ShareGate Data Processing Addendum
Published on October 3, 2023
Where applicable, this Data Processing Addendum is hereby incorporated in the ShareGate End User License, Maintenance and Support Agreement (the “EULA”), found on the Terms page of its website, unless Customer has entered into a superseding written agreement with Workleap, in which case, it forms a part of such written agreement. All capitalized terms not defined herein shall have the meaning set forth in the EULA.
Last update: 2023/10/30
1. Definitions and Interpretation
- "Customer Personal Information" means any Personal Information contained within the information submitted or transferred by Customer to Workleap in conjunction with the usage of ShareGate (as defined in the EULA);
- "Data Controller" has the meaning set out in Privacy Laws, as applicable to this Data Processing Addendum;
- "Data Processor" has the meaning set out in Privacy Laws, as applicable to this Data Processing Addendum;
- "Data Protection Regulator" means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
- "Data Subject" has the meaning set out in Privacy Laws, as applicable to this Data Processing Addendum;
- "Personal Information" has the meaning set out in Privacy Laws;
- "Privacy Laws" means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information including but not limited to Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
- "Process", "Processing" or "Processed" have the meaning set out in Privacy Laws, as applicable to this Data Processing Addendum;
- “2010 Standard Contractual Clauses” means the Standard Contractual Clauses for Data Processors as approved by the European Commission in Implementing Decision 2010/87/EU;
- “2021 Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council, approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021; and
- “Standard Contractual Clauses” means collectively the 2010 and 2021 Standard Contractual Clauses, whichever is applicable.
2. Protection of Personal Information
2.1. Supersedence. If any provision contained in the following Section 2 (Protection of Personal Information) conflicts with any provision in the EULA, the provision contained in the following Section 2 shall prevail.
2.2. Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Workleap is the Data Processor of the Customer Personal Information. Workleap will Process Customer Personal Information in accordance with Section 3 of this Data Processing Addendum.
2.3. Customer’s Obligations as Data Controller. The Customer warrants that the Customer Personal Information has been obtained fairly and lawfully and, in all respects in compliance with the Privacy Laws. The Customer shall comply with all of its obligations under Privacy Laws and shall fully indemnify and hold Workleap harmless from and against any and all losses, damages, claims, costs and expenses (including, without limitation, reasonable legal expenses) suffered or incurred by or awarded against Workleap as a result of or in connection with any breach by the Customer of Section 2 of this Data Processing Addendum and/or the Privacy Laws.
2.4. Workleap’s Obligations as Data Processor. Workleap shall:
- 2.4.1. Process the Customer Personal Information only in accordance with Section 3 of this Data Processing Addendum and any other reasonable documented instructions as provided by the Customer to Workleap from time to time ("Instructions"), including with regard to transfers of Customer Personal Information to a third country, save where:
- 2.4.1.1. such Instructions are unlawful;
- 2.4.1.2. such Instructions would cause Workleap to breach its own obligations under Privacy Laws or the EULA or any other agreement with a third party;
- 2.4.1.3. Workleap is under a legal obligation to Process the Customer Personal Information, in which case Workleap shall inform the Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or
- 2.4.1.4. such Instructions delay or prevent performance of Workleap’s obligations under the EULA, in which case Workleap shall be granted relief from liability hereunder.
- 2.4.2. inform the Customer if, in its opinion, an Instruction received from the Customer infringes the Privacy Laws;
- 2.4.3. ensure that all Workleap employees and personnel who are involved in the Processing of Customer Personal Information have committed themselves to confidentiality or are under statutory obligations of confidentiality;
- 2.4.4. not provide any new third party with access to the Customer Personal Information, or sub-contract any of its obligations under the EULA that involve Processing Customer Personal Information, without providing at least thirty (30) days’ advance notice to the Customer via email. The Customer hereby approves those third parties listed in Schedule 1 hereto (the “Sub-processors”), which are compliant with the requirements under Privacy Laws, as applicable to this Data Processing Addendum, regarding transfers of Customer Personal Information to a third country.
