Table of Contents
Data Processing Agreement
This document was last updated on October 24, 2023.
This Data Processing Agreement (the “DPA”) forms an integral part of the Contract concluded between CoderPad France, SA (the “Service Provider”) and You (the “Client”), the purpose of which is to define the conditions applicable to the Services. The DPA and the other documents of the Contract are complementary and mutually explanatory. However, in case of contradiction, the priority rules are defined in the Customer Agreement.
The purpose of this DPA concluded between the Service Provider and the Client in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”), is to define the conditions under which, CoderPad, the Service Provider, as a subcontractor and as part of the Services defined in the Contract, processes, on instructions from You, the Client, Personal Data as defined in Article 4(1) of the GDPR (“Personal Data”).
The processing of Personal Data by the Service Provider as data controller does not fall within the scope of this DPA. The processing operations for which the Service Provider is the data controller are described in the Site’s privacy policy at: https://coderpad.io/privacy/
For the purposes of this DPA, the Service Provider acts as “Subcontractor” and the Client is deemed to act as “Data Controller”. The terms “Subcontractor” and “Data Controller” have the meanings given to them within the GDPR (respectively Article 4 (8) and Article 4 (7) of the GDPR).
If the Client acts as Subcontractor on behalf of a third party responsible for the processing, the Parties expressly agree that the following conditions apply:
(a) The Client has previously ensured that all necessary authorizations to conclude this DPA, including the appointment by the Client of the Service Provider as a subsequent subcontractor, have been obtained from the controller;
(b) a contract, which is in full compliance with the terms and conditions of the Contract (including this DPA), has been concluded with the third-party controller in accordance with Article 28 of the GDPR;
(c) The Client complies with all the provisions of the GDPR.
1. Compliance with applicable regulations on the protection of personal data
Each Party undertakes to comply with all obligations resulting from the application of any applicable regulations relating to the protection of Personal Data, in particular the provisions of the GDPR.
To this end, they acknowledge that they are subject to an obligation of enhanced cooperation throughout the term of the Contract and therefore undertake to provide each other without delay with any information, intelligence, document or file that enables them to maintain or demonstrate their compliance with the GDPR and to immediately inform each other of any failure or risk of failure to comply with the regulations.
2. Rights and obligations of the Service Provider and the Client
As part of the Contract, the Service Provider undertakes to process the Data only for the purposes of the processing mentioned in Appendix 1, which are outsourced to it.
As such, the Service Provider shall refrain from any use of this Data for its own benefit or for the benefit of third parties, with the exception of processing related to the follow-up of the commercial relationship with the Client for which the Service Provider is responsible for processing (see Privacy Policy).
In addition, the Service Provider undertakes to process Personal Data only on the basis of and in accordance with the Client’s documented instructions.
In the event that European and/or French law conflicts with the Client’s instructions or does not allow the Service Provider to process Personal Data in accordance with such instructions, the Service Provider must inform the Client as soon as possible before processing. In such a case, the Parties undertake to meet in order to find the most appropriate amicable solution with regard to the Contract and the rights and freedoms of the person concerned.
In addition, the Service Provider undertakes to respect the Client, by its employees authorized to process Personal Data, the strictest confidentiality regarding the Personal Data processed pursuant to this Contract and all the information contained in Appendix 1. All this information is considered confidential information. The Service Provider guarantees to the Client that it has implemented and maintains all necessary measures to preserve and ensure that its employees respect the confidentiality of Personal Data.
Thus, the Service Provider must only make the Personal Data accessible and consultable to the Service Provider’s employees duly authorized, by virtue of their duties and qualities, to process the Personal Data within the strict limits of what is necessary for them to perform their duties.
The Service Provider declares that it keeps a written record of all categories of processing activities carried out on behalf of the Client.
The Service Provider’s Data Protection Officer, on the date of signature of the Contract, is identified in Appendix 4 of this DPA. In the event of a change, the Service Provider undertakes to inform the Client as soon as possible and to provide him with the new identity and contact details of the Data Protection Officer.
For its part, the Client undertakes to:
- Transmit to the Service Provider any information or document it may need to fulfill its obligations under this paragraph;
- Inform the Service Provider of any request, audit or control initiated by a supervisory authority that would directly concern or involve the Service Provider in its capacity as subcontractor.
3. Description of the processing of personal data
Appendix 1 of the DPA defines:
- The purpose, nature and purpose of each of the processing of Personal Data that the Service Provider carries out on behalf of the Client under the Contract;
- The categories of Personal Data processed;
- The categories of data subjects within the meaning of Article 4 (1) of the Regulation by the said processing operations;
- The period of storage of personal data;
- The places of processing of Personal Data located outside the European Economic Area.
