Terms of Service
These Terms of Service set out the terms and conditions upon which you may use the ProdPad Service CreateShift makes available through www.prodpad.com.
By signing up to or using the ProdPad Service, you agree to and accept these Terms of Service.
Please read these Terms of Service carefully and make sure you understand and agree to them before using the ProdPad Service. If you have any questions relating to these Terms of Service please contact us at hello@prodpad.com.
Terms for beta program can be found here.
IF YOU DO NOT ACCEPT THESE TERMS OF SERVICE, PLEASE DO NOT USE THE PRODPAD SERVICE.
- INFORMATION ABOUT CREATESHIFT
- The ProdPad Service is provided by CreateShift Limited (“CreateShift”), a company incorporated and registered in England and Wales under company number 8092272 whose registered office is at 36 Brunswick Street West, Hove, BN3 1EL, UK. CreateShift’s VAT number is GB139492875.
- INTERPRETATION
- In these Terms of Service, save where the context requires otherwise, the following words and expressions have the following meaning:
- “Account” means the Customer’s account on the ProdPad Service;
- “Agreement” means the agreement between the Customer and CreateShift for the provision of the ProdPad Service comprising these Terms of Service and any terms agreed to during the Sign Up Process;
- “Billing Period” means the billing period for the Service Fees as set out in the applicable ProdPad Service Plan;
- “Customer” means the person or organisation identified as the customer during the Sign Up Process;
- “Customer Data” means any content or data transferred to any CreateShift equipment as a result of the Customer’s use of the ProdPad Service;
- “Commencement Date” means the date from which the Customer will receive access to the ProdPad Service as set out during the Sign Up Process;
- “Confidential Information” means information which is identified as confidential or proprietary by either party or by the nature of which is clearly confidential or proprietary;
- “Malware” means any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience (including all viruses, worms, trojan horses, spyware, logic bombs and similar files, scripts, agents, things or devices);
- “ProdPad Service” means the product management services and features CreateShift makes available through the Website;
- “ProdPad Service Plan” means the service plans relating to the ProdPad Service made available on the Website from time to time;
- “Service Fees” means the amount set out in the ProdPad Service Plan for the provision of the ProdPad Service;
- “Sign Up Process” means the process (whether electronic or otherwise) by which the Customer signs up to use the ProdPad Service and, which amongst other things, identifies the Customer and the applicable ProdPad Service Plan;
- “Terms of Service” means these terms and conditions of service as amended from time to time;
- “Trial” means a trial of the ProdPad Service for the Trial Period;
- “Trial Period” means the Trial period set out in the Sign Up Process;
- “User” means any person authorised by the Customer to access the ProdPad Service on behalf of the Customer; and
- “Website” means www.prodpad.com and any subdomains.
- In these Terms of Service, save where the context requires otherwise, the following words and expressions have the following meaning:
- CREATING AN ACCOUNT
- To use certain features and functionalities of the ProdPad Service, the Customer must first register and create an Account by completing the Sign Up Process.
- If the Customer is a legal entity (rather than an individual), the individual completing the Sign Up Process on the Customer’s behalf must have the necessary authority, power and right to fully bind the Customer.
- The Customer must promptly update the Customer’s Account information in the event of any changes to this information.
- CreateShift reserves the right to suspend or terminate the Customer’s Account and access to the ProdPad Service if any information provided proves not to be accurate or current.
- All Users of the ProdPad Service must be over the age of 16.
- TRIAL
- CreateShift may offer a Trial of the ProdPad Service during the Trial Period. If a Trial Period has been agreed during the Sign Up Process, the Trial will start on the Commencement Date and will continue for the Trial Period. Following expiry of the Trial Period, the Agreement will automatically terminate unless otherwise agreed by the Customer and CreateShift as set out in writing or during the Sign Up Process.
- Either party may terminate the Agreement at any time during the Trial Period.
- DURATION
- The Agreement shall start on the Commencement Date and continue until terminated:
- by CreateShift on one (1) month’s notice to expire no earlier than the end of the applicable Billing Period; or
- by Customer up until 30 days prior to their renewal date and such termination shall take effect at the end of the current Billing Period. The Customer acknowledges that it will not be entitled to a refund over any part of the Billing Period it has not used following its termination of the Agreement in accordance with this clause.
- Unless terminated by either party in accordance with clause 5.1, the Agreement shall automatically renew on the expiry of the Billing Period for another Billing Period and the Customer shall be charged the relevant Service Fees in accordance with clause 13.
