This Data Processing Agreement ("DPA") forms part of the Terms and Conditions, EULA, Master Subscription Agreement or other agreement governing the use of Plane's services ("Agreement") between Plane Software, Inc. ("Plane", "we," "us," or "our") and the Customer ("Customer", "you" or "your") to reflect the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.
In the event of a conflict between this DPA and the provisions of the Agreement, the terms of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
Any capitalized term used but not otherwise defined in this DPA shall have the meaning provided to it in the Agreement.
1.1. "Personal Data" means any personal information that the Customer or its end users provide, upload, or make accessible through Plane's Services. This includes information related to identifiable individuals, such as names, contact details, or any other data shared as part of the Customer's use of the Service. This data is processed by Plane solely on behalf of the Customer in accordance with the terms of the Agreement.
1.2. "Usage Data" refers to information collected by Plane about how the Customer interacts with and utilizes the Services. This data may include activity logs, performance metrics, and other operational data used to improve, secure, and maintain the functionality of the Services, as well as to enhance the overall user experience. See Telemetry for more information.
1.3. "Data Protection Laws" refers to all data protection laws and regulations applicable to the Processing of Personal Data under this DPA, that may exist in any relevant jurisdiction, including but not limited to the GDPR and the CCPA.
1.4. "Sub-processor" means any third party that is authorized by Plane to handle or process Customer Personal Data as part of delivering the Services.
1.5. "Services" shall have the meaning set forth in the Agreement.
1.6. The terms "Controller", "Process", "Processor", "Processing", "Data Subject", "Business", "Business Purpose", "Business Operator", "Service Provider" and "Supervisory Authority" shall have the same meanings as defined by Data Protection Laws.
The parties acknowledge and agree that:
2.1. Customer acts as either a Controller or Processor of the Personal Data and/or a Business as defined by Data Protection Laws.
2.2. Plane acts as a Processor of the Personal Data and/or a Service Provider as defined by Data Protection Laws. In scenarios where the Customer operates as a Processor, Plane acts as a Sub-processor, reaffirming that this arrangement does not alter the respective responsibilities of the parties as outlined in this DPA.
3.1.1. provide instructions for the processing of Personal Data, in compliance with Data Protection Laws;
3.1.2. ensure that any and all information or data, including without limitation Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;
3.1.3. establish and have any and all required legal bases to authorize the Processing by Processor;
3.1.4. ensure that the Customer's instructions for processing do not place Plane in violation of Data Protection Laws;
3.1.5. take full responsibility for the integrity, quality, and legality of the Personal Data shared with Plane, which includes ensuring that the data is obtained lawfully and that the Processing instructions align with legal requirements;
3.1.6. not supply Plane with any Personal Data that contravenes the terms of the Agreement or is unsuitable for the intended Services. Furthermore, the Customer will indemnify Plane against any claims or damages arising from violations of these obligations;
3.2.1. comply with all applicable Data Protection Laws in the Processing of Personal Data;
3.2.2. process Personal Data in accordance with this DPA and any other documented instructions from the Customer unless required by law; in such a case, Processor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
3.2.3. notify the Customer immediately if, in the Processor's reasonable opinion, an instruction for the Processing of Personal Data given by the Customer infringes applicable Data Protection Laws, it being acknowledged that the Processor shall not be obliged to undertake additional work or screening to determine if the Customer's instructions are compliant;
3.2.4. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access;
3.3. Annex A sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
3.4. Processor shall not directly or indirectly sell any Personal Data, or retain, use, or disclose any Personal Data for any purpose other than for the purpose of performing Services for Company; or retain, use, or disclose any Personal Data outside the scope of this DPA or the Agreement.
4.1. The Customer provides Processor with general authorization to engage the Subprocessors set out in Annex B to access and process Personal Data in connection with the Services and from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
4.2. Plane shall ensure that Sub-processors are bound by data protection obligations no less protective than those provided in this DPA.
4.3. Processor may update the list of Subprocessors from time to time as applicable, providing the Customer with notice of such update (and an opportunity to object) at least fourteen (14) days in advance of such updates.
4.4. The Customer may object to a Subprocessor, and shall notify Processor thereof in writing within seven (7) days after receipt of Processor's updated Subprocessors' list and based on reasonable grounds relating to data protection. Customer acknowledges that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent Plane from offering the Services to Customer.
4.5. If Customer does not object to the engagement of a third party within seven (7) days of notice by Plane, that third party will be deemed a Sub-processor for the purposes of this DPA.
