Data Processing Addendum

Last Updated: November 27, 2023


If you require a signed copy of this addendum, please email hello@superhuman.com.


This Customer Data Processing Agreement, including its Annexes, (the "DPA") is supplemental to and forms part of our Terms of Service and any applicable order forms, statements of work or work orders (collectively, the "Agreement"), entered into between Superhuman Labs, Inc. ("Superhuman") and the customer (the "Customer"). This DPA sets out the obligations that apply to Superhuman's processing of Personal Information.

  1. Definitions

    1. "Applicable Data Protection Laws" means all worldwide data protection and privacy laws and regulations applicable to the Personal Information in question including, where applicable, (i) European Data Protection Laws and (ii) the California Consumer Privacy Act as amended by the California Privacy Rights Act (California Civil Code § 1798.100) (“CCPA”), the Colorado Privacy Act of 2021, as amended (“CPA”), the Virginia Consumer Data Privacy Act of 2021, as amended (“VCDPA”), equivalent U.S. state privacy laws, and all laws and regulations implementing or supplementing the foregoing.

    2. "Europe" means, for the purposes of this DPA, the Member States of the European Union, plus Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom.

    3. "European Data Protection Laws" means all data protection laws and regulations applicable to the European Union (“EU”) or the European Economic Area (“EEA”), including (a) the General Data Protection Regulation 2016/679 (the “EU GDPR”); (b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the “UK GDPR”); (c) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”); (d) Directive 2002/58/EC concerning the processing of Personal Information and the protection of privacy in the electronic communications sector; and (e) applicable national implementations of (a),(b), (c), and (d).

    4. "Data Subject" means any individual about whom Personal Information may be processed pursuant to the Agreement.

    5. "Data Subject Rights" means all rights granted to Data Subjects by Applicable Data Protection Laws, such as the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making.

    6. "Personal Information" means any information that is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws, to the extent Superhuman, in its capacity as a processor or service provider, processes such information on behalf of the Customer in connection with performing the Services under the Agreement, as more particularly described in Annex A of this DPA.

    7. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Information from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Information from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where Swiss DPA applies, a transfer of Personal Information from Switzerland to any other country which is not based on an adequacy decision recognized under Swiss data protection law.

    8. "Security Incident" means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information transmitted, stored or otherwise processed by Superhuman in the context of this Agreement. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

    9. "Sell" means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Information to a third party for monetary or other valuable consideration.

    10. "Sensitive Information" means Personal Information revealing a Data Subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.

    11. "Services" means the services provided by Superhuman to the Customer under the Agreement.

    12. "Sub-processor" means any third-party processor engaged by Superhuman to assist in fulfilling its obligations with respect to providing the Services under the Agreement and this DPA.

    13. The terms "controller", "processor" and "processing" shall have the meanings given to them under Applicable Data Protection Laws and the terms "process", "processes" and "processed" shall be interpreted accordingly. "Service provider" and "supervisory authority" have the meaning given to them under Applicable Data Protection Laws.

    14. "Data Privacy Framework" means the EU-U.S. Data Privacy Framework and the forthcoming UK Extension of the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, and retention of personal data transferred from the European Union, United Kingdom, and Switzerland to Superhuman in the United States.

    15. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

  2. Scope and applicability of this DPA

    This DPA applies only to the extent that Superhuman processes Personal Information in accordance with the instructions of the Customer in the course of providing the Services and/or for the business purposes agreed with the Customer in writing in the Agreement (collectively, the "Business Purposes"), as further described in Annex A of this DPA. For the avoidance of doubt, Business Purposes shall include (i) processing in accordance with the Agreement (including this DPA); (ii) processing initiated by Customer's authorized users in their use of the Services; and (iii) processing to comply with other documented, reasonable instructions provided by Customer (e.g., via email), or where otherwise agreed upon by the parties, where such instructions are consistent with the terms of the Agreement.

  3. Processing of Personal Information

    1. The Parties acknowledge and agree that Customer is the controller of the Personal Information processed in connection with the Services or is acting on behalf of the controller in entering into this Agreement.

