Data Processing Addendum
This Data Processing Addendum ("DPA") constitutes an integral component of the agreement ("Agreement") between you, the Customer (referred to as "you", "your", or "Customer"), and StarBrix International Ltd ("Starbrix," "Starbrix.app," "us," "we," or "our"), governing the utilization of Starbrix's services. It is incorporated by reference into Starbrix's Terms of Service and Privacy Policy. This DPA delineates the terms governing the Processing of Personal Data by Starbrix solely on behalf of the Customer. The term "Parties" collectively refers to both you and Starbrix, with each being referred to as a "Party." Any capitalized terms not defined in this DPA shall carry the meanings ascribed to them in the Terms of Service. By availing yourself of the Services, the Customer acknowledges and accepts the terms set forth in this DPA. By doing so, you affirm that you possess the full authority to legally bind the Customer to this DPA. If you lack the authority to bind the Customer or any other entity, or if you cannot or do not agree to comply with and be bound by this DPA, please refrain from providing Personal Data to us. In the event of any conflict between specific provisions of this DPA and those of the Terms of Service, the provisions of this DPA shall take precedence over conflicting provisions of the Terms of Service, solely concerning the Processing of Personal Data.
1. Definitions
Affiliate: Refers to any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. For the purpose of this definition, “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Authorized Affiliate: Denotes any of Customer's Affiliates explicitly permitted to use the Services as per the Agreement between Customer and Starbrix but has not signed its own Agreement with Starbrix and does not fall under the definition of “Customer” as outlined in the Agreement.
CCPA: Abbreviation for the California Consumer Privacy Act of 2018, along with its implementing regulations, subject to amendments from time to time.
The terms Controller, Member State, Processor, Processing, and Supervisory Authority shall hold the same meaning as defined in the GDPR. Similarly, the terms Business, Business Purpose, Consumer, and Service Provider shall retain the same meaning as outlined in the CCPA. For clarity within this DPA, “Controller” shall also encompass “Business,” and “Processor” shall also include “Service Provider,” to the extent that the CCPA applies. Likewise, Processor’s Sub-processor shall refer to the concept of Service Provider.
Data Protection Laws: Encompass all applicable and binding privacy and data protection laws and regulations, including those of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada and the United States of America. This includes the GDPR, the UK GDPR, and the CCPA, applicable to, and in effect at the time of, the Processing of Personal Data under this agreement.
Data Subject: Refers to the individual to whom Personal Data pertains.
GDPR: Abbreviation for the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the Processing of Personal Data and on the free movement of such data.
Personal Data or Personal Information: Encompasses any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer. This data is processed by Starbrix solely on behalf of Customer under this DPA and the Agreement.
Services: Denotes the Starbrix cloud-based services, including platforms, products, services, applications, application programming interface (“API”), tools, and any ancillary or supplementary Starbrix products and services (including Upgrades as defined in the Agreement), offered online and via mobile application (“Platform”), and any other services provided to Customer by Starbrix under the Agreement.
Security Documentation: Refers to the security documentation, updated periodically, detailing the technical and organizational measures adopted by Starbrix applicable to the Processing of Personal Data under the Agreement and this DPA. This documentation is accessible via www.starbrix.app/security or as otherwise made reasonably available to Customer by Starbrix.
Sensitive Data: Indicates Personal Data protected under special legislation requiring unique treatment, such as “special categories of data,” “sensitive data,” or similar terms under applicable Data Protection Laws. This may include, but is not limited to:
- Social security number, tax file number, passport number, driver’s license number, or similar identifiers;
- Financial or credit information, credit or debit card number;
- Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life, or sexual orientation, or data relating to criminal convictions and offenses;
- Personal Data relating to children; and/or
- Account passwords in unhashed form.
Standard Contractual Clauses: Refers to:
- In respect of transfers of Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors, and between processors and processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- In respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (“IDTA”); and
- In respect of transfers subject to the Federal Act on Data Protection (as revised as of 25 September 2020), the terms set forth in Annex IV of the EU SCCs (“Switzerland Addendum”).
Sub-processor: Denotes any third party carrying out specific Processing activities of Personal Data under the instruction of Starbrix.
