Data processing

We collect and process some of your data to enhance your experience, provide you with relevant content, and ensure everything functions efficiently. Don't worry! Your data is in good hands, and we handle it with complete confidentiality.

We only use what is necessary for you to enjoy to the fullest. If you want to know more, you can check our Privacy Policy.

Data processing

This Data Processing Agreement is made between Comisionea S.L., a Spanish limited liability company with its registered office at Calle Virués, 4 bajo, 46002 Valencia, Spain (hereinafter, "Feending" or the "Company") and the party that electronically accepts or otherwise agrees or opts for this Data Processing Agreement, for example, by signing an order contract (the "Customer"), specifying that the use of the Feending solution (hereinafter, the "Feending Solution") constitutes acceptance of this Data Processing Agreement.

PREAMBLE

In the context of European Union Regulation 2016/679 (GDPR), this Data Processing Agreement aims to define the rights and obligations of the Parties, as defined by the Data Protection Legislation, as defined herein.

In this respect, Feending is particularly sensitive to the privacy of its Users and the Customer regarding the protection of their Personal Data, as well as to its obligations as a Data Processor, as applicable, as described in this Data Processing Agreement.

It is expressly understood that this Data Processing Agreement forms an integral part of the main subscription contract that applies to the Parties regarding the provision of the Feending solution (hereinafter, the "Contract").

ARTICLE 1: DEFINITIONS

The terms used in this Data Processing Agreement and that have the first letter capitalized, whether in singular or plural form, shall have the following meaning:

“Administrator” designates any person, employee, representative, or third party duly authorized by the Customer or one of its Administrators to access the administration panel of the Feending Solution.

“Customer Contact Email” means the email address of the Customer communicated to Feending in order to notify relevant information about the Processing performed by the Company.

“Data Controller” means the natural or legal person, public authority, or other body that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller.

“Data Protection Legislation” means the GDPR, as well as any legislation and/or regulation implementing or creating under the GDPR and the Electronic Privacy Legislation, or that amends, replaces, promulgates, or consolidates them, and all other applicable national laws related to the processing of personal data and privacy that may exist under applicable law.

“Data Subject” means an identified or identifiable natural person.

“End User” means any User of the Feending Solution, who is not an Administrator and the Customer, who can access the Feending Solution with the credentials provided by an Administrator and who interacts using the Feending Solution.

“GDPR” (General Data Protection Regulation): means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and its European and national implementation laws.

“Personal Data” means any information related to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“User” means any Administrator or End User.

ARTICLE 2: PROCESSING OF PERSONAL DATA

Personal Data is collected and processed in the following manner.

2.1 Personal Data of Customer Staff

In accordance with its subscription to the Contract and the availability of the Feending Solution, the Company collects information about the identification of the Customer (trading name, legal form, business address, NIF or intra-European VAT number) and contact Personal Data (emails, billing contacts).

For the collection of Personal Data from Customer staff (including the Customer Contact Email), the Company shall qualify as Data Controller.

2.2 Personal Data of Users

The Personal Data of Users, which are processed through the use of the Feending Solution, are the sole responsibility of the Customer, who collects and processes the Personal Data on its own behalf, understanding that the Customer determines the purposes and general means of processing Personal Data in accordance with the applicable Data Protection Legislation.

2.3 Processing of Personal Data of Users by the Company

The Customer is informed that the Personal Data of its Users are collected solely for the purpose of executing the Contract and the Feending Solution to which the Customer has subscribed. If the Customer does not communicate the required Personal Data, it will not be able to use the full functionality of the services.

The Customer is informed that the Company performs statistical analyses, as well as audience measurement, visits, and effective uses of the Feending Solution, but only after anonymizing the Personal Data of the Users. Furthermore, these statistical analyses, as well as audience measurement, visits, and effective uses of the Feending Solution, are exclusively intended for Feending, excluding third parties, and solely for the purpose of optimizing and improving the functionalities of the Feending Solution.

The Customer guarantees the accurate transmission of this information to the Users of the Feending Solution.

2.4 Obligations of the Customer as Data Controller

The Customer, when using the Feending Solution, must qualify as Data Controller of the Personal Data of the Users.

As Data Controller, the Customer explicitly agrees to:

  • Have a legal basis for collecting and processing its Personal Data prior to collecting, hosting. The Customer confirms that it is informed that it can obtain the consent of the User through a feature provided by the Company in the Feending Solution.

