1. Processing of Personal Data
1.1 Roles of the parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Subscriber is the Controller, Plecto is the Processor and that Plecto will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. In appendix B section 4.1 reference is made solely to the consent-based processing activity. Plecto’s customers may withdraw their consent at any time.
1.2 Subscriber’s Processing of Personal Data. The Subscriber shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Subscriber’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. The Subscriber shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which the Subscriber acquired the Personal Data.
1.3 Plecto’s Processing of Personal Data. Plecto shall only Process Personal Data on documented instructions from the Subscriber, unless required by EU law or the national law of the Member States to which Plecto is subject; in that case, Plecto shall notify the Subscriber of this legal requirement before Processing, unless a court of competent jurisdiction prohibits such notification for reasons of important social interests, cf. Article 28 (3) a.
1.4 Plecto’s information duty. Plecto shall immediately inform the Data Controller if the Data Controller’s instructions, in the opinion of Plecto, contravene the General Data Protection Regulation or data protection provisions contained in EU-Law or the national law of the Member States to which Plecto is subject.
1.5 Details of the Processing. The subject-matter of Processing of Personal Data by Plecto is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed are specified in Appendix B (Details of the Processing).
1.6 Free Trial customers. The customer shall also be considered the data controller in this regard. Customers who only use Plecto’s free trial period shall be subject to this data processing agreement, unless Plecto has signed the customer’s own data processing agreement. Plecto’s legal basis for processing the customer's personal data is Article 6(1)(b) of the GDPR. If the customer does not continue with a subscription following the trial period, all personal data will be deleted from Plecto’s servers within three (3) months, counted in calendar days.
2. Rights of the Data Subjects
2.1 Plecto shall, taking into account the nature of the Processing, assist the Subscriber as far as possible by appropriate technical and organizational measures with the Subscriber’s obligation to respond to requests for the exercise of the data subjects’ rights as laid down in Chapter 3 of the Data Protection Regulation.
2.2 Plecto shall assist the Subscriber in ensuring compliance with the Subscriber’s obligations pursuant to Articles 33-36 of the Data Protection Regulation, taking account of the nature of the Processing and the information available to Plecto, as referred to in Article 28 (3) f.
2.3 Should the Subscriber need the assistance of Plecto in ensuring compliance with the obligations set forth in Articles 33-36, Plecto retains the right to charge the Subscriber reasonable costs associated with the assistance, including the hours spent by Plecto personnel.
3. Plecto personnel
3.1 Plecto shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Plecto shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
3.2 Plecto shall take commercially reasonable steps to ensure the reliability of any Plecto personnel engaged in the Processing of Personal Data.
3.3 Plecto shall ensure that the access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4. Processing security
4.1 Plecto shall implement all measures required by Article 32 of the Data Protection Regulation, which shall include appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Plecto has, inter alia, implemented the following security measures:
(i) Technical measures (the list is non-exhaustive), including firewalls, antivirus software, encryption, backup solutions, logging, two-factor authentication for system access, password protection, and access control/authorization management.
(ii) Organisational measures, including an IT security policy, security awareness training, system risk assessments, physical access control in the form of a locked main entrance with individual access cards issued to all employees, and confidentiality clauses included in employment contracts.
5. Sub-processors
5.1 Plecto shall comply with the conditions referred to in Article 28 (2) and (4) of the Data Protection Regulation when engaging another Data Processor (Sub-processor).
5.2 Plecto maintains an updated list of Sub-processors in this MSA in Appendix B, section 5.
5.3 The Subscriber gives Plecto a general approval to use the Sub-processors defined in Appendix B, section 5.
5.4 Plecto shall notify its customers following the general authorization pursuant to Section 6.3 and in accordance with Article 28(2) of the Data Protection Regulation. Upon such notification, Plecto’s customers shall have one calendar month to raise any reasoned objections to the appointed new data processor(s). If no objections are received within this period, the appointment of the new data processor(s) shall be deemed accepted by the data controller(s).
5.5 The Subscriber may object to Plecto’s use of a new Sub-processor by notifying Plecto promptly in writing within ten (10) business days after receipt of Plecto’s notice in accordance with the mechanism set out in Section 5.4. In the event the Subscriber objects to a new Sub-processor, as permitted in the preceding sentence, Plecto will use reasonable efforts to make available to the Subscriber a change in the Services, or recommend a commercially reasonable change to the Subscriber’s configuration or use of the Services, to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Subscriber. If Plecto is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Subscriber may terminate the Agreement. Plecto will refund the Subscriber any prepaid fees covering the remainder of the term of the Agreement following the effective date of termination.