UK GDPR: Refers to the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland. This includes amendments by the Data Protection, Privacy and Electronic Communications Amendments etc. (EU Exit) Regulations 2019 (SI 2019/419).
2. Processing of Personal Data
Roles of the Parties: The Parties acknowledge and agree that concerning the Processing of Personal Data solely by Starbrix on behalf of Customer:
- Customer serves as the Controller of Personal Data, and
- Starbrix acts as the Processor of such Personal Data.
The terms “Controller” and “Processor” below represent Customer and Starbrix, respectively.
Customer’s Obligations: Customer, in utilizing the Services, and in providing instructions to the Processor, shall adhere to Data Protection Laws, the Agreement, and this DPA. Customer shall establish and maintain all necessary legal bases to collect, Process, and transfer Personal Data to the Processor. This includes authorizing the Processing activities conducted by the Processor on Customer’s behalf in accordance with the Agreement and this DPA, including the pursuit of a Business Purpose.
Processor’s Processing of Personal Data: The Processor shall Process Personal Data for the following purposes:
- in accordance with the Agreement and this DPA;
- in connection with its provision of the Services;
- to comply with Customer’s reasonable and documented instructions, consistent with the terms of the Agreement and this DPA;
- to share or receive Personal Data from third parties as per Customer’s instructions and/or pursuant to Customer’s use of the Services;
- to render Personal Data into Anonymous Information; and
- as required by applicable laws or competent authorities, provided Processor informs Customer promptly unless legally prohibited.
Processor shall promptly notify Customer if, in Processor’s reasonable opinion, an instruction by Customer for Personal Data Processing infringes Data Protection Laws, unless prohibited by such laws. Processor is not obligated to assess whether Customer's instructions breach any Data Protection Laws.
Details of Processing: The subject-matter of Processing Personal Data by Processor is the performance of Services pursuant to the Agreement and this DPA.
Sensitive Data: The Parties agree that the Services are not intended for Processing Sensitive Data. If Customer intends to Process Sensitive Data using the Services, it must first obtain explicit prior written consent from Starbrix and fulfill any additional requirements.
CCPA Standard of Care; No Sale or Sharing of Personal Information: Processor acknowledges that it does not receive or process Personal Information as consideration for services provided under the Agreement or this DPA. Processor confirms its understanding of the CCPA rules and agrees not to sell or share any Personal Information Processed hereunder without Customer’s consent or instruction. Processor shall process Personal Information only for the specified purposes and in compliance with the applicable CCPA sections, refraining from any unauthorized use or combination of Personal Information. Processor shall notify Customer if it determines that it can no longer meet its CCPA obligations.
3. Data Subject Requests
If the Processor receives a Data Subject Request from a Data Subject or Consumer to exercise their rights (to the extent available to them under applicable Data Protection Laws), including but not limited to access, rectification, restriction of Processing, erasure, data portability, objection to Processing, opting out of the sale of Personal Information, or not being subject to automated individual decision making, and not being discriminated against (“Data Subject Request”), the Processor shall promptly notify the Customer or direct the Data Subject or Consumer to the Customer.
Considering the nature of the Processing, the Processor shall assist the Customer, to the extent feasible and reasonable, in facilitating a response to a Data Subject Request. The Processor may direct Data Subjects or Consumers to the Customer’s Organization Account Owner for handling such requests or provide guidance on utilizing the self-exercising features available within the Starbrix.app.
4. Confidentiality
The Processor shall ensure that all its personnel and contractors involved in the Processing of Personal Data are bound by confidentiality agreements or are otherwise subject to statutory confidentiality obligations.
5. Sub-processors
Appointment of Sub-processors:
Customer acknowledges and agrees that:
- Processor's Affiliates may serve as Sub-processors; and
- Processor and its Affiliates may engage third-party Sub-processors in connection with the provision of the Services.
As of the Effective Date, Customer grants Processor general written authorization to engage the Sub-processors, listed on the Sub-processor's Page available at www.starbrix.app/legal/sub-processors ("Sub-processor's Page"), which are currently utilized by Processor for processing Personal Data.