- The Agreement shall start on the Commencement Date and continue until terminated:
- ACCESS TO THE PRODPAD SERVICE
- CreateShift grants the Customer a non-exclusive, non-transferable, personal and non sub-licensable licence to permit Users to use the ProdPad Service as permitted by the functionality of the ProdPad Service.
- The Customer must treat any username and password used to access the ProdPad Service or the Customer’s Account as Confidential Information, and it must not disclose it to any third party (other than to Users).
- In relation to Users, Customer shall procure that each User keeps secure and confidential any username and password provided to them for the User’s use of the ProdPad Service and shall not disclose such user name and password to any third party including any other Users.
- The Customer shall procure that each of its Users has its own username and password and will ensure that such usernames and passwords are not shared.
- CreateShift may disable any username or password, at any time and at CreateShift’s sole discretion, if a User or the Customer has failed to comply with any of the provisions of the Agreement.
- The Customer is responsible for maintaining the confidentiality of login details for its Account and any activities that occur under its Account including the activities of Users. The Customer shall, and shall procure its Users shall, use “strong” passwords which shall be at least eight (8) characters and not featured on any compromised password list in connection with its Account. CreateShift encourages the use of long passwords managed with Password Manager as per NIST recommendations and Single Sign On where possible. If the Customer has any concerns about the login details for its Account or thinks they have been misused, please contact CreateShift at hello@prodpad.com.
- The Customer must take reasonable precautions to prevent any unauthorised access to, or use of, the ProdPad Service and, in the event of any such unauthorised access or use, promptly notify CreateShift.
- The Customer recognises that CreateShift is always innovating and finding ways to improve the ProdPad Service with new features and services. Therefore, the Customer agrees that the ProdPad Service may change from time to time and no warranty, representation or other commitment is given in relation to the continuity of any functionality of the ProdPad Service.
- The Customer shall indemnify and defend CreateShift, its agents and contractors from and against any and all losses, damages, claims, liabilities or expenses (including reasonable lawyer’s fees) arising out of a claim brought by a third party relating to the Customer’s use of the ProdPad Service (except to the extent caused by CreateShift’s negligence).
- If the Customer chooses to downgrade the ProdPad Service Plan it has selected, the Customer acknowledges that this may result in the loss of certain Customer Data and certain elements of the ProdPad Service and CreateShift shall not be liable for any such loss.
- Beta Program: If the Customer chooses to use beta features we may temporarily use 3rd party services to process the Customer’s data. If the Customer does not want Customer data temporarily process by 3rd party services do not use the beta features. If the Customer toggles on the Beta AskDotBot feature this will send feedback to 3rd party service (OpenAI) in order to deliver the feature. If the Customer does not want the data sent to OpenAI, do not toggle on the AskDotBot feature.
- CUSTOMER’S OBLIGATIONS
- CreateShift may monitor the Customer’s use of the ProdPad Service to ensure quality, improve the ProdPad Service, and verify the Customer’s compliance with the Agreement.
- The Customer:
- must comply with all applicable laws and regulations with respect to its use of the ProdPad Service and its activities under the Agreement;
- must use and ensure its Users use the ProdPad Service in accordance with the terms of the Agreement and shall be responsible for any actions and omissions in connection with the use of the ProdPad Service by any Users;
- must obtain and shall maintain all necessary licences, consents, and permissions necessary for CreateShift to perform its obligations to the Customer under the terms of the Agreement;
- must ensure that its network and systems, including its internet browser used complies with any relevant specifications provided by CreateShift from time to time;
- is solely responsible for procuring and maintaining its network connections and telecommunications links from its systems in order to access and use the ProdPad Service;
- must not modify another website so as to falsely imply that it is associated with the ProdPad Service, any of CreateShift’s other services or CreateShift or its affiliates.
- must not carry out any penetration testing or automated or manual vulnerability scans (or similar security testing) in relation to the ProdPad Service without first having obtained the prior written authorisation of CreateShift; and
- must not use the ProdPad Service: (a) to access, store, distribute or transmit or prepare for distribution or transmission any Malware; (b) to access, store, distribute or transmit or prepare for distribution or transmission any material that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; (c) in a manner that is illegal or causes damage or injury to any person or property; (d) to infringe any copyright, database right or trademark of any person; (e) to transmit, send prepare for transmission or prepare for sending any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (‘spam’); or (f) to interfere with or attempt to interfere with or compromise the ProdPad Service integrity or security.
