
Data Processing Agreement

Last update: May 1, 2024

 

This TopLeader Data Processing Agreement and its appendices (the “DPA”) form part of the TopLeader Terms and Conditions of Service or of any superseding Master Service Agreement (“Agreement”) entered into by and between Customer (as defined in the Agreement) and TopLeader, to reflect the Parties’ agreement with respect to the processing of Personal Data by TopLeader on behalf of Customer in connection with the Services.

This DPA is effective upon the Effective Date.

In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

 

1. Definitions

Capitalized terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1.1 “Customer Personal Data” or “Customer Personal Information” means Personal Data and Personal Information processed by TopLeader on behalf of Customer under this DPA and the Agreement in connection with the Services;

1.2 “Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Customer Personal Data under the Agreement, including, where applicable (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), together with any national implementing laws in any EU Member State, (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the UK Data Protection Act 2018 (together the “UK Data Protection Laws”); (iii) the Swiss Federal Act on Data Protection of 19 June 1992; and (iv) laws and regulations of the United States of America, including the California Consumer Privacy Act of 2018, Cal. Civil Code Sec. 1798.100 et seq. (“CCPA”); in each case as amended, repealed, consolidated or replaced from time to time;

1.3 “EEA” means the European Economic Area;

1.4 “EU” means the European Union;

1.5 “Personal Data Breach” means any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;

1.6 “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, as may be amended, superseded or replaced from time to time;

1.7 “Sub-Processor” means a third party engaged by TopLeader as another Processor under this DPA to process Customer Personal Data in order to provide parts of the Services;

1.8 “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office and laid before Parliament in accordance with section 119(A) of the UK Data Protection Act 2018 on 2 February 2022 (as it is revised under its Section 18) to facilitate the international transfer of Personal Data in compliance with the UK GDPR, and currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf;

1.9 The terms “Personal Data”, “Data Subject”, “processing”, “Controller” and “Processor” as used in this DPA have the meanings given in the GDPR. The terms “Business”, “Business Purpose”, “Consumer”, “Personal Information”, “Sell”, “Share” and “Service Provider” as used in this DPA have the meanings given in the CCPA.

 

2. Scope, Role of the Parties and Details of Processing

2.1 This DPA applies to any processing of Customer Personal Data by TopLeader subject to Data Protection Laws.

2.2 Customer and TopLeader agree and acknowledge that with respect to the processing of Customer Personal Data on behalf of Customer:

2.2.1 TopLeader is the Processor of such Customer Personal Data and Customer is the Controller;

2.2.2 For the purposes of the CCPA (to the extent applicable), Customer is the Business and TopLeader is the Service Provider and receives Customer Personal Data pursuant to the Business Purpose of providing the Services to Customer in accordance with the Agreement;

2.2.3 Appendix 1 describes the subject matter and details of the processing.

2.3 At the Customer's request, the TopLeader Platform may be integrated with third-party products via a dedicated API to enable the sharing of Personal Data or Personal Information from the third-party product to the TopLeader Platform. The Parties acknowledge that, in this case, TopLeader remains the Customer's Processor and acts on the Customer's instructions. The Parties further acknowledge that TopLeader is not responsible for third-party products.

 

3. Obligations of Customer

3.1 Customer, in its use of the Services, shall comply with Data Protection Laws.

3.2 Customer shall be solely responsible for (i) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such data; (ii) complying with all necessary transparency and lawfulness requirements under Data Protection Laws, including obtaining any necessary consents and authorizations and having any and all required legal bases in order to collect, process and transfer to TopLeader the Customer Personal Data, and to authorize the processing by TopLeader, and for TopLeader’s processing activities on Customer’s behalf, including the pursuit of Business Purposes as under the CCPA; and (iii) ensuring that its instructions to TopLeader regarding the processing of Customer Personal Data comply with applicable laws, including Data Protection Laws.

3.3 Customer shall immediately inform TopLeader if Customer detects any errors or irregularities in the data processing operations which affect compliance with Data Protection Laws.

 

4. Processing of Customer Personal Data on behalf of Customer

4.1 TopLeader shall only process Customer Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s documented and lawful instructions, except where and to the extent otherwise required by applicable laws (the “Permitted Purposes”).

