Data Processing Addendum

Last Updated: February 16, 2024

Because MoveData’s Terms of Service already incorporate MoveData’s Data Processing Addendum (“DPA”), you do not need to sign a separate copy. This DPA contains legal terms that apply to personal information that may be contained in Customer Content.

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service or Enterprise Agreement entered into between MoveData (“MoveData”) and you that incorporates this Addendum by reference (the “Agreement”) and governs the Processing of Personal Information by MoveData in providing its automation platform (the “Service”) pursuant to the Agreement.

1. Definitions

1.1. “Data Subject” means any individual whose Personal Information may be Processed under this Addendum.

1.2. “Data Protection Legislation” means applicable law governing the use, access to, deletion of, or Processing of Personal Information under this Addendum

1.3. “Personal Information” means personal data or personal information (as defined under the applicable Data Protection Legislation) that is subject to the Data Protection Legislation and that you authorise MoveData to collect and process on your behalf in connection with MoveData’s provision of the Service under the Agreement.

1.4. “Process” or “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.5. “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Information on behalf of the controller (as such term is defined under the GDPR).

1.6. “Security Incident” means a breach of security of the Service or MoveData’s systems used to process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information processed by MoveData. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems

1.7. “Sensitive Information” means the types of sensitive Personal Information set forth in Article 9, Section 1 of the GDPR.

1.8. “Service Provider” means an entity that receives Personal Information and is prohibited from retaining, using, selling, or disclosing such information other than in connection with providing the Service pursuant to the Agreement.

1.9. “Subprocessor List” means MoveData’s Subprocessors as identified here.

1.10. “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

1.11. “European Data” means Personal Information that is subject to the protection of European Data Protection Laws.

1.12. “European Data Protection Laws” mean (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) in respect of the United Kingdom, the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); and (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss FADP”); in each case as may be amended, superseded or replaced from time to time.

1.13. “Swiss Amendments” mean the Controller to Processor SCCs or the Processor to Processor SCCs (as applicable) with the following amendments: (a) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner, (b) “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023, (c) the term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c), (d) the Controller to Processor SCCs also protect the data of legal entities until the entry into force of the Revised FADP, and (e) the FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

1.14. “UK Addendum” means the template Addendum B.1.0 issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force from 21 March 2022, available here: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf as updated and/or replaced from time to time. For the purposes of the UK Addendum,

(a) the information required for Table 1 is contained in Schedule 1 of this DPA, and the start date shall be the commencement of the Service;

(b) in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor where MoveData is acting as your Processor and Module Three for Processor to Processor where MoveData is acting as your Subprocessor;

(c) in relation to Table 3, the list of parties and description of the transfer are as set out in Schedule 1 of this DPA, MoveData’s technical and organizational measures are set out in Schedule 2 of this DPA, and the list of MoveData’s Subprocessors is as provided in Section 8 of this DPA; and

(d) in relation to Table 4, neither party will be entitled to terminate the UK Addendum in accordance with clause 19 of Part 2 of the UK Addendum.

1.15. “U.S. Data Protection Laws” mean all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.

2. Details of the Processing

Categories of Data Subjects As set out in Schedule 1
Types of Personal Information As set out in Schedule 1
Subject-Matter and Nature of the Processing Personal Information will be subject to those processing activities which MoveData needs to perform in order to provide the Service pursuant to the Agreement.
Purpose of the Processing The provision of the Service to you
Duration of the Processing For the duration of the Agreement

 

3. Processing Requirements

3.1. MoveData will Process Personal Information solely as a Processor or Service Provider on your behalf and in accordance with the Agreement.

3.2. Notwithstanding anything to the contrary in the Agreement, MoveData shall not retain, use or disclose Personal Information other than as provided for in the Agreement or as needed to perform the Service. MoveData is hereby instructed to process Personal Information to the extent necessary to enable MoveData to provide the Service in accordance with the Agreement and this Addendum.

3.3. You will be responsible for providing or making Personal Information available to MoveData in compliance with all applicable Data Protection Legislation, including providing any necessary notices to, and obtaining and maintaining any necessary rights, consents, and authorisations from Data Subjects whose Personal Information is provided by you to MoveData for Processing pursuant to this Addendum. MoveData and You acknowledge and agree that you have not “sold” Personal Information to MoveData.

3.4. You acknowledge and agree that you, rather than MoveData, are responsible for certain configurations and design decisions for the Service and that you, and not MoveData, are responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Legislation. Without limiting the foregoing, you represent, warrant, and covenant that you shall only transfer Personal Information to MoveData using secure, reasonable, and appropriate mechanisms.

