agrees that Data Subjects may also lodge a complaint with an independent dispute resolution body at no cost to the Data Subject. It shall inform the Data Subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.
11.3. In case of a dispute between a Data Subject and one of the Parties as regards compliance with the GDPR, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
12. Liability
12.1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of the DPA.
12.2. Each Party shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the Data Subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the Client under GDPR.
12.3. Where more than one Party is responsible for any damage caused to the Data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties.
12.4. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
12.5. It Ducks may not invoke the conduct of a Processor or sub-processor to avoid its own liability.
13. Supervision
13.1. The supervisory authority with responsibility for ensuring compliance by the Client with GDPR as regards the Data Transfer, as indicated in Annex I.C, shall act as the competent supervisory authority.
13.2. It Ducks agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, It Ducks agrees to respond to inquiries, submit to audits, and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
14. Obligations of It Ducks in case of access by public authorities
It Ducks agrees to notify the Client and, where possible, the Data Subject promptly (if necessary with the help of the Client) if it:
- receives a legally binding request from a public authority, including judicial authorities, for the disclosure of Personal Data Processed pursuant to this DPA; such notification shall include information about the Personal Data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to Personal Data processed pursuant to this DPA; such notification shall include all information available to It Ducks.
15. Non-compliance with the DPA and termination
15.1. It Ducks shall promptly inform the Client if it is unable to comply with these Clauses, for whatever reason.
15.2. In the event that It Ducks is in breach of these Clauses or unable to comply with these Clauses, the Client shall suspend the Processing of Personal Data to It Ducks until compliance is again ensured or the contract is terminated.
15.3. The Client shall be entitled to terminate the contract, insofar as it concerns the Processing of Personal Data under these Clauses, where:
- the Client has suspended the Transfer of Personal Data to It Ducks pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- It Ducks is in substantial or persistent breach of these Clauses; or
- It Ducks fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
15.4. Personal data that has been Transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the Client immediately be returned to the Client or deleted in its entirety. The same shall apply to any copies of the data. It Ducks shall certify the deletion of the data to the Client. Until the data is deleted or returned, It Ducks shall continue to ensure compliance with these Clauses.
16. Governing law
The DPA shall be governed by the laws of France.
17. Choice of forum and jurisdiction
Any dispute arising from the DPA shall be resolved by the courts of Paris.
ANNEX I
1. LIST OF PARTIES
1.1. Client
Name: [company name], a company under [country] law under number [registration number], represented by,
Address: [full address]
Contact person’s name, position, and contact details: [first and last name], [position], [contact details]
Activities relevant to the data transferred under these Clauses: performance of the service agreement/ access to the Solution.
Signature and date: [signature and date]
Role (controller/processor): controller.
1.2. IT DUCKS
Name: IT DUCKS, a simplified joint-stock company under French law registered with the trade and companies register of Angers under number 831 116 330;
Address: 25, rue Lenepveu 49100 Angers;
Contact person’s name, position and contact details: Sébastien Charrier, Chief Executive Officer, [email protected]
Activities relevant to the data transferred under these Clauses: performance of the service agreement/ access to the Solution.
Signature and date: [to be completed]
Role (controller/processor): controller.
2. DESCRIPTION OF THE PROCESSING
Processing | Description of the processing |
---|---|
Nature of Processing | collection, recording, organization, structuring, storage, consultation. |
Purpose of Processing | |
Duration of Processing | Entire duration of the use of the Bump.sh Service and/or any duration provided by law. |
Categories of Data Subjects | |
Categories of Personal Data | |
Frequency of Transfers | Continuous basis |
Transfers to Processors:
Personal Data is transferred to Processors so they can provide It Ducks with their services (web analytics service, messaging management, payment provider services etc.). Personal Data is collected, recorded, processed, and stored by Processors in compliance with the principles laid out in the present DPA, in accordance with the GDPR provisions and the Standard Contractual Clauses. Personal Data is Processed for the duration of the contract It Ducks concluded with Processors and/or any duration provided by law.
3. COMPETENT SUPERVISORY AUTHORITY
The French « Commission nationale de l'informatique et des libertés » (« CNIL »).
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Access Control
Infrastructure
- Who has access:
- The Bump.sh Service and Personal Data are hosted in Heroku’s facilities in Ireland and protected by Heroku in accordance with their security protocols.
- It Ducks’ employees' access to the infrastructure and databases is strictly limited to the engineering team.
- How we secure the access:
- The list of people with access to infrastructure and database is kept up to date.
- The engineering team follows best practices when accessing the platform: mandatory multi-factor authentication (“MFA”), short-lived sessions enforced by Heroku, and a strong password policy enforced by Heroku.
Back-office tool
The back-office tool is built by It Ducks’ employees to perform support, account management, and maintenance activities on Client’s Personal Data.
- Who has access:
- It Ducks’ employees’ access to the back office is strictly limited to the engineering team, support team, and account management team. It Ducks restricts access to Client’s Personal Data to only those people with a “need-to-know” for a permitted purpose, following least-privilege principles.
- It Ducks regularly reviews at least every one hundred and eighty (180) days the list of people and systems with access to Client’s Personal Data and removes accounts upon the termination of employment or a change in job status that results in employees no longer requiring access to Client’s Personal Data.
- How we secure the access:
- The back-office tool has a software-enforced strong password policy (12 characters minimum, including special characters, numbers, upper case and lower case letters). Yearly renewal of passwords is enforced.
- Access to the back-office is automatically blocked to a user when several erroneous passwords are entered. Such events are logged.
