Overview
This Data Processing Agreement ("DPA") forms part of the agreement between Webpeak Technologies Limited ("Processor") and you ("Controller") for the provision of services through the GEIST Platform, including TalentGeist, LifeGeist, and other applications.
This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (GDPR) and establishes the terms under which we process personal data on your behalf.
Enterprise Customers
If you require a signed, customized DPA for your organization, please contact us to arrange execution of a formal agreement.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
- "Controller" means the natural or legal person which determines the purposes and means of Processing Personal Data.
- "Processor" means Webpeak Technologies Limited, which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
2. Subject Matter and Duration
The Processor will process Personal Data on behalf of the Controller in accordance with the Controller's instructions and the terms of the main service agreement. Processing will continue for the duration of the service agreement.
Types of Personal Data
- Personal master data (name, email, profile information)
- Communication data (email addresses, contact preferences)
- Contractual master data (account details, subscription information)
- Log data (access logs, audit trails)
- Employee performance data (TalentGeist: reviews, goals, feedback)
- Personal productivity data (LifeGeist: tasks, calendar, contacts)
Categories of Data Subjects
- The Controller's employees (TalentGeist)
- The Controller's customers and users
- Authorized users of the GEIST Platform
3. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with GDPR Articles 32-36
- Delete or return all Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
- Inform the Controller if an instruction infringes GDPR or other data protection laws
4. Security Measures
We implement the following technical and organizational measures to protect Personal Data:
Encryption
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Encrypted backups
Access Control
- Role-based access control
- Multi-factor authentication
- Audit logging
Infrastructure
- EU-based data centers
- Firewall protection
- DDoS mitigation
Organizational
- Staff confidentiality agreements
- Regular security training
- Incident response procedures
5. Sub-processors
The Controller grants general authorization for the Processor to engage sub-processors. We will inform the Controller of any intended changes and provide an opportunity to object.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany (EU) |
| Google Cloud (Vertex AI) | AI/ML processing | EU region |
| Backblaze B2 | Encrypted backups | EU region |
| Stripe | Payment processing | EU/US |
6. International Transfers
Personal Data is primarily processed within the European Economic Area (EEA). Where transfers outside the EEA are necessary (e.g., AI processing via Google Cloud), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Additional technical measures (encryption, pseudonymization)
7. Data Subject Rights
We will assist the Controller in responding to Data Subject requests, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
We will notify the Controller promptly if we receive a request directly from a Data Subject.
8. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify the Controller without undue delay (and within 48 hours) after becoming aware
- Provide information about the nature of the breach
- Describe the likely consequences of the breach
- Describe measures taken or proposed to address the breach
- Assist the Controller in notifying supervisory authorities and Data Subjects as required
9. Audits
We will make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and allow for audits and inspections.
The Controller may request audit reports or certifications, or conduct on-site audits with reasonable notice. We maintain SOC 2 Type II certification and conduct annual penetration testing.
10. Termination
Upon termination of the service agreement, we will:
- Return all Personal Data to the Controller in a standard format (upon request)
- Delete all copies of Personal Data within 30 days (unless legally required to retain)
- Provide certification of deletion upon request
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Ireland. The courts of Dublin, Ireland shall have exclusive jurisdiction over any disputes.
Contact
For DPA-related inquiries:
Legal: [email protected]
Data Protection Officer: [email protected]
Address:
Webpeak Technologies Limited
5 Clarinda Park North
Dun Laoghaire, Dublin
Ireland, A96 W6N1