4.2 The Parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete instructions to TopLeader in relation to the processing of Customer Personal Data. Any additional instruction from Customer must be made in writing, specifying the purpose concerned and the operation to be carried out, it being understood that the implementation of any additional instruction may be conditional on Customer's acceptance of the corresponding cost estimate issued by TopLeader.

4.3 TopLeader shall immediately inform Customer if, in its opinion, an instruction of Customer infringes Data Protection Laws. TopLeader may, without any kind of liability to Customer, temporarily cease all processing of the affected Customer Personal Data (other than securely storing such data) until such time as Customer issues new instructions with which TopLeader is able to comply.

 

5. TopLeader Personnel

5.1 TopLeader personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. TopLeader conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

5.2 Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, TopLeader’s confidentiality and privacy policies. Personnel handling Customer Personal Data are provided with security training. TopLeader’s personnel will not process Customer Personal Data without authorization and always on a need-to-know basis.

 

6. Security

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, TopLeader shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described under Appendix 2 to this DPA (the “Security Measures”).

6.2 Customer acknowledges and agrees that the Security Measures provide a level of security appropriate to the risk in respect of Customer Personal Data.

6.3 TopLeader may update the Security Measures from time to time provided that such updates do not materially decrease the overall protection of Customer Personal Data.

6.4 Customer acknowledges that the Services are not designed, intended, or authorized to process special categories of Personal Data (“Sensitive Data”). The extent of any submission of Sensitive Data is determined and controlled by Customer in its sole discretion and at its own risk.

 

7. Data Subject Rights

7.1 In the event that TopLeader receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data, TopLeader shall, to the extent legally permitted, promptly notify Customer and not respond directly unless legally required to do so.

7.2 To the extent that Customer is unable to independently address a Data Subject request through the Service, then upon written request TopLeader will provide reasonable assistance to Customer to respond to any Data Subject requests. Customer shall reimburse TopLeader for the commercially reasonable costs arising from this assistance.

7.3 TopLeader shall not be liable if Customer fails to respond, or to respond correctly or in a timely manner, to any Data Subject request.

7.4 If claims pursuant to Article 82 GDPR are brought by the Data Subject against TopLeader, Customer shall assist TopLeader’s defense against such claims.

 

8. Personal Data Breach

8.1 TopLeader shall notify Customer without undue delay after becoming aware of any Personal Data Breach and provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer to assist Customer to meet Customer's obligations to report a Personal Data Breach as required under Data Protection Law. Such notification shall not be interpreted or construed as an admission of fault or liability by TopLeader.

8.2 TopLeader shall make reasonable efforts to identify the cause of such Personal Data Breach and take all measures TopLeader deems necessary and reasonable to remediate the cause of such a Personal Data Breach to the extent it is within TopLeader’s reasonable control.

8.3 The obligations herein shall not apply to incidents that are caused by Customer or its Permitted Users.

 

9. Assistance

9.1 If, pursuant to Data Protection Law, Customer is required to perform a data protection impact assessment or prior consultation with a data protection supervisory authority, at Customer's request, TopLeader will provide such documents as are generally available for the Services (e.g., this DPA, the Agreement, Audit Reports and Certifications). Any additional assistance shall be mutually agreed between the Parties.

9.2 TopLeader may assist Customer, at Customer’s request and cost, in ensuring compliance with Customer’s obligations pursuant to Data Protection Laws.

 

10. Download or Deletion of Customer Personal Data

10.1 Customer may, at any time before the expiration or termination of the Agreement, (i) download Customer Personal Data available on the Platform or (ii) request TopLeader to provide a copy thereof.

10.2 Upon termination of the Agreement, TopLeader shall delete all the Customer Personal Data promptly and in any event within six (6) months.

10.3 TopLeader may retain Customer Personal Data to the extent authorized or required by Data Protection Laws and only to the extent and for such period as authorized or required by Data Protection Laws and always provided that TopLeader shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Laws authorizing or requiring its retention and for no other purpose.