- The Customer agrees that failure to comply with this clause constitutes a material breach of the Agreement, and may result in CreateShift taking all or any of the following actions:
- immediate, temporary or permanent withdrawal of any rights to use the ProdPad Service;
- removing any violating Customer Data;
- the issuing of a warning;
- legal action against the Customer including proceedings for reimbursement of all costs and expenses (including, but not limited to, reasonable administrative and legal costs) incurred by us resulting from the breach; or
- disclosure of such information to law enforcement authorities as we reasonably feel is necessary.
- The Customer acknowledges that it is responsible for all Customer Data distributed or transmitted under its Account (including by its Users).
- The Customer acknowledges that the responses described in this clause are not limited, and we may take any other action we reasonably deem appropriate.
- IMPORTANT NOTE ON INTELLECTUAL PROPERTY RIGHTS
- CreateShift is the owner of or the licensee of all intellectual property rights in the ProdPad Service. These works are protected by copyright and other laws and treaties around the world. All such rights are reserved.
- The Customer will not, when using the ProdPad Service, except as may be allowed by any applicable law which is incapable of exclusion by CreateShift and to the extent expressly permitted under these Terms of Service:
- attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the ProdPad Service in any form or media or by any means;
- attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the ProdPad Service; or
- access all or any part of the ProdPad Service in order to build a product or service which competes with the ProdPad Service or use or attempt to use the ProdPad Service to directly compete with CreateShift.
- The Customer grants CreateShift a licence to access, download and use the Customer Data for the purpose of analysing the Customer Data in accordance with the ProdPad Service functionality, displaying the results of such analysis to Users, developing, testing, improving and altering the functionality of the ProdPad Service and producing anonymised or anonymised and aggregated statistical reports and research. Otherwise, CreateShift claims no rights in the Customer Data. The Customer shall maintain a backup of Customer Data and CreateShift shall not be responsible or liable for the deletion, correction, alteration, destruction, damage, loss, disclosure or failure to store any Customer Data.
- PUBLICITY
- CreateShift may use the Customer’s name, logo and related trade marks in any of CreateShift’s publicity or marketing materials (whether in printed or electronic form) for the purpose of highlighting that the Customer uses the ProdPad Service and alongside any testimonials that the Customer has agreed to give.
- The Customer may request CreateShift to stop using the Customer’s name, logo and related trademarks at any time by contacting CreateShift in writing at hello@prodpad.com.
- API
- The Customer may access Customer Data via CreateShift’s API (Application Program Interface).
- The Customer acknowledges that abuse or excessively frequent requests to the ProdPad Service via the API may result in the temporary or permanent suspension of the Customer’s access to the API. CreateShift, in its sole discretion, will determine abuse or excessive usage of the API. CreateShift will make a reasonable attempt via email to warn the Customer prior to suspension.
- DATA PROTECTION
- If any of the Customer Data contains personal data, the parties will process such personal data in accordance with the Data Processing Schedule.
- For the purposes of the Agreement, “personal data” and “process” shall have the meanings as set out in the Data Processing Schedule.
- CONFIDENTIAL INFORMATION
- Each party may be given access to Confidential Information from the other party in order to perform its obligations under the Agreement. A party’s Confidential Information shall not be deemed to include information that:
- is or becomes publicly known other than through any act or omission of the receiving party;
- was in the other party’s lawful possession before the disclosure;
- is lawfully disclosed to the receiving party by a third party without restriction on disclosure;
- is independently developed by the receiving party, which independent development can be shown by written evidence; or
- is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
- Each party shall hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available for use for any purpose other than as needed to perform the terms of the Agreement.
- Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by it or its employees or agents in violation of the terms of the Agreement.
- Each party shall take a back-up of its own Confidential Information and shall not be responsible to the other for any loss, destruction, alteration or disclosure of Confidential Information.
- Each party may be given access to Confidential Information from the other party in order to perform its obligations under the Agreement. A party’s Confidential Information shall not be deemed to include information that:
- PRICE AND PAYMENT
- The Customer will pay the Service Fees as set out in the ProdPad Service Plan. The Service Fees are payable in advance. The Customer agrees that the Service Fees are non-refundable. Where an agreement has been signed specifying a 12-month term and total contract value, downgrading of the Service Plan is not allowed within the first 6 months from the start of the contract term. Furthermore, if a Customer wishes to cancel before the 12-month term is completed, the Customer remains liable to pay the total contract value in full. Upgrades to the Service Plan are eligible at any time during the contract term.
- Unless alternative payment is agreed during the Sign Up Process, the Customer will provide to CreateShift valid, up-to-date and complete credit or debit card details and it hereby authorises CreateShift to bill such credit or debit card for the Service Fees in accordance with the Billing Period.
