Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is applicable to all users ("Customer") of Capable Works Limited ("Capable") software and services (the "Services"). This DPA is subject to the Terms of Service between the Customer and Capable, and it governs the processing of personal data in accordance with the GDPR and other applicable data protection laws.

By using Capable’s Services, the Customer agrees to the terms of this DPA.

1. Definitions

1.1 Applicable Data Protection Law: Refers to the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable laws and regulations concerning data protection and privacy.

1.2 Personal Data: Any information related to an identified or identifiable natural person, as defined by the Applicable Data Protection Law.

1.3 Processing: Any operation or set of operations performed on Personal Data, including collection, storage, modification, transfer, or deletion.

1.4 Sub-Processors: Any third-party data processors engaged by Capable to process Personal Data under this DPA.

1.5 Standard Contractual Clauses (SCCs): The clauses provided by the European Commission to ensure that the transfer of Personal Data outside of the EEA complies with EU Data Protection Law.

2. Scope of Processing

2.1 Subject Matter: Capable will process Personal Data as necessary to provide the Services to the Customer.

2.2 Duration: Capable stores user data for a maximum of 90 days after the uninstallation of the Services from the Customer’s system. Upon expiry of this period, the data is deleted.

2.3 Nature and Purpose of Processing: The purpose of the processing is to provide the Services, including integration with third-party applications such as Slack. Capable does not store email addresses, but will store connection information for Slack if integration is enabled.

2.4 Types of Personal Data Processed: Personal Data processed by Capable may include connection data for integration with Slack, user activity data, and other data necessary to provide the Services.

2.5 Categories of Data Subjects: Data subjects include the Customer’s employees, users of the Services, and other individuals whose Personal Data is shared in connection with the Services.

3. Sub-Processors

3.1 Capable uses the following third-party service providers to support the provision of its Services:

  • Amazon Web Services (AWS): Storage and compute services, hosted in the USA.
  • Sentry: Error monitoring services, hosted in the USA.
  • Heap: Analytics services, hosted in the USA.
  • Slack: Communication and collaboration services, hosted in the USA.
  • Unsplash: Media content services, hosted in the USA.

Each Sub-Processor has entered into SCCs or other appropriate safeguards for data transfers outside the EEA.

4. Data Subject Rights

4.1 Capable will assist the Customer in responding to requests from data subjects to exercise their rights under the Applicable Data Protection Law, including access, correction, deletion, and objection requests.

5. Security Measures

5.1 Capable implements appropriate technical and organizational measures to ensure the security of Personal Data, including encryption, access control, and regular monitoring of its systems.

6. Data Breach Notification

6.1 In the event of a data breach, Capable will notify the Customer without undue delay and provide relevant information to help the Customer meet their data breach reporting obligations.

7. Data Transfers

7.1 Personal Data may be transferred to Sub-Processors located outside the EEA. These transfers are safeguarded by SCCs or other legally recognized mechanisms, ensuring compliance with GDPR.

8. Limitation of Liability

8.1 Capable’s total liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is limited to the amount paid by the Customer to Capable for the Services in the twelve (12) months preceding the event giving rise to the claim.

8.2 Capable shall not be liable for indirect, special, incidental, or consequential damages, or any loss of profits, revenue, data, or data use, arising from or in connection with this DPA, even if advised of the possibility of such damages.

9. Termination and Data Deletion

9.1 Upon termination of the Customer’s use of the Services, Capable will delete all Personal Data within 90 days, unless required by law to retain such data for a longer period.

10. Governing Law

10.1 This DPA is governed by and construed in accordance with the laws of the United Kingdom, without regard to its conflicts of laws principles.

By using the Services, the Customer acknowledges and agrees to this Data Processing Agreement.