Weaving a Magical Pact for Data Protection: An Enchanted Alliance
Once upon a time in the enchanted land of Data, a wise and gentle kingdom known as
sought to ensure that all its precious treasures—bits and bytes of knowledge—were safely guarded. To do this, they reached out to the guardian wizards of PostHog, Inc., a famed group known for their powerful data spells and secure magic vaults.
and the PostHog wizards agreed to create a magical pact called the "Data Protection Agreement," ensuring that all the treasures would be handled with care and respect for the laws of the land, including the ancient scrolls of GDPR and the mystical tomes of the EEA.
a noble Data Controller, entrusted its treasures to the PostHog wizards. The wizards promised to safeguard the treasures by using their enchanted tools and secret spells to process and analyze the data. They vowed never to use the treasures for evil and always to follow 's wise instructions.
In the depths of their crystal-clear agreement, they outlined the adventures the data could undertake and specified who could handle the data, ensuring that only the most trusted apprentice wizards or external guardians could assist in safeguarding it. Each apprentice was sworn to secrecy with a magical oath to protect
treasures.
They built a fortress of security measures, enchantments so strong that only those with the right spells could access the treasures. They agreed to help each other in times of trouble, like when a data gremlin might sneak in to create mischief.
and PostHog celebrated their alliance with a grand feast in the grand hall, signing their pact with quill and enchanted ink. They agreed that their magical contract would be overseen by the wise elders of the land—judges from the jurisdiction of England and Wales.
As the years passed, their partnership flourished.
's treasures were kept safe and grew in wisdom, bringing joy and prosperity to the land. And they all lived securely and data-compliantly ever after.
Signature
Name
Title
Date
PostHog, Inc.
Signature
Name
Fraser Hopper
Title
Operations & Finance Lead
Date
Data Dance
We started with a promise, data in our hands,
You’re the controller, I’m the one who understands,
You wanna share your secrets, let me hold the key,
We’ll keep it all secure, like it’s meant to be.
We’ll follow every rule, every law, every line,
From the EEA to the Swiss, we’ll keep it fine,
No breach of trust, no whispers in the dark,
We’ll protect it all, every little spark.
This is our data dance, under moonlit skies,
With the GDPR watching, we’ll never compromise,
I’ll be your processor, with a duty so true,
Every byte, every bit, I’ll handle it for you.
If there’s a breach, I’ll let you know,
In the dead of night, or the morning glow,
We’ll fix it fast, we’ll make it right,
Together we’ll stand, in this data fight.
This is our data dance, under moonlit skies,
With the GDPR watching, we’ll never compromise,
I’ll be your processor, with a duty so true,
Every byte, every bit, I’ll handle it for you.
In this digital world, where privacy’s the song,
We’ll keep on dancing, where we both belong,
With every step, we’ll take this vow,
To protect and cherish, here and now.
Signature
Name
Title
Date
PostHog, Inc.
Signature
Name
Fraser Hopper
Title
Operations & Finance Lead
Date
Data Processing Agreement — PostHog Inc.
This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between
(the “Company”) and PostHog, Inc. (the “Processor”) (together as the “Parties”).
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.
