Effective: 14 January 2025
DATA PROCESSING ADDENDUM
INTRODUCTION
(A) In providing the Services for the Customer under the Terms and Conditions (“Terms”), incident.io will process certain personal data on behalf of the Customer. This Data Processing Addendum including the data processing terms set out below and its Appendices (“DPA”) forms an integral part of the Terms.
(B) The Customer is either the controller or a processor in respect of that personal data and incident.io is a processor or sub-processor, as applicable.
DATA PROCESSING TERMS
NOW IT IS AGREED:
1. Definitions
1.1. In this DPA, all capitalised terms used without definition have the meanings ascribed to them: first, in the Data Protection Laws; second, as applicable in Appendix 2 (Jurisdiction Specific Terms); and third, in the Terms.
1.2. The following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.2.1. “controller”, “data subject”, “personal data”, “process(ing)” and “processor” all have the meanings given to them in Data Protection Laws;
1.2.2. “Data Protection Laws” means any and all applicable laws relating to the processing, privacy, and use of personal data that apply to the Customer, incident.io and/or the Services from time to time, including: (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), (ii) the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), (iii) the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, (iv) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and implemented in national legislation, and (v) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), in each case, as in force and applicable, and as amended, supplemented or replaced from time to time;
1.2.3. “Personal Data Breach” means a breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Protected Data;
1.2.4. “Protected Data” means personal data received from or on behalf of the Customer, or otherwise obtained or created in connection with the performance of incident.io’s obligations under the Terms; and
1.2.5. “Services” means any and all services to be provided by incident.io under the Terms.
2. Processor/Controller
2.1. The parties agree that, in respect of Protected Data, the Customer shall be either the controller or a processor and incident.io shall be a processor or sub-processor, as applicable.
3. Compliance
3.1. Each party shall comply with Data Protection Laws and their respective obligations under this DPA.
3.2. The parties hereby agree and acknowledge that to the extent incident.io transfers Protected Data internationally and/or makes Protected Data available to the Customer internationally, the activity does not amount to a restricted transfer under the UK GDPR and does not therefore require any appropriate safeguards to be implemented between the parties.
3.3. The Customer warrants that:
3.3.1. it will be solely responsible for ensuring the lawfulness of processing the personal data of its data subjects in order for incident.io to process the personal data;
3.3.2. incident.io will have no liability for failure to obtain any consents or authorizations prior to the processing of personal data in connection with this DPA and/or performance of the Services;
3.3.3. it has provided each data subject with appropriate information as to how incident.io will process the Protected Data; and
3.3.4. it has reviewed the technical and organizational security measures incident.io applies when it processes personal data, deems them appropriate, and has taken steps to ensure that any data it or its affiliates and agents pass to incident.io are transferred securely.
4. Processing Instructions
4.1. The details of the Protected Data processing carried out by incident.io are set out in Appendix 1 to this DPA.
4.2. incident.io shall:
4.2.1. process the Protected Data only in accordance with the Customer’s written instructions and only as required to perform its obligations under this DPA;
4.2.2. immediately inform the Customer:
a. of any requirement under Data Protection Laws that would require incident.io to process the Protected Data other than on the Customer’s written instructions; or
b. if the Customer’s written instructions are either unlawful or do not comply with the Data Protection Laws;
4.2.3. implement and maintain appropriate technical and organizational measures in relation to its processing of Protected Data so as to ensure a level of security proportionate to the risk posed to the Protected Data;
4.2.4. not engage any sub-processor for carrying out any processing activities in respect of the Protected Data without written specific or general authorization from the Customer. The Customer hereby provides written general authorization for the appointment of the sub-processors set out at incident.io/legal/sub-processors from time to time. incident.io shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. Specifically, following the Effective Date, any change to the sub-processors will be notified to the Customer by an announcement at incident.io/legal/sub-processors ten (10) days in advance of the change coming into effect, and during such ten (10) day period the Customer may object in writing to such change. If the Customer does not object during such period, it shall be deemed to have approved the change;
4.2.5. appoint sub-processors under binding written contracts which impose on the sub-processor data protection obligations no less onerous than those set out in this DPA;
4.2.6. remain fully liable for the acts and omissions of its sub-processors to the extent that incident.io would be liable if performing the services of each sub-processor directly under this DPA;
4.2.7. ensure that its personnel processing Protected Data have committed themselves to confidentiality obligations;
