Data Processing Agreement
Overview
This Data Processing Agreement ("DPA") is between Nico Genz IT Solutions ("Pushrift", "Processor") and the customer using the Pushrift platform ("Controller"). It governs how Pushrift processes personal data on behalf of the Controller in connection with the delivery of over-the-air updates to the Controller's desktop applications.
This DPA forms part of and is incorporated into the Terms of Service. It applies wherever Pushrift processes personal data that is subject to the General Data Protection Regulation (GDPR) or other applicable European data protection law.
Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given to them in the GDPR.
"Sub-processor" means any third party engaged by Pushrift to process personal data on behalf of the Controller.
"Service" means the Pushrift platform as described in the Terms of Service.
What Pushrift Processes and Why
When end users of the Controller's application check for or receive updates through Pushrift, the following data is processed on behalf of the Controller:
| Data | Purpose |
|---|---|
| SDK-generated anonymous device identifier | Identifying the device for update targeting and delivery |
| Installed app version | Determining which update, if any, to deliver |
| Operating system and platform | Serving the correct update package for the device's platform |
| Update events (checked, downloaded, skipped) | Providing the Controller with update delivery metrics |
This data is processed solely to deliver the update service. Pushrift does not use it for any other purpose and does not combine it with data from other customers.
The data subjects covered by this DPA are the end users of the Controller's desktop applications.
Controller's Responsibilities
The Controller is responsible for ensuring that:
- It has a valid legal basis under the GDPR for instructing Pushrift to process end-user data
- End users have been informed about data processing in connection with app updates, in accordance with applicable law
- Any instructions given to Pushrift comply with applicable data protection legislation
Pushrift is not responsible for the Controller's compliance with its own obligations as a data controller.
Pushrift's Obligations as Processor
Pushrift will:
- Process personal data only on the documented instructions of the Controller, which are set out in this DPA and the Terms of Service, unless required to do otherwise by EU or member state law
- Ensure that all Pushrift personnel with access to personal data are subject to appropriate confidentiality obligations
- Implement and maintain the technical and organisational security measures described below
- Not engage new sub-processors without notifying the Controller in accordance with the sub-processor section of this DPA
- Assist the Controller in responding to data subject rights requests to the extent technically feasible
- Assist the Controller in meeting its obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs, and prior consultation), taking into account the nature of processing and the information available to Pushrift
- Delete all personal data processed under this DPA within 30 days of termination of the Service, unless retention is required by law
Security
Pushrift implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These measures include:
- Encryption of personal data in transit using TLS
- Encryption of personal data at rest
- Strict access controls — personal data is accessible only to personnel who require it to operate the Service
- Regular internal review of security practices
Sub-processors
By entering into this DPA, the Controller grants Pushrift general authorisation to engage the sub-processors listed on the Sub-processors page. All sub-processors are bound by written agreements that impose data protection obligations equivalent to those in this DPA.
Pushrift will notify the Controller of any intended addition or replacement of a sub-processor by updating the sub-processors page and, where practical, notifying customers by email. The Controller has 14 days from the date of notification to object in writing to the change. If the Controller objects and the parties cannot resolve the matter, the Controller may terminate the Service on written notice. Continued use of the Service after the 14-day period constitutes acceptance of the new sub-processor.
International Data Transfers
Some of Pushrift's sub-processors are located outside the European Economic Area, including in the United States. Where personal data is transferred to a country not recognised by the European Commission as providing an adequate level of protection, Pushrift ensures that appropriate safeguards are in place. Transfers to US-based sub-processors are covered by the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into the agreements with those sub-processors.
Data Breach Notification
If Pushrift becomes aware of a personal data breach affecting the Controller's data, Pushrift will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will be sent to the email address on file for the Controller's account and will include, to the extent known at the time:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Term and Termination
This DPA remains in effect for as long as Pushrift processes personal data on behalf of the Controller. It terminates automatically upon termination of the Terms of Service. Upon termination, Pushrift will delete all personal data processed under this DPA within 30 days, except where longer retention is required by applicable law.
Governing Law
This DPA is governed by the laws of the Federal Republic of Germany, consistent with the Terms of Service.
Contact
For data protection queries, contact us at [email protected].