Last Updated May 2022
This Data Processing Addendum, including its Schedules (“DPA”) forms part of the
Terms of Service (the “Agreement”) between Status Hero, Inc. (“Status
Hero”, “us” or “we”) and you as a Status Hero Customer. Terms not defined herein shall have the meaning as set forth
in the Agreement. This DPA takes effect on the date Customer agrees to our Terms of Service as a Status Hero Customer,
and governs the collection, processing, or receipt of Personal Data by Status Hero on behalf of the Customer in the
course of providing the Services.
If you have questions or would like to receive a signed copy of this DPA, please contact us at
“Applicable Laws” means all laws, rules, regulations, and orders applicable to the subject matter
herein, including without limitation Data Protection Laws.
“California Personal Information” means Personal Data that is subject to the protection of the
"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer
Privacy Act of 2018).
“CPRA” means California Civil Code Sec. 1798.150 et seq. (also known as the California Privacy Rights
Act of 2020).
"Consumer", "Business", "Sell", and "Service Provider" shall have the meanings given to them in the CCPA.
“Controller”, “Data Subject”, “Processing”, and
“Processor” shall have the meanings given to them in the General Data Protection Regulation
(Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or
regulation implementing the General Data Protection Regulation) or “GDPR.”
“Customer Data” means all Personal Data, including without limitation California Personal Information
and European Personal Data, Processed by Status Hero on behalf of Customer pursuant to the Agreement.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and
privacy that apply to the respective Party in its role of Processing Personal Data in question under the Agreement,
including without limitation European Data Protection Laws and the CCPA; in each case as amended, superseded, or
replaced from time to time.
“Data Subject” means the Consumer or other individual to whom Personal Data relates.
“European Data” means Personal Data that is subject to the protection of European Data Protection
"European Data Protection Laws" means data protection laws applicable in Europe, including: (i)
Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data (GDPR); (ii) Directive 2002/58/EC concerning the
processing of personal data and the protection of privacy in the electronic communications sector; and (iii)
applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable
national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy
as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19
June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.
“Instructions” means the written, documented instructions issued by Customer to Status Hero, and
directing Status Hero to perform a specific or general action with regard to Personal Data for the purpose of
providing the Services to Customer. The Parties agree that the Agreement (including this DPA), together with
Customer's use of the Services in accordance with the Agreement, constitute Customer’s complete and final Instructions
to Status Hero in relation to the Processing of Customer Data, and additional Instructions outside the scope of the
Instructions shall require prior written agreement between Status Hero and Customer.
“Personal Data” means any information relating to an identified or identifiable individual where such
information is contained within Customer Data and is protected similarly as personal data, personal information, or
personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed
by Status Hero and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach does
not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including
unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or
means any entity which provides processing services to Status Hero in furtherance of Status Hero’s processing of
“Standard Contractual Clauses” or “SCCs”
means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation
(EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU)
2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Supervisory Authority” means an independent public authority which is established by an EU Member
State pursuant to the GDPR.
Nature, Purpose, and Subject Matter.
The nature, purpose, and subject matter of Status Hero’s data processing activities performed as part of the Services
are set out in the Agreement. The Customer Data that may be processed may relate to (a) Customer’s employees,
contractors, and agents; (b) the personnel of Customer's customers, suppliers, and subcontractors; and (c) any other
end user granted access to the Services by Customer. Categories of Personal Data Processed may include identifiers,
internet and similar activity, and, if Customer or its end user chooses to submit it, employment information or
commercial information, as well as any other Personal Data that may be processed pursuant to the Agreement.
The term of this DPA shall follow the term of the Agreement. Status Hero will Process Personal Data for the duration
of the Agreement, unless otherwise agreed in writing.
Processing of Customer Data.