4.2.8. at all times take reasonable steps to ensure the reliability of those of its personnel who have access to the Protected Data and use reasonable endeavours to ensure their compliance with the obligations set out in this DPA;
4.2.9. provide such reasonable assistance, information and cooperation to the Customer as the Customer reasonably requires to ensure compliance with its obligations under the Data Protection Laws, including with respect to (a) security of processing; (b) Personal Data Breach notification as controller to the appropriate supervisory authority or data subjects; (c) data protection impact assessments and prior consultation with the appropriate supervisory authority regarding high risk processing; and (d) handling of data subject rights requests;
4.2.10. refer any communications, requests or queries from data subjects or a competent regulatory authority relating to the Protected Data to the Customer within 5 business days of receipt;
4.2.11. not transfer any Protected Data to any country outside the United Kingdom or the European Economic Area other than in accordance with Data Protection Laws;
4.2.12. maintain, in accordance with Data Protection Laws, written records of all categories of processing activities carried out on behalf of the Customer;
4.2.13. make available to the Customer the information necessary to demonstrate its compliance with the Data Protection Laws to the extent such information is not already available to the Customer;
4.2.14. allow for and contribute to audits, at the Customer’s cost, including inspections, carried out by or on behalf of the Customer (subject to reasonable confidentiality undertakings) to determine incident.io’s compliance with its obligations under Data Protection Laws insofar as such processing relates to Protected Data and provided that: (a) such audits/inspections shall be carried out no more than once per calendar year unless otherwise directed by a regulatory authority; (b) they shall require at least one calendar month’s advance written notice and shall be carried out during normal working hours on a business day in a manner that does not unreasonably disrupt incident.io’s operations; and (c) they shall not entail access to information concerning other clients of incident.io or information that incident.io is legally prohibited from disclosing;
4.2.15. notify the Customer of any Personal Data Breach (and provide the Customer with details of such breach) without undue delay; and
4.2.16. at the choice of the Customer, delete or return all the Protected Data to the Customer after the termination of this DPA, unless Data Protection Laws require continued storage of the Protected Data.
5. Term
5.1. This DPA shall continue in full force and effect until the later of:
5.1.1. the termination or expiration of the Terms; or
5.1.2. the termination of the last of the Services to be performed pursuant to the Terms.
5.2. Clauses 4.2.16 and 5.2 of this DPA will remain in full force and effect following termination or expiry of this DPA.
Appendix 1
DATA PROCESSING DETAILS
Nature and description of processing: As necessary for the provision of a product to facilitate incident management within the applicable Communications Platform.
Duration of processing: Subject to clause 4.2.16 of this DPA, the Protected Data will be processed for the period in which services are provided by incident.io to the Customer.
Subject matter and purpose of processing: Providing a product to facilitate incident management within the applicable Communications Platform, including showing user names and profile pictures in the app and enabling the functionality of the app.
Types of personal data being processed:
Basic information, such as:
Information that enables user functionality, such as:
Information regarding usage or exposure to messages related to our app, such as:
Call recordings, including information on who was in the call and when, and information discussed in the call. incident.io also generates auto-generated IDs that link all of these entities together. incident.io may anonymize usage data and use the anonymized data for its own purposes.
Types of data subjects: Customer personnel / employees who have an account with the applicable Communications Platform and any other individuals involved in an incident, including in the commencement of an incident and the incident response process.
Additional instructions: incident.io takes user names and profile pictures of employees from the applicable Communications Platform and shows them in the incident.io app. incident.io stores them in both a managed database and storage buckets in Google Cloud Platform, both of which are encrypted at rest. Access to Google Cloud Platform is limited to incident.io staff, and all accounts are password protected and protected by two-factor authentication (2FA).
For sub-processors located outside the United Kingdom and European Economic Area, the transfer of personal data shall be done according to the rules on transfers to third countries in Articles 45 to 47 and 49 of the GDPR or the UK GDPR (as applicable).
Appendix 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, incident.io shall implement measures to ensure an appropriate level of security for the provision of the Services. These measures shall include but are not limited to the following:
- Ensuring incident.io’s production systems can only be remotely accessed by authorized employees via an approved encrypted connection;
- Encryption of data at incident.io’s datastores;
- Logging of system activity;
- Regular penetration testing of the Services; and
- SOC 2 Type II compliance.
Appendix 3
JURISDICTION SPECIFIC TERMS
Australia:
1.1 The definition of “Data Protection Laws” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of “personal data” includes “Personal Information” as defined under Data Protection Laws.