4. Client’s right to audit and impact analysis
For the purpose of monitoring the compliance of the Parties to the GDPR, the Client has an audit right, which he may exercise subject to fifteen (15) working days’ notice. In this respect, the Client shall appoint, at its own expense, an independent auditor who is not a competitor of the Service Provider on the SaaS market, who shall be validated by the Service Provider and who shall sign a confidentiality agreement.
This specific audit on the protection of Personal Data by the Service Provider will focus on compliance with the GDPR and this DPA. The audit may not cover the Service Provider’s financial, accounting and commercial data.
The audit will be conducted remotely and during the Service Provider’s working hours.
During this audit, the Service Provider undertakes to cooperate in good faith with the auditor and shall (i) provide the auditor with all documentation to establish compliance with the GDPR and this DPA and (ii) answer all questions.
A copy of the audit report prepared by the auditor shall be provided to each Party.
In the event that the audit report reveals one or more breaches by the Service Provider of the GDPR or this DPA, the Parties agree to meet as soon as possible to establish an action plan to remedy the identified breach(s).
In addition, at the Client’s express request, the Service Provider undertakes to provide all necessary assistance in the event that the Client carries out, during the term of the Contract, an impact analysis in relation to the Personal Data processed by the Service Provider.
5. Notification of violations of Personal Data
If the Service Provider becomes aware of an incident affecting the Personal Data of the Data Controller (unauthorized access or disclosure, loss, destruction or alteration of Data, of accidental or unlawful origin), the Service Provider shall inform the Client as soon as possible, and in any event no later than forty-eight (48) hours after the Service Provider becomes aware of such an event, specifying whether the violation in question is likely to create a risk for the rights and freedoms of the persons concerned.
This notification shall be accompanied by all relevant documentation in order to enable the Client, if necessary, to notify the competent authority of this violation.
At a minimum, the notification must (i) describe the nature of the incident, and if possible, the number of persons involved (ii) describe the likely consequences of the incident, (iii) describe the measures taken or proposed by the Service Provider in response to the incident and (iv) specify who is the Service Provider’s preferred contact person for the incident.
In general, it is the Client’s responsibility to communicate directly to the data subject the violation of Personal Data, when it is likely to create a high risk to the rights and freedoms of a Data Subject, unless otherwise agreed in writing by the Parties.
6. Subcontractors
The Service Provider informs the Client that, on the date of the last update of this DPA, it uses the subcontractors identified in Appendix 2 of this DPA, which the Client accepts.
The Service Provider declares that, on the date of the last update of this DPA, it has signed contracts with each of these subcontractors for the processing of Personal Data. The Service Provider undertakes to maintain these contracts in force throughout the term of the Contract.
The Service Provider guarantees to the Client that it has verified that these subcontractors provide sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing operations identified in Appendix 1 meet the requirements of the GDPR.
In addition, the Service Provider undertakes to inform the Client and obtain the Client agreement in the event of any planned change concerning the addition or replacement of any subcontractor. Notification of the change will be made by e-mail to the Client’s address provided for this purpose and listed in Appendix 4 of this Appendix. In the event of the Client’s disagreement with such a change, the Parties shall meet and discuss in good faith with a view to resolving the disagreement.
In the event of non-response from the Client within ten (10) working days, the change is considered as automatically accepted by the Client.
In addition, before any subcontracting operation, the Service Provider undertakes to sign a contract with its subcontractor in accordance with Article 28(4) of the GDPR, which shall transfer to the latter, mutatis mutandis, the obligations provided for in this paragraph, in particular as regards providing sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing operation meets the requirements of the applicable regulations.
7. Security of Personal Data
The Service Provider declares that it has put in place and maintains in force and up to date, throughout the duration of the Contract, and until the destruction of the Personal Data identified in Appendix 1, all appropriate security measures to ensure the security of the Data in order to protect them from any destruction, loss, alteration, disclosure and unauthorized access, whether such acts are of accidental or illegal origin.
The security measures identified at the date of the last update of this DPA are listed in Appendix 3 of this DPA.
The Parties shall notify each other, throughout the term of the Contract, of any necessary updates or modifications to the said security measures, in particular in order to respond to any new threat or any change in the state of the art or regulations.
8. Data subjects’ right to information
It is the Client’s responsibility to provide the persons concerned by the processing operations at the time of data collection with the information listed in Articles 13 and 14 of the GDPR.