  • Collect the Personal Data of the Users only for specific, explicit, and legitimate purposes and not to process them in a manner incompatible with those purposes.

  • Maintain a record of the processing of Personal Data carried out through the Feending Solution.

  • Implement all necessary technical and organizational measures to ensure the security of the processing carried out, guarantee the protection of the rights of individuals affected by the processing, and comply with the requirements of the Data Protection Legislation.

  • Limit access to the Personal Data of the Users only to authorized persons, i.e., to Users of the Feending Solution.

  • Raise awareness and train staff members on the processing of Personal Data, the provisions of the Data Protection Legislation, and its consequences.

  • Never transfer, in any way, the Personal Data of the Users to a third party, unless this transfer complies with the Data Protection Legislation.

  • Guarantee all rights regarding access, portability, erasure, rectification, opposition, and restriction of the Personal Data of the Users collected during the use of the Feending Solution; if the Customer requires the assistance of the Company to do so, the Customer agrees to notify any request to exercise any of the aforementioned rights to the Company without delay.

  • Notify the relevant supervisory authority of any security breach that poses a serious risk to the rights and freedoms of the Users within 72 hours after becoming aware of the breach.

  • After the termination of the Contract with the Company, and in the event that retention is no longer necessary, proceed to delete the Personal Data of the Users within a period compatible with the Data Protection Legislation.

In the event that the information is collected directly from the Users, the Customer, as Data Controller, agrees to provide the Users, as appropriate, with the following information:

  • The information regarding the identity of the Customer, as well as the name of the Data Controller.

  • The purpose of the processing of Personal Data.

  • The recipient of the Personal Data: the Customer and the Company, as well as their subcontractors.

  • The retention period of the Personal Data.

  • The existence of their rights regarding access, rectification, erasure, and portability of the Personal Data, or any limitation or opposition to the processing of such data.

  • When appropriate, the Users' right to withdraw their consent regarding the processing.

  • The right of the Users to lodge a complaint with the competent supervisory authority if they believe their rights have not been respected.

  • The Customer informs the Users that refusal to communicate the aforementioned data will result in the Feending Solution being unavailable for use.

In accordance with this Data Processing Agreement, the Customer agrees to carry out all declarative formalities and/or authorization requests and/or impact assessments, if necessary, as well as to ensure compliance with the competent supervisory authority in light of the processing it performs in connection with the use of the Feending Solution.

In the event that the Customer has not yet carried out the aforementioned formalities, it explicitly agrees to do so immediately.

The Customer remains responsible for the Processing of Personal Data carried out under its own responsibility.

The Customer must communicate the Customer Contact Email to the Company.

2.5 Obligations of the Company as Data Processor

The use of Users' Personal Data in the context of the use of the Feending Solution implies that Feending must be qualified as a Data Processor.

The object, duration, nature, and purpose of the processing of Personal Data, as well as the type of Personal Data processed and the categories of Data Subjects, are listed in Annex 1.

The Contract, its Appendices, and this Data Processing Agreement shall qualify as written instructions from the Customer, qualified as the Data Controller, to Feending, qualified as the Data Processor, without prejudice to any additional instruction given in writing.

As Data Processor and in accordance with the privacy procedures provided by the Data Protection Legislation, Feending may only use Personal Data in accordance with the instructions of the responsible Customer.

As Data Processor, Feending agrees to always present sufficient guarantees to ensure the implementation of the necessary security and privacy measures.

Furthermore, Feending agrees to:

  • Support the Customer in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under the GDPR; when this assistance exceeds what is commercially reasonable, Feending and the Customer will agree on the applicable financial terms for the continuation of the assistance.

  • Maintain a record of the processing of Personal Data carried out through the Feending Solution.

  • Not transfer the Users' Personal Data to third parties, except for its subcontractors and as permitted by the Contract, its Appendices, and this Data Processing Agreement, and without prior notification to the Customer.