- The Customer shall pay the Service Fees by card payment or, if agreed in advance with CreateShift, by bank transfer within 14 days after receipt of an invoice from CreateShift. For contracts with a 12-month term and a signed quote specifying a total contract value, if the Customer wishes to downgrade the ProdPad Service Plan within the first 6 months of the term, no prorated refunds will be provided. If the Customer wishes to cancel before the 12-month term is up, they are liable for the total contract value in full. Upgrades to the Service Plan are eligible at any time.
- If the Customer upgrades or downgrades the ProdPad Service Plan it has selected during any Billing Period, a prorated charge or credit relating to the remainder of the Billing Period will be applied (as applicable) and the Service Fees will be adjusted automatically to the new rate from the start of the next Billing Period. Any prorated credit applied under this clause may only be used to offset Service Fees payable by the Customer in future. For the avoidance of doubt, the Customer shall not be entitled to a cash refund of any prorated credit it receives under this clause.
- If CreateShift has not received payment within 14 days after the due date, and without prejudice to any other rights and remedies available to CreateShift:
- CreateShift may, without liability to the Customer, suspend or temporarily disable all or part of its access to the ProdPad Service and CreateShift shall be under no obligation to provide any access to the ProdPad Service while the invoice(s) concerned remain unpaid; and
- interest shall accrue on such due amounts at an annual rate equal to 3% over the then current base lending rate of Barclays Bank PLC at the date the relevant invoice was issued, commencing on the due date and continuing until fully paid, whether before or after judgment.
- All amounts and fees stated or referred to in the Agreement:
- are payable in the currency specified in the Sign Up Process or otherwise stipulated by CreateShift; and
- are exclusive of value added tax (“VAT”) or any other applicable taxes, levies or duties imposed by taxing authorities (excluding only United States federal or state taxes), unless otherwise expressly stated, which shall be paid at the same time as payment of the Service Fees. CreateShift shall send the Customer a VAT invoice if CreateShift is requested to do so.
- Unless otherwise agreed in writing, CreateShift may increase the Service Fees upon 30 days’ notice in writing to the Customer, such increase to take effect from the start date of the next applicable Billing Period.
- If the Customer is unhappy with the increase, the Customer may terminate the Agreement with CreateShift pursuant to clause 5.1.2.
- During such notice period, the Services Fees will not increase.
- SERVICE LEVELS AND SUPPORT
- Where the Customer has paid for access to the ProdPad Service, we will use commercially reasonable endeavours to make the ProdPad Service available with an uptime rate of 99%, except for:
- planned maintenance for which 24 hours’ notice will be given; or
- unscheduled maintenance during normal business hours (UK time) or otherwise, for which we will use reasonable endeavours to give the Customer advance notice.
- Where the Customer has paid for access to the ProdPad Service, CreateShift will, as part of the ProdPad Service, use reasonable endeavours to provide a level of support that is appropriate to the nature of any issues requiring support during normal business hours (UK time). The Customer can access such support through the following means:
- Email: help@prodpad.com
- Help desk: https://help.prodpad.com
- In-app messenger service
- Support for Customers using the ProdPad Service for free will be provided entirely at CreateShift’s option and discretion.
- The Customer acknowledges that elements of the ProdPad Service are dependent on access to various third party services and APIs. The Customer agrees that CreateShift is not responsible for the non-availability or interruption to the ProdPad Service caused by any such non-availability of any such third party services or APIs.
- Where the Customer has paid for access to the ProdPad Service, we will use commercially reasonable endeavours to make the ProdPad Service available with an uptime rate of 99%, except for:
- SUSPENSION AND TERMINATION
- If the Customer fails to pay any sum due to CreateShift and such sum remains outstanding for a further 14 days following notice requiring such sum to be paid, CreateShift may terminate the Agreement with the Customer immediately by notice and without any liability for CreateShift to the Customer.
- CreateShift may terminate the Agreement with 30 days’ notice in writing.
- CreateShift may terminate the Agreement by notice with immediate effect, or such notice as CreateShift may elect to give, if the Customer:
- is in breach of applicable law; or
- infringes CreateShift’s intellectual property rights in the ProdPad Service.
- Either party may terminate the Agreement at any time on written notice to the other if the other:
- is in material or persistent breach of any of the terms of the Agreement and either that breach is incapable of remedy, or the other party fails to remedy that breach within 30 days after receiving written notice requiring it to remedy that breach; or
- is unable to pay its debts (within the meaning of section 123 of the Insolvency Act 1986), or becomes insolvent, or is subject to an order or a resolution for its liquidation, administration, winding-up or dissolution (otherwise than for the purposes of a solvent amalgamation or reconstruction), or has an administrative or other receiver, manager, trustee, liquidator, administrator or similar officer appointed over all or any substantial part of its assets, or enters into or proposes any composition or arrangement with its creditors generally, or is subject to any analogous event or proceeding in any applicable jurisdiction.