Status Hero shall process Customer Data only for the purposes described in the Agreement (including this DPA) or as
otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required
by Applicable Law. If Status Hero is collecting Personal Data from end users on behalf of Customer, Status Hero shall
follow Customer’s Instructions regarding such Personal Data collection. Status Hero shall inform Customer without
delay if, in Status Hero’s opinion, an Instruction violates applicable Data Protection Laws and, where necessary,
cease all Processing until Customer issues new Instructions with which Status Hero is able to comply. If this
provision is invoked, Status Hero will not be liable to Customer under the Agreement for any failure to perform the
Services until such time as Customer issues new lawful Instructions.
Status Hero shall ensure that any personnel whom Status Hero authorizes to Process Customer Data on its behalf is
subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that
Customer Data. Additionally, Status Hero shall take reasonable steps to ensure that persons employed by Status Hero
and other persons engaged to perform on Status Hero’s behalf comply with the terms of the Agreement.
Within the scope of the Agreement (including this DPA) and in Customer’s use of the Services, Customer shall comply
with all Applicable Laws, including without limitation all requirements that apply to Customer under Data Protection
Laws with respect to its Processing of Personal Data and the Instructions it issues to Status Hero. In particular, and
without limiting the generality of the foregoing, Customer shall take sole responsibility for: (a) the accuracy,
quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (b) complying with all
necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of
the Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring Customer has the right
to transfer, or provide access to, the Personal Data to Status Hero for Processing in accordance with the terms of the
Agreement (including this DPA); (d) ensuring that Customer’s Instructions to Status Hero regarding the Processing of
Customer Data comply with Applicable Laws; and (e) complying with all Applicable Laws (including Data Protection Laws)
applicable to Customer’s use of the Services, including without limitation those relating to providing notice and
obtaining consents. Customer shall inform Status Hero without undue delay if it is not able to comply with this
section or applicable Data Protection Laws. For the avoidance of doubt, Status Hero is not responsible for compliance
with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to
Customer agrees that Status Hero may engage Sub-Processors to Process Customer Data. Where Status Hero engages
Sub-Processors, Status Hero will impose data protection terms on the Sub-Processors that provide at least the same
level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services
provided by such Sub-Processors. Status Hero will remain responsible for each Sub-Processor’s compliance with the
obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Status Hero to breach any of
its obligations under this DPA. Status Hero shall maintain on its website a list of current Sub-Processors engaged to
Process Customer Data and shall notify Customer of any changes to the Sub-processors list through in-product
notifications, email or other means.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of
Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons,
Status Hero shall, in relation to the Customer Data, maintain appropriate technical and organizational security
measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of
Customer Data. In assessing the appropriate level of security, Status Hero shall take account of the risks that are
presented by Processing, in particular from a Personal Data Breach. Upon request, Status Hero shall provide Customer
with a summary of Status Hero’s security policies applicable to the Services.
Customer acknowledges and agrees that Status Hero may access and Process Personal Data on a global basis as necessary
to provide the Services in accordance with the Agreement, and in particular that Personal Data will be transferred to
and Processed by Status Hero in the United States and to other jurisdictions where Status Hero’s Sub-Processors have
Personal Data Breaches.
Status Hero will notify Customer without undue delay after Status Hero becomes aware of any Personal Data Breach
involving Customer Data and will provide timely information relating to such Personal Data Breach as it becomes known
or reasonably requested by Customer. At Customer’s request, Status Hero will promptly provide Customer with
commercially reasonable assistance as necessary to enable Customer to notify authorities and/or affected Data
Subjects, if Customer is required to do so under Data Protection Laws.
Data Subject Requests.
As part of the Services, Status Hero provides Customer and its end users with certain controls that Customer or end
users may use to access, correct, delete, or restrict Personal Data, which Customer or its end users may use to assist
in connection with Customer’s obligations under Data Protection Laws, including its obligations relating to responding
to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). To the extent that Customer is unable to independently address a Data Subject Request through the Services, then
upon Customer’s written request Status Hero shall provide reasonable assistance to Customer to respond to any Data
Subject Requests or requests from data protection authorities relating to the Processing of Customer Data under the
Agreement. Customer shall reimburse Status Hero for the commercially reasonable costs arising from this assistance. If
a Data Subject Request or other communication regarding the Processing of Customer Data under the Agreement is made
directly to Status Hero, Status Hero will promptly inform Customer. Customer shall be solely responsible for
facilitating any such Data Subject Requests or communications involving Personal Data.
