This Data Processing Addendum ("DPA") forms part of the agreement between Heapform and the customer for the provision of services. It applies when Heapform processes personal data on behalf of the customer in connection with the services.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (including GDPR). "Processing" means any operation performed on Personal Data. "Sub-processor" means any third party engaged by Heapform that processes Personal Data on behalf of the customer.
2. Scope and Instructions
Heapform will process Personal Data only on the customer's documented instructions and in accordance with this DPA. The customer is the data controller; Heapform is the data processor.
3. Security
Heapform will implement appropriate technical and organizational measures to protect Personal Data from unauthorized access, loss, alteration, or disclosure. Personnel authorized to process Personal Data are bound by confidentiality obligations.
4. Sub-processors
Heapform may engage sub-processors. Sub-processors are subject to data protection obligations consistent with this DPA. A list is available at /legal/subprocessors. Heapform remains liable for sub-processor actions.
5. Data Subject Rights
Heapform will assist the customer in responding to requests from data subjects exercising their rights under applicable data protection laws (e.g., access, rectification, erasure, data portability, objection).
6. Breach Notification
In the event of a Personal Data breach, Heapform will notify the customer without undue delay after becoming aware of the breach and provide sufficient information to assist the customer in meeting its notification obligations.
7. Data Transfers
Where Personal Data is transferred outside the EEA or similar jurisdictions, Heapform will ensure adequate safeguards (e.g., standard contractual clauses) are in place.
8. Deletion Upon Termination
Upon termination, Heapform will, at the customer's choice, return or delete all Personal Data processed on behalf of the customer, unless required by law to retain it.
9. Audits
The customer has the right to audit Heapform's compliance with this DPA, subject to reasonable notice and confidentiality obligations.
10. Contact
For questions about this DPA, contact us at privacy@heapform.com.