- On termination of the Agreement for any reason all licences granted under the Agreement shall immediately terminate and the Customer’s right to access and use the ProdPad Service will end.
- Upon termination of the Agreement, the Customer may request that any Customer Data is actively deleted, passively deleted or parked in accordance with CreateShift’s Data Deletion Policy. If the Customer fails to make such an election, Customer Data will be subject to passive deletion and CreateShift shall not be held responsible for the deletion of such Customer Data.
- The accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination shall not be affected or prejudiced.
- LIMITED WARRANTY
- CreateShift undertakes to support the ProdPad Service as specified in clause 14 with reasonable skill and care. Otherwise, the ProdPad Service is provided on an “AS IS” basis and CreateShift gives no representations, warranties, conditions or other terms of any kind in respect of the ProdPad Service, whether express or implied, including, but not limited to, warranties of satisfactory quality, merchantability fitness for a particular purpose or non-infringement.
- Except as expressly and specifically provided for in the Agreement:
- the Customer assumes sole responsibility for any results obtained from the use of the ProdPad Service and for any decisions or actions taken arising from such use and it relies on the results obtained from the ProdPad Service at its own risk;
- all representations, warranties, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by law, excluded from the Agreement; and
- CreateShift will not be responsible for any interruptions, delays, failures or non-availability affecting the ProdPad Service or the performance of the ProdPad Service which are caused by third party services or errors or bugs in software, hardware or the internet on which CreateShift relies to provide the ProdPad Service and the Customer acknowledges that CreateShift does not control such third party services and that such errors and bugs are inherent in the use of such software, hardware and the Internet.
- CREATESHIFT’S LIABILITY
- Subject to clause 17.2, CreateShift will not be liable for losses that result from CreateShift’s failure to comply with the Agreement, in tort (including negligence) or otherwise in conditions that fall into the following categories: loss of income or revenue; loss of business; loss of profits; loss of anticipated savings; loss of data; waste of management or office time; or any indirect, consequential or special damages, costs or expenses.
- Nothing in the Agreement excludes or limits CreateShift’s liability for death or personal injury caused by CreateShift’s negligence or for fraud or fraudulent misrepresentation.
- CreateShift’s total liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise arising in connection with the performance or contemplated performance of the Agreement shall in all circumstances be limited to the Service Fees paid by the Customer in the 6 months prior to the event giving rise to the claim or, where no Service Fees are payable (e.g. during the Trial Period), £1.
- WRITTEN COMMUNICATIONS
- Applicable laws may require that some of the information or communications CreateShift sends to the Customer should be in writing. When using the ProdPad Service, the Customer accepts that communication with CreateShift will be mainly electronic.
- CreateShift will contact the Customer by e-mail or provide the Customer with information by posting notices on the ProdPad Service.
- For contractual purposes, the Customer agrees to this electronic means of communication and the Customer acknowledges that all contracts, notices, information and other communications that CreateShift provides to the Customer electronically comply with any legal requirement that such communications be in writing.
- NOTICES
- All notices given by the Customer to CreateShift must be given to hello@prodpad.com. CreateShift may give notice to the Customer by posting on the ProdPad Service, at the e-mail or postal address the Customer provides to CreateShift, or in any other way CreateShift deems appropriate. Notice will be deemed received and properly served immediately when posted on the ProdPad Service or 24 hours after an e-mail is sent or 3 days after the date of posting of any letter. In proving the service of any notice, it will be sufficient to prove, in the case of a letter, that such letter was properly addressed, stamped and placed in the post and, in the case of an e-mail that such e-mail was sent to the specified e-mail address of the addressee.
- TRANSFER OF RIGHTS AND OBLIGATIONS
- The Customer may not transfer, assign, charge or otherwise deal in the Agreement, or any of the Customer’s rights or obligations arising under the Agreement, without CreateShift’s prior written consent.
- EVENTS OUTSIDE CREATESHIFT’S CONTROL
- No party shall be liable to the other for any delay or non-performance of its obligations under the Agreement arising from any cause beyond its control including, without limitation, any of the following: telecommunications failure, pandemic, internet failure, act of God, governmental act, war, fire, flood, explosion or civil commotion. For the avoidance of doubt, nothing in this clause 21 shall excuse the Customer from any payment obligations under the Agreement.
