Our Data Processing Agreement (DPA)
Sub-processing of personal data
- Sub-processing of data by TinyMDM
- Sub-processing of data by third party data processors
The Customer agrees that we may engage data processors to process personal data on its behalf. The Customer acknowledges and agrees that: (a) TinyMDM’s affiliates may be retained as data processors; and (b) TinyMDM and TinyMDM’s affiliates may engage third party data processors in connection with the provision of the Services. TinyMDM or a TinyMDM affiliate will enter into a written agreement with the sub-processor imposing data protection obligations on the sub-processor comparable to those imposed on TinyMDM under this Agreement with respect to the protection of personal data. In the event that the sub-processor fails to meet its data protection obligations under such written agreement with TinyMDM, TinyMDM shall remain liable to the Customer for the performance of the sub-processor’s obligations under this agreement, unless otherwise provided in the TinyMDM agreement.
Data Transfer Mechanisms
You acknowledge and agree that we may access and process personal data globally as necessary to provide the Subscription Service in accordance with the Agreement and to other jurisdictions where Subsequent Processors operate. Wherever personal data is transferred outside its country of origin, and in particular outside the European Economic Area (“EEA”), the United Kingdom or Switzerland, each party will ensure that such transfers are made in accordance with the requirements of data protection laws.
- List of subprocessors
TinyMDM provides a list of Data Processors for the Services in the annex. TinyMDM will update the list to reflect any additions, replacements or other changes to TinyMDM’s subprocessors.
- Right to object
As a data controller, you acknowledge that these data processors are essential to provide the Service and that objecting to the use of a data processor may prevent TinyMDM from providing its Services. You may, however, reasonably object to TinyMDM’s use of a new Subsequent Processor on legitimate grounds, subject to the termination and liability provisions of the TinyMDM Agreement.
Transfer of Data outside the EU
TinyMDM will not transfer European Data to a country or recipient that is not recognized as offering an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all necessary steps to ensure that the transfer complies with applicable European data protection laws. Such measures may include (but are not limited to) transferring such data to a recipient that is covered by an appropriate framework or other legally adequate transfer mechanism recognised by the relevant authorities or courts as providing an adequate level of protection for personal data, to a recipient that has obtained an authorisation of binding corporate rules in accordance with applicable European data protection laws, or to a recipient that has executed the appropriate standard contractual clauses in each case, as adopted or approved in accordance with applicable European data protection laws.
According to the Joint Declaration of the European Commission and the United States dated 25 March 2022, a new transatlantic framework for the protection of personal data has been agreed, which promotes transatlantic data flows and addresses the concerns expressed by the European Court of Justice in the Schrems II judgment of July 2020.
The only data transferred outside of Europe are:
- Active Campaign: first name, last name, administrator function, email, additional email if applicable, telephone number, additional telephone number if applicable, TinyMDM subscription status. Purpose: Customer / Prospect Relationship Management.
- Stripe: email address, postal address, means of payment, bank references (CB / Sepa Debit), Stripe reference ID, CB / Sepa type. Purpose: Billing of the Service.
- Freshdesk: first name, last name, email, additional email if applicable, TinyMDM subscription status, information on devices and users concerned by the support ticket. Purpose: free technical support offered to customers and users of the Service.
- Calendly: first name, last name, email, additional email if applicable, telephone number. Purpose: platform for booking calls or online demonstrations of the Service with the sales team.
- Google Analytics: IP address. Purpose: to collect anonymised statistical data about how visitors use the site.
- Google Recaptcha. Purpose: security to fight against robots.
Cooperation with the supervisory authority of the National Commission for Data Protection and Liberties (CNIL)
The controller and the data processor and, where applicable, their representatives shall cooperate with the supervisory authority, at the latter’s request, in the performance of its tasks.
Operations carried out on processing operations
In accordance with Art. 30 of the GDPR, Ars Nova Systems undertakes to keep an up-to-date processing register, listing all operations carried out on personal data and providing an overview of what is done with personal data.
We use various security technologies and procedures to help protect your personal data from unauthorized access, use or disclosure. We secure the personal data you provide on computer servers in a controlled and secure environment, protected from unauthorized access, use or disclosure. All personal data is protected by appropriate physical, technical and organizational measures. To learn more about security at TinyMDM, please visit this page.