Last Updated May 2024
If you need a signed copy of this Data Processing Agreement, please click here.
This Super Empleado LLC Data Processing Agreement and its Annexes A, B, and C (“DPA”) is between Super Empleado LLC. (“Super Empleado”) and the party executing this agreement as Customer (“Customer”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data by Super Empleado on behalf of Customer in connection with the Service under the contemporaneously-executed Terms of Service agreement between the parties (“Agreement”).
This DPA is part of the Agreement and is effective upon execution or another time as specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency, and it will supersede any previous DPA.
Both parties will comply with all applicable requirements of Data Protection Laws. This schedule is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Data Protection Laws.
The parties have determined that for the purposes of Data Protection Laws, Super Empleado shall process the Customer Personal Data as processor on behalf of the Customer. Customer may be either a Controller or Processor.
Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to Super Empleado, and the lawful collection of the same by the Customer using the Super Empleado Services for the duration and purposes of the Agreement and DPA, and shall indemnify Super Empleado against all loss and damage (including fines) arising from a failure to do so.
Annex A sets out the scope, nature, and purpose of Customer Personal Data Processing by Super Empleado, the duration of the Processing and the types of Customer Personal Data and categories of Data Subjects.
Super Empleado shall process Customer Personal Data only on the documented instructions of the Customer, unless Super Empleado is required by any applicable laws to otherwise process that Customer Personal Data. The Agreement and DPA are deemed to be the instructions of Customer; the parties may agree to additional instructions. Super Empleado shall inform the Customer if, in the opinion of Super Empleado, the instructions of the Customer breach Data Protection Laws;
Super Empleado will:
The parties agree that if the CCPA applies, Customer is a “business” and Super Empleado is a “service provider” as defined under the CCPA. Super Empleado will not retain, use, or disclose the California Personal Information it collects pursuant to the Agreement for any purposes other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; and (b) Super Empleado will not retain, use, or disclose the California Personal Information it collects pursuant to this the Agreement outside of the direct business relationship between Super Empleado and Customer, unless otherwise permitted by the CCPA. Super Empleado will not “sell” or “share” California Personal Information as those terms are defined in the CCPA or combine the California Personal Information with personal information obtained from sources other than Customer, except to the extent permitted by the CCPA. From time to time, Customer may ask for, and Super Empleado will provide, reasonable evidence of its compliance with this Section 8.
The Customer provides its prior, general authorization for Super Empleado to appoint Processors to process the Customer Personal Data, provided that Super Empleado shall ensure that the terms on which it appoints such processors comply with Data Protection Laws, and are consistent with the obligations imposed on Super Empleado in this paragraph; and shall remain responsible for the acts and omission of any such Processor as if they were the acts and omissions of Super Empleado. Super Empleado has currently appointed, as Sub-Processors, the third parties listed in Annex C to this DPA. Super Empleado will notify Customer if Super Empleado adds or replaces any Sub-Processors listed in Annex C at least 30 days prior to any such changes, if Customer opts-in to receive such emails by contacting Super Empleado. Super Empleado will include substantially the same protections for Customer Personal Data as those in the DPA.
Super Empleado will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such Personal Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
Customer acknowledges that in connection with the performance of the Service, Super Empleado is a recipient of European Data in the United States. Subject to sub-sections (c), the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:
If Super Empleado cannot comply with its obligations under the Standard Contractual Clauses or is breach of any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and Customer intends to suspend the transfer of European Data to Super Empleado or terminate the Standard Contractual Clauses, or UK Addendum, Customer agrees to provide Super Empleado with reasonable notice to enable Super Empleado to cure such non-compliance and reasonably cooperate with Super Empleado to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If Super Empleado has not or cannot cure the non-compliance, Customer may suspend or terminate the affected part of the Service in accordance with the Agreement without liability to either party (but without prejudice to any fees Customer have incurred prior to such suspension or termination).
