ShareGate by Workleap – Data Processing Addendum
Where applicable, this Data Processing Addendum is hereby incorporated in the ShareGate by Workleap End User License, Maintenance and Support Agreement (the “EULA”), unless Customer has entered into a superseding written agreement with Workleap, in which case, it forms a part of such written agreement. Unless Customer has a superseding written agreement with Workleap, Workleap may amend this Data Processing Addendum from time to time on its Website, as its business evolves. Any revisions will become effective on the date Workleap publishes the changes. Customer can review the most current version of the Data Processing Addendum at any time by visiting this page. If Customer uses ShareGate and/or the Services after the effective date of any changes, that use will constitute acceptance of the revised Data Processing Addendum.
Last update: 2024/09/13
1. Definitions and Interpretation
1.1 All capitalized terms not defined herein shall have the meaning set forth in the EULA.
1.2 The following capitalized terms shall have the meaning ascribed to them below:
- “Account Information” means Personal Information that relates to the transactional or commercial relationship between Customer and Workleap, including Personal Information relating to Customer’s account, billing information and sales and support requests;
- “Data Controller” has the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
- “Data Processor” has the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
- “Data Protection Regulator” means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
- “Data Subject” has the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
- “Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information and Sensitive Personal Information including but not limited to Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”), the California Consumer Protection Act of 2018 (the “CCPA”) and the California Privacy Rights Act (the “CPRA”);
- “Process”, “Processing” or “Processed” have the meaning set out in the Privacy Laws, as applicable to this Data Processing Addendum;
- “2021 Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Information to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or any European Commission’s decision amending or replacing this decision;
- “Standard Contractual Clauses” means collectively the 2021 Standard Contractual Clauses or the UK International Data Transfer Addendum whichever is applicable; and
- “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the 2021 Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office.
1.3 The term “including” is not limiting and means “including, without limitation”.
2. Protection of Personal Information
2.1. Supersedence. This Data Processing Addendum shall supersede any and all provisions of the EULA inconsistent herewith.
2.2. Data Controller and Data Processor. The Parties acknowledge that with regards to the processing of Customer Personal Information, the Customer is the Data Controller and Workleap is the Data Processor of the Customer Personal Information. Workleap will Process Customer Personal Information in accordance with Schedule 1 to this Data Processing Addendum. With regards to Account Information, Customer is a Data Controller and Workleap is an independent Data Controller (and not a joint Data Controller with Customer). Workleap will process Account Information for the limited purposes of (i) managing the customer relationship, (ii) carrying out Workleap’s core business operations, (iii) implementing security measures designed to prevent unauthorized access, fraud or abuse of ShareGate and/or the Services, (iv) complying with Workleap’s legal obligations, and (v) fulfilling any other lawful purpose authorised under Privacy Laws, this Data Processing Addendum or the EULA.
2.3. Customer’s Obligations as Data Controller. The Customer warrants that the Customer Personal Information has been obtained fairly and lawfully and, in all respects, in compliance with the Privacy Laws.
2.4. Workleap’s Obligations as Data Processor. Workleap shall:
- 2.4.1. Process the Customer Personal Information only in accordance with Schedule 1 of this Data Processing Addendum and any other reasonable documented instructions as provided by the Customer to Workleap from time to time (“Instructions”), including with regard to transfers of Customer Personal Information to a third country, save where:
- 2.4.1.1. such Instructions are unlawful;
- 2.4.1.2. such Instructions would cause Workleap to breach its own obligations under Privacy Laws or the EULA or any other agreement with a third party;
- 2.4.1.3. Workleap is under a legal obligation to Process the Customer Personal Information, in which case Workleap shall inform the Customer of the legal obligation, except to the extent the law prohibits it from doing so; and/or
- 2.4.1.4. such Instruction delays or prevents performance of Workleap’s obligations under the EULA, in which case Workleap shall be granted relief from liability hereunder.