1.3 The definition of “Sensitive Information” includes “Sensitive Information” as defined under Data Protection Laws.
Brazil:
2.1 The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (LGPD).
2.2 The definition of “Personal Data Breach” includes a security incident that may result in any relevant risk or damage to data subjects.
2.3 The definition of “processor” includes “operator” as defined under Data Protection Laws.
California:
3.1 The definition of “Data Protection Laws” includes the California Consumer Privacy Act (CCPA).
3.2 The definition of “personal data” includes “Personal Information” as defined under Data Protection Laws and, for clarity, includes any Personal Information contained within Customer Account Data, Personal Data, and Customer Usage Data.
3.3 The definition of “data subject” includes “Consumer” as defined under the Data Protection Laws. Any data subject rights, as described in Section 4 (Processing Instructions) of this DPA, apply to Consumer rights. In regards to data subject requests, incident.io can only verify a request from the Customer and not from the Customer’s end user or any third party.
3.4 The definition of “controller” includes “Business” as defined under the Data Protection Laws.
3.5 The definition of “processor” includes “Service Provider” as defined under the Data Protection Laws.
3.6 incident.io will process, retain, use, and disclose personal data only as necessary to provide the Services under the Terms, which constitutes a business purpose. incident.io agrees not to (a) sell (as defined by the CCPA) the Customer’s Personal Data or the Customer end users’ personal data; (b) retain, use, or disclose the Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose the Customer’s personal data outside of the scope of the Terms. incident.io understands its obligations under Data Protection Laws and will comply with them.
3.7 incident.io certifies that its sub-processors appointed under clause 4.2 of this DPA are Service Providers under Data Protection Laws, with whom incident.io has entered into a written contract that includes terms substantially similar to this DPA. incident.io conducts appropriate due diligence on its sub-processors.
3.8 incident.io will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 4 (Processing Instructions) of this DPA.
Canada:
4.1 The definition of “Data Protection Laws” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
4.2 incident.io’s sub-processors, as described in Section 4 (Processing Instructions) of this DPA, are third parties under Data Protection Laws, with whom incident.io has entered into a written contract that includes terms substantially similar to this DPA. incident.io has conducted appropriate due diligence on its sub-processors.
4.3 incident.io will implement technical and organizational measures as set forth in Section 4 (Processing Instructions) of this DPA.
Israel:
5.1 The definition of “Data Protection Laws” includes the Protection of Privacy Law (PPL).
5.2 The definition of “controller” includes “Database Owner” as defined under Data Protection Laws.
5.3 The definition of “processor” includes “Holder” as defined under Data Protection Laws.
5.4 incident.io will require that any personnel authorized to process personal data comply with the principle of data secrecy and have been duly instructed about Data Protection Laws. Such personnel sign confidentiality agreements with incident.io in accordance with Section 4 (Processing Instructions) of this DPA.
5.5 incident.io must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Terms.
5.6 incident.io must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with incident.io pursuant to Section 4 (Processing Instructions) of this DPA.
Japan:
6.1 The definition of “Data Protection Laws” includes the Act on the Protection of Personal Information (APPI).
6.2 The definition of “Personal Data” includes “Personal Information” as defined under Data Protection Laws.
6.3 The definition of “controller” includes “Business Operator” as defined under Data Protection Laws. As a Business Operator, incident.io is responsible for the handling of Personal Data in its possession.
6.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of Personal Data in whole or in part (also a “trustee”), as described under Data Protection Laws. As a trustee, incident.io will ensure that the use of the entrusted Personal Data is securely controlled.
Mexico:
7.1 The definition of “Data Protection Laws” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).
7.2 When acting as a processor, incident.io will:
(a) treat personal data in accordance with the Customer’s instructions set forth in Section 4 (Processing Instructions) of this DPA;
(b) process personal data only to the extent necessary to provide the Services;
(c) implement security measures in accordance with Data Protection Laws and Section 4 (Processing Instructions) of this DPA;
(d) keep confidentiality regarding the personal data processed in accordance with the Terms;
(e) delete all Personal Data upon termination of the Terms; and
(f) only transfer Personal Data to sub-processors in accordance with Appendix 1 (Data Processing Details) of this DPA.
Singapore:
8.1 The definition of “Data Protection Laws” includes the Personal Data Protection Act 2012 (PDPA).
8.2 incident.io will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 4 (Processing Instructions) of this DPA and complying with the terms of the Terms.
Switzerland:
9.1 The definition of “Data Protection Laws” includes the Swiss Federal Act on Data Protection.