Notwithstanding anything else to the contrary in the Agreement, Super Empleado reserves the right to make any updates and changes to this DPA, including to address changes in Data Protection Laws and to revise the security provisions in this DPA, so long as Super Empleado does not materially reduce the overall security level provided to Customer Personal Data.
Data exporter: |
Name: You, as defined in Super Empleado’s Terms of Service Address: Your address as specified by your Platform Account Contact person’s name, position and contact details: Your contact details, as specified by your Platform Account Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties as a Controller. Role (controller/processor): Controller or Processor |
---|---|
Data importer: |
Name: Super Empleado LLC Address: 7190 W Sunset Blvd, Los Angeles, CA 90046 Contact person’s name, position and contact details: Raul Dominguez, Co-Founder Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties. Role (controller/processor): Processor |
Description of the technical and organisational security measures implemented by the data importer in accordance with clause 4(d) and clause 5(c) (or documents/legislation attached):
Measure | Description |
---|---|
Measures of pseudonymisation and encryption of personal data | All personal data at rest is encrypted with: AES 256 CBC. All personal data in transit is encrypted with: TLS V1.2+. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Processor has endpoint protection on its APIs. Processor has uptime monitors to help ensure availability and to alert Processor if there is downtime. Processor has implemented access control measures such as user-based authentication and subaccount-base authentication. Processor uses managed services (AWS, GoogleCloud) to help ensure integrity. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Personal data backed up on AWS and GoogleCloud with 5 minute granularity to enable Processor to restore personal data in case of an incident. |
Measures for user identification and authorisation | Processor uses encrypted signed tokens and role-based authorizations, as well as password protection. |
Measures for the protection of data during transmission | SSL certificates and https are used during personal data transmission. Protected with TLS v1.2+. |
Measures for the protection of data during storage | Personal data is encrypted at rest with AES-256 CBC encryption. |
Measures for ensuring physical security of locations at which personal data are processed | Processor uses managed services to ensure physical security of server locations. All personal data stored on AWS and GoogleCloud, with physical security described in AWS and GoogleCloud Ts&Cs, respectively. |
Measures for ensuring events logging | Processor uses logging for all user actions and audit logs. In particular, Processor uses GoogleCloud ops for both application and infrastructure monitoring. In addition, Processor uses AWS’s Cloudwatch. |
Measures for ensuring system configuration, including default configuration | Processor has configurations stored in version control. All containers are created from standardized images hosted by AWS and GoogleCloud. Updates and upgrades are performed automatically and managed by GoogleCloud. Patching of any vulnerabilities is managed by GoogleCloud, according to its standard policies. |
Measures for internal IT and IT security governance and management | Processor uses a third-party vendor (iWerk) for internal IT and IT security. |
Measures for certification/assurance of processes and products | The Compliancy Group has issued Processor a HIPAA Seal of Compliance Certificate. |
Measures for ensuring data minimisation | Minimum data requirement set by Processor. Users can decide not to enter personal data into optional fields. |
Measures for ensuring data quality | Processor enables customers to update relevant personal data to the latest date, and Processor uses two-factor authentication. Application monitoring conducted by GoogleCloud and custom monitors. |
Measures for ensuring limited data retention | Data retention can be configured with respect to specific individuals by the customer administrator. |
Measures for ensuring accountability | Processor access to personal data is restricted based on rules. |