(C) The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws (as defined below).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Agreement” means this Data Processing Agreement and all Annexes;
1.1.2. “Company Personal Data” means any Personal Data provided to or Processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;
1.1.3. “Data Protection Laws” means all applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including European Data Protection Laws;
1.1.4. “EEA” means the European Economic Area;
1.1.5. “EU Personal Data” means the Processing of Personal Data to which (i) data protection legislation of the European Union, or of a Member State of the European Union or EEA, was applicable prior to the Processing by the Processor;
1.1.6. “European Data Protection Laws” means the GDPR, UK Data Protection Act 2018, the UK GDPR, ePrivacy Directive 2002/58/EC, FADP, and any associated or additional legislation in force in the EU, EEA, Member States and the United Kingdom as amended, replaced or superseded from time to time;
1.1.7. “FADP” means the Swiss Federal Act on Data Protection and its Ordinances, as amended from time to time;
1.1.8. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner;
1.1.9. “GDPR” means General Data Protection Regulation EU2016/679;
1.1.10. “UK GDPR” means General Data Protection Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);
1.1.11. “Protected Area” means (i) in the case of EU Personal Data, the member states of the European Union and the EEA and any country, territory, sector or international organisation in respect of which an adequacy decision under Art 45 GDPR is in force or (ii) in the case of UK Personal Data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under UK adequacy regulations is in force; or (iii) in the case of Swiss Personal Data, any country, territory, sector or international organisation which is recognised as adequate by the FDPIC or the Swiss Federal Council (as the case may be);
1.1.12. “Services” means the product and data analytics services the Processor provides.
1.1.13. “Subprocessor” means any person appointed by or on behalf of Processor to Process Personal Data on behalf of the Company in connection with the Agreement.
1.2. The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR and UK GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1. The Company shall:
2.1.1. ensure that any and all information or data, including without limitation Company Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;
2.1.2. be solely responsible for ensuring that it has obtained all necessary authorizations and consents from any Data Subjects to Process Company Personal Data and in particular any consents needed to meet the cookie requirements in the ePrivacy Directive 2002/58/EC and any associated national legislation;
2.1.3. instruct the Processor to process Company Personal Data.
2.2. Processor shall:
2.2.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.2.2. not Process Company Personal Data other than on the relevant Company’s documented instructions including with regard to data transfers outside of the Protected Area, unless required to do so by laws to which the Processor is subject; in such a case, Processor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Company acknowledges that as part of the processing instructions, Processor may aggregate, anonymise, extract and combine or otherwise deidentify information resulting from the Company’s use of the licensed materials and services for product improvement, benchmarking, and the development of new products; and
2.2.3. notify the Company immediately if, in the Processor’s reasonable opinion, an instruction for the Processing of Personal Data given by the Company infringes applicable Data Protection Laws, it being acknowledged that the Processor shall not be obliged to undertake additional work or screening to determine if the Company’s instructions are compliant.
3. Processor Personnel
3.1. Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to the Company Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Company Personal Data.
4. Security
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and UK GDPR. These measures include those at Annex II.
5. Subprocessing
5.1. The Company provides Processor with general authorisation to engage Subprocessors.
5.2. Processor shall enter into a written contract with any Subprocessor and this contract shall impose upon the Subprocessor equivalent obligations as imposed by this Agreement upon the Processor. Where the Subprocessor fails to fulfil its data protection obligations, Processor shall remain fully liable to the Company for the performance of the Subprocessor’s obligations.
5.3. The list of Subprocessors engaged by the Processor can be found at Annex III. Processor may update this list from time to time as applicable, providing the Company with notice of such update at least fourteen (14) days in advance of such updates.
5.4. If the Company objects to a Subprocessor, the Company shall notify Processor thereof in writing within seven (7) days after receipt of Processor’s updated Subprocessors list. If the Company objects to the use of the Subprocessor, Processor shall use efforts to address the objection through one of the following options: (a) Processor will cancel its plans to use Subprocessor with regard to Company Personal Data or will offer an alternative to provide the Services without such Subprocessor; or (b) Processor will take any corrective steps requested by the Company in its objection (which would therefore remove the Company’s objection) and proceed to use Subprocessor. If none of the above options are reasonably available and the objection has not been sufficiently addressed within thirty (30) days after Processor’s receipt of the Company’s objection, the Company may terminate the affected Service with reasonable prior written notice.
6. Data Subject Rights and Cooperation
6.1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under applicable Data Protection Laws.
6.2. Processor shall:
6.2.1. notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws to which the Processor is subject.