Data Protection Impact Assessment and Prior Consultation.
To the extent Status Hero is required under Data Protection Law, Status Hero shall (at Customer's expense) provide
reasonably requested information regarding Status Hero’s processing of Customer Data under the Agreement to enable
Customer to carry out data protection impact assessments or prior consultations with data protection authorities as
required by law.
Deletion or Return of Personal Data.
At the expiry or termination of the Agreement, Status Hero will, at Customer's option, delete or return to Customer
all Customer Data Processed pursuant to this DPA in accordance with Customer’s reasonable Instructions. The
requirements of this section shall not apply to the extent that Status Hero is required by Applicable Law to retain
some or all of the Customer Data, or to Customer Data Status Hero has archived on back-up systems, which data Status
Hero shall securely isolate and protect from any further Processing and delete in accordance with Status Hero’s
Demonstration of Compliance.
Upon Customer's written request and with at least 45 days’ notice (or a shorter period if permitted by Applicable Law),
Status Hero shall make available to Customer (on a confidential basis) all information reasonably necessary and allow
for and contribute to audits (collectively, “Audits”), to demonstrate Status Hero’s compliance with
this DPA, provided that Customer shall not exercise this right more than once per year. Such Audits shall consist solely of
the provision by Status Hero of written information that may include information relating to Third Parties and
interviews with Status Hero information technology employees and subcontractors. No access to any part of Status
Hero’s information system, data hosting sites or centers, or infrastructure will be permitted. Customer or its
designated and professionally qualified agent may carry out such Audit. Customer must conduct all Audits (a) during
normal business hours; (b) according to security and confidentiality terms and guidelines; and (c) taking reasonable
measures necessary to prevent unnecessary disruption to Status Hero’s operations. Customer shall be responsible for
all costs and expenses arising from such audit, including the reasonable costs and expenses of Status Hero in
complying with an Audit request. Customer shall take all reasonable measures to limit any impact on Status Hero by
combining several information and/or audit requests carried out on behalf of Customer in one single audit.
This Section 15 applies only with respect to Processing of European Data by Status Hero.
Roles of the Parties.
When Processing European Data under the Agreement, the Parties acknowledge and agree that Customer is the Controller
and Status Hero is the Processor.
In addition to the provisions of Section 7, within 30 days after posting an updated Sub-Processor List, Customer may
object to Status Hero’s engagement of a new Sub-Processor if Customer can demonstrate that such Sub-Processor’s
Processing of European Data does not comply with European Data Protection Laws. If Customer so objects, the Parties
will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no
such resolution can be reached, Status Hero will, at its sole discretion, either not appoint the new Sub-Processor, or
permit Customer to suspend or terminate the Agreement without liability to either party (but without prejudice to any
fees incurred by Customer prior to suspension or termination).
In addition to Section 9, for transfers of European Personal Data to Status Hero for processing by Status Hero in a
jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing
“adequate” data protection, Status Hero agrees it will: (i) use the form of the Controller-to-Processor SCCs; or (ii)
use another transfer mechanism that is approved by the European Commission as valid at the time of the transfer, as
applicable. If such data transfers rely on Controller-to-Processor SCCs to enable the lawful transfer of European
Personal Data, as set forth in the preceding sentence, the Parties agree that Data Subjects for whom Status Hero
Processes European Personal Data are third-party beneficiaries under the Controller-to-Processor SCCs. If Status Hero
is unable or becomes unable to comply with these requirements, then: (a) Status Hero shall notify Customer of such
inability; and (b) any movement of European Personal Data to a non-EU country requires the prior written consent of
Data Protection Impact Assessments and Consultation with Supervisory Authorities.