 

11. Information and Audit

11.1 TopLeader shall make available to Customer, at its own expense, all information that Customer may reasonably request to demonstrate compliance with this DPA and Data Protection Laws.

11.2 TopLeader shall allow for and contribute to audits, including inspections, of the processing activities covered by this DPA, in accordance with the following procedures:

11.2.1 TopLeader undertakes to regularly test and evaluate the technical and organizational measures implemented in accordance with this DPA. The results of these tests and evaluations will be recorded in an audit report (the "Audit Report").

11.2.2 Upon Customer’s written request, TopLeader will provide Customer or its mandated auditor with a copy of the latest Audit Report.

11.2.3 TopLeader will also provide Customer or its mandated auditor with any additional information it may require regarding the technical and organizational measures in place, in order to help Customer understand the scope of these measures.

11.2.4 If further information is needed by Customer to comply with its own audit obligations or a competent data protection supervisory authority’s request, Customer will inform TopLeader in writing to enable TopLeader to provide such information or to grant Customer access to it.

11.3 If the Audit Report or the additional information provided by TopLeader in accordance with clauses 11.2.1 to 11.2.4 reveals a material breach of this DPA, Customer may conduct audits in accordance with the following principles:

11.3.1 The audit must be preceded by a document audit under the conditions of Section 11.2 which revealed material points of non-compliance of TopLeader.

11.3.2 The audit must be conducted by an independent, reputable, third-party auditor jointly selected by the Parties for its expertise, independence and impartiality. Any auditor selected by the Parties to conduct an audit shall not be a competitor of TopLeader, shall not be in conflict with TopLeader and shall be under confidentiality obligations no less strict than the obligations of Customer under the Agreement.

11.3.3 Audits may include inspections at the premises or physical facilities of TopLeader, provided that auditors shall have no right to view or access any systems, data, records or other information relating or pertaining to TopLeader’s other customers.

11.3.4 Audits may be carried out once a year with a reasonable notice of at least 20 (twenty) business days (which may be reduced to three (3) business days in case of emergency such as in case of Personal Data Breach).

11.3.5 Customer acknowledges that conducting an audit during certain busy periods is likely to interfere with TopLeader’s proper performance of the Services and substantially disrupt its business with all of its clients. Therefore, Customer may only exercise its right to audit during the period 1 March to 31 May of each year to reduce the number of parallel audits (except in case of Personal Data Breach).

11.3.6 Audits shall be carried out during normal business hours and only in a manner that causes minimal disruption to TopLeader’s business, subject to coordinating the timing of such visit and in accordance with any applicable audit procedures in order to reduce any risk to TopLeader’s other customers. Under no circumstances shall the audit performed deteriorate or slow down the Services provided by TopLeader or affect the organizational management of TopLeader.

11.3.7 TopLeader’s information collected during audit operations will be considered as confidential information and may only be used for the purposes of the audit and the necessary corrective actions to the exclusion of any other use by Customer.

11.3.8 An identical copy of the audit report shall be provided to Customer and TopLeader following the completion of the audit. The Parties may comment on this audit report. This report may, if necessary, be subject to further review by a steering committee.

11.3.9 The cost of the compliance audit shall be borne solely by the Customer.

11.3.10 In case the audit report reveals a violation by TopLeader of the terms of this DPA, TopLeader shall have a period of six (6) months from the communication of the final audit report to provide and implement, at no cost to Customer, a remediation plan. If necessary, TopLeader may exceptionally extend this period by three (3) months after expressly informing Customer and objectively justifying such extension.

11.3.11 The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent data protection supervisory authorities on request.

 

12. International Data Transfers

12.1 Customer Personal Data may be transferred from the EU/EEA and the UK to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection supervisory authorities of the EEA, the EU, the Member States, or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.

12.2 If the processing of Customer Personal Data involves transfers from the EU/EEA to countries which have not been subject to an Adequacy Decision, and such transfer is not permitted through alternative means approved by the European Commission or by applicable Data Protection Laws, TopLeader will take all reasonable steps to ensure that Customer Personal Data is treated securely and in accordance with Data Protection Laws, including by signing a data transfer agreement governed by the relevant Standard Contractual Clauses.