5.6 Plecto shall be fully liable for the acts and omissions of its Sub-processors to the same extent Plecto would be liable if performing the services of each Sub-processor itself, except as otherwise set forth in the Agreement.
6. Transfer of information to third countries or International Organizations
6.1 Plecto may process Personal Data only on documented instructions from the Subscriber, including as regards the transfer and internal use of Personal Data to third countries or International Organizations, unless required under EU law or the national law of the Member States to which Plecto is subject; in that case, Plecto shall notify the Subscriber of this legal requirement before Processing, unless a court of competent jurisdiction prohibits such notification for reasons of important social interests, cf. art. 28 (3) a.
6.2 If the list of Sub-processors in accordance with Section 5.2 contains companies located in third countries, by signing the Agreement, or in respect of an addition to the list of Sub-processors by not raising an objection to that Sub-processor in accordance with Section 5.5, the Subscriber approves Plecto’s use of these Sub-processors.
6.3 For transfers to sub-processors located in the United States, the following transfer mechanisms are applied: the EU–U.S. Data Privacy Framework, provided that Plecto’s sub-processor is certified thereunder. Where the sub-processor is not certified under the EU–U.S. Data Privacy Framework, the transfer is based on the EU Standard Contractual Clauses (SCCs).
7. Breach Notifications
7.1 Plecto maintains security incident management policies and procedures and shall notify the Subscriber without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Subscriber Data, including Personal Data, transmitted, stored or otherwise Processed by Plecto or its Sub-processors of which Plecto becomes aware (a “Customer Data Incident”).
7.2 Plecto shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps Plecto deems necessary and reasonable in order to remediate the cause of such Customer Data Incident, to the extent the remediation is within Plecto’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Subscriber or the Subscriber’s Licensees.
7.3 Plecto is obligated to provide the Subscriber with information about such breaches as described in Section 7.1 within 48 hours after Plecto becomes aware of the breach, so that the Subscriber can inform the supervisory authority within 72 hours, as required by Article 33 (1).
8. Deleting and retrieving information
8.1 The data is deleted only upon termination. Following termination, a retention period of forty-five (45) days applies, after which all data provided or transmitted by the customer to Plecto is permanently deleted.
9. Audit
9.1 Plecto shall make available to the Subscriber all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and shall allow and contribute to audits, including inspections, carried out by the Subscriber or by another auditor authorized by the Subscriber.
9.2 Plecto is obligated to comply with Article 58, acknowledging the powers of the supervisory authorities.
9.3 Any audit by the Subscriber must be announced at least 72 hours in advance and must not interfere with Plecto’s personnel or their daily working tasks.
9.4 The Subscriber shall pay all its own costs associated with the audit.
10. Legal
10.1 Plecto shall promptly inform the Subscriber if it becomes subject to any proceedings which may lead to a claim for compensation or an administrative fine under the EU Legislation or national legislation supplementing the EU GDPR. Should such proceedings be initiated, Plecto shall (a) provide the Subscriber with the details (including specific infringement allegations); (b) provide the Subscriber with such information and assistance as the Subscriber reasonably requests; and (c) not hinder or oppose the Subscriber from taking an active part in the proceedings (using its own counsel at its own cost).
Appendix B
1. Nature and Purpose of Processing
1.1 Plecto will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Subscriber in its use of the Services.
1.2 Processing is carried out on behalf of the Subscriber, who determines the legal basis.
1.3 Where the customer, acting as the data controller, signs this Data Processing Agreement prepared by Plecto, the primary legal basis for the processing is Article 6(1)(b) of the GDPR. In certain cases, specific processing activities may instead be based on other legal grounds, such as compliance with a legal obligation, consent, or Plecto’s legitimate interests.
2. Duration of Processing
2.1 Subject to Section 8 of Appendix A, Plecto will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
3. Categories of Data Subjects
3.1 Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Subscriber (who are natural persons)
- Employees or contact persons of Subscriber’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Subscriber (who are natural persons)
- Subscriber’s Licensees authorized by Subscriber to use the Services
4. Type of Personal Data
4.1 Telephone call recordings with customers, which are processed for the purpose of internal training. The legal basis for this processing is consent pursuant to Article 6(1)(a) of the GDPR. Telephone call recordings may also be processed for the purpose of handling customer complaints and disputes, including for documentation and evidentiary purposes. The legal basis for such processing is Plecto’s legitimate interests pursuant to Article 6(1)(f) of the GDPR.
4.2 Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Connection data