The Sub-processor's Page provides a subscription mechanism for notifications regarding the engagement of new Sub-processors or the replacement of existing ones ("Sub-processor Notice"). Customer acknowledges and agrees to subscribe to this mechanism upon entering into this DPA. Notifications sent through this mechanism fulfill Processor's obligation to inform Customer of new or replacement Sub-processors.
Objection to Sub-processors:
Upon publication of a new Sub-processor Notice, Customer may reasonably object to Processor's use of a new or replacement Sub-processor for reasons concerning the protection of Personal Data intended to be Processed by such Sub-processor. Customer must promptly submit objections in writing to [email protected] within seven (7) days following publication. If no objection is raised within this period, Customer is deemed to have accepted the new Sub-processor. If Customer objects, Processor will make reasonable efforts to provide alternative solutions to avoid Processing by the objected-to Sub-processor. If unable to provide a satisfactory resolution within thirty (30) days, Customer may terminate the Agreement and this DPA with respect to affected Services by providing written notice to Processor. Any outstanding amounts under the Agreement prior to termination shall be paid to Processor. During the objection process, Processor may temporarily halt Processing of affected Personal Data and/or suspend access to Services. Customer shall have no further claims against Processor arising from termination under this paragraph.
Agreements with Sub-processors:
Processor or its Affiliate has executed written agreements with existing Sub-processors and shall do the same for new Sub-processors. These agreements contain data protection obligations similar to those outlined in this DPA, particularly regarding the implementation of appropriate technical and organizational measures to meet GDPR requirements. If a Sub-processor fails to fulfill its data protection obligations, Processor remains accountable to Customer for the Sub-processor's performance.
6. Security And Audits
Controls for the Protection of Personal Data:
Processor shall maintain industry-standard technical and organizational measures to safeguard Personal Data processed under this agreement. These measures include protection against unauthorized or unlawful Processing, accidental destruction, loss, alteration, or damage, as well as unauthorized access to or disclosure of Personal Data, ensuring the confidentiality and integrity of Personal Data. Upon Customer’s reasonable request and at Customer’s expense, Processor will assist Customer in ensuring compliance with GDPR, considering the nature of the Processing and available information.
Audits and Inspections:
Upon Customer’s written request with 14 days' notice, at reasonable intervals (but not exceeding once every 12 months), and subject to strict confidentiality agreements, Processor shall provide Customer (provided Customer is not a competitor of Processor) or Customer’s independent third-party auditor with the information necessary to demonstrate compliance with this DPA. Processor may fulfill this obligation through questionnaire-based audits, or by providing attestations, certifications, or summaries of audit reports from accredited third-party auditors. Information obtained from audits shall be used solely by Customer to assess Processor’s compliance and shall not be disclosed to third parties without Processor’s consent. Customer shall transfer all relevant records to Processor upon request.
Conduct of Audits:
Customer and its auditors shall minimize any disruption to Processor’s operations, premises, equipment, personnel, and business during audits or inspections.
Limitation of Audit Rights:
The audit rights provided herein shall apply only if the Agreement does not grant Customer audit rights meeting Data Protection Laws requirements. If Standard Contractual Clauses apply, this section does not alter or modify them nor affect Supervisory Authority or Data Subject rights under them.
7. Data Incident Management And Notification
Incident Response:
Processor maintains internal security incident management policies and procedures. In compliance with applicable Data Protection Laws, Processor shall promptly notify Customer upon becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data Processed by Processor on behalf of the Customer (“Data Incident”). Processor shall endeavor to identify and take necessary and reasonable steps to remediate and/or mitigate the cause of such Data Incident within Processor’s reasonable control. These obligations do not apply to Data Incidents caused by Customer, its Users, or anyone using the Services on Customer’s behalf.
Communication and Disclosure:
Customer agrees not to disclose, release, or publish any findings, admission of liability, communication, notice, press release, or report regarding any Data Incident that directly or indirectly identifies Processor without prior written approval from Processor. This includes legal proceedings, notifications to regulatory or supervisory authorities, or affected individuals, unless compelled to do so by applicable Data Protection Laws. In such cases, Customer shall provide Processor with reasonable prior written notice to allow Processor to object to such disclosure. If disclosure is mandated by law, Customer shall limit the scope of disclosure to the minimum extent required.