- 2.4.2. inform the Customer if, in its opinion, an Instruction received from the Customer infringes the Privacy Laws;
- 2.4.3. ensure that all Workleap employees and personnel who are involved in the Processing of Customer Personal Information have committed themselves to confidentiality or are under statutory obligations of confidentiality;
- 2.4.4. not provide any new third party with access to the Customer Personal Information or sub-contract any of its obligations under the EULA that involve Processing Customer Personal Information without providing at least thirty (30) days advance notice to the Customer via email. The Customer hereby approves the third parties listed in Schedule 2 hereto (the “Sub-processors”), which are compliant with requirements under Privacy Laws, as applicable to this Data Processing Addendum, regarding transfers of Customer Personal Information to a third country;
- 2.4.5. ensure that any sub-contract entered into by Workleap (where Customer Personal Information is Processed by a Sub-processor) contains provisions which comply with Privacy Laws and in any event are no less onerous than those imposed under Section 2 of this Data Processing Addendum, and where a Sub-processor fails to fulfil its data protection obligations under the Privacy Laws, Workleap shall remain liable to Customer for the performance of that Sub-processor’s obligations;
- 2.4.6. implement and maintain appropriate technical and organizational security measures to protect against unauthorised or unlawful Processing of the Customer Personal Information and against accidental loss, disclosure or destruction of, or damage to, the Customer Personal Information, taking into account the state of the art, costs of implementation and nature, scope, context and purposes of Processing, as described in the Privacy Policy, and including:
- 2.4.6.1 the anonymization, pseudonymization and/or encryption of Customer Personal Information;
- 2.4.6.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- 2.4.6.3 the ability to restore the availability and access to Customer Personal Information in a timely manner in the event of a physical or technical incident; and
- 2.4.6.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
- 2.4.7. taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, as further described in Schedule 3 hereto, to enable the Customer to comply with its obligations under Privacy Laws in responding to requests from Data Subjects or the Data Protection Regulator, insofar as this is possible;
- 2.4.8. assist the Customer, to comply with the following obligations under the Privacy Laws, taking into account the nature of Processing and information available to Workleap, including:
- 2.4.8.1. notification and assistance to Customer without undue delay, in accordance with the provision set forth in Section 12 of the Privacy Policy, and notification to the Data Protection Regulator and Data Subjects of a Data Incident, as defined in the Privacy Policy, with regards to Customer Personal Information transmitted, stored or otherwise Processed; and
- 2.4.8.2. the Customer’s obligations to carry out data protection impact assessments, or any similar assessment required under Privacy Laws, and any subsequent consultation with the Data Protection Regulator;
- 2.4.9. make available to Customer, or an independent third-party auditor mandated by the Customer (who shall not be a competitor of Workleap), up to a maximum of once a year, or when a breach of Customer Personal Information is reasonably suspected, all reasonable information that Workleap deems necessary to demonstrate compliance with the obligations imposed on Workleap under Section 2 of this Data Processing Addendum, and allow for and contribute to audits, including inspections for the sole purpose of demonstrating such compliance;
- 2.4.10. unless required by law, following termination or expiry of the EULA for whatever reason, securely delete all of the Customer Personal Information in accordance with Workleap’s retention policy, or without delay at Customer’s request;
- 2.4.11. comply with the relevant Controller to Processor provisions of the 2021 Standard Contractual Clauses which are incorporated by reference and are an integral part of this Data Processing Addendum, for the purpose of which the Parties agree that:
- 2.4.11.1. Customer is the data exporter and Workleap is the data importer.
- 2.4.11.2. Module Two of the 2021 Standard Contractual Clauses will apply where Customer is a Controller and Workleap is a Processor.
- 2.4.11.3. Clause 7 of the 2021 Standard Contractual Clauses will apply.
- 2.4.11.4. For the purpose of Clause 9, paragraph (a) of the 2021 Standard Contractual Clauses, option 2 shall apply, as per the time period specified under section 2.4.4 hereof.
- 2.4.11.5. The Parties agree that to the extent permitted by Privacy Laws any direct claims brought under the Standard Contractual Clauses by a Party shall be subject to the limitation of liability set out in the EULA, provided however that nothing in this Data Processing Addendum shall be construed as a limitation or exclusion of a Party’s liability toward a Data Subject under the Standard Contractual Clauses.
- 2.4.11.6. For the purpose of Clause 17 of the 2021 Standard Contractual Clauses the parties choose option 1 and the law of the Republic of Ireland.
- 2.4.11.7. For the purpose of Clause 18 of the 2021 Standard Contractual Clauses, paragraph (b), the Parties choose the courts of the Republic of Ireland.
- 2.4.11.8. The contents of Appendix I of the Standard Contractual Clauses are deemed completed with the information found in Section 2 and Schedule 1 hereof. The contents of Appendix II are described in Schedule 3 hereto.
- 2.4.11.9. In the event of any conflict between the provisions of the Standard Contractual Clauses and this Data Processing Addendum, the Standard Contractual Clauses shall prevail.