    2. Superhuman will at all times process the Personal Information only to fulfill the Business Purposes. Except as necessary to fulfill the Business Purpose or as required or permitted by Applicable Data Protection Laws, Superhuman will (i) not Sell or share for cross-context behavioral advertising purposes any Personal Information; (ii) not retain, use, or disclose Personal Information after the termination of the Agreement or another valid request to delete Personal Information; (iii) not retain, use, or disclose the Personal Information outside of the direct business relationship between the Customer and Superhuman; and (iv) not combine the Personal Information that Superhuman receives from or on behalf of Customer with Personal Information that Superhuman collects or receives from another person. Superhuman certifies that it understands these restrictions and will comply with them. Superhuman shall inform Customer if it can no longer comply with its obligations under Applicable Data Protection Laws or if, in its opinion, the Customer's processing instructions infringe Applicable Data Protection Laws. The parties acknowledge and agree that the disclosure of Personal Information by the Customer to Superhuman does not form part of any monetary or other valuable consideration exchanged between the parties.

    3. Customer shall comply with its obligations under Applicable Data Protection Laws, and in particular under European Data Protection Laws, as a controller or on behalf of the controller. Where Customer is itself a processor acting on behalf of a third-party controller, Customer shall ensure that any data processing undertaken pursuant to this DPA and the Agreement reflects the documented instructions issued by the ultimate controller of such data.

    4. The parties agree that the Agreement (including this DPA), and the Customer's use of the Services in accordance with the applicable terms of use, set out Customer's complete and final instructions to Superhuman in relation to the processing of Personal Information. The parties further agree that any processing outside the scope of these instructions (if any) shall require a prior written agreement between the Customer and Superhuman.

  4. Aggregate or de-identified information

    Notwithstanding the foregoing or anything to the contrary in the Agreement (including this DPA), the Customer acknowledges that Superhuman shall have a right to collect and create anonymized, aggregate, and/or de-identified information as defined by Applicable Data Protection Laws ("Aggregate Data") for its own legitimate business purposes, including, but not limited to, product improvement and development.

  5. Customer responsibilities

    The Customer is responsible for the lawfulness of Personal Information processed under or in connection with the Agreement. Notwithstanding anything contrary in the Agreement, the Customer represents and warrants that:

    1. It has provided, and will continue to provide all notices and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Superhuman to lawfully process Personal Information for the purposes contemplated by the Agreement (including this DPA);

    2. It has complied with its obligations under Applicable Data Protection Laws in order to lawfully provide Superhuman and its Sub-processors with the Personal Information;

    3. It shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws) and that the processing of Personal Information by Superhuman in accordance with the Customer's instructions will not cause Superhuman to be in breach of Applicable Data Protection Laws; and

    4. It shall make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Personal Information.

  6. Prohibited information

    Customer further acknowledges that it shall not disclose, and shall not require any individuals to disclose, (i) Sensitive Information or (ii) Personal Information of any person under the age of 13, and Customer agrees not to provide any such information through the Services.

  7. Security

    1. Superhuman will provide and maintain reasonable technical and organizational measures that have been designed, taking into account the nature and risks of its processing, to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information, including the measures listed in Annex B of this DPA (the "Security Measures"). Customer acknowledges that Superhuman may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of Superhuman's processing of Personal Information.

    2. Superhuman will require that its personnel who are granted access to Personal Information be under an appropriate obligation of confidentiality (whether a contractual or statutory duty) to protect the confidentiality of the Personal Information.

    3. Customer agrees that, except as otherwise provided by this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Information when in transit to and from the Service(s) and taking any appropriate steps to securely encrypt or backup any Personal Information processed in connection with the Services.

  8. Audit

    1. Upon written request from Customer and no more than once annually, Superhuman shall provide the required information reasonably necessary to demonstrate compliance with the obligations of Applicable Data Protection Laws and this DPA. Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Superhuman has experienced a Security Incident, or on another reasonably similar basis.

    2. Superhuman may object to the use of a third party auditor if the auditor is, in Superhuman's reasonable opinion, not suitably qualified or independent, a competitor of Superhuman, or otherwise manifestly unsuitable. Such objection by Superhuman will require Customer to appoint another auditor or conduct the audit itself.

