Data Processing Agreement - Schedule 1

List of Parties, Description of Processing and Transfer of Personal Data, Competent Supervisory Authority

MODULE TWO: CONTROLLER TO PROCESSOR

A. LIST OF PARTIES

The Controller:	means the Customer.
Address:	As set out for the Customer in the Agreement.
Contact person’s name, position and contact details:	As provided by the Customer in its account and used for notification and invoicing purposes.
Activities relevant to the data transferred under the SCCs:	Use of the Service.
Signature and date:	By entering into the Agreement, the Controller is deemed to have signed the SCCs incorporated into this DPA and including their Annexes, as of the Effective Date of the Agreement.
Role:	Data Exporter.
Name of Representative (if applicable):	Any UK or EU representative named in the Controller’s privacy policy.

The Processor:	means the Company: Zestia Limited
Address:	20 Dale Street, Manchester, M1 1EZ, England
Contact person’s name, position and contact details:	support@capsulecrm.com
Activities relevant to the data transferred under the SCCs:	The provision of cloud computing solutions to the Controller under which the Processor processes Personal Data upon the instructions of the Controller in accordance with the terms of the Agreement.
Signature and date:	By entering into the Agreement, the Processor is deemed to have signed the SCCs, incorporated into this DPA, including their Annexes, as of the Effective Date of the Agreement.
Role:	Data Importer
Name of Representative (if applicable):	Data Protection Representative Limited

В. DESCRIPTION OF PROCESSING AND TRANSFERS

Categories of data subjects:	Individuals about whom data is uploaded to the Service by (or at the direction of) the Controller or by Users, Affiliates and other participants whom the Controller has granted the right to access the Service in accordance with the provisions of the Agreement including but not limited to: Prospects, customers, clients, business partners, vendorsand suppliers (who are natural persons) Employees, agents, advisors, consultants, freelancers (who are natural persons). Individuals with whom Users communicate by email and/or other messaging media.
Categories of Personal Data:	Data relating to individuals uploaded to the Service by (or at the direction of) the Controller or by Users, Affiliates and other participants whom the Controller has granted the right to access the Service in accordance with the provisions of the Agreement. The Personal Data includes but is not limited to: Name Title Employer & position within the organisation Contact details including email, phone, address Links to online identities including websites and social networks Personal Data held in custom fields defined by the Controller or Users Personal Data within email and messaging content which identifies or may reasonably be used to identify, data subjects. Personal Data within notes and activity logs recorded by Users File attachments that may contain Personal Data Information offered by Users as part of support enquiries
Sensitive Data:	No sensitive data (special category data) will be processed or transferred and shall not be contained in the content of, or attachments to, emails.
The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis):	Continuous basis for the duration of the Agreement.
Nature of the processing:	The nature of processing personal data is to enable the functionality of Capsule as set out in the Agreement and related documentation.
Purpose(s) of the data transfer and further processing:	Personal Data is transferred to sub-contractors who need to process some of the Personal Data in order to provide their service to the Processor as part of the Service provided by the Processor to the Controller.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:	Unless agreed otherwise in writing, for the duration of the Agreement, subject to clause 14 of the DPA.
For transfers to (Sub-) processors, also specify subject matter, nature and duration of the processing:	The Sub-processor list sets out the Personal Data processed by each Sub-processor and the service provided by each Sub-processor.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs)	Where the EU GDPR applies, the Irish Data Protection Authority - the Data Protection Commission (DPC). Where the UK GDPR applies, the UK Information Commissioner's Office, (ICO). Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner, (FDPIC).

MODULE THREE: PROCESSOR TO PROCESSOR

A. LIST OF PARTIES

The Data Exporter: is the Company.

The Data Importers: are the Sub-processors named in the Sub-processor list published at https://capsulecrm.com/dpa/subprocessors which contains the name, address, contact details and activities relevant to the data transferred to each Data Importer.

В. DESCRIPTION OF PROCESSING AND TRANSFERS

The Sub-processor list includes the information about the processing and transfers of the Personal Data, for each Data Importer:

categories of Data Subjects
categories of Personal Data
the nature of the processing
the purposes of the processing

Personal Data is processed by each Sub-processor:

on a continuous basis
to the extent necessary to provide the Service in accordance with the Agreement and the Data Exporter’s instructions.
for the duration of the Agreement and subject to clause 14 of the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority of the Data Exporter shall be:

Where the EU GDPR applies, the Irish Data Protection Authority – the Data Protection Commission (DPC);
Where the UK GDPR applies, the UK Information Commissioner's Office, (ICO).
Where the FDPA applies, the Swiss Federal Data Protection and Information Commissioner, (FDPIC).