Data Processing Agreement
Last updated: January 16, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service and governs the processing of personal data by BugHarbor on behalf of our customers.
1. Definitions
- "Controller" means the entity (Customer) that determines the purposes and means of processing personal data.
- "Processor" means BugHarbor, which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by BugHarbor to process personal data on behalf of the Controller.
- "Data Subject" means the natural person to whom the personal data relates.
2. Scope and Purpose
This DPA applies to all processing of personal data by BugHarbor in connection with the provision of the BugHarbor feedback collection and management service (the "Service").
BugHarbor processes personal data on behalf of the Controller for the following purposes:
- Providing the feedback collection and management service
- Storing and managing feedback submissions, including attachments (screenshots, recordings, audio files)
- Processing feedback metadata (browser information, device information, IP addresses)
- Providing AI-powered analysis of feedback (via sub-processors)
- Sending notifications and communications related to the Service
- Providing customer support and technical assistance
3. Processor Obligations
3.1 Processing Instructions
BugHarbor shall process personal data only in accordance with:
- The Controller's documented instructions as set forth in this DPA and the Terms of Service
- Applicable data protection laws, including the GDPR, CCPA, and other relevant regulations
3.2 Security Measures
BugHarbor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit using TLS/SSL
- Encryption of sensitive data at rest
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Employee training on data protection
- Incident response procedures
- Regular backups and disaster recovery procedures
3.3 Confidentiality
BugHarbor ensures that persons authorized to process personal data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
4. Controller Obligations
The Controller is responsible for:
- Ensuring it has a lawful basis for processing personal data
- Obtaining necessary consents from data subjects where required
- Providing accurate and up-to-date personal data
- Complying with all applicable data protection laws
- Informing BugHarbor of any special requirements or restrictions regarding data processing
5. Sub-processors
5.1 Authorization
The Controller generally authorizes BugHarbor to engage sub-processors to process personal data. BugHarbor maintains a current list of sub-processors, which is available on our Sub-processors page.
5.2 Sub-processor Obligations
BugHarbor shall:
- Ensure sub-processors are bound by data protection obligations equivalent to those in this DPA
- Remain fully liable for the performance of sub-processors
- Notify the Controller of any intended changes to sub-processors
5.3 Objection to Sub-processors
The Controller may object to the addition of a new sub-processor by notifying BugHarbor in writing within 30 days of the notification. If the Controller objects, BugHarbor will work with the Controller to find a mutually acceptable solution. If no solution is found, the Controller may terminate the affected part of the Service.
6. Data Subject Rights
BugHarbor shall assist the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws, including:
- Right of Access: Providing access to personal data
- Right to Rectification: Correcting inaccurate personal data
- Right to Erasure: Deleting personal data upon request
- Right to Restrict Processing: Limiting processing of personal data
- Right to Data Portability: Providing data in a structured, machine-readable format
- Right to Object: Objecting to certain types of processing
BugHarbor will respond to such requests within a reasonable timeframe and in accordance with applicable law.
7. Data Breach Notification
In the event of a personal data breach, BugHarbor shall:
- Notify the Controller without undue delay, and in any event within 72 hours after becoming aware of the breach
- Provide the Controller with sufficient information to allow the Controller to meet its obligations to report the breach to supervisory authorities and notify data subjects
- Assist the Controller in investigating and remediating the breach
The notification shall include, to the extent possible:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach
8. Data Retention and Deletion
BugHarbor shall:
- Retain personal data only for as long as necessary to provide the Service or as required by law
- Delete or return all personal data to the Controller upon termination of the Service, unless retention is required by law
- Delete personal data in accordance with the Controller's instructions and applicable law
Upon termination of the Service, the Controller may request deletion of all personal data. BugHarbor will delete such data within 30 days, unless retention is required by applicable law.
9. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom. In such cases, BugHarbor shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Other appropriate safeguards as required by applicable law
A list of countries where personal data may be processed is available on our Sub-processors page.
10. Audits and Compliance
BugHarbor shall:
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits conducted by the Controller or its authorized representatives, subject to reasonable notice and confidentiality obligations
- Maintain records of processing activities as required by applicable law
11. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service. BugHarbor shall be liable for any damages caused by processing where it has not complied with obligations specifically directed to processors under applicable data protection law or where it has acted outside or contrary to lawful instructions of the Controller.
12. Term and Termination
This DPA shall remain in effect for as long as BugHarbor processes personal data on behalf of the Controller. Upon termination of the Service, the provisions of Section 8 (Data Retention and Deletion) shall apply.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
14. Contact Information
For questions about this DPA or to exercise your rights, please contact us:
- Email: privacy@bugharbor.space
- Support: Through our in-app support channels
Note: This DPA is a template and may need to be customized for enterprise customers. For enterprise customers requiring a signed DPA, please contact us at enterprise@bugharbor.space.