- 2.4.12 comply with the UK International Data Transfer Addendum, as set out in Schedule 4 hereto.
- 2.4.13 Additional Provisions for California. To the extent that Workleap processes Personal Information of consumers subject to the CCPA, the CPRA and applicable regulations thereunder, the Parties shall comply with all applicable provisions of the CCPA, of the CPRA and of applicable regulations thereunder, as amended from time to time. The Parties shall agree to act in good faith to enter into a modified agreement in order to address any such amendment and ensure ongoing compliance with California laws. Workleap shall not (a) retain, use or disclose such Personal Information for any purpose other than for the specific purposes described under the EULA or this Data Processing Addendum, or as otherwise permitted by the CCPA, the CPRA or applicable regulations; (b) retain, use or disclose such Personal Information for a commercial purpose other than the specific purposes described under the EULA or this Data Processing Addendum; or (c) “sell” or “share” such Personal Information (the terms “sell” and “share” having the meaning ascribed to them in the CCPA, CPRA or applicable regulations).
Schedule 1: Description of the Processing of Customer Personal Information
Workleap will Process Customer Personal Information in accordance with the description below.
1) Categories of Data Subjects whose Personal Information is Processed
All Users, as defined under the EULA and applicable Product-Specific Terms.
2) Categories of Personal Information Processed
Workleap Processes several categories of Customer Personal Information, such as:
- User credentials (includes email and password hashes);
- User profile data (includes first name, last name, company name and email contact of the User);
- Diagnostic data:
- ShareGate Migrate: Workleap may ask Customer to provide diagnostic data in order to resolve support issues. Diagnostic data may include data collected by ShareGate Migrate in diagnostic mode, such as the migration report, the ShareGate Migrate error log, the copy manifest and the capture of the ShareGate Migrate HTTP/HTTPS traffic stream (the “ShareGate Migrate Diagnostic Data”). Given that the ShareGate Migrate Diagnostic Data may sometimes contain Customer Data, it is possible that Workleap has access to Customer Personal Information that was included in the documents and data stored in Customers’ own Microsoft SharePoint, Microsoft 365 and/or email server. The ShareGate Migrate Diagnostic Data may also include Users’ credentials that permit Users to access ShareGate Migrate. Workleap has no control over the categories of Personal Information which may be included in ShareGate Migrate Diagnostic Data.
- ShareGate Protect: In the context of providing support services, Workleap’s support team may request access to Customer Data (as defined in the EULA) or ShareGate Protect Diagnostic Data (as defined below) to investigate what prevents the normal functioning of the Services. “ShareGate Protect Diagnostic Data” means the migration report, the error log, and the copy manifest which may be transmitted to Workleap. Given that the ShareGate Protect Diagnostic Data may sometimes contain Customer Data, it is possible that Workleap has access to Customer Personal Information that was included in the documents, and to data stored in Customers’ own Microsoft SharePoint and Microsoft 365 environment. Workleap has no control over the categories of Personal Information which may be included in ShareGate Protect Diagnostic Data.
- Data contained in migrated files: By using certain functionalities of the Services, Customer may transfer files containing Customer Personal Information. Such files are hosted temporarily by Workleap as a migration is performed. Workleap does not access or otherwise use Customer Personal Data processed in this context, and has no control over, or knowledge of, the nature of Customer Personal Data processed in this context.
- Tenant data: ShareGate Protect may require access to Customer Data found on Customer’s Microsoft Teams, Microsoft 365 and/or SharePoint tenant in order to perform an assessment of the tenant. The assessment requires access to data such as group memberships, usage reports, and Users’ basic profiles.
3) Sensitive Personal Information Processed
Workleap does not intentionally process Sensitive Personal Information through ShareGate and/or the Services. Any collection or processing of Sensitive Personal Information by Workleap is incidental and outside of Workleap’s control.
4) Frequency of the Processing and Transfer
The Processing and Transfer of Customer Personal Information is continuous.
5) Nature of the Processing
Workleap processes Customer Personal Information in the course of providing ShareGate and/or the Services, as described in the EULA and in ancillary documentation further describing the nature and functionality of ShareGate and/or the Services. Without limiting the generality of the foregoing, the Processing may entail handling, accessing, viewing, storing, transmitting, and otherwise making available the Customer Personal Information, including by automated means.