    3. The audit must be conducted during regular business hours at the applicable facility, subject to an audit plan agreed to between the parties at least two weeks in advance and may not unreasonably interfere with Superhuman's business activities.

    4. If Customer's requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer's audit request and Superhuman confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

    5. Any Customer-requested audits are at Customer's expense. Customer shall reimburse Superhuman for any time expended by Superhuman or its Sub-processors in connection with any Customer-requested audits or inspections at Superhuman's then-current professional services rates, which shall be made available to Customer upon request.

    6. Customer may use the audit reports only for the purposes of meeting Customer's regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit reports are confidential information of the parties under the terms of the Agreement.

    7. Customer shall have the right upon notice to Superhuman to take reasonable and appropriate steps to remediate Superhuman's use of Personal Information in violation of this DPA.

  9. Assistance

    1. Customer is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information processed by Superhuman. Customer shall delete from the Services all Personal Information (except where such information has been anonymized or de-identified) for which it has received a verified request for deletion from the relevant individuals or applicable data protection authorities relating to the processing of Personal Information under the Agreement.

    2. Superhuman will reasonably cooperate with and assist Customer, including by implementing appropriate technical and organizational measures, in the fulfillment of Customer's own obligations under Applicable Data Protection Laws, including (i) complying with Data Subjects' requests to exercise Data Subject Rights, (ii) replying to inquiries or complaints from Data Subjects, (iii) replying to investigations and inquiries from supervisory authorities, (iv) conducting data protection impact assessments and prior consultations with supervisory authorities, and (v) providing notifications to affected individuals, regulators and other parties in connection with Security Incidents.

    3. Superhuman will notify Customer as soon as practicable, unless prohibited by applicable law, if Superhuman (i) receives a request, complaint or other inquiry regarding the processing of Personal Information from a Data Subject or supervisory authority, (ii) receives a binding or non-binding request to disclose Personal Information from law enforcement, courts or any government body, (iii) is subject to a legal obligation that requires Superhuman to process Personal Information in contravention of Customer's instructions, or (iv) is otherwise unable to comply with Applicable Data Protection Laws or this DPA. For the avoidance of doubt, Superhuman may communicate, without restriction, with a regulatory or judicial body or a Data Subject if it is not reasonably apparent on the face of the communication to which customer of Superhuman the request relates.

    4. Customer acknowledges that the Services provide the Customer with a number of controls that the Customer may use to retrieve, correct, delete or restrict Personal Information, which Customer may use to assist it in connection with its obligations under Applicable Data Protection Laws and to respond to requests from Data Subjects or applicable supervisory authorities.

    5. Superhuman will assist with conducting any legally required data protection impact assessments (including subsequent consultation with applicable data protection authorities), if so required by applicable law, taking into account the nature of processing and the information available to Superhuman. Superhuman may charge a reasonable fee for any such assistance, as permitted by Applicable Data Protection Laws.

  10. Security Incidents

    1. Upon becoming aware of a Security Incident, Superhuman shall notify Customer without undue delay that a Security Incident has occurred, unless otherwise prohibited by applicable law or otherwise instructed by a supervisory authority. Following such notification, Superhuman will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. Superhuman shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Superhuman's notification of or response to a Security Incident will not be construed as an acknowledgement by Superhuman of any fault or liability with respect to the Security Incident.

    2. In the event of a Security Incident, Customer is solely responsible for determining whether Applicable Data Protection Laws require the notification of affected individuals, regulators, and other parties of the Security Incident. At the Customer's request, Superhuman will provide reasonable assistance and cooperation with respect to any notifications that the Customer is legally required to send to affected Data Subjects and relevant authorities. Superhuman may charge a reasonable fee for such requested assistance, to the extent permitted by Applicable Data Protection Laws.

  11. Sub-Processors

    1. Pursuant to the Agreement, Customer agrees that Superhuman may engage Sub-processors to process Personal Information on the Customer's behalf and disclose Personal Information to Sub-processors, provided that Superhuman enters into a written agreement with all Sub-processors which imposes substantially similar obligations on the Sub-processors as this DPA imposes on Superhuman. Subject to the limitation of liability provisions in the Agreement, Superhuman will be responsible and liable for the acts, omissions or defaults of its Sub-processors in the performance of obligations under this DPA as if they were Superhuman's own acts, omissions or defaults.