- 2.4.5. ensure that any sub-contract entered into by Workleap (where Customer Personal Information is Processed by a Sub-processor) contains provisions which comply with Privacy Laws and in any event are no less onerous than those imposed under Section 2 of this Data Processing Addendum, and where a Sub-processor fails to fulfil its data protection obligations under the GDPR, the UK GDPR or the relevant subcontract, Workleap shall remain liable to Customer for the performance of that Sub-processor’s obligations;
- 2.4.6. implement and maintain appropriate technical and organizational security measures to protect against unauthorised or unlawful Processing of the Customer Personal Information and against accidental loss, disclosure or destruction of, or damage to, the Customer Personal Information, taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing, as described in the Privacy Policy;
- 2.4.7. taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, as further described in Schedule 2 hereto, to enable the Customer to comply with its obligations under Privacy Laws in responding to requests from Data Subjects (insofar as this is possible);
- 2.4.8. assist the Customer (at the Customer's cost), to comply with the following obligations under the GDPR and/or UK GDPR, taking into account the nature of Processing and information available to Workleap, including:
- 2.4.8.1. notification to the Data Protection Regulator and Data Subjects of a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Information transmitted, stored or otherwise Processed; and
- 2.4.8.2. the Customer's obligations to carry out data protection impact assessments and any subsequent consultation with the Data Protection Regulator;
- 2.4.9. make available to the Customer, all information necessary to demonstrate compliance with the obligations imposed on Workleap under Section 2 of this Data Processing Addendum and/or Privacy Laws and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer (but not being a competitor of Workleap) for the purposes of demonstrating such compliance;
- 2.4.10. unless required by law, at Customer’s request following termination or expiry of the EULA for whatever reason, securely delete all of the Customer Personal Information; and
- 2.4.11. comply with the relevant Controller to Processor provisions of the Standard Contractual Clauses which are incorporated by reference and are an integral part of this Data Processing Addendum, for the purpose of which the Parties agree that:
- 2.4.11.1. Customer is the data exporter and Workleap is the data importer.
- 2.4.11.2. Module Two of the 2021 Standard Contractual Clauses will apply where Customer is a Controller and Workleap is a Processor.
- 2.4.11.3. Clause 7 of the 2021 Standard Contractual Clauses will apply.
- 2.4.11.4. For the purpose of Clause 9, paragraph (a) of the 2021 Standard Contractual Clauses, option 2 shall apply, as per the time period specified under section 2.4.4 hereof.
- 2.4.11.5. The Parties agree that any direct claims brought under the Standard Contractual Clauses by a Party shall be subject to the limitation of liability set out in the EULA, provided however that nothing in this Data Processing Addendum shall be construed as a limitation or exclusion of a Party’s liability toward a Data Subject under the Standard Contractual Clauses.
- 2.4.11.6. For the purpose of Clause 17 of the 2021 Standard Contractual Clauses the parties choose option 1 and the law of the Republic of Ireland.
- 2.4.11.7. For the purpose of Clause 18 of the 2021 Standard Contractual Clauses, paragraph (b), the Parties choose the courts of the Republic of Ireland.
- 2.4.11.8. The contents of Appendix I of the Standard Contractual Clauses are deemed completed with the information found in Sections 2 and 3 hereof. The contents of Appendix II are described in Schedule 2 hereof.
- 2.4.11.9. In the event of any conflict between the provisions of the Standard Contractual Clauses and this Data Processing Addendum, the Standard Contractual Clauses shall prevail.
