Superthread data processing terms

Superthread IO Ltd, the provider of the Superthread service, uses certain third-party processors in order to provide the services set forth in our Terms. This document is a continuation of our Terms outlining how we process your data.

Definitions

These Data Processing Terms form part of our agreement. In these Data Processing Terms:

  1. Appropriate Safeguards: means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
  2. Data Controller: has the meaning given to that term (or to the term “controller”) in Data Protection Laws;
  3. Data Processor: has the meaning given to that term (or to the term “processor”) in Data Protection Laws;
  4. Data Subject: has the meaning given to that term in Data Protection Laws;
  5. Data Subject Request: means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
  6. GDPR: means the General Data Protection Regulation (EU) 2016/679;
  7. International Organisation: means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
  8. International Recipient: has the meaning given to that term in section 6;
  9. Personal Data: has the meaning given to that term in Data Protection Laws;
  10. Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
  11. Processing: has the meaning given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
  12. Processing Instructions: has the meaning given to that term in section 2;
  13. Protected Data: means Personal Data received from or on behalf of You to the extent that it is processed by Superthread on Your behalf in connection with the performance of Superthread’s obligations under our agreement;
  14. Services: means the Services as defined under our agreement;
  15. Sub-processor: means another Data Processor engaged by Superthread for carrying out processing activities in respect of the Protected Data on behalf of You;
  16. Superthread: means Superthread IO Ltd;
  17. Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

In these Data Processing Terms:

(a) references to any applicable laws (including to the Data Protection Laws and each of them) and to terms defined in such applicable laws shall be replaced with or incorporate (as the case may be) references to any applicable laws replacing, amending, extending, re-enacting or consolidating such applicable law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such applicable laws, once in force and applicable;

(b) a reference to a law includes all subordinate legislation made under that law; and

(c) references to paragraph numbers are to paragraphs of these Data Processing Terms.

1. Data Processor and Data Controller

The parties agree that, for the Protected Data, you shall be the Data Controller and Superthread shall be the Data Processor.

Superthread shall process Protected Data in compliance with:

  1. the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under our agreement; and
  2. the terms of our agreement.

You shall comply with:

  1. all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of your respective rights and obligations under our agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
  2. the terms of our agreement.

You warrant, represent and undertake that all instructions given by you to Superthread in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

You shall not withhold, delay or condition your agreement to any change to our agreement, the Platform or the Services requested by Superthread in order to promote compliance with Data Protection Laws by the Services, the Platform, Superthread and any Sub-Processor.

2. Instructions and details of processing

Insofar as Superthread processes Protected Data on behalf of you, Superthread:

  1. unless required to do otherwise by applicable law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with your documented instructions as set out in this paragraph 2 and the Data Processing Details below, as updated from time to time by agreement between the parties (“Processing Instructions”);
  2. if applicable law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify you of any such requirement before processing the Protected Data (unless applicable law prohibits such information on important grounds of public interest); and
  3. shall inform you if Superthread becomes aware of a Processing Instruction that, in Superthread’s opinion, infringes Data Protection Laws, provided that this shall be without prejudice to the terms described in section 1.

The processing of Protected Data to be carried out by Superthread under our agreement shall comprise the processing set out in the Data Processing Details below, as may be updated from time to time by agreement between the parties.

3. Technical and organisational measures

Superthread shall implement and maintain, at its cost and expense, the technical and organisational measures:

  1. in relation to the processing of Protected Data by Superthread, as set out in the Data Processing Details below; and
  2. taking into account the nature of the processing, to assist you insofar as is possible in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data.

Any additional technical and organisational measures shall be at your cost and expense.

4. Using staff and other processors

You provide general written authorisation to Superthread to engage Sub-Processors to perform the Services, including Amazon Web Services. The full list of sub-processors can be found at the end of this document. You shall be given the opportunity to object to any new Sub-Processor and state your grounds for doing so. You acknowledge that Sub-Processors are essential in order for Superthread to provide the Services and that objecting to the use of a Sub-Processor may prevent Superthread from continuing to provide the Services to you. In the event that Superthread is unable to adequately address those objections, either party may terminate our agreement upon notice without liability to the other. For the avoidance of doubt, in such circumstances Superthread shall not be obliged to refund any subscription charges paid by you.

Superthread shall:

  1. appoint each Sub-Processor under a written contract substantially on the standard terms of business of that Sub-Processor, or containing materially the same obligations as under these Data Processing Terms, that is enforceable by Superthread; and
  2. remain fully liable for all the acts and omissions of each Sub-Processor which constitute a breach of these terms as if they were its own.

Superthread shall ensure that all persons authorised by it to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law).