- WAIVER
- No forbearance or delay by either party in enforcing its rights shall prejudice or restrict the rights of that party, and no waiver of any such rights or of any breach of any contractual terms shall be deemed to be a waiver of any other right or of any later breach.
- SEVERABILITY
- If any provision of the Agreement is judged to be illegal or unenforceable, the continuation in full force and effect of the remainder of the provisions shall not be prejudiced.
- CREATESHIFT’S RIGHT TO VARY THE TERMS OF SERVICE
- CreateShift has the right to revise and amend these Terms of Service from time to time to reflect changes in market conditions affecting CreateShift’s business. The most current Terms of Service will always be at https://www.prodpad.com/terms-of-service/.
- The Customer will be subject to the Terms of Service in force at the time that it makes use of the ProdPad Service, or if CreateShift notifies the Customer of changes to these Terms of Service and it continues to use the ProdPad Service the Customer will be subject to those changes.
- CreateShift will use reasonable endeavours to notify the Customer of any material changes to these Terms of Service by the placement of a notice on the ProdPad Service.
- ENTIRE AGREEMENT
- The Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
- THIRD PARTY RIGHTS
- A person who is not party to the Agreement shall not have any rights under or in connection with them under the Contracts (Rights of Third Parties) Act 1999.
- LAW AND JURISDICTION
- The Agreement shall be governed by and construed in accordance with English law and each party hereby submits to the exclusive jurisdiction of the English courts.
Schedule: Data Processing Schedule
- INTRODUCTION
- This Schedule forms part of the Terms of Service between CreateShift and the Customer for the provision of the ProdPad Service and sets out the terms upon which CreateShift will process personal data on the Customer’s behalf when providing the ProdPad Service and acting as a data processor.
- DEFINITIONS
- In this Schedule, save where the context requires otherwise, the following words and expressions have the following meaning:
- “Business Day” means a day other than a Saturday, Sunday or bank or public holiday in England;
- “Data Subject Request” means a request made by a data subject to exercise any rights of data subjects under Data Protection Laws relating to the Personal Data;
- “Data Protection Laws” means any applicable law relating to the protection of personal data and privacy in force from time to time, including (i) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); (ii) the Data Protection Act 2018; and (iii) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; in each case together with all laws implementing, replacing or supplementing the same and any other applicable data protection or privacy laws;
- “EEA” means the European Economic Area;
- “Personal Data” means the personal data described in Annex 1 (Data Processing Information) and any other personal data processed by CreateShift on behalf of the Customer pursuant to or in connection with the Agreement;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
- “Sub-processor” means any data processor (including any affiliate of CreateShift) appointed by CreateShift to process Personal Data on behalf of the Customer;
- “Supervisory Authority” means any regulatory authority responsible for the enforcement of Data Protection Laws; and
- “UK” means the United Kingdom.
- Any other terms which appears as defined in this Schedule shall have the meaning given to them in the Terms of Service.
- In this Schedule, save where the context requires otherwise, the following words and expressions have the following meaning:
- PROCESSING OF THE PERSONAL DATA
- Each party acknowledges and agrees that for the purposes of the Agreement and Data Protection Laws, the Customer shall be the controller and CreateShift the processor in respect of the Personal Data.
- Each party confirms that in the performance of the Agreement it will comply with Data Protection Laws.
- CreateShift shall only process the types of Personal Data relating to the categories of data subjects for the specific purposes in each case as set out in Annex 1 (Data Processing Information) to this Schedule and shall not process the Personal Data other than in accordance with the Customer’s documented instructions (whether in the Agreement or otherwise) unless processing is required by applicable law to which CreateShift is subject, in which case CreateShift shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Personal Data.
- CreateShift shall inform the Customer if, in its opinion, an instruction it receives from the Customer pursuant to the Agreement infringes the GDPR.
- CUSTOMER WARRANTY
- The Customer warrants that it has all necessary rights to provide the Personal Data to CreateShift for the processing to be performed in relation to the ProdPad Service.
- SUPPLIER PERSONNEL
- CreateShift shall treat all Personal Data as confidential and shall use reasonable efforts to inform all its relevant employees, contractors and/or any Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
- CreateShift shall take reasonable steps to ensure the reliability of any employee, contractor and/or any Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in paragraph 3.3 in the context of that person’s or party’s duties to CreateShift.
- CreateShift shall ensure that all such persons or parties involved in the processing of Personal Data are subject to:
- confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
- user authentication processes when accessing the Personal Data.
- SECURITY
- CreateShift shall implement the technical and organisational measures set out in Annex 2 (Security Measures) to this Schedule and the Customer acknowledges that such measures ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing.