    2. By signing this DPA, Customer hereby provides a general written authorization for Superhuman to engage Sub-processors to provide the Services. Customer may access Superhuman's list of Sub-processors through the following URL: https://superhuman.com/subprocessors. Customer can also subscribe to receive email notifications of updates to Superhuman's Sub-processor list by emailing this request to hello@superhuman.com. Superhuman will provide at least fifteen (15) calendar days' prior written notice to Customer of the engagement of any new Sub-processor. Customer may object in writing to the appointment of each such Sub-processor on reasonable grounds relating to the Sub-processor's ability to protect Personal Information in accordance with this DPA, by notifying Superhuman promptly in writing within ten (10) calendar days of receipt of Superhuman's notice in accordance with this Section 11. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If Customer does not object to the proposed Sub-processor within ten (10) calendar days of receipt of notice, the Sub-processor is deemed to have been approved. Superhuman may, in its sole discretion, remove a Sub-processor from the list. In the event a Sub-processor is removed by Superhuman, Superhuman will have a reasonable amount of time to replace that Sub-processor.

  12. Data Transfers

    1. In connection with the performance of the Agreement, the parties agree that Superhuman may transfer Personal Information to various locations, which may include locations both inside and outside of Europe. The parties agree that where a transfer of Personal Information from Customer to Superhuman is a Restricted Transfer, the Data Privacy Framework as set forth in Section 12.2 will apply.

    2. To the extent that Superhuman in the US receives Personal Information from Europe, the transfer of Personal Information will be subject to the Data Privacy Framework. However, if the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated, the Standard Contractual Clauses (the "SCCs"), Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor), will apply, where appropriate.

  13. Return or disposal

    Upon termination or expiration of the Agreement for any reason, including non-payment by Customer, Superhuman will return or destroy Personal Information in its possession or control. Superhuman may retain Personal Information to the extent that Superhuman is required by any applicable law to retain some or all information (including Personal Information), in which event Superhuman shall isolate and protect such data from any further processing except to the extent required by applicable law.

  14. General

    1. The parties agree that this DPA shall supersede and replace any existing terms the parties may have previously entered into in connection with the Services, as such terms relate to the subject matter of this DPA.

    2. The obligations placed upon Superhuman under this DPA shall survive so long as Superhuman and/or its Sub-processors process Personal Information on the Customer's behalf.

    3. This DPA may not be modified except by a subsequent written instrument signed by both parties.

    4. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

    5. The Agreement remains unchanged and in full force and effect. In case of discrepancies between this DPA and any agreement(s) between the parties and/or their Affiliates, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement. This DPA shall not limit or restrict, but shall only be deemed to supplement the Standard Contractual Clauses.

    6. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions of the Agreement.

    7. This DPA will be governed by and construed in accordance with the governing law and venue provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

ANNEX A

DESCRIPTION OF THE PROCESSING

Categories of Data Subjects whose Personal Information is Processed:

Customer shall be deemed to have declared that the categories of data subjects include: (i) employees, agents, advisors, freelancers of Customer (who are natural persons); and/or (ii) Customer's Authorized Users.

Categories of Personal Information Processed:

Customer shall be deemed to have declared that the types of personal data may include, but are not limited to, the personal information described in the Privacy Policy, available at superhuman.com/privacy.

Nature, subject matter and duration of the Processing

Nature and Subject Matter: Superhuman provides a Service designed to improve the email experience by making it faster and more intelligent, as further described in the Agreement.

Duration: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms, plus the period from the expiry of the Agreement until deletion of the Personal Information by Superhuman, in accordance with the terms of the Agreement and this DPA.

Purposes of the Processing:

Superhuman shall process Personal Information for the business purposes set out in the Agreement.

ANNEX B

TECHNICAL AND ORGANISATIONAL MEASURES

Superhuman's information security program includes administrative, technical, and physical safeguards designed to protect the Personal Information that we handle against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure; unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage; or any other unauthorized form of processing).