4.6. If the Customer reasonably objects to an engagement with a new Subprocessor, Customer and Plane will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Plane.
4.7. If Customer reasonably objects to an engagement with a Sub-processor and Plane cannot sufficiently address the objection within a reasonable period of time, which will not exceed thirty (30) days, Customer may upon prior written notice to Plane, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Processor all the amounts owed to Processor or due before the date of termination. Customers will have no further claims against Processor (including, without limitation, requesting refunds for Service).
5.1. Processor shall, to the extent legally permitted, notify Customer or refer Data Subject to Customer, if Processor receives a request from a Data Subject to exercise their rights (to the extent available to them under applicable law) of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, or object to the Processing.
5.2. If Processor receives a Data Subject request in relation to Customer's data, Processor will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such requests. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Plane, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
5.3. Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, to the extent Processor is legally permitted to do so, for the fulfillment of Customer's obligation to respond to a Data Subject Request under data protection laws. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
6.1. Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to the Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Personal Data.
7.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
7.2. Customer is responsible for configuring the product and using features and functionalities made available by Plane to maintain appropriate security in light of the nature of Personal Data. Customer acknowledges that the security measures are subject to technical progress and development and that Plane may update or modify the security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the product.
7.3. To the extent required by applicable law and taking into account the nature of processing and the information available to Plane, Plane will assist Customer by notifying it of a security incident without undue delay or within the time period required under applicable law. Plane will provide timely and periodic updates to Customer as additional information regarding the security incident becomes available. Customer acknowledges that any updates may be based on incomplete information. Plane will not assess the contents of Customer Personal Data for the purpose of determining if such Customer Personal Data is subject to any requirements under applicable law.
8.1. Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data breach under applicable Data Protection Laws.
8.2. Processor shall cooperate with the Customer and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor's reasonable control).
9.1. Upon Customer's 14 days' prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, Processor shall make available to Customer that is not a competitor of Processor (or Customer's independent, reputable, third-party auditor that is not a competitor of Processor and not in conflict with Processor, subject to their confidentiality and non-compete undertakings) all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Processor's prior written approval).
9.2. Upon Processor's first request, Customer shall return all records or documentation in Customer's possession or control provided by Processor in the context of the audit and/or the inspection. Customer shall be fully responsible for bearing all the costs and expenses arising from or related to this section.
10.1. Upon termination of the Agreement and subject thereto, Processor shall, at the request of Customer (indicated in written notification to Processor), delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Processor shall delete existing copies of such Personal Data unless applicable laws require or authorize the storage of the Personal Data.
10.2. If no such request is received by Plane following termination, Plane may delete Customer Personal Data in line with its obligations under applicable law.
10.3. Prior to the termination of the Agreement, Customer agrees that it is solely responsible for deleting Customer Personal Data via the Services. Upon termination of the Agreement, Plane will (i) provide Customer thirty (30) days after the effective date of termination to obtain a copy of any stored Customer Personal Data via the Services, and (ii) delete any stored Customer Personal Data within thirty (30) days upon customer request, unless alternate timeframes for retention and/or deletion are otherwise set forth in the Agreement or subsequently agreed upon by the parties in writing. Any Customer Personal Data archived on Plane's back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.
10.4. Post termination, Plane may retain Customer Personal Data (i) as required by applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Plane will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Personal Data and not further Process it except as required by Applicable Data Protection Law.
11.1. Customer Personal Data will be stored and processed in data centers maintained by Plane or its Subprocessors unless the parties otherwise expressly agree in writing.
11.2. The Customer approves the Processing of Customer data under this DPA outside in countries where the Processor or one of the Sub-processors is registered.
11.3. Customer acknowledges that Processor's primary processing operations take place in the United States, and that the transfer of Customer's Personal Data to the United States is necessary for the provision of the Services to Customer.
11.4. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, "EEA"), Switzerland and the United Kingdom ("UK") to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, or Switzerland or the UK as relevant ("Adequacy Decisions"), as applicable, without any further safeguard being necessary.
11.5. If the Processing of Personal Data by Processor includes transfers (either directly or via onward transfer) from the EEA, Switzerland and/or the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA, Switzerland or the UK, as applicable, then the Standard Contractual Clauses shall apply.
11.6. Where the transfer of Personal Data is made subject to the Standard Contractual Clauses, the "data importer" thereunder shall be either the Processor or its Sub-processor, as the case may be and as