How Performalise FZ LLC processes personal data on behalf of its customers — compliant with UK GDPR, EU GDPR, and the Data Protection Act 2018.
Summary: This DPA governs how Performalise FZ LLC processes personal data on behalf of its B2B customers, in compliance with UK GDPR, EU GDPR, and the Data Protection Act 2018. It supplements and is incorporated into the Terms of Service. All defined terms are consistent with those in the Terms of Service and Privacy Policy.
This Data Processing Agreement ("DPA") is entered into between Performalise FZ LLC ("Processor") and the Customer ("Controller") as identified in the applicable Order Form or Terms of Service.
This DPA forms part of, and is incorporated by reference into, the Terms of Service between the parties. In the event of any conflict between this DPA and the Terms of Service in respect of data protection matters, this DPA shall prevail.
This DPA is effective from the date the Customer accepts the Terms of Service and continues for the duration of the subscription.
Performalise FZ LLC is committed to compliance with UK GDPR and EU GDPR in respect of personal data processed on behalf of its customers. This DPA meets the requirements of GDPR Article 28. If you require a countersigned copy of this DPA, please email [email protected].
Capitalised terms used but not defined in this DPA have the meanings given in the Terms of Service and Privacy Policy. In addition:
| Term | Meaning |
|---|---|
| Controller | The Customer, who determines the purposes and means of processing Personal Data |
| Data Protection Legislation | UK GDPR and DPA 2018; EU GDPR (Regulation 2016/679); PECR 2003; and any successor legislation |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates |
| EU GDPR | Regulation (EU) 2016/679 of the European Parliament and Council |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Legislation |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data |
| Processor | Performalise FZ LLC, processing Personal Data on the Controller's documented instructions |
| Processing | Any operation or set of operations performed on Personal Data, as defined in Data Protection Legislation |
| Sub-processor | A third party appointed by Performalise FZ LLC to process Personal Data on behalf of the Controller |
| UK GDPR | The UK General Data Protection Regulation as defined in section 3(10) of the Data Protection Act 2018 |
3.1 The parties acknowledge and agree that in relation to the processing of Personal Data under or in connection with the Services:
3.2 The Controller warrants that it has a lawful basis for processing Personal Data and has obtained all necessary consents and complied with all applicable notice requirements to enable the lawful transfer of Personal Data to Performalise FZ LLC.
3.3 Performalise FZ LLC does not determine the purposes for which Customer Personal Data is processed. Any processing carried out outside the Customer's documented instructions would constitute independent processing for which Performalise FZ LLC assumes Controller responsibility.
In relation to the processing of Personal Data, Performalise FZ LLC shall:
4.1 Act only on documented instructions of the Controller, unless required to do so by applicable law (in which case, Performalise FZ LLC shall inform the Controller before processing, unless prohibited by law);
4.2 Ensure confidentiality — ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
4.3 Implement security measures — implement and maintain appropriate technical and organisational measures to protect Personal Data in accordance with GDPR Article 32 (see Section 8 and the Data Security page);
4.4 Notify of conflicts — promptly inform the Controller if any instruction infringes applicable Data Protection Legislation in Performalise FZ LLC's reasonable opinion;
4.5 Assist with compliance — assist the Controller in meeting its obligations under Data Protection Legislation, including with respect to: Data Subject rights requests; security; breach notifications; Data Protection Impact Assessments (DPIAs); and prior consultation with supervisory authorities, at the Controller's reasonable cost;
4.6 Maintain records — maintain complete and accurate records of processing activities as required by GDPR Article 30, and make these available to the Controller on reasonable written request;
4.7 International transfers — not transfer Personal Data outside the UK or EEA without the Controller's prior written consent and appropriate safeguards in place (see Section 6).
5.1 The Controller provides general written authorisation for Performalise FZ LLC to appoint the Sub-processors listed in Schedule 2, subject to the requirements of this section.
5.2 Performalise FZ LLC shall:
5.3 If the Controller objects to a new Sub-processor on reasonable data protection grounds within the 30-day notice period, the parties shall discuss in good faith. If no agreement is reached within a further 30 days, the Controller may terminate the Services without penalty for the unexpired subscription period on written notice.
6.1 Where Performalise FZ LLC transfers Personal Data to a country outside the UK or EEA that does not benefit from an adequacy decision, it shall ensure that appropriate safeguards are in place, specifically:
6.2 Our primary data hosting is on AWS infrastructure in the United States (us-east-1), with backups held in the EU (eu-west-1, Ireland), as set out in Schedule 2. AWS participates in the EU-US Data Privacy Framework (DPF). EU SCCs or the UK IDTA are in place with AWS as required.
6.3 Copies of applicable transfer mechanisms are available on request from [email protected].
7.1 Taking into account the nature of the processing, Performalise FZ LLC shall provide reasonable assistance to the Controller in responding to Data Subject rights requests under Data Protection Legislation, including requests relating to:
7.2 If Performalise FZ LLC receives a rights request directly from a Data Subject, it will promptly forward it to the Controller without responding independently, unless instructed or required by law to do so.