To the extent that the required information is reasonably available to Status Hero, and Customer does not otherwise
have access to the required information, Status Hero will provide reasonable assistance to Customer with any data
protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy
authorities to the extent required by European Data Protection Laws.
California Personal Information.
This Section 16 applies only with respect to Processing of California Personal Information by Status Hero in Status
Hero’s capacity as a Service Provider.
Roles of the Parties.
When Processing California Personal Information in accordance with Customer's Instructions, the Parties acknowledge
and agree that Customer is a Business and Status Hero is the Service Provider for the purposes of the CCPA.
Additionally, for the purposes of interpreting this DPA with respect to Processing of California Personal Information,
the term “Controller” is replaced with “Business” and “Processor” is replaced with “Service Provider” wherever those
terms appear in Sections 2 through 14 and Section 17 of this DPA.
The Parties agree that Status Hero will process California Personal Information as a Service Provider strictly for the
business purpose of performing the Services under the Agreement and as set forth in
not: (i) Sell California Personal Information; (ii) retain, use, or disclose California Personal Information for a
commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use,
or disclose California Personal Information outside of the direct business relationship between Customer and Status
Status Hero hereby certifies that it understands and will comply with the restrictions of Section 16(b).
No CCPA Sale.
The Parties agree that Customer does not sell California Personal Information to Status Hero because, as a Service
Provider, Status Hero may only use California Personal Information for the purposes of providing the Services to
Customer represents that it is authorized to, and hereby agrees to, enter into and be bound by this DPA for and on
behalf of itself and each of its affiliates and subsidiaries, thereby establishing a separate DPA between Status Hero
and Customer and each of Customer’s affiliates and subsidiaries subject to the Agreement, as applicable. The
limitations of liability set forth in the Agreement shall apply to Status Hero’s liability arising out of or relating
to this DPA and the Standard Contractual Clauses (where applicable), taken in the aggregate along with the Agreement
and any other agreement between the Parties. In case of any conflict or inconsistency with the terms of the Agreement,
this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. If any
individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of
the other provisions of this DPA shall not be affected. We periodically update this Agreement. If you are a current
Customer, you will be informed of any modification by email, alert on the Services or by other means.
Status Hero, Inc.
Founder and CEO
TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS
STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the Standard Contractual Clauses, Customer is the data exporter and Status Hero is the data
importer and the Parties agree to the following:
Reference to the Standard Contractual Clauses. The relevant provisions contained in the SCCs are incorporated by reference and are an integral part of this DPA.
The information required for the purposes of the Appendix to the SCCs is set out in Schedule 2.
Docking clause. The option under clause 7 shall not apply.
Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of
the Standard Contractual Clauses shall be provided by Status Hero to Customer only upon Customer’s written
Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the
Agreement to Status Hero for the Processing of Personal Data. Any additional or alternate instructions must be
consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by
Customer to Process Personal Data are set out in Section 4 of this DPA and include onward transfers to a third party
located outside Europe for the purpose of the provision of the Services.
Security of Processing. For the purposes of clause 8.6(a), You are solely responsible for making an independent determination as to whether
the technical and organisational measures provided by Status Hero meet Your security requirements and You agree that
(taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of
the Processing of its Personal Data as well as the risks to individuals) the security measures and policies
implemented and maintained by Status Hero provide a level of security appropriate to the risk with respect to the
Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with Section 10
of this DPA.
Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out
in accordance with Section 14 of this DPA.
General authorisation for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Status Hero has Customer’s general
authorisation to engage Sub-processors in accordance with Section 7 of this DPA. Status Hero shall make available to
Customer the current list of Sub-processors in accordance with Section 7 of this DPA. Where Status Hero enters into
Standard Contractual Clauses with a Sub-processor in connection with the provision of the Services, Customer grants
Status Hero authority to provide a general authorisation on Customer’s behalf for the engagement of sub-processors by
Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the
addition or replacement of any such sub-processors.
Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Status Hero may engage new Sub-processors
as described in Section 7 of this DPA. Status Hero shall inform Customer of any changes to Sub-processors following
the procedure provided for in Section 7 of this DPA.
Complaints - Redress. For the purposes of clause 11, Status Hero shall inform data subjects on its website of a contact point authorised
to handle complaints. Status Hero shall inform Customer if it receives a complaint by, or a dispute from, a Data
Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer.
Status Hero shall not otherwise have any obligation to handle the request (unless otherwise agreed with You). The
option under clause 11 shall not apply.
Liability. Status Hero’s liability under clause 12(b) shall be limited to actual and proven damage caused by Status Hero’s
Processing of Personal Data on Customer’s behalf as a Processor where Status Hero has not complied with its
obligations under the GDPR specifically directed to Processors, or where Status Hero has acted outside of or contrary
to Customer’s lawful Instructions, as specified in Article 82 GDPR.
Supervision. Clause 13 shall apply as follows:
Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring
compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory
Where Customer is not established in an EU Member State but falls within the territorial scope of application of
Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article
27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within
the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
Where Customer is not established in an EU Member State but falls within the territorial scope of application of
Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative
pursuant to Article 27(2) of Regulation (EU) 2016/679: The Data Protection Commission of Ireland, 21 Fitzwilliam
Square South, Dublin, 2 D02 RD28, Ireland shall act as competent supervisory authority.
Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK Data
Protection Laws and Regulations, the Information Commissioner's Office shall act as competent supervisory authority.
Where You are established in Switzerland or fall within the territorial scope of application of Swiss Data
Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent
supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
Notification of Government Access Requests. For the purposes of clause 15.1(a), Status Hero shall notify Customer only, and not the Data Subject(s), in case of
government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as
. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of
the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be
governed by either (a) the laws of Ireland; or (b) where the Agreement is governed by the laws of the United Kingdom,
the laws of the United Kingdom.
Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Venue section of the Agreement. If the Agreement does
not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out
of or in connection with this Agreement, the parties agree that the courts of either (a) Ireland; or (b) where the
Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive
jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually
resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of
The Appendix shall be completed as follows:
- The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses
- The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses
- The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses
The contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.
Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland
subject exclusively to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws”), (a) general and specific references in the Standard Contractual Clauses
to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Data Protection Laws
and Regulations of the United Kingdom (“UK Data Protection Laws”) or Swiss Data Protection Laws, as
applicable; and (b) any other obligation in the Standard Contractual Clauses determined by the Member State in which
the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss
Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard
Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity
where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are
amended to no longer apply to a legal entity.
Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights
and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless
stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard
Contractual Clauses, the Standard Contractual Clauses shall prevail.
DESCRIPTION OF PROCESSING/TRANSFER
LIST OF PARTIES
Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer
and/or representative in the European Union
Name: Customer as identified in registration
Address: Customer’s address listed in registration
Role: For the purposes of the Standard Contractual Clauses, Customer is a Controller.
Activities relevant to the data transferred under these clauses: Provision of the Services pursuant to the Agreement
(including the DPA).
Contact person's name, position, and contact details: Customer’s designated point of contact listed at registration
Signature: By agreeing to the Agreement and the DPA, Customer agrees to this Schedule 2, effective as of the date of
Identity and contact details of the data importer(s), including any contact person with responsibility for data
Name: Status Hero, Inc.
Address: 228 Park Ave S, Ste 24881, NY, NY 10003
Role: For the purposes of the Standard Contractual Clauses, Status Hero is a Processor.