  • Allow the Data Controller to audit the processing carried out by Feending, as well as any appropriate technical and organizational measures that ensure the security of the processing, respect for the rights of data subjects, and the requirements of the Data Protection Legislation, specifying that the Customer must inform the Company at least thirty (30) calendar days in advance by written notice. The audit will be conducted at the Customer's expense and may only cover the appropriate technical and organizational measures that ensure the security of the processing, respect for the rights of data subjects, and the requirements of the GDPR. The Customer agrees to designate an independent auditor, who is not a competitor of the Company in the field of Software as a Service (SaaS), who is pre-approved by the Company and agrees to a confidentiality agreement. The Company agrees to cooperate with the auditor in the fulfillment of its mission by providing reasonably necessary information and responding to its reasonable questions. A copy of the audit report prepared by the auditor will be provided to each Party and will be collectively discussed among the Parties during a meeting specifically organized for this purpose.

  • The Company agrees to assist the Customer with the analysis of whether a data protection impact assessment is necessary for the processing of Personal Data by the Customer. When the latter considers it necessary to conduct a data protection impact assessment, the Company agrees to assist the Customer in conducting the data protection impact assessment and, when appropriate, in relation to prior consultation with the supervisory authority. This assistance applies under the same conditions established in the first paragraph of this article.

  • Restrict access to Personal Data only to authorized personnel. In this context, the Company informs the Customer that, according to its employment contracts, its staff is subject to confidentiality clauses that explicitly refer to Personal Data.

2.6 Data Breach

The Company will implement all technical measures that allow for the detection of personal data breaches (as defined by the Data Protection Legislation) and that enable informing the Data Controller of the breaches within a reasonable timeframe.

In the event of a personal data breach occurring or having occurred, the Company will notify the Customer by email without undue delay, and in any case, within 72 hours after becoming aware of the breach, using the Customer Contact Email.

Without prejudice to the Company’s legal obligations, the Customer will be responsible for notifying the breach to the competent authority(ies) and/or affected individuals.

Without prejudice to the Company's legal obligations, the Company will assist the Customer to the best of its ability with the notification of the breach to the competent authority(ies) and/or affected individuals.

The Company will treat any questions/requests from the Customer related to the breach as a priority.

In the event of a breach, the Company will take all necessary and appropriate measures to restore the Personal Data and/or limit the negative impact of the breach as much as possible (including, among others, providing forensic assistance to the Customer), understanding that the Company, when reasonably possible, will always consult the Customer about the measures to be taken.

2.7 Appropriate Technical and Organizational Measures Implemented by Feending

From the outset of the Processing, the Company has implemented appropriate technical and organizational measures to guarantee the security of the processing, as well as respect for the rights of the persons involved and the requirements of the GDPR.

The code of the Feending Solution and the processed Personal Data are hosted on the servers of Amazon and Google Cloud Platform, as both offer sufficient guarantees in terms of the technical and organizational measures required under the Data Protection Legislation.

The Customer can consult the privacy policies of Amazon AWS and Google Cloud Platform at the following addresses:

https://cloud.google.com/security/privacy/

https://aws.amazon.com/compliance/gdpr-center/

The Company also performs a daily backup of the Personal Data hosted on the servers of Amazon and/or Google Cloud Platform. Personal Data is saved once every hour. The Company retains the last backup of each day for a period of thirty (30) days.

The Customer has the capability to extract the Personal Data of the end Users in an Excel spreadsheet from its administration module.

For any additional questions, the Company invites its customers to contact via email at support@feending.com.

2.8 Service Providers of the Data Processor

For the proper use of the services provided in Feending, it is required that data be transferred outside the European area; for example, they may be transferred and stored in countries outside the European Economic Area (EEA). This is because we use remote servers to provide our services, which may be located outside the EEA or use servers outside the EEA, which is generally the nature of data stored in the "cloud". It may also be processed by personnel operating outside the EEA and working for one of our providers, such as our web hosting provider (Amazon Web Services and Google Cloud Platform), the payment processing provider (Stripe), or our marketing services provider (Hubspot). These services have their updated privacy policies.

This processing of data outside the EEA is covered by legal mechanisms to allow the transfer of data. If additional information is required regarding the international transfer of data, please contact us at contacto@feending.com.

2.9 Retention Period of Personal Data

A. Personal Data of Customer Staff

Subject to the mandatory retention period of all data related to customer files, which is three (3) years from the end of the contractual relationship, the identification data of the Customer staff (including the Customer Contact Email) will be retained by Feending for a period not exceeding the subscription period of the Feending Solution, except for the legal archiving period.