3. Instructions for Processing of Customer Personal Information
Workleap will Process Customer Personal Information in accordance with the following instructions:
Categories of Customer Personal Information collected by Workleap | Categories of Data Subjects for which Customer Personal Information is Processed | Purposes for which Workleap Processes Customer Personal Information | Nature of Processing | Duration of Processing |
---|---|---|---|---|
User credentials (such as emails, names, etc.). User credentials permit Users to access ShareGate and include emails and authentication tokens. For further clarity, Users’ passwords are NOT part of such user credentials. | All Users of ShareGate | - provide, maintain and improve ShareGate - prevent or address service, security, support or technical issues with ShareGate | handling, storing, sharing with Sub-processors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in the EULA and/or Privacy Policy, unless a longer retention is required by law. |
User profiles. ShareGate uses the permissions granted through Microsoft Azure to create a profile for each User, which contains the first name, last name, company name and email of the User. | Users of ShareGate who have activated the Services, as described in the EULA. This category of Customer Personal Information is not collected where Customer only uses the Migration Tool. | - provide, maintain and improve the Services provided via ShareGate - prevent or address service, security, support or technical issues with ShareGate | handling, storing, sharing with Sub-processors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in the EULA and/or Privacy Policy, unless a longer retention is required by law. |
Diagnostic data (Migration Tool). - In the context of providing support services, Workleap’s support team does not have access to Customer Data (as defined in the EULA) nor to the machine hosting the Migration Tool, but may require Users to provide Diagnostic Data (as defined below) to investigate what prevents the normal functioning of the Migration Tool. When Users activate the diagnostic mode in the Migration Tool, the migration report, the Migration Tool error log, the copy manifest and the capture of the Migration Tool’s HTTP/HTTPS traffic stream (collectively, the “Diagnostic Data”) may be transmitted to Workleap. - Given that the Diagnostic Data may sometimes contain Customer Data, it is possible that Workleap has access to Customer Personal Information that was included in the documents and data stored in Customers’ own Microsoft SharePoint and Microsoft 365. Workleap has no control over who the Data Subjects related to such Customer Personal Information would be, since the Customer Personal Information would be in the Users’ documents. - The Diagnostic Data may also include Users’ credentials (as defined above, including authentication tokens) that permit Users to access ShareGate or the Migration Tool. | Any User of the Migration Tool | - provide, maintain and improve the Migration Tool - prevent or address service, security, support or technical issues with the Migration Tool | handling, storing, sharing with Sub-processors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in this Data Processing Addendum, unless a longer retention is required by law. |
Diagnostic data (Services). - In the context of providing support services, Workleap’s support team may request access to Customer Data (as defined in the EULA) or Diagnostic Data (as defined below) to investigate what prevents the normal functioning of the Services. “Diagnostic Data” means the migration report, the error log and the copy manifest, which may be transmitted to Workleap. - Given that the Diagnostic Data may sometimes contain Customer Data, it is possible that Workleap has access to Customer Personal Information that was included in the documents and data stored in Customers’ own Microsoft SharePoint and Microsoft 365. Workleap has no control over who the Data Subjects related to such Customer Personal Information would be, since the Customer Personal Information would be in the Users’ documents. | Users of Services accessed through ShareGate | - provide, maintain and improve the Services - prevent or address service, security, support or technical issues with the Services | handling, storing, sharing with Sub-processors, accessing and reviewing Customer Personal Information for the Processing purposes set out adjacent | As long as necessary for the purposes described in the Terms, unless a longer retention is required by law. |
Data contained in migrated files (Services). - By using certain functionalities of the Services, Customer may transfer files containing Customer Personal Information. Such files are hosted temporarily by Workleap while a migration is performed. Hosting is done on Microsoft Azure cloud infrastructure located in Canada, in conjunction with database management services provided by MongoDB in Canada. - Workleap does not access or otherwise use Customer Personal Information Processed in this context, and has no control over, or knowledge of, the nature of the Customer Personal Information Processed in this context. | Categories will vary depending on the Customer, but may include Users, Customer employees, Customer’s customers, etc. | Provide the Services via ShareGate | Temporary storage of data in the course of a migration | As long as necessary to perform the migration operation |
SCHEDULE 1: ShareGate Sub-processors
Sub-processor | Type of processing | Country | Transfer Mechanism |
---|---|---|---|
Microsoft, Inc. | Cloud Provider | United States of America and Canada | Standard Contractual Clauses |
MongoDB, Inc. | Database management service | United States of America and Canada | Standard Contractual Clauses |
Slack Technologies, LLC | Internal communications | United States of America | Standard Contractual Clauses |
Atlassian, Inc. | Team collaboration tool | United States of America | Standard Contractual Clauses |
Box, Inc. | Cloud content management and internal file sharing | United States of America | Standard Contractual Clauses |
Zendesk, Inc. | Customer service tool | United States of America | Standard Contractual Clauses |
Inversoft, Inc. (d.b.a. FusionAuth) | Security access management tool | Canada (data hosting and processing) and United States of America (remote access for support) | Standard Contractual Clauses |
trycourier.com, Inc. | Notification delivery service | United States of America | Standard Contractual Clauses |
SCHEDULE 2: General Description of the Technical and Organizational Security Measures in Place
All capitalized terms not defined herein shall have the meaning set forth in the End User License, Maintenance and Support Agreement and in the Data Processing Addendum, as applicable.