Contact person's name, position, and contact details:
Henry Poydar, Founder and CEO
CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in
Customer’s sole discretion, and which may include, but is not limited to Personal Data relating to the following
categories of data subjects:
- Customer's employees, contractors, and agents
- Personnel of Customer's customers, suppliers, and subcontractors
- Other end users granted access to the Services by Customer
CATEGORIES OF PERSONAL DATA TRANSFERRED
You may submit Personal Data to the Services, the extent of which is determined and controlled by You in Your sole
discretion, and which may include, but is not limited to the following categories of Personal Data:
- Identifiers (e.g., IP address, email address, full name, username)
- Internet and similar activity (e.g., browser agents, browser and operating system identifiers)
- Employment information (to the extent the Customer or end user chooses to submit it)
- Commercial history (to the extent the Customer or end user chooses to submit it)
SENSITIVE DATA TRANSFERRED
The parties do not anticipate the transfer of sensitive Personal Data.
FREQUENCY OF THE TRANSFER
Data is transferred on a continuous basis depending on Customer’s use of the Services.
NATURE OF THE PROCESSING
The nature of the Processing is the provision of the Services pursuant to the Agreement.
PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
Status Hero will Process Personal Data as necessary to provide the Services pursuant to the Agreement and as further
instructed by Customer in Customer’s use of the Services.
DURATION OF PROCESSING
Subject to Section 3 of the DPA, Status Hero will Process Personal Data for the duration of the Agreement, unless
otherwise agreed in writing.
Sub-processor(s) will Process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to
section 5 of this DPA, the Sub-processor(s) will Process Personal Data for the duration of the Agreement, unless
otherwise agreed in writing. Identities of the Sub-processors used for the provision of the Services and their country
of location are available to Customer upon request.
COMPETENT SUPERVISORY AUTHORITY
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for
ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as
competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of
application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative
pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the
representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the
competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of
application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a
representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Protection Commission, 21 Fitzwilliam
Square South, Dublin 2, D02 RD28, Ireland shall act as the competent supervisory authority.
Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of
UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent
Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss
Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as
competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and
TECHNICAL AND ORGANISATIONAL MEASURES
In addition to the administrative, physical, and technical safeguards for protection of the security, confidentiality
and integrity of Personal Data described in the DPA and Status Hero’s Privacy Notice, Status Hero has also implemented
the following technical and organizational measures:
Organizational management and dedicated staff responsible for the development, implementation, and maintenance of
Company’s information security program.
Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Company
organization, monitoring and maintaining compliance with Company policies and procedures, and reporting the
condition of its information security and compliance to senior internal management.
Maintain information security policies and make sure that policies and measures are regularly reviewed and, where
necessary, improved.
Communication with Company applications utilizes cryptographic protocols such as TLS to protect information in
transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS
protection are used to filter attacks. Within the internal network, applications follow a multi-tiered model which
provides the ability to apply security controls between each layer.
Data security controls which include logical segregation of data, restricted (e.g. role-based) access and
monitoring, and where applicable, utilization of commercially available and industry-standard encryption
Logical access controls designed to manage electronic access to data and system functionality based on authority
levels and job functions (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and
passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes
in job functions occur).
Password controls designed to manage and control password strength, and usage including prohibiting users from
System audit or event logging and related monitoring procedures to proactively record user access and system
activity for routine review.
Physical and environmental security of data center, server room facilities and other areas containing client
confidential information (if any) designed to: (i) protect information assets from unauthorized physical access,
(ii) manage, monitor and log movement of persons into and out of Company facilities, and (iii) guard against
environmental hazards such as heat, fire and water damage.
Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and
information systems according to prescribed internal and adopted industry standards, including secure disposal of
systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to
final disposal or release from Company possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Company
technology and information assets.
Incident / problem management procedures to enable Company to investigate, respond to, mitigate and notify of events
related to Company technology and information assets.
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and
intrusion detection systems and other traffic and event correlation procedures designed to protect systems from
intrusion and limit the scope of any successful attack.
Vulnerability assessment, patch management, and threat protection technologies and scheduled monitoring procedures
designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious
Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or
recovery from foreseeable emergency situations or disasters.
- Customer-specific security measures shall be subject to a separate agreement between the parties.