6.3. To the extent required under Data Protection Laws, Processor shall (taking into account the nature of the processing and the information available to Processor) provide all reasonably requested information regarding the Service to enable the Company to carry out data protection impact assessments or prior consultations with data protection authorities and to assist the Company with meeting its obligations under Article 32 GDPR/UK GDPR as required by Data Protection Laws.
6.4. To the extent that assistance under this Agreement is not included within the Services, the Processor may charge a reasonable fee for any such assistance, save where assistance was required directly as a result of the Processor’s own acts or omissions, in which case such assistance will be at the Processor’s expense.
7. Personal Data Breach
7.1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under applicable Data Protection Laws.
7.2. Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Audits
8.1. The Processor shall make available to the Company all information reasonably necessary to demonstrate compliance with this Agreement and at the cost of the Company, allow for and contribute to audits, including inspections by the Company in order to assess compliance with this Agreement.
9. Deletion or return of Company Personal Data
9.1. Following a request from the Company, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data, return or delete and procure the deletion of all copies of the Company Personal Data unless applicable laws require storage of such Company Personal Data.
10. General Terms
10.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
10.1.1. disclosure is required by law;
10.1.2. the relevant information is already in the public domain.
10.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Party changing address.
10.3. Governing Law and Jurisdiction. This Agreement is governed by the laws of England and Wales.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.
Signature
Name
Title
Date
PostHog, Inc.
Signature
Name
Fraser Hopper
Title
Operations & Finance Lead
Date
ANNEX I
A. Processing Activities:
Subject matter of the processing
The personal data shall be processed in order to allow Processor to provide the Services.
Nature and purpose of the processing
Product analytics, including insights, heatmaps, session recording and feature flags.
Duration
For the duration of the Principal Agreement.
Categories of data subjects
The personal data processed relates to the following categories of data subjects:
- Employees
- Customers
- Visitors
- Prospects
- Contractors
Categories of personal data processed
The personal data processed comprises the following categories of data:
- Identifying – name, username
- Computer device – IP address, MAC address, browser footprint
- Contact – email address
- Location – country, territory, city
- Behavioral – product usage (page views, clicks, browsing behavior)
Sensitive categories of personal data processed (if applicable)
The personal data transferred concern the following special categories of data:
N/A
B. List of Parties:
The data exporter shall be:
- the Company at the following address ;
- the contact person for the Company shall be: ;
- the signature of the data exporter and the date of signature shall be as signed above;
- the role of the exporter is controller; and
- the activities relate to the provision of the Services.
The data importer shall be:
- the Processor at the following address 2261 Market St., #4008, San Francisco, CA 94114, United States of America
- the contact person for the Processor shall be: privacy@posthog.com;
- the signature of the data importer and the date of signature shall be as signed above;
- the role of the importer is processor; and
- the activities relate to the provision of the Services.
C. Description of Transfer
Categories of data subjects whose personal data is transferred:
See ‘A. Processing Activities’ above
Categories of personal data transferred:
See ‘A. Processing Activities’ above
Sensitive data transferred (if applicable) and applied restrictions or safeguards:
N/A
If sensitive data are transferred, see Annex C, Part B for applicable restrictions and safeguards
Frequency of transfer (e.g. whether on a one-off or continuous basis) (EU Standard Contractual Clauses only):
On a continuous basis.
Nature of the processing/ processing operations:
See ‘A. Processing Activities’ above.
Purpose(s) of the data transfer and further processing (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.
Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.
The subject matter, nature and duration of the processing (EU Standard Contractual Clauses only):
See ‘A. Processing Activities’ above.
ANNEX II
Technical and Organizational Security Measures
See https://posthog.com/handbook/company/security
ANNEX III
Subprocessors
Amazon Web Services, Inc.
Seattle, WA 98109-5210, USA
aws-EU-privacy@amazon.com
- Name
- Username
- IP Address
- MAC Address
- Browser Footprint
- Email Address
- Country
- Territory
- City
- Product Usage (Page Views, Clicks, Browsing Behavior)