3.5. You acknowledge that the Service is not intended or designed for the Processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service. The parties agree that you provide Personal Information to MoveData as a condition precedent to MoveData’s performance of the Service and that Personal Information is not exchanged for monetary or other valuable consideration.

4. Security

MoveData shall implement and maintain throughout the term of the Addendum reasonable and appropriate technical and organisational measures designed to protect Personal Information against unauthorised or accidental access, loss, alteration, disclosure, or destruction, including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption.

5. Security Incident

If MoveData becomes aware of a Security Incident, MoveData will (a) notify you without undue delay, and not later than 48 hours after MoveData discovers the Security Incident, and (b) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within MoveData’s reasonable control. Upon your request and taking into account the nature of the applicable Processing, MoveData will assist by providing, when available, information reasonably necessary for you to meet your Security Incident notification obligations under Data Protection Laws. You acknowledge that MoveData providing notification of a Security Incident is not an acknowledgment of fault or liability.

6. Confidentiality

MoveData will ensure that its personnel authorised to process Personal Information are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

7. Data Subject Requests

You are responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information Processed by MoveData under this Addendum. If MoveData receives a request from your Data Subject in relation to the Data Subject’s Personal Information Processed under your Service account, MoveData will notify you and advise the Data Subject to submit the request to you, and you will be responsible for responding to any such request.

8. Subprocessors

In providing the Service, you agree that:

8.1. MoveData engages the organisations listed on the Subprocessor List (each a “Subprocessor”) to help process Personal Information on the Service.

8.2. MoveData will enter into a written agreement with each Subprocessor imposing data processing and protection obligations substantially the same as those set out in this Addendum.

8.3. MoveData will maintain a current list of its Subprocessors, including their functions and locations, as specified in the Subprocessor List.

8.4. MoveData may update the Subprocessor List from time to time. In the event that MoveData seeks to add any Subprocessors and update the Subprocessor List, MoveData will provide notice of such additions to you (which may be via email, a posting, or notification on an online portal for our services, or other reasonable means).

8.5. In the event that you do not wish to consent to the use of such additional Subprocessor, you may notify MoveData that you do not consent within fifteen (15) days based on reasonable data protection concerns. In such case, the parties will discuss such concerns in good faith.

8.6. If the parties are unable to reach a mutually agreeable resolution to your objection to a new Subprocessor, you, as your sole and exclusive remedy, may terminate the Order for the affected Service for convenience, and MoveData will refund any prepaid, unused fees for the terminated portion of the applicable Term.

9. Data Transfers

9.1. In connection with the performance of the Agreement, you authorise MoveData to transfer Personal Information internationally, and in particular, that Personal Information may be transferred to and processed by MoveData in Australia and other jurisdictions where MoveData and its Subprocessors have operations. Whenever Personal Information is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws.

9.2. To the extent applicable to you, you acknowledge that in connection with the performance of the Service, MoveData is a recipient of European Data in Australia. To the extent that MoveData receives European Data in Australia, MoveData will comply with the following:

9.2.1. Standard Contractual Clauses. If the Data Privacy Framework is invalidated and/or does not cover the transfer of European Data to MoveData, the applicable Standard Contractual Clauses will be incorporated by reference and form a part of this DPA as follows:

9.2.1.1. the Controller to Processor SCCs if the restricted transfer is subject to the GDPR and MoveData is acting as your processor;

9.2.1.2. the Processor to Processor SCCs if the restricted transfer is subject to the GDPR and MoveData is acting as your subprocessor;

9.2.1.3. the Swiss Amendments if the restricted transfer consists of Personal Information originating from Switzerland; and

9.2.1.4. the UK Addendum if the restricted transfer is subject to the UK GDPR.

10. Information

10.1. MoveData shall make available its privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this Addendum.

11. Return or Disposal

Promptly following termination of the Agreement and this Addendum for any reason, MoveData will destroy the Personal Information it was Processing on your behalf pursuant to MoveData’s provision of the Service unless Data Protection Legislation prevents MoveData from destroying all or part of the Personal Information.

12. Modification

Notwithstanding anything to the contrary in the Agreement, MoveData may periodically modify this Addendum as required to comply with Data Protection Legislation.