- Back-office access logs keep track of who logged in, and at which date and time. All accesses are logged in our HTTP logging system and can be reviewed if needed.
- Back-office access is secured with mandatory MFA.
- An off-boarding procedure guarantees that all access is disabled for employees leaving It Ducks.
- It Ducks’ employees having access to the back office have the obligation to use a password manager.
- It Ducks keeps its systems and software up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications necessary to ensure security of the Client’s Personal Data.
- It Ducks monitors their production systems and implements and maintains security controls and procedures designed to prevent, detect, and respond to identified threats and risks.
- Strict privacy controls exist in the application code that are designed to ensure data privacy and to prevent one Client from accessing another Client’s Personal Data (i.e., logical separation).
Personal computers
- Who has access:
- Each employee has exclusive access to a personal computer, and is not allowed to let other people access it.
- How we secure the access:
- It Ducks has a strong password policy rule for gaining personal computer access (12 characters minimum, including special characters, numbers, upper case and lower case letters). Yearly renewal of passwords is strongly recommended.
- Every personal computer is set up with state-of-the-art hard disk encryption algorithms.
Transmission and storage of Personal Data
Infrastructure
- All data sent to or from It Ducks is encrypted in transit using TLS 1.2 or TLS 1.3 as per Heroku policy.
- Infrastructure redundancy: two (2) clustered database servers are used for storing the Personal Data, as per our infrastructure provider’s Heroku Postgres Cluster policy.
Processing
- Personal Data collection is limited to the Purposes of Processing (or to Personal Data that the Client chooses or is required to provide It Ducks with).
- It Ducks has a process that allows Data Subjects to exercise their privacy rights (including a right to amend and update their Personal Data), as described in It Ducks’ Privacy Policy.
- It Ducks will permanently and securely delete all live (online or network accessible) instances of the Client’s Personal Data within ninety (90) days upon Client’s in-app deletion request.
- It Ducks does not store plain Users’ passwords and only keeps an encrypted salted hash which can then be re-computed during User identification (login).
- It Ducks will restrict the Processor’s access to Client’s Personal Data only to what is strictly necessary to provide the Bump.sh Service, and It Ducks will prohibit the Processor from Processing Personal Data for any other Purpose.
- It Ducks requires all its Processors to comply with GDPR and to have a Data Protection Agreement in compliance with the Standard Contractual Clauses.
Security procedures and Personal Data Breaches
- It Ducks has implemented a formal procedure for handling Personal Data Breaches. When Personal Data Breaches are detected, they are escalated to the engineering team alias, relevant parties are notified (including the relevant authority if required), and assembled to rapidly address the Personal Data Breach. After a Personal Data Breach is contained and mitigated, relevant teams write up an analysis, which is reviewed in person and distributed across It Ducks and includes action items that will make the detection and prevention of a similar Personal Data Breach easier in the future.
- All Client’s Personal Data is permanently stored in the EU and is backed up in the US (per Heroku policy) for disaster recovery.
- It Ducks relies on Heroku, a Platform-As-A-Service (“PaaS”) provider. Every component in It Ducks’ infrastructure is designed and built for high availability. It Ducks benefits from the ability to completely re-provision its infrastructure resources on an as-needed basis, using the same vendor, tools, and APIs. It Ducks’ infrastructure scales up and down manually as required as part of day-to-day operations and does so in response to any changes in our Clients’ needs. This includes not just compute resources, but storage and database resources.
- It Ducks has no direct reliance on specific office locations to sustain operations. All operational access to production resources can be exercised at any location on the Internet. It Ducks leverages a range of best-of-breed technologies and other critical cloud tools to deliver uninterrupted remote work for all employees.
- It Ducks uses continuous automation for application and operating systems deployment for new releases. Integration testing and unit testing are done upon every build with safeguards in place for availability and reliability. It Ducks has a process for critical emergency fixes that can be deployed to Clients within minutes. As such It Ducks can roll out security updates as required based on criticality.
- It Ducks uses a public, independent website (https://status.bump.sh/) for any platform status update and availability monitoring of the Bump.sh Service.
- It Ducks’ platform is continuously monitored via both system logs and application logs. Relevant engineering teams are notified of any unexpected behaviors detected and action is taken based on their criticality.
- Database backups are in place thanks to our PaaS provider Heroku Postgres Data Safety policy to ensure data resiliency.
- It Ducks development procedures enforce the usage of automatic dependency scanning tools for any potentially vulnerable libraries on all its software. Security patches are applied and deployed as soon as they are available.
ANNEX III
LIST OF PROCESSORS
The Client has authorized the use of the following Processors:
Processor | Description of processing | Country of processing |
---|---|---|
Fathom | Visitors analytics (limited to IP address and User-Agent, not including any Personally Identifiable Information) to track ads conversion. | United States |
Heroku | User Account information storage (First Name, Last Name, email address) for providing service access. | United States |
Hubspot | User Account information storage (First Name, Last Name, email address) for sales activities. | United States |
Intercom | User Account information storage (First Name, Last Name, email address) for customer support activities. | United States |
MixPanel | User Account information storage (First Name, Last Name, email address) for analytics purposes. | United States |
Segment | User Account information storage (first name, last name, email address) for transfer to other processors listed below. | United States |
Sendgrid | User Account information storage (first name, last name, email address) for emailing activities, directly related to the usage of the service. | United States |
Sentry | User Account basic information (email and internal id) to monitor application errors. | United States |
Stripe | User Account information storage (First Name, Last Name, email address) for subscription payment processing, including credit card and/or IBAN details. | United States |
Typeform | User Account information storage (First Name, Last Name, email address) for sales activities. | United States |