8. Return and Deletion of Personal Data
Upon termination of the Agreement and discontinuation of the Services, Processor shall, at the Customer’s discretion (as indicated through the Platform or in written notification to Processor), either delete or return to the Customer all Personal Data Processed on behalf of the Customer, as outlined in the Agreement. This action shall be taken upon Customer's notice. However, Processor may be required or permitted by applicable laws to retain certain Personal Data.
9. Cross-border Data Transfers
9.1 Transfers to Countries with Adequate Data Protection:
Personal Data may be transferred from EU Member States, Norway, Iceland, Liechtenstein (collectively, “EEA”), Switzerland, and the United Kingdom (“UK”) to countries with an adequate level of data protection, as determined by Adequacy Decisions issued by relevant authorities. This includes mechanisms and frameworks similarly approved by the EEA, Switzerland, and/or the UK, without requiring additional safeguards. Notably, this encompasses the European Commission’s adequacy decision of 10 July 2023, establishing the EU-US Data Privacy Framework.
9.2 Direct Transfers from EEA, Switzerland, and UK:
If Processor directly transfers Personal Data from the EEA, Switzerland, or the UK to countries lacking Adequacy Decisions, and alternative compliance mechanisms are not utilized, the following terms apply:
- For transfers from the EEA: EU Standard Contractual Clauses (SCCs) shall apply.
- For transfers from the UK: UK Addendum terms shall apply.
- For transfers from Switzerland: Switzerland Addendum terms shall apply.
Additional safeguards outlined in Annex V of the EU SCCs apply to these transfers.
Onward Transfers from EEA, Switzerland, and UK:
When Processor transfers Personal Data from the EEA, UK, or Switzerland to authorized Sub-processors in countries lacking Adequacy Decisions, the appropriate compliance mechanisms shall be employed. This includes EU SCCs, the International Data Transfer Addendum, and/or SCCs adjusted per the Swiss Federal Data Protection and Information Commissioner’s guidance.
9.3 Transfers from Other Jurisdictions:
If Processor receives Personal Data from jurisdictions requiring specific compliance mechanisms for lawful transfer, Customer shall notify Processor. The Parties may then amend this DPA accordingly.
10. Authorized Affiliates
Contractual Relationship: By executing this DPA, Customer acknowledges that it enters into the agreement not only on its own behalf but also, where applicable, on behalf of its Authorized Affiliates. In doing so, each Authorized Affiliate agrees to adhere to the obligations outlined in this DPA. If Processor processes Personal Data on behalf of these Authorized Affiliates, they are deemed Controllers of such data. Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA. Any violation of these terms by an Authorized Affiliate is considered a violation by the Customer.
Communication: Customer retains responsibility for coordinating all communication with Processor as outlined in the Agreement and this DPA. Customer is authorized to engage in all communications relating to this DPA on behalf of its Authorized Affiliates.
11. Other provisions
Data Protection Impact Assessment and Prior Consultation: Upon Customer’s reasonable request, Processor shall provide Customer with reasonable cooperation and assistance, at Customer’s expense, to fulfill Customer’s obligations under the GDPR or the UK GDPR regarding data protection impact assessments related to Customer’s use of the Services. Processor shall offer assistance to the extent that Customer does not have access to the relevant information and it is available to Processor. Additionally, Processor shall, at Customer’s expense, provide reasonable assistance to Customer in cooperating or consulting with the Supervisory Authority as required under the GDPR or the UK GDPR.
Modifications: Either Party may request variations to this DPA with at least forty-five (45) calendar days' prior written notice if necessitated by changes in applicable Data Protection Laws to ensure compliance. The Parties shall endeavor to accommodate such modifications and negotiate in good faith to address the requirements of the law promptly. Processor reserves the right to amend this DPA without notice for non-material changes. However, if any material adverse changes are made affecting Customer’s rights or Processor’s obligations, Processor will notify Customer via the site, Platform, and/or email.