The Service Provider will assist the Client in fulfilling its obligation to comply with requests to exercise the rights of the Persons concerned, whether it concerns the right of access, rectification, deletion and opposition, the right to limit processing, the right to the portability of the Data or the right not to be the subject of an automated individual decision (including profiling), by providing it with any necessary information, intelligence, document or file.
If the persons concerned make requests to the Service Provider to exercise their rights, the Service Provider must send these requests as soon as it receives them by email to the Client contact referred to in Appendix 4.
9. Personal data at the end of the Contract
At the end of the Contract, account deletion can be requested by the Client via email at [email protected].
If requested with account deletion, all Personal Data attached to the account will be deleted within 30 Days.
The Service Provider also undertakes to destroy all Personal Data upon written instructions from the Client. These instructions may be given at any time after the end of the Contract, up to a maximum of one (1) year.
The destruction shall be carried out by the Service Provider within 30 days from the date of receipt of the instructions, with the exception of:
- security logs that will be deleted within a maximum period 1 year after receipt of instructions;
- database backups that will be deleted within a maximum period of one (1) month after receipt of instructions.
In the event that the Service Provider has not received instructions from the Client three years after the end of the Contract, the Service Provider shall destroy the Personal Data, unless otherwise agreed by the Parties.
In any event, and unless otherwise provided by European or French law, the Service Provider undertakes not to keep any copy of the Personal Data and to provide the Client with a written certificate of destruction of the said copies.
APPENDIX 1: IDENTIFICATION OF PROCESSING OPERATIONS OF PERSONAL DATA
- Purpose of the processing operation (and legal basis):
Benefit from the Services: evaluate Candidates’ skills (Contract performance)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Level of competence of the persons concerned (score, rank)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
Customer
Data retention period:
Maximum 3 years: see chapter 10
Data processing and storage location:
AWS, USA
AWS, Ireland
GCP, USA
Heroku, USA
- Purpose of the processing operation (and legal basis):
Security & fraud detection (execution of the Contract)
Categories of Personal Data Processed:
Connection information (IP, Geoloc)
Browsing logs (IP, URL)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
CoderPad support team, Customer
Data retention period:
Maximum 3 years: see chapter 10
Data processing and storage location:
AWS, Ireland
AWS, USA
GCP, USA
Heroku, USA
All AWS stored Personal Data are subject to daily backups. These backups are destroyed after one (1) month from their creation.
- Purpose of the processing operation (and legal basis):
Enhance product quality / bring support to users (legitimate interest)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Connection information (IP, Geoloc)
Browsing logs (IP, URL)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
CoderPad support & dev team
Data retention period:
2 Weeks
Data processing and storage location:
Datadog, USA
- Purpose of the processing operation (and legal basis):
Enhance product quality / bring support to users (legitimate interest)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Connection information (IP, Geoloc)
Browsing logs (IP, URL)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
CoderPad support & dev team
Data retention period:
Product analytics retention: 12 months
Session replay retention: 1 month
Data processing and storage location:
FullStory, USA
- Purpose of the processing operation (and legal basis):
Enhance product quality / bring support to users (legitimate interest) – only if contacting support via [email protected]
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Connection information (IP)
Categories of data subjects:
Candidates (as entered on support form or communicated by candidate or customer)
Categories of recipients of the Data:
CoderPad support & dev team
Data retention period:
Maximum 3 years after end of contract : see chapter 10
Data processing and storage location:
Hubspot, Germany
- Purpose of the processing operation (and legal basis):
Enhance product quality : Analytics (legitimate interest)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Connection information (IP, Geoloc)
Browsing logs (IP, URL)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
CoderPad support & marketing team
Data retention period:
Maximum 3 years after end of contract : see chapter 10
Data processing and storage location:
Google Cloud Platform (Looker), USA
- Purpose of the processing operation (and legal basis):
Benefit from the Services: transactional emails (Contract performance)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
Customer
Data retention period:
30 Days
Data processing and storage location:
Mailgun Technologies, Inc., USA
- Purpose of the processing operation (and legal basis):