- SUBPROCESSING
- The Customer hereby grants its general authorisation to the appointment of Sub-processors by CreateShift under the Agreement.
- If CreateShift seeks to replace any existing Sub-processor and/or appoint any new Sub-processor, CreateShift will provide the Customer with 30 days’ prior notice of the proposed change in Sub-processor(s) and the Customer shall have the right to object to such change within 14 days after its receipt of such notice.
- The Customer’s sole remedy if it does not agree to the replacement or appointment of a Sub-processor shall be to terminate the Agreement.
- With respect to each Sub-processor, CreateShift shall:
- enter into a written contract with the Sub-processor which shall contain terms materially the same as those set out in this Schedule;
- remain liable to the Customer for any failure by the Sub-processor to fulfil its obligations in relation to the processing of any Personal Data.
- An overview of the Sub-processors CreateShift relies upon as at the Commencement Date (and which shall be deemed to be approved by the Customer), including their functions and locations, is available at https://www.prodpad.com/compliance.
- DATA SUBJECT RIGHTS
- CreateShift shall refer all Data Subject Requests it receives to the Customer without undue delay and, in any event, within 2 Business Days.
- The ProdPad Service will enable the Customer to access, rectify and restrict processing of the Personal Data, and to erase and export the Personal Data.
- In the event that the Customer cannot fulfil any Data Subject Request itself using the means described in paragraph 8.2, CreateShift shall co-operate as reasonably requested by the Customer to enable the Customer to comply with any such request.
- INCIDENT MANAGEMENT
- In the case of a Personal Data Breach, CreateShift shall not later than 24 hours after having become aware of it notify the Personal Data Breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.
- DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- CreateShift shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under applicable Data Protection Laws and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Data Protection Laws, in each case in relation to processing of Personal Data by CreateShift on behalf of the Customer and taking into account the nature of the processing and information available to CreateShift.
- DELETION OR RETURN OF CUSTOMER PERSONAL DATA
- On cessation of processing of Personal Data by CreateShift, or termination of the Agreement, CreateShift shall permit Customer (at its option) to:
- extract a complete copy of all Personal Data by secure file transfer and securely wipe all other copies of the Personal Data processed by CreateShift or any Sub-processor unless required to retain such data in order to comply with applicable laws; or
- request CreateShift to delete the Personal Data (and procure that any Sub-processor does the same) unless required to retain such data in order to comply with applicable laws.
- If the Customer fails to exercise its rights under paragraphs 11.1.1 and 11.1.2 above, CreateShift shall delete the Personal Data (and procure that any Sub-processor does the same) within 90 days following the termination of the Agreement, unless required to retain such data in order to comply with applicable laws.
- On cessation of processing of Personal Data by CreateShift, or termination of the Agreement, CreateShift shall permit Customer (at its option) to:
- AUDIT RIGHTS
- CreateShift shall make available to the Customer on request all information reasonably necessary to demonstrate compliance with this Schedule and Data Protection Laws and allow for and contribute to audits in accordance with CreateShift’s or its Sub-processors polices in place from time to time.
- Prior to conducting any audit pursuant to paragraph 12.1, the Customer must submit an audit request to CreateShift and the Customer and CreateShift must agree the start date, scope and duration of and security and confidentiality controls applicable to any such audit.
- CreateShift may (acting reasonably) object to the appointment by the Customer of an independent auditor to carry out an audit pursuant to paragraph 12.1 and, where this is the case, the Customer shall be required to appoint another auditor or conduct the audit itself.
- INTERNATIONAL TRANSFERS OF PERSONAL DATA
- In the event that a transfer of Personal Data to CreateShift or any Sub-processor is reasonably considered to involve a transfer of Personal Data outside of the UK and/or the EEA to a country which is not recognised by the European Commission as having an adequate level of protection for personal data, CreateShift shall, upon request, enter into Standard Contractual Clauses with the Customer or with the relevant Sub-processor (as agent on behalf of the Customer) for such transfer of Personal Data.
- COSTS
- The Customer shall pay any reasonable costs and expenses incurred by CreateShift in meeting the Customer’s requests made under paragraphs 8, 10 and 12 of this Schedule.
- MISCELLANEOUS
- Any obligation imposed on CreateShift under the Agreement in relation to the processing of Personal Data shall survive any termination or expiration of the Agreement.
- In the event of inconsistencies between any provision of the Agreement and provision of this Schedule, the provision of this Schedule shall prevail with regard to the parties’ obligations relating to the processing of the Personal Data.