Workleap has implemented and maintains the following technical and organizational security measures:
Pseudonymisation and encryption of Customer Personal Information | |
---|---|
Pseudonymisation | - It is Workleap’s policy to pseudonymize Customer Personal Information whenever possible. - Workleap cannot, however, pseudonymize Diagnostic Data, because it cannot control what will be included in the diagnostic logs. |
Encryption | - Data is encrypted in transit with HTTPS (HTTP over SSL/TLS). Certificates use 2048-bit keys, and private keys are stored in a dedicated secret vault. Weak ciphers are disabled. - Data is also encrypted at rest by Workleap and the Sub-processors. - Encryption keys are managed by a limited number of employees and secured in a vault with regular rotation. |
Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services | |
---|---|
Confidentiality | Workleap has measures in place to ensure that no person can access Customer Personal Information without authorization. Such measures include, without limitation: - Workleap manages access to Customer Personal Information under a role-based access control (RBAC) permissions model, on a need-to-access and least-privilege basis. In order to perform technical investigations, Workleap’s customer success agents and developers may request Customer’s consent to access Customer Personal Information for investigative purposes only. - Workleap has a secure authentication process in place. - All Workleap employees are subject to a criminal background check to confirm that they have no job-related convictions. - Workleap’s internal database is located in a Microsoft Azure data center. Microsoft Inc. maintains certifications and attestations including ISO 27001, FedRAMP, SOC 1 and SOC 2. - Workleap has measures in place to control physical security at its office (including a security guard at the building entrance, an alarm system and visitor registration). - Workleap, all Workleap employees and the Sub-processors have signed non-disclosure agreements. - Data is encrypted in transit with HTTPS (HTTP over SSL/TLS). Certificates use 2048-bit keys, and private keys are stored in a dedicated secret vault. Weak ciphers are disabled. Data is also encrypted at rest. Encryption keys are managed by a limited number of employees and secured in a vault with regular rotation. - Regular updates concerning current security attacks are sent to Workleap’s employees to raise awareness. - Workleap has adopted a comprehensive data breach response plan as part of its Security Program. |
Integrity | Data integrity is enforced through the Sub-processors’ own systems in accordance with industry standards. |
Availability | Workleap has measures in place to ensure that Customer Personal Information is available and is used properly in the intended Processing. Such measures include, without limitation: - Workleap has implemented Azure Security Center to prevent malware in the hosting environment, and a centralized anti-malware solution with periodic full scans and firewall integration to prevent malware in the office. - Workleap is in the process of adopting and operationalizing a disaster recovery plan. It is Workleap’s objective that this disaster recovery plan be fully operationalized as quickly as possible. |
Resilience | Workleap has measures in place to ensure resilience. Such measures include: - Workleap’s infrastructure can scale depending on the load. - Workleap’s infrastructure is redundant within the same data center. - Workleap’s database server is redundant. |
Ability to restore the availability of and access to Customer Personal Information in a timely manner in the event of a physical or technical incident | |
---|---|
Recovery | If the causes of an outage are within Workleap’s control, its recovery time objective (RTO) is about 8 hours or less. See the measures described above with respect to “Availability”. |
Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing | |
---|---|
Access control | Access rights are reviewed regularly and every time a team changes. |
Vulnerability assessment | External tests are performed at least once a year. |
Log centralization | Workleap uses a SIEM to aggregate its logs. |