Enhance product quality (legitimate interest)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Connection information (IP)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
CoderPad support & dev team
Data retention period:
90 Days
Data processing and storage location:
Sentry, USA
- Purpose of the processing operation (and legal basis):
Enhance product quality : Data transfer (legitimate interest)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Connection information (IP)
Categories of data subjects:
Candidates (as entered by the Client)
Categories of recipients of the Data:
CoderPad support & marketing team
Data retention period:
As necessary for data transfer (max 7 days)
Data processing and storage location:
Stitch, USA
- Purpose of the processing operation (and legal basis):
Rewarding elected customers / candidates taking part of product research only (Consent)
Categories of Personal Data Processed:
Identity of the persons concerned (email, name)
Categories of data subjects:
Candidates (as communicated by the candidate)
Categories of recipients of the Data:
CoderPad support & marketing team
Data retention period:
10 years (“money” transaction)
Data processing and storage location:
Tremendous, USA
- Purpose of the processing operation (and legal basis):
Benefit from the Services: evaluate Candidates’ skills (Contract performance)
Categories of Personal Data Processed:
Video Streams
Categories of data subjects:
Candidates (as appearing on video)
Categories of recipients of the Data:
Customer
Data retention period:
No Storage
Data processing and storage location:
Twilio, USA
- Purpose of the processing operation (and legal basis):
Enhance product quality – product research (Consent)
Categories of Personal Data Processed:
Identity of the persons concerned (email)
Categories of data subjects:
Candidates (as communicated by the candidate)
Categories of recipients of the Data:
CoderPad support & marketing team
Data retention period:
Maximum 3 years: see chapter 10
Data processing and storage location:
TypeForm, USA
APPENDIX 2: LIST OF APPROVED SUBCONTRACTORS
Specific subcontractors for Accounts using the “United States” storage and processing site only**
Subprocessor | Processing Country | Purpose of Processing | Duration of Processing |
Amazon Web Services | USA* | Public cloud hosting services | Ongoing |
Amazon Data Services Ireland Ltd | Ireland | Public cloud hosting services | Ongoing |
Datadog | USA* | Analytics and instrumentation services | Ongoing |
FullStory | USA* | Enabling support during service term | Ongoing |
Google Cloud Platform | USA* | Public cloud hosting services Analytics | Ongoing |
Heroku | USA* | Public cloud hosting services | Ongoing |
Hubspot | Germany | Supporting business operations | Ongoing |
Mailgun Technologies | USA* | Transactional emails | Ongoing |
Sentry | USA* | Enabling support during service term | Ongoing |
Stitch | USA* | Data Transfer | Ongoing |
Tremendous | USA* | Research Rewarding | Ongoing |
Twilio | USA* | Providing video functionality in services | Ongoing |
Typeform | USA* | Supporting business operations | Ongoing |
* Data transfers from EU to the USA is is made under the EU Standard Contractual Clauses (SCC)
** Regardless of your geographical location, if you are using the CoderPad Interview product, you are using the United States storage and processing site for data unique to the Interview product.
Specific subcontractors for Accounts using the “Europe” storage and processing site only**
Subprocessor | Processing Country | Purpose of Processing | Duration of Processing |
Amazon Data Services Ireland Ltd | Ireland | Public cloud hosting services | Ongoing |
Datadog | USA* | Analytics and instrumentation services | Ongoing |
Hubspot | Germany | Supporting business operations | Ongoing |
Google Cloud Platform | Belgium or Netherlands | Data Visualization | Ongoing |
Stitch | USA* | Data pipeline | Ongoing |
Tremendous | USA* | User Rewarding | Ongoing |
Twilio, Inc | USA* | Video transport (no storage) | Ongoing |
APPENDIX 3: DESCRIPTION OF SECURITY MEASURES
- All communications between the server and clients are encrypted (TLS 1.) data at rest is encrypted (AES256).
- Passwords stored in the Provider’s database are encrypted in a non-reversible way (one-way hash).
- Unsuccessful connection attempts are logged and trigger alerts.
- Account passwords must be “strong”
- Access to Personal Data by the Service Provider’s employees is authorized according to roles as defined in the Service Provider’s Security Policy (for example, the support team is authorized to access Personal Data in the event of a bug).
- Access is technically managed by a central account repository
- MFA is enabled on critical infrastructure
- Infrastructure undergo a weekly vulnerability scan and yearly penetration test
APPENDIX 4: SERVICE PROVIDER AND CLIENT POINTS OF CONTACT
DPO of the Service Provider:
Charlotte GALICHET
Admitted to the Paris Bar
4, place de Valois – 75001 Paris
01 86 95 18 81
Contact of the Service Provider for any requests or instructions relating to this DPA:
Frédéric THIRARD
09 54 39 85 49
Client contact for notification of a breach of personal data protection:
The email address entered by the Client in the CoderPad UI (by default, the email address used by the Client when creating their account)
Client contact for any other CoderPad request related to this DPA:
The email address used by the Client when creating their account