- This Agreement shall be governed by and construed in accordance with English law unless the Customer is established in the EEA in which case the governing law shall be the law of the country in which the Customer is established.
Annex 1: Data Processing Information
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter, nature and purposes of the processing of Personal Data | Processing for the purposes of provision of the ProdPad Service and any technical support in connection with the Customer’s use of the services. |
Duration of the processing | The duration of the Agreement. |
Type of personal data | Personal data including: – identification and contact data (name, email, profile image, social media profiles, bio, emails, telephone number, job title, employer); and – financial information of Customer (billing address, credit card details, account details, payment information). |
Categories of data subjects | Customers (if applicable) and Customers’ Users |
Annex 2: Security Measures
As from the Commencement Date, CreateShift will implement and maintain the security
measures set out in this Annex 2 to the Schedule to the Agreement. CreateShift may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the ProdPad Service.
- Data and Physical Security
- CreateShift utilizes AWS to provide the infrastructure (data centers, servers and similar) to provide the ProdPad Service. Details of the AWS infrastructure and security measures can be found here:
https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf.
Further information about the data centers specifically can be found here:
https://aws.amazon.com/compliance/data-center/data-centers/
- CreateShift utilizes AWS to provide the infrastructure (data centers, servers and similar) to provide the ProdPad Service. Details of the AWS infrastructure and security measures can be found here:
- Network and Application
- Intrusion Detection. – Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. CreateShift’s intrusion detection involves:
- Tightly controlling the size and make-up of CreateShift’s attack surface through preventative measures;
- Employing intelligent detection controls at data entry points; and
- Employing technologies that automatically remedy certain dangerous situations.
- Incident response – CreateShift monitors a variety of communication channels for security incidents, and CreateShift’s security personnel will react promptly to known incidents.
- Transit Encryption Technologies – CreateShift makes HTTPS encryption (also referred to as SSL or TLS connection) available. CreateShift servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.
- Audit – CreateShift has an infrastructure and network and application audit logging for compliance and security monitoring.
- Secure coding – All code is scanned through static analysis on a daily basis to identify bugs and vulnerabilities before they are released. Developers all undergo secure coding training.
- Scans – CreateShift runs regular web application and vulnerability scans. Regular scans are made of the infrastructure to identify infrastructure vulnerabilities. Identified issues are reviewed and addressed at the earliest possible time.
- Penetration Tests – Penetration tests by a 3rd party security company are conducted at least annually.
- Intrusion Detection. – Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. CreateShift’s intrusion detection involves:
- Business Security
- Business Continuity. – CreateShift replicates data over multiple systems to help to protect against accidental destruction or loss. CreateShift has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
- Redundancy. – CreateShift runs several clusters within AWS providing failover redundancy of the application.
- Data
- Data Storage, Isolation & Authentication. – CreateShift stores data in a multi-tenant environment in AWS in the EU (Ireland) region. Data, ProdPad database and file system architecture are replicated between multiple geographically dispersed data centers.
CreateShift logically isolates data on a per Customer basis at the application layer. CreateShift logically separates each Customer’s data from the data of other Customers, and data for an authenticated User will not be displayed to another User (unless both Users have access to the same Customer Account).
A central authentication system is used across all services to increase uniform security of data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the ProdPad Service, will enable Customer to determine the product sharing settings applicable to Users for specific purposes. Customer may choose to make use of certain logging capability that CreateShift may make available via the ProdPad Service, products and APIs. - Encryption. – All data is encrypted at rest using AES-256 industry standard utilizing AWS Key Management Store (KMS) to manage the keys. All data backups are encrypted using the same standard.
- Backups & redundancy. – Snapshots are taken nightly with point-in-time recovery to allow recovery to within 1 minute of failure. The backups are stored in S3 for high availability. Each data store is a cluster with hot failover in the event primary data store fails or becomes available. All data store nodes are physically separated into separate data centers.
- Decommissioned Disks and Disk Erase Policy. – Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) by AWS. Full details on disk decommissioning are available here https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
- Data Storage, Isolation & Authentication. – CreateShift stores data in a multi-tenant environment in AWS in the EU (Ireland) region. Data, ProdPad database and file system architecture are replicated between multiple geographically dispersed data centers.
- Personnel Security
- CreateShift personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. CreateShift conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations.
Personnel are subject to a duty of confidentiality and must acknowledge receipt of, and compliance with, CreateShift’s confidentiality and privacy policies.
Personnel are provided with security training.
- CreateShift personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. CreateShift conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations.
- Sub-processor Security
- Before onboarding Sub-processors, CreateShift conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.