Superhuman's security program is based on the following key security principles:

  • The principle of least privilege — services and users are granted the minimal set of permissions required to do their job.

  • Encryption at rest and in transit — all data is encrypted at rest and in transit, with particularly sensitive data encrypted additionally at the application level.

  • Minimize attack surface — we expose no internal servers to the internet, use distroless containers, and run fully on infrastructure managed by Google.

  • Automatic updates — laptops, servers and containers are configured to automatically update to the latest versions soon after they become available.

  • Clear security boundaries — production, staging, development, etc. are all separate and navigating a security boundary requires authenticating using Google's Identity and Access Management (IAM). All authentication requires two factors.

  • Verify assumptions — all code that is added to Superhuman is reviewed from the point of view of security, and we run annual security audits with an external firm to identify mistakes.

We have included below some illustrative examples of security measures in place at Superhuman:

  1. Measures for the encryption of personal data

    • Superhuman is hosted fully on Google Cloud. We rely on Google Cloud's infrastructure security to encrypt data at rest and, where appropriate, add a layer of application-level encryption to reduce the risk of data being exposed.

    • Superhuman encrypts all network traffic across the public internet using TLS, and uses Google Cloud ALTS (Application Layer Transport Security) to protect traffic within our environment.

  2. Measures for protecting ongoing confidentiality, integrity, availability and resilience of processing systems and services

    • Superhuman keeps all of its systems and services up-to-date, using automated mechanisms where possible, or by responding to proactive alerting. We rely heavily on immutable infrastructure that is regularly recreated in a known good state.

    • Permissions are assigned using the principle of least privilege — each employee only has access to the necessary parts of the infrastructure required to perform their role.

    • Superhuman proactively predicts how our usage patterns will change, and invests heavily in ensuring that our systems are resilient to our anticipated load. All changes to systems are approved by an independent engineer, and tested before they are applied in production.

  3. Measures for restoring the availability and access to Personal Information in a timely manner in the event of a physical or technical incident

    • Superhuman continually monitors the availability of its systems and has 24/7 coverage in case of incidents affecting the availability of the service.

    • Superhuman core services are distributed across multiple zones to reduce the probability that a catastrophic event will impact our availability.

    • Superhuman backs up all data and those backups are distributed across multiple regions, so that if our live production environment is completely unavailable, we will still be able to restore access to data.

  4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

    • Superhuman conducts annual security audits using a third party firm to help identify areas of cyber risk.

    • Superhuman conducts an annual SOC 2 audit process to help evaluate the effectiveness of our controls.

    • Superhuman conducts quarterly incident outage simulations, including restoring production backups.

  5. Measures for user identification and authorization

    • All user identification is delegated to the Customer's email provider (Google or Microsoft), and we rely heavily on OAuth 2.0 for authorization.

    • Superhuman employees are required to use multi-factor authentication.

    • All sign-in events are logged to an independent system of record.

  6. Measures for physical security of locations at which Personal Information is processed

    • Superhuman processes Personal Information within Google Cloud, which provides physical security as described in Google documentation: https://cloud.google.com/security

  7. Measures for ensuring system configuration, including default configuration

    • Superhuman uses Google Kubernetes Engine (GKE) to enforce a consistent configuration across all our production machines.

    • Superhuman uses Google Cloud Security Scanner to identify any unsafe changes to the configuration of our Google Cloud resources.

    • Superhuman uses MDM to enforce a secure system configuration for all company-owned laptops.

  8. Measures for internal IT and IT security governance and management

    • Superhuman's infrastructure is covered by Google's ISO 27001 certification and SOC 2 attestations, since it is fully hosted on Google Cloud.

    • Superhuman has in place a written Information Security Policy, including supporting documentation.

    • Other written security policies that Superhuman has in place include the following:

      • Data Access Levels

      • Disaster recovery and business continuity

      • Infrastructure management policy

      • Records of processing activities

      • Risk management policy

      • Data retention policy

  9. Measures for ensuring accountability

    • Superhuman requires all employees to report any potential policy violations and to escalate them either to a manager, or to our anonymous complaints form.