6) Purposes of the Processing and Further Processing
Workleap processes the Customer Personal Information in accordance with Customer’s documented lawful instructions, which shall be deemed to include any processing activities necessary to:
- Provide, maintain and improve ShareGate and/or the Services in accordance with the EULA;
- Prevent and address service, security, support or technical issues with ShareGate and/or the Services;
- Ensure the integration and synchronization of ShareGate and/or the Services with Customer’s external systems, where applicable.
Workleap also processes Customer Personal Information to comply with its legal obligations.
7) Retention Period
Customer Personal Information is retained and processed only as long as necessary for the purposes described in paragraph 6 above, in accordance with Section 10 of Workleap’s Privacy Policy.
8) Transfers to Sub-Processors
Workleap may transfer Customer Personal Information to its Sub-Processors (listed under Schedule 2 hereto) in accordance with Section 2.4 (Workleap’s Obligations as Data Processor) or otherwise as permitted under the EULA.
SCHEDULE 2: ShareGate Sub-processors
An up-to-date list of Workleap Sub-Processors may be found on the ShareGate Sub-processors page.
SCHEDULE 3: General Description of the Technical and Organizational Security Measures in Place
All capitalized terms not defined herein shall have the meaning set forth in the EULA.
Workleap has implemented and maintains the following technical and organizational security measures:
1. Measures of pseudonymization and encryption of personal data
It is Workleap’s policy to pseudonymize Customer Personal Information whenever possible. The data is encrypted in transit with HTTP over TLS. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled. The data is also encrypted at rest by Workleap and the Sub-processors. Encryption keys are managed by a limited number of employees and secured in a vault with regular rotations.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality: Workleap has measures in place to ensure that no person is allowed to access Customer Personal Information without authorization. Such measures include, without limitation:
- Workleap manages accesses to Customer Personal Information based on the role-based access control (RBAC) permissions model on a need to access basis and least privileged basis.
- In order to perform technical investigations, Workleap’s customer success agents and developers may request Customer’s consent to access Customer Personal Information for investigative purposes only.
- Workleap has a secure authentication process in place.
- All Workleap employees are subject to a criminal background check to ensure that they are not guilty of a job-related offense.
- Workleap’s internal database is located at a Microsoft Azure datacenter. Microsoft Inc. conforms to global security standards such as ISO 27001, FedRAMP, SOC 1 and SOC 2.
- Workleap has measures in place to control physical security at its office (including security guard at building entrance, alarm system, visitor registration).
- All Workleap employees and Sub-processors have signed a non-disclosure agreement.
- The data is encrypted in transit with HTTP over SSL. Certificates are 2048 bits and private keys are stored in a specific secret vault. Weak cyphers are disabled. The data is also encrypted at rest. Encryption keys are managed by a limited number of employees and secured in a vault with regular rotations.
- Regular updates concerning current security attacks are sent to Workleap’s employees to raise awareness.
- Workleap employees undergo mandatory annual data privacy training.
Workleap has BCP and DRP documentation. Tabletop testing is done at least once a year.
Integrity: Workleap has measures in place to ensure that data integrity is maintained. Such measures include, without limitation:
- The right to modify or delete any customer data (which includes Customer Personal Information) is restricted to a limited group of people on a need basis.
- Employees in the customer success team and in the technical support team are granted the right to modify and delete customer data in Workleap’s database. Any modification or deletion by such employees is catalogued in an audit log. Workleap reviews accesses every two months and every time a team changes.
- A group of four key employees have unlimited access to Workleap’s database.
- A policy restricting possible modifications and deletions within Workleap’s database is in place.
Workleap maintains backups of its database in accordance with its retention policy.
Availability: Workleap has measures in place to ensure that Customer Personal Information is available and is used properly in the intended Process. Such measures include, without limitation:
- Workleap maintains backups of its database in accordance with its retention policy.
- Workleap has implemented Azure Security Center to prevent malware in the hosting environment and a centralized antimalware solution to prevent malware in the office, with periodic full scans and firewall integration.
- Workleap is in the process of adopting and operationalizing a disaster recovery plan. It is Workleap’s objective that this disaster recovery plan be fully operational as quickly as possible.
Resilience: Workleap has measures in place to ensure that ShareGate is resilient. Such measures include:
- Workleap’s infrastructure can scale depending on the load.
- Workleap’s infrastructure is redundant in the same datacenter.
- Workleap’s database server is redundant in another region.