7.3 Assistance beyond standard platform functionality will be provided at the Controller's reasonable cost.
In accordance with GDPR Article 32, Performalise FZ LLC implements and maintains the following technical and organisational measures. These are consistent with, and cross-reference, the Data Security Policy:
| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.3 with AES-256-GCM or ChaCha20-Poly1305 AEAD cipher suites; Perfect Forward Secrecy via ephemeral (EC)DHE key exchange |
| Encryption at rest | AES-256 for all stored data via AWS KMS with automated key rotation |
| Access control | Role-based access (RBAC), MFA required for all internal staff, least-privilege principle |
| Audit logging | All access to production environments logged and retained for review |
| Penetration testing | Annual third-party penetration test; OWASP Top 10 scope |
| Vulnerability management | Automated scanning, dependency review, defined patch management SLAs |
| Business continuity | Multi-AZ AWS deployment, daily automated backups, point-in-time recovery (PITR, 35-day window), quarterly DR tests |
| Information security management | ISO/IEC 27001:2013 aligned; formal certification in progress |
| Staff training | Annual data protection and security awareness training for all staff with system access |
| Incident response | Documented Security Incident Response Plan (SIRP); notification to the Controller without undue delay and in any event within 72 hours of confirming a Personal Data Breach (see Section 9) |
9.1 Performalise FZ LLC shall notify the Controller without undue delay, and in any event within 72 hours of confirming that a Personal Data Breach affecting Customer Data has occurred, by email to the Controller's designated contact address. Initial notification may be provided without complete details where these are not yet available; further information will be provided as it becomes known.
9.2 The notification shall include, to the extent known at the time:
9.3 Performalise FZ LLC shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9.4 The Controller is solely responsible for notifying the relevant supervisory authority (such as the ICO in the UK) and any affected Data Subjects as required by applicable Data Protection Legislation, using information provided by Performalise FZ LLC as above.
10.1 Performalise FZ LLC shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits or inspections conducted by the Controller or a mandated third-party auditor.
10.2 Any audit shall be subject to: (a) at least 30 days' prior written notice; (b) reasonable confidentiality obligations; (c) a maximum of one audit per calendar year unless a Personal Data Breach has occurred; and (d) costs beyond standard documentation being borne by the Controller.
10.3 Performalise FZ LLC may, at its discretion, provide third-party penetration test reports and security audit summaries as an alternative to a full on-site inspection, where these adequately demonstrate compliance with this DPA.
11.1 On termination or expiry of the subscription, Performalise FZ LLC shall, at the Controller's written request received within 30 days of termination, either:
11.2 If no written request is received within 30 days of termination, Performalise FZ LLC shall securely delete all Customer Data without further notice.
11.3 Performalise FZ LLC may retain Personal Data for longer where required by applicable law, in which case it will notify the Controller and ensure the data is not used for any other purpose.
This DPA is governed by and construed in accordance with the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales for the resolution of any dispute arising out of or in connection with this DPA, including non-contractual disputes.
Where this DPA operates alongside contracts governed by the laws of another jurisdiction, the data protection obligations in this DPA shall nonetheless apply as written, in compliance with applicable Data Protection Legislation.
| Detail | Description |
|---|---|
| Subject matter | Provision of the Performalise Product Development Intelligence SaaS platform |
| Duration | For the duration of the subscription plus up to 30 days for data return or deletion |
| Nature of processing | Collection, storage, analysis, retrieval, and deletion of team performance and product data entered into the platform |
| Purpose | Enabling agile coaching, product delivery intelligence, team analytics, and continuous improvement for the Controller's teams |
| Categories of Personal Data | Work email addresses (for authentication and login); names and job titles (for user profiles); system-generated user identifiers; platform usage and activity data; anonymised sprint and team performance metrics |
| Categories of Data Subjects | The Controller's employees, contractors, and authorised users who access and use the platform |
| Special category data | None. The Controller must not upload special category personal data (as defined in GDPR Article 9) to the platform. |
The following Sub-processors are approved as at the Effective Date. Performalise FZ LLC will notify the Controller of any additions or replacements in accordance with Section 5.
| Sub-processor | Purpose | Processing location | Transfer safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, and compute infrastructure | US / EU (us-east-1 primary; eu-west-1 backup) | EU SCCs (Commission Implementing Decision (EU) 2021/914) / UK IDTA |
| HubSpot Inc. | CRM, marketing email, and customer communications | EU (Dublin, Ireland) | EU SCCs |
| Stripe Inc. | Payment processing (direct subscribers only) | EU / US | EU SCCs / UK IDTA |
| Atlassian (Jira / Confluence) | Integration connector (where enabled by Customer) | US / EU | EU SCCs / UK IDTA |
| Microsoft (Azure DevOps) | Integration connector (where enabled by Customer) | EU / US | EU SCCs / UK IDTA |
To request a countersigned DPA, enquire about Sub-processor changes, or submit a data rights request, contact: [email protected]