Measures for allowing data portability and ensuring erasure | Customers can download their personal data from within the Service. Customers can request a copy, or deletion, of their personal data upon separation Processor uses support tickets to ensure the foregoing. |
Describe the specific technical and organisational measures to be taken by Data Importer to be able to provide assistance to the Data Exporter | Self-Service Personal data can be downloaded by customers from within the Service. Customer admins can set data retention for terminated personnel. Customer and Product Support FAQs, support tickets for specific queries not addressed by collateral on Processor customer/product support website. |
Name of Authorized Subcontractor | Address | Contact information | Description of processing | Country in which subprocessing will take place |
---|---|---|---|---|
LeadConnector LLC | 400 North Saint Paul St. Suite 920 Dallas, TX 75201 | kiran.raparti@gohighlevel.com | Data storage; support for performance of this Agreement | US |
Name of Authorized Subcontractor | Address | Contact information | Description of processing | Country in which subprocessing will take place |
---|---|---|---|---|
Google LLC/Google Cloud Services | 1600 Amphitheatre Parkway Mountain View, CA 94043 United States | legal-notices@google.com | Data storage; support for performance of this Agreement | US |
Amazon Web Services, Inc. | 410 Terry Avenue North Seattle, WA 98109-5210 United States | 206.266.7010 | Data storage; support for performance of this Agreement | US |
Twilio | 101 Spear Street Fifth Floor San Francisco, CA 94105 United States | 1-903-500-7655 | Support for performance of this agreement | US |
Mailgun | 112 E Pecan Street #1135 San Antonio, TX, 78205 United States | (888) 571-8972 | Support for performance of this agreement | US |
Chargebacks911 | 18167 US Hwy 19 North #600 Clearwater, FL 33764 United States | legal@chargebacks911.com | Data storage; support for performance of this Agreement | US |
Pendo | 301 Hillsborough Street Raleigh, NC 27603 United States | (877) 320-8484 | Data storage; support for performance of this Agreement | US |
ChartMogul | ChartMogul GmbH & Co. KG c/o WeWork Kemperplatz 1 10785 Berlin, Germany | info@chartmogul.com | Data storage; support for performance of this Agreement | Germany. Ireland, UK, Italy, France, Spain, Sweden, Switzerland |
Freshworks | 2950 S. Delaware Street Suite 201 San Mateo, CA 94403 United States | legal@freshworks.com | Data storage; support for performance of this Agreement | Germany. Ireland, UK, Italy, France, Spain, Sweden, Switzerland, US |
Yext | 61 Ninth Avenue New York, NY 10011 United States | info@yext.com | Data storage; support for performance of this Agreement | US |
Zapier | 548 Market Street #62411 San Francisco, CA 94104 United States | privacy@zapier.com | Data transfer; support for performance of this Agreement | US |
Stripe | Corporation Trust Center 1209 Orange Street Wilmington, DE 19801 United States | privacy@stripe.com | Data storage and transfer of payment information | US |
Zoom | 55 Almaden Blvd. Suite 600 San Jose, CA 95113 United States | privacy@zoom.us | Support for performance of this agreement | US |
Authorize.net | 900 Metro Center Boulevard Foster City, CA 94404 United States | privacy@visa.com | Payment processing | US |
FirstPromoter | Igil Webs SRL, Str. Talmacelului, nr. 30, Talmaciu, Sibiu, Romania | hello@firstpromoter.com | Data storage and transfer to run the affiliate program | US |
ClickUp | 350 Tenth Ave Suite 500 San Diego, CA 92101 United States | data@clickup.com | Data storage for project management | US |
Loom | 5214F Diamond Heights Blvd #3391 San Francisco, CA 94131 United States | privacy@loom.com | Data storage and transfer for customer support | US |
Open AI | 3180 18th Street San Francisco, CA 94110 United States | privacy@openai.com | Data storage and transfer of payment information | US |
Meta (for Whats App) | Meta Platforms, Inc. ATTN: Privacy Operations 1601 Willow Road Menlo Park, CA 94025 United States | datarrequests@fb.com | Data storage and transfer for communications | US |
Mozart Data | 250 King Street #514 San Francisco, CA 94107 United States | security@mozartdata.com | Data storage; support for performance of this Agreement | US |
Accredible | 800 West El Camino Real Suite 180 Mountain View, CA 94040 United States | 1 (628) 214-2701 | Data storage; support for performance of this Agreement | US |