DPA Exhibit
The DPA Exhibit applicable to Compose, Inc., an IBM Company.
Last Revised: June 30, 2021
This DPA Exhibit is applicable to: Compose.com
1. Categories of Data Subjects
Data Subjects of any Client Personal Data that generally can be processed in this Cloud Service may include Client’s and its affiliates’ employees, contractors, business partners, or customers, and to the extent required by law any other legal entities whose personal data is processed by the Cloud Service.
IBM will process Personal Data of all Data Subjects listed above in accordance with the Agreement. Given the nature of the Services, Client acknowledges that IBM is not able to verify or maintain the above list of Categories of Data Subjects. Therefore, if Client will not use this Cloud Service with all the Data Subjects as set out above, then Client is responsible for providing complete, accurate, and up-to-date information to IBM on the actual Data Subjects from within the above list that Client will process in this Cloud Service via Additional Instructions to IBM as set out in the IBM Data Processing Addendum (DPA).
2. Personal Data
The lists as set out below are the Types of Personal Data and Special Categories of Personal Data that generally can be processed within this Cloud Service. IBM will process all Types of Personal Data and Special Categories of Personal Data listed below in accordance with the Agreement. Given the nature of the Services, Client acknowledges that IBM is not able to verify or maintain the below lists of Types of Personal Data and Special Categories of Personal Data. Therefore, if Client will not use this Cloud Service for all the Types of Personal Data and Special Categories of Personal Data as set out below, then Client is responsible for providing complete, accurate, and up-to-date information to IBM on the actual Types of Personal Data and Special Categories of Personal Data from within the below list that Client will process in this Cloud Service via Additional Instructions to IBM as set out in the DPA.
2.1 Types of Personal Data
- Basic Personal Information (such as name, address, phone number, email, etc.)
- Financial Information (such as PCI DSS, FFIEC, etc. - such as credit card, bank account, financial holdings, salary information, etc.)
- Technically Identifiable Personal Information (such as device IDs, usage based identifiers, static IP addresses, etc. – when linked to an individual)
- Employment Related Identifiable Information (any HR data such as job history, performance review information, etc.)
- Personally Related Identifiable Information (such as personality insights or sentiment analysis)
- Personal Location Information (such as geolocation data)
Client should not include personal data in text fields that are not intended for or do not request personal data.
2.2 Special Categories of Personal Data
This Cloud Service was not designed to process any Special Categories of Personal Data.
3. Processing Activities
The processing activities with regard to Client Content (including Client Personal Data) within this Cloud Service include:
- Receipt of Content from Data Subjects and/or third parties
- Computer processing of Content, including data transmission, data retrieval, data access, and network access to allow data transfer if required
- Technical customer support involving Content at Customer request, including monitoring, problem determination, and problem resolution
- Transformation and transition of Content as necessary to deliver the Cloud Service
- Storage and associated deletion of Content
- Backup of Content
4. Duration of Processing
IBM will remove Content (including Client Personal Data) that is stored or persisted within this Cloud Service within 30 days after termination or expiration of the Cloud Service. Some Content (including Client Personal Data) may remain in the Cloud Service backups until the expiration of such backups 95 days after data is removed from the online service.
5. Technical and Organizational Measures
The following Technical and Organizational Measures (TOMs) apply to all content processed by IBM within this Cloud Service (including Client Personal Data):
5.1 Base Technical and Organizational Measures
IBM's foundational Technical and Organizational Measures for data protection within its Cloud Services are as described in IBM's Data Security and Privacy Principles for IBM Cloud Services (https://www.ibm.com/cloud/data-security), or as otherwise described below or within the Service Description.
5.2 Amendment to TOMs
- This Cloud Service does not provide for an annual ISO 27001 Certification, nor SOC2 Audit.
5.3 Additional TOMs
The following additional TOMs are applicable to this Cloud Service:
Client Content is encrypted when transmitted by IBM on any public networks.
Client Content is encrypted at rest within the IBM Cloud Datacenter.
The Cloud Service has Business Continuity plans in place which involve daily backups of Client Content to support eventual recovery of the Cloud Service, and associated Client Content, in the event of a corresponding disaster.
5.4 Certifications
This Cloud Service does not provide any industry recognized compliance, certifications, attestations, or reports, at this time.
6. Deletion and Return of Content
Client can make a copy of their Content (including Client Personal Data) at any time prior to termination or expiration of the Cloud Service via the use of self service options available within the Cloud Service.
Client may also request removal of Content (including Client Personal Data) at any time prior to termination or expiration of the Cloud Service.
7. IBM Hosting and Processing Locations
The following IBM data hosting and processing locations are utilized for this Cloud Service. Client may be able to request that IBM utilize a subset of these locations.
IBM Data Hosting Locations:
- Australia
- Germany
- United Kingdom
- United States
IBM Data Processing Locations:
- Australia
- Canada
- China
- France
- Germany
- Ireland
- Poland
- South Africa
- United Kingdom
- United States
The IBM legal entities associated with each of the IBM Data Hosting and IBM Data Processing Locations set out above are Subprocessors and can be found at https://www.ibm.com/cloud/subprocessors.
8. Third Party Subprocessors
The following third party Subprocessors are involved in the Processing of Content, including Client Personal Data:
- Amazon Web Services, Inc. (for data hosting), United States
- Amazon Web Services, Inc. (for data hosting), Ireland
- Amazon Web Services, Inc. (for data hosting), Australia
- Amazon Web Services, Inc. (for data hosting), Germany
- Amazon Web Services, Inc. (for data hosting), Singapore
- Google, Inc. (for data hosting), United States
- Google, Inc. (for data hosting), Belgium
- Help Scout, Inc. (for data processing), United States
- PagerDuty, Inc. (for data processing), United States
- SendGrid, Inc. (for data hosting), United States
- SendGrid, Inc. (for data processing), United States
- Slack Technologies (for data processing), United States
- Stripe, Inc. (for data hosting), United States
- Stripe, Inc. (for data processing), United States
Any changes to Subprocessors will be communicated via update of this document as published on www.compose.com. Additional details on each 3rd party subprocessor are available upon request.
9. International Data Transfer
EU Standard Contractual Clauses signed by all IBM Data Importers, if applicable, are available at: https://www.ibm.com/software/sla/sladb.nsf/sla/eumc
10. Privacy Contact
The privacy contact for IBM Cloud Services is DPA.Help.project@uk.ibm.com.
11. Data Privacy Officer and Other Controllers
Client is responsible for providing complete, accurate and up-to-date information about its data privacy officer and any other Controllers (including their data privacy officer). Please see the Privacy Contact and Customer communications section for contact information.