Data Processing Agreement

Moodup and the data controller have signed a service agreement that specifies that Moodup will both store and process personal data as a data processor on behalf of the data controller. The parties have therefore agreed to a processing agreement according to the following terms:

Information Disclosure

Moodup shall have its privacy policy publicly available and accessible during the term of the agreement. The privacy policy is hosted at moodup.com/privacy. The policy shall be accessible on the Moodup website homepage so that the employees and managers of the data controller can access information about the processing and their rights regarding it.

Data Processing

  1. Moodup may only process personal data in accordance with documented instructions from the data controller, including the provisions in the appendix accompanying these terms (Appendix I).
  2. If Moodup is legally permitted, the company shall notify the data controller immediately if Moodup is unable to fulfill its obligations under this processing agreement or if Moodup believes that instructions from the data controller violate laws or regulations regarding data protection.
  3. Moodup is responsible for the data processing as a data processor and shall ensure that such processing complies with data protection laws and regulations.
  4. The transfer of personal data outside the EEA shall be subject to prior written consent from the data controller. Moodup shall ensure that such transfer complies with the provisions of data protection laws by satisfying at least one of the following conditions: (i) transfer to a country recognized by the European Union's executive body as providing adequate protection for personal data (Adequacy Decision); (ii) if data is transferred to a country not recognized by the European Union, Moodup shall implement appropriate safeguards.

Confidentiality

Moodup shall ensure that its employees and other parties working with Moodup have the necessary authorization to process personal data and are bound by confidentiality obligations in accordance with applicable laws and regulations regarding data protection.

Security

Moodup shall implement all necessary security measures in accordance with data processing requirements as specified by laws and regulations regarding data protection. Data shall be stored encrypted, and all communications to and from Moodup's servers shall also be encrypted. Further information about the security measures implemented by Moodup is available at moodup.com/security.

Assistance

Moodup shall assist the data controller in implementing appropriate technical and organizational measures to ensure adequate security considering the risks associated with the processing, such as reporting data breaches, conducting impact assessments, seeking prior consultation from the Data Protection Authority, and responding to requests from data subjects to exercise their rights under relevant laws and regulations. Moodup is entitled to a reasonable period of preparation, and the data controller shall reimburse Moodup for the costs incurred in providing such assistance.

Transparency

Moodup shall provide the data controller with access to all necessary information to confirm compliance with its obligations under this processing agreement and data protection laws and regulations. Moodup shall also assist in audits and inspections conducted by the data controller or a third party authorized by the data controller and bound by confidentiality obligations. Moodup is entitled to a reasonable period of preparation for audits or inspections, and the data controller shall reimburse Moodup for the costs incurred in such audits or inspections.

Subprocessors

  1. Moodup is authorized to use subprocessors to fulfill its obligations under the service agreement and this processing agreement. Moodup shall notify the data controller in writing, with at least ten days' notice, if it intends to change subprocessors. The data controller has the right to object to such a change if it believes that the new subprocessor does not fulfill the obligations specified in data protection laws and regulations.
  2. Moodup is responsible for all processing carried out by subprocessors on personal data, and the same obligations regarding data protection shall apply to Moodup as specified in this agreement, laws, and other legal regulations.

Data Breach

Moodup shall promptly notify the data controller if the security or confidentiality of personal data is compromised. Moodup shall inform the data controller of the nature of the breach, its likely consequences, and the measures taken to mitigate and prevent its recurrence.

Liability

Penalties imposed by public authorities under data protection laws and regulations shall be borne by the party on whom the penalty is imposed.

Handling of Data upon Termination

  1. When the service agreement expires, Moodup shall either return all personal data to the data controller upon request or securely delete all personal data belonging to the data controller. However, responses from employees to inquiries shall always be deleted when the service agreement expires and shall never be shared with the data controller to ensure the anonymity of employees. Moodup retains employee responses while this service agreement is in effect to provide the data controller with insights into employee satisfaction and related factors over time. This is always done in an anonymous manner to prevent the data controller from tracing responses back to individual employees.

Changes to Terms

  1. Moodup reserves the right to modify these terms but shall notify the data controller at least 15 days in advance. Moodup shall notify customers of changes to the terms by email and by making the new terms accessible at moodup.com/processing-agreement.
  2. If the customer does not reject the changes to the terms within 15 days of receiving the notification by email, the customer accepts the modified terms. If the customer rejects the modified terms within the specified period, such rejection shall be deemed equivalent to termination of the agreement according to the aforementioned provisions, and the terms that were in effect between the parties with the consent of both shall apply during the notice period.
  3. These terms shall indicate the date of the last modification. These terms were last modified on March 19, 2022.

Appendix I

Further description of data processing

I.A General Description

Moodup and the data controller have entered into a service agreement where personal data about the data controller's employees is stored and processed. Moodup will process the personal data on behalf of the data controller.

I.B Purpose

The purpose of the processing is to store and allow the data controller to process personal data of employees to assess their job satisfaction and related factors. Moodup enables the data controller to work with the information securely and in compliance with the terms of laws and regulations regarding data protection.

I.C Types of Personal Data

The types of personal data processed are determined by the data controller and may vary depending on the services used by the data controller. Examples of the information processed may include national identification numbers, names, email addresses, phone numbers, gender, and employment age of the data controller's employees. Moodup also stores and processes employee responses to inquiries about job satisfaction and related factors.

I.D Data Owners

The owners of the personal data are the employees and managers of the data controller.

I.E Duration

The processing will take place during the term of the service agreement.

I.F Deletion/Return of Personal Data

When the service agreement expires, Moodup shall immediately cease processing all personal data belonging to the data controller. Moodup shall, upon the data controller's request: (i) return all personal data to the data controller; or (ii) securely delete all personal data. However, responses from employees to inquiries shall always be deleted and never returned to the data controller to ensure the anonymity of employees. Deletion or return shall take place within 30 days after the service agreement expires.

I.G Subprocessors

DigitalOcean (data is stored in the Netherlands)