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
If the causes of an outage are within Workleap’s control, its recovery time objective (RTO) is about 8 hours or less. See the measures described under section 2 above with respect to “Availability”.
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Access control: Workleap reviews accesses regularly and every time a team changes.
- Vulnerability assessments: External tests are conducted continuously using a Private Bug Bounty Program. Workleap also performs annual penetration testing with a third-party auditor, and uses security testing methodologies such as SAST/DAST.
- Security assessment: Workleap has several dashboards to assess its security.
- Logs centralization: Workleap uses a SIEM to aggregate its logs.
5. Measures for user identification and authorisation
Workleap manages accesses to Customer Personal Information based on the role-based access control (RBAC) permissions model on a need to access basis and least privileged basis. Workleap has a secure authentication process in place.
6. Measures for the protection of data during transmission
See section 2 above under the heading “Confidentiality”.
7. Measures for the protection of data during storage
See section 2 above under the heading “Confidentiality”.
8. Measures for ensuring physical security of locations at which personal data are processed
See section 2 above under the heading “Confidentiality”.
9. Measures for ensuring events logging
See section 2 above under the heading “Integrity”, and section 4.
10. Measures for ensuring system configuration, including default configuration
A formal change management process governs changes to the application, data and supporting infrastructure. Changes are managed based on their impact and follow the SDLC methodology or a fast-track process. Workleap also relies on its Access Management Policy and Change Management Policy.
11. Measures for internal IT and IT security governance and management
Workleap relies on an extensive Security Program, including, without limitation:
- An Information Security Policy;
- An Access Management Policy;
- A Security Incident Management Policy;
- A Personal Information Protection Policy;
- An Operational Security Policy; and
- A Change Management Policy.
12. Measures for certification/assurance of processes and products
Workleap’s security processes are audited annually under the SOC2 framework.
13. Measures for ensuring data minimisation
Data use and data collection are governed by Workleap’s Privacy Policy and Data Utilization Policy. Data access is possible only in accordance with the “least privilege” principle. Workleap’s data retention policy, anonymization processes and pseudonymization process ensure that data is only retained for as long as it is necessary for the purpose of the underlying services.
14. Measures for ensuring data quality
See section 2 above.
15. Measures for ensuring limited data retention
See section 13 above.
16. Measures for ensuring accountability
Workleap’s security policies are under the responsibility of its Director of Security and of its Data Protection Officer. Workleap’s Security Program clearly assigns roles and responsibilities within the organization, which are regularly audited under the SOC2 framework.
17. Measures for allowing data portability and ensuring erasure
In accordance with its Privacy Policy, Workleap has a process in place allowing Data Subjects to exercise their privacy rights, including by requesting that Workleap erase or modify personal data. Workleap has processes in place to provide Data Subjects with a copy of their personal data upon request. Personal Information is stored in accordance with Workleap’s Personal Information Protection Policy and data retention processes. Archival copies of personal data are securely deleted in accordance with applicable data retention schedules.
SCHEDULE 4: UK International Data Transfer Addendum
Purpose. This Schedule supplements the Data Processing Addendum as incorporated by reference to the EULA to govern the international transfer of Personal Information out of the United Kingdom. By signing the EULA, the Parties agree to the terms of this Schedule.
PART 1: Tables
Table 1 will be completed with the Parties’ details as set out in the EULA.
| TABLE 2 – Selected SCCs | |
|---|---|
| Addendum EU SCCs | The 2021 Standard Contractual Clauses, including the appendix information as set out in Section 2.4.11 of the Data Processing Addendum. |

| TABLE 3 – Appendix Information | |
|---|---|
| “Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the 2021 Standard Contractual Clauses (other than the Parties), and which for this Addendum is set out in: | |
| Annex 1A | List of Parties: As described in Section 2.2 of the Data Processing Addendum. |
| Annex 1B | Description of Transfer: As described in Schedule 1 of the Data Processing Addendum. |
| Annex II | Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Schedule 3 to the Data Processing Addendum. |
| Annex III | List of Sub-processors: As described in Schedule 2 to the Data Processing Addendum. |

| TABLE 4 – Ending this Addendum | |
|---|---|
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum: Exporter and Importer |

PART 2: Mandatory Clauses

| Mandatory Clauses | |
|---|---|
| Mandatory Clauses incorporated by this express reference: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf | Incorporation by reference of Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and submitted to Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 and approved on 21 March 2022, as amended from time to time under Section 18 of those Mandatory Clauses. |