B. Personal Data of Users

The Company informs the Customer that it will delete the Personal Data of the Users within a period of thirty (30) to ninety (90) days after the termination of the Contract, without prejudice to any direct deletion request from the Users.

Upon termination of the contractual relationship, the Company agrees to return, free of charge and upon the first request of the Customer made by registered letter with acknowledgment of receipt, all Personal Data belonging to the Customer that remain in the possession of the Company in accordance with the terms of this Data Processing Agreement in a standard format (Microsoft Excel, SQL, and CSV) within thirty (30) days following the same request.

The Company also commits to respond to any question posed by the Customer within thirty (30) calendar days after receiving the request for return.

2.10 Customer's Responsibility

The Customer remains solely responsible for the legality of the processing carried out during the use of the Feending Solution.

Furthermore, the Customer remains solely responsible for the Personal Data that it collects and processes as Data Controller. The Customer agrees to proceed with the collection and processing of Users' Personal Data in accordance with the Data Protection Legislation.

The Customer is informed that certain categories of Personal Data, referred to as "sensitive", under the Data Protection Legislation, cannot be collected or processed without the explicit prior consent of the data subjects or any other formality required by the applicable Data Protection Legislation (request for authorization, impact assessment, etc.). The Customer agrees never to proceed with the collection and processing of sensitive Personal Data, except as provided by the Legislation. The Company disclaims any responsibility regarding the collection or processing of Sensitive Personal Data. The Customer acknowledges and agrees that any potential sensitive personal data is subject to the same technical and organizational security measures that the Company implemented for non-sensitive Personal Data.

The Company, as Data Processor, disclaims any responsibility regarding the quality, relevance, and legality of the Personal Data. Except as provided herein, the Company cannot be held liable for the collection or processing of Personal Data that contravene the provisions of the Data Protection Legislation.

The Customer shall indemnify the Company, upon first request, against any damage incurred as a result of any action by a User or any third party due to the violation of this clause and/or any breach of any of its obligations as a data controller in accordance with the Data Protection Legislation.

ANNEX 1. OVERVIEW OF PROCESSING

A. Duration of Processing

During the duration of the contractual relationship between the Parties, including the period covered by the Data Reversibility clause of the Contract.

B. Nature and Purpose of Processing

The Personal Data will be processed for the purpose of providing the services established and agreed upon in the Contract. In this sense, Feending may carry out all types of processing operations.

C. Type of Personal Data Processed

  • Personal identification data (first name, last name, gender, profile picture, date of birth, spoken language, nationality, email, phone, address);

  • Electronic identification data (IP addresses, cookies);

  • Academic background and results;

  • Professional experience;

  • Current job;

  • Qualifications and professional certificates;

  • Hobbies and areas of interest;

  • Location data;

  • In general, any personal information submitted or posted by a User (payment data, etc.).

D. Categories of Data Subjects

Users of the Controller, including, among others, members of the Controller's community, employees, collaborators, customers, prospects, suppliers, and subcontractors of the Controller.

E. Security Measures

The Data Processor will implement appropriate technical and organizational measures and will regularly monitor compliance with these measures. This includes:

  1. Access control to the system: the Data Processor will take reasonable steps to prevent unauthorized access to computer systems, such as strong authentication procedures (passwords, two-factor authentication) and documented access approvals.

  2. Access control to data: the Data Processor will take reasonable steps to prevent unauthorized access to Personal Data, such as granting access to personal data only as necessary, confidentiality obligations, and blocking workstations.

  3. Data transfer control: the Data Processor will take reasonable steps to ensure that personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transportation, or storage, and that it is possible to verify and establish to which entities the transfer of personal data is intended through data transmission facilities (data transfer control), such as the encryption of data at rest and in transit.

  4. Input control: the Data Processor will take reasonable steps to ensure that it is possible to retrospectively verify and establish whether and by whom Personal Data has been entered, modified, or deleted in data processing systems, such as logging systems.

  5. Processing control: the Data Processor will take reasonable steps to ensure that personal data is processed in accordance with the instructions of the Data Controller, such as entering into appropriate data processing agreements with subprocessors.

  6. Availability control: the Data Processor will take reasonable steps to prevent the accidental destruction or loss of Personal Data.

Feending is powered by:

© Copyright 2023 | Comisionea SL

Feending is powered by:

© Copyright 2023 | Comisionea SL

Feending is powered by:

© Copyright 2023 | Comisionea SL