5. Assistance with Your compliance and Data Subject rights

Superthread shall refer all Data Subject Requests it receives to you, provided that if the number of Data Subject Requests exceeds 5 per calendar month, you shall pay Superthread’s charges calculated on a time and materials basis at Superthread’s then current rates for recording and referring the Data Subject Requests in accordance with this paragraph.

From the GDPR Date, Superthread shall provide such reasonable assistance as you reasonably require (taking into account the nature of processing and the information available to Superthread) to you in ensuring compliance with your obligations under Data Protection Laws with respect to:

  1. security of processing;
  2. data protection impact assessments (as such term is defined in Data Protection Laws);
  3. prior consultation with a Supervisory Authority regarding high risk processing; and
  4. notifications to the Supervisory Authority and/or communications to Data Subjects by you in response to any Personal Data Breach,

provided you shall pay Superthread’s charges for providing the assistance described in this section, such charges to be calculated on a time and materials basis at Superthread’s then-current rates for professional services.

6. International data transfers

AWS Regions. The following applies in respect of processing by Amazon Web Services as a sub-processor of Superthread: you may specify the location(s) where User Data will be processed within the AWS Network, including the EU (Dublin) Region, the EU (Frankfurt) Region, the EU (London) Region and the EU (Paris) Region (each a “Region”). Once you have made your choice, AWS will not transfer User Data from the selected Region(s) except as necessary to provide the Services initiated by you, or as necessary to comply with the law or binding order of a governmental body. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses.

Subject to the above paragraph, you agree that Superthread may transfer Protected Data to countries outside the United Kingdom or to any International Organisation(s) (an “International Recipient”), provided all transfers by Superthread of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of our agreement shall constitute your instructions with respect to transfers in accordance with section 2.

7. Records, information and audit

Superthread shall maintain, in accordance with Data Protection Laws binding on Superthread, written records of all categories of processing activities carried out on behalf of you.

Superthread shall, in accordance with Data Protection Laws, contribute and allow for audits either by (at its option): (i) making available to you upon reasonable request interviews with Superthread personnel and documents, which you must treat confidentially under the confidentiality provisions of our agreement or under a non-disclosure agreement concluded between the Parties; or (ii) responding to a written security questionnaire submitted to it by you provided that you will not exercise this right more than once per year and will hold Superthread’s responses in confidence under the confidentiality provisions of our agreement.

8. Breach notification

In respect of any Personal Data Breach involving Protected Data, Superthread shall, without undue delay:

  1. notify you of the Personal Data Breach; and
  2. provide you with details of the Personal Data Breach.

9. Deletion or return of Protected Data and copies

Superthread shall, at your written request, either delete or return all the Protected Data to you in such form as you reasonably request within a reasonable time after the earlier of:

  1. the end of the provision of the relevant Services related to processing; or
  2. once processing by Superthread of any Protected Data is no longer required for the purpose of Superthread’s performance of its relevant obligations under our agreement,

and delete existing copies (unless storage of any data is required by applicable law and, if so, Superthread shall inform you of any such requirement).

DATA PROCESSING DETAILS

  1. Subject-matter of processing: The provision of services by Superthread to the Customer as outlined in any order and/or associated documentation.
  2. Duration of the processing: For the duration of the provision of the Services (including any retention of Personal Data comprised in the Services).
  3. Nature and purpose of the processing: To provide the Superthread issue tracking and collaboration service to you.
  4. Type of Personal Data: Any personal data comprised within User Data.
  5. Categories of Data Subjects: Authorised Users; other natural persons identifiable from any User Data.
  6. Technical and Organisational Security measures applied to the Protected Data: As set out in our security practices document, which is available on request; simply contact us at contact@superthread.com.

List of sub-processors

The name, sub-processing activity, and country of each of these sub-processors is set out below:

| Company | Purpose | Country |
| --- | --- | --- |
| Amazon Web Services, Inc. | Cloud Hosting | United Kingdom |
| GoSquared Ltd. (Also known as EcoSend) | Email Automation | United States |
| Segment.io, Inc. | Product Analytics | United States |
| Amplitude, Inc. | Product Analytics | United States |
| Functional Software Inc. (Also known as Sentry) | Error Monitoring | United States |
| PostHog, Inc. | Product Analytics | Germany |
| AC PM, LLC (Also known as Postmark) | Email Sending | United States |
| Stripe, Inc. | Billing & Payments | United States |
| Cloudflare, Inc. | Cloud Services | United States |
| Open AI, LLC | Artificial Intelligence | United States |
| HubSpot, Inc. | Sales CRM | United States |
| Zapier, Inc. | Business Automation | United States |