12.3 For data transfers governed by UK Data Protection Laws, the UK Addendum shall apply.

 

13. CCPA Requirements

13.1 Customer and TopLeader hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to TopLeader pursuant to the Agreement constitute a sale of information to TopLeader, and that nothing in the Agreement shall be construed as providing for the sale of Customer Personal Data to TopLeader.

13.2 TopLeader is prohibited from using or disclosing Customer Personal Information for any purpose other than the Permitted Purposes.

13.3 TopLeader shall not Sell or Share Customer Personal Information.

13.4 To the extent applicable to the Services, TopLeader hereby certifies that it understands and will comply with the requirements in this DPA relating to CCPA.

 

14. Liability

14.1 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

14.2 Customer acknowledges that TopLeader is reliant on Customer for direction as to the extent to which TopLeader is entitled to use and process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, TopLeader will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by TopLeader, to the extent that such action or omission resulted directly from the Customer's instructions or from Customer's failure to comply with its obligations under Data Protection Laws and TopLeader was acting in accordance with Customer’s instructions.

 

 

Appendix 1: Subject Matter and Details of the Data Processing

 

1. Subject Matter

TopLeader’s provision of the Services to Customer.

 

2. Duration of the Processing

The Processing is performed for the duration of the Agreement.

 

3. Nature and Purpose of the Processing

TopLeader will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Agreement. This notably involves the following processing operations: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

4. Categories of Data

  • Identification Data: name, title and position, contact information (company email; phone number, for example for the dial-in feature), salutation (Mr./Ms.)

  • TopLeader Platform Data:

    • Credentials, Coachee company, Coachee profile picture (optional), IP address;

    • Coaching Session data: assigned Coach, number of Coaching Sessions, messages (between Coach and Coachee as well as Coachee and support: date, content, sender, recipient), coaching goals (title, description, milestones), Coach selection criteria (e.g., experience in certain subject areas), coaching focus areas (e.g., time management, resilience, delegation, communication), coaching activities (time, date, duration, participants)

    • Coaching Authentication Token: “TopLeader-access-token” for authenticating a logged-in user;

    • Information during Video Calls (unless end-to-end encrypted): Audio-Video-Transmission, TopLeader Platform Coachee ID, User Agent, Coachee IP-Address, Coachee location (in order to provide the best possible video and sound quality). Video calls are not recorded.

    • Data Processing Protocols may contain:

      • IP address

      • Coaching Session Data metadata including sessions allocated to user

      • User ID

      • Authorization and authentication events: Login failures, rights granted, rights removed.

 

5. Data Subjects

  • Coachees

  • Coachee Counterparts (limited to the cases as defined above in sect. “Category of Data”, para. e) Psychometric Assessment Data)

 

 

Appendix 2: Security Measures

 

1. People Security

1.1 Personnel Security Management

TopLeader maintains established policies and procedures designed to standardize employee onboarding and offboarding using automated processes, enabled by using identity and access management (IAM). Background checks are performed on new employees in accordance with TopLeader’s hiring procedures and applicable law prior to onboarding. Confidentiality agreements and terms of acceptable use are in place for each party.

1.2 Security Awareness Training

In order to promote a culture that enables members of TopLeader’s workforce to safeguard data and information in a secure manner, TopLeader maintains a comprehensive Security Awareness Training program to address general and role-based security training.

1.3 Policy Communication and Enforcement

All information security policies are communicated internally and available for reference in a centralized location. Known violations of policies follow an established disciplinary and enforcement process.

 

2. Data Security

2.1 Encryption

TopLeader data is encrypted in transit and storage using industry-standard ciphers and methods. This includes the use of AES-256 and TLS encryption ciphers. Encryption keys are stored securely with limited access. Advanced encryption is applied to various application infrastructure layers, and can include disk, application, and database encryption. Sharing of encryption keys is prohibited and key management procedures are reviewed on a yearly basis.

2.2 Product Access Controls

TopLeader provides a number of mechanisms to help customers keep their data secure and control access. This includes a series of controls that are based on the principle of least privilege. We encourage all customers to enable integration into their Federated Identity Provider through SAML. TopLeader’s platform is fully responsive across desktop and laptop devices. Security event and audit logs are collected and continuously monitored to detect and respond to anomalous behavior.

2.3 Network Controls

The TopLeader platform is built on isolated, private networks using security groups and firewalls within GCP. All inbound and internal traffic is restricted to specific ports. All traffic rates, sources, and types are actively monitored at various points in the network beyond ingress and firewalls. TopLeader logically isolates customer data using application container technology and unique identifiers, which assures that access to customer data is limited to only that customer.

2.4 Data Retention and Disposal

Customer data will be deleted upon written request or by default at the end of the contractual relationship according to the TopLeader Data Deletion Policy. Certain data might be accessed or deleted by the Coachee directly in the TopLeader App. Data is retained as needed to satisfy data classification and/or external requirements. Processes for the secure disposal of tangible property containing Customer Data are in place and take into account available technology so that Customer Data cannot practicably be read or reconstructed.

 

3. SDLC (Secure Development Lifecycle)

3.1 Agile Development

TopLeader has a dedicated cross-functional team to drive the Secure Development Lifecycle (SDLC) that supports the principles of agile development. This group is responsible for the coordination, communication, refinement, development of and adherence to security controls in our processes. In order to ship secure, high-quality products at pace, TopLeader leverages automated Security Testing to identify any potential vulnerabilities within source code, dependencies, and underlying infrastructure before releasing to our customers.

3.2 Dependency and Third Party Library Scanning

TopLeader analyzes project dependencies to determine vulnerabilities. Strict scoring criteria prevent the shipment of vulnerable dependencies in a product until they are resolved by Engineering teams.

3.3 Static Application Security Testing

TopLeader analyzes the web application source code yearly to determine bugs, technical debt, and security vulnerabilities. A strict scoring criterion is adhered to by the Engineering teams to ensure not only the security of code in our products but quality as well. Any code not meeting these criteria is not shipped until resolved.

3.4 Dynamic Application Security Testing

TopLeader runs automated web application vulnerability scans against the platform on a frequent basis. This allows for bugs, common exploits, security vulnerabilities, and issues to be discovered early on in the development process. By automating this approach, TopLeader is able to improve the quality and security of our platform for our customers.

3.5 Code Standards and Role-Based Access Control

In alignment with industry best practices, TopLeader has developed a baseline of source code controls to provide proper hygiene around code repositories supporting our platform. These controls are developed across the company. Controls automatically enforced include but are not limited to: role-based access control, least privilege, code & repository ownership, segregation of duties, branch protections, and secrets management.

 

4. Security Monitoring and Response

4.1 Logging and Monitoring

TopLeader’s security logs are collected, aggregated, and correlated using a centralized security information and event management (SIEM) solution. Industry-standard log protection mechanisms are in place to ensure the integrity of the logs generated.

4.2 Incident Response

TopLeader has security incident response procedures in place to be followed in the event of any security breach. These procedures cover roles and responsibilities, investigation, communication, event logging, and remedial actions to be taken.

4.3 Contingency Planning

Availability of data is protected through the use of data replication and backup services provided by GCP. Data backups are captured on a periodic basis according to a defined schedule. TopLeader leverages automated scaling to centrally deploy backup policies to configure, manage, and govern backup activity across TopLeader’s GCP resources. Business continuity and disaster recovery plans and processes are maintained for responding to an emergency or adverse event that could damage Customer Data or production systems that contain Customer Data. Data restore tabletop testing exercises are completed bi-annually employing methodologies based on best practices and various scenarios. Test results enable TopLeader to verify the integrity of backup data and assurance in achieving recovery point and time objectives (RPO/RTO), as defined in TopLeader’s Business Continuity Plan (BC Plan).

4.4 Penetration Testing

TopLeader uses the services of a reputable third party for an independent penetration test of our web application, performed yearly. These tests have resulted in continuous updates to our products and processes for improving security and reliability. These assessments are part of ongoing compliance and security requirements to keep TopLeader as a trusted provider of services. A customer-facing redacted executive summary of the latest penetration test is made available to customers under mutual non-disclosure agreement.