Schedule 1

LIST OF PARTIES

Data exporter(s):

Name You
Address
As detailed in the communications between us from time to time
Contact person’s name, position, and contact details As detailed in the communications between us from time to time
Activities relevant to the data transferred under these Clauses Receipt of the Service
Role (controller/processor) Controller

 

Data importer(s):

Name MoveData
Address Level 10/418A Elizabeth St, Surry Hills NSW 2010
Contact person’s name, position, and contact details James Kent
Director
legal@movedata.io
Activities relevant to the data transferred under these Clauses Provision of the Service
Role (controller/processor) Processor

 

Data importer(s):

Categories of data subjects whose personal data is transferred
Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of data subjects:
Data exporter’s employees, contractors, representatives, agents, and other individuals whom data exporter permits to use the Service, as well as Personal Information relating to the data exporter’s customers, partners, users, and vendors.
Categories of personal data transferred
Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following Personal Information:First and Last Name, Billing Address, Payment Information, IP Address, API Key, Access Token, User Identifiers, Password, Integration Configuration, API Logs, Cookies
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None, and the data exporter is prohibited from using the Service to process any such data under the terms of the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis

Nature of the processing

The performance of the Service pursuant to the Agreement.

Purpose(s) of the data transfer and further processing

The performance of the Service pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Located here

 


TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MoveData maintains administrative, physical, and technical safeguards designed for protection of the security, confidentiality, and integrity of Personal Information uploaded to the Service, as described in this Schedule.

1. Security Governance

1.1. MoveData maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to:

a. help our customers secure their data processed using MoveData Services against accidental or unlawful loss, access, or disclosure,

b. identify reasonably foreseeable and internal risks to security and unauthorised access to MoveData Services, and

c. minimise security risks, including through risk assessment and regular testing.

1.2. Security Governance covers the following core functions:

a. application security​ (secure development, security feature design, and secure development training)

b. infrastructure security​ (data centres, cloud security, and strong authentication)

c. monitoring and incident response​ (cloud native and custom)

d. vulnerability management​ (vulnerability scanning and resolution)

e. compliance and technical privacy

f. security awareness​ (onboarding training and awareness campaigns)

2. Access Control

2.1. Preventing Unauthorised Product Access

Third party data hosting and processing MoveData exclusively uses Amazon Web Services for data hosting and processing purposes and as such inherits their compliance (read more). Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with this Addendum. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed and/or stored by these vendors.
Physical and environmental security MoveData hosts product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of such providers are audited for SOC 2 Type II and ISO 27001 compliance (amongst other certifications). Additional information about physical and environmental security can be found here.
Authentication Customers who interact with MoveData Services are required to authenticate before they are able to access their non-public data. Since MoveData is installed into Salesforce it inherits Salesforce’s own Multi-Factor Authentication (read more).
Authorisation Customer Content (content transferred in and out of integrations or other MoveData Services) is stored in multi-tenant storage systems which are only accessible to Customers via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorisation model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customisation options. Authorisation to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access Public product APIs may be accessed using an API key or through OAuth authorisation. Authorisation credentials are stored encrypted.

 

2.2. Preventing Unauthorised Product Use

We implement industry-standard access controls and detection capabilities for the internal networks that support our products.

Access controls Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis Automated security reviews of code stored in our source code repositories, performed through static code analysis, checking for coding best practices and identifiable software vulnerabilities.
Security testing The MoveData application and APIs are certified by Salesforce for the Salesforce AppExchange. To achieve this, MoveData has passed an exhaustive suite of tests including static code analysis and penetration testing. We are reviewed periodically by the Salesforce Security Review team in order to remain compliant (read more).

 

2.3. Limitations of Privilege & Authorisation Requirements

Product access A subset of our personnel have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect, and respond to security incidents, and implement data security.
Personnel Security MoveData personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. MoveData conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local law and regulations.

 

3. Encryption Technologies

In-transit We make HTTPS encryption (also referred to as SSL or TLS) available on all our login interfaces and for free on every customer site hosted on the MoveData products. Our HTTPS implementation uses industry-standard algorithms and certificates in combination with additional to application-specific controls.
At-rest We store user passwords following policies that follow industry standard practices for security. We have implemented hardware-based cryptographic technologies to ensure that stored data is encrypted at rest.

 

4. Input Controls

Detection We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and/or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimise product and customer damage or unauthorised disclosure. Notifications will be in accordance with the terms of the Agreement.

 

5. Data Deletion and Portability

Please see Data Retention and Deletion

6. Availability Controls

Our products are designed to ensure redundancy and seamless failover. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

Redundancy The infrastructure providers use designs to eliminate single points of failure and minimise the impact of anticipated environmental risks. MoveData’s product is designed to allow the company to perform certain types of preventative and corrective maintenance without interruption.
Business Continuity MoveData has designed and regularly plans and tests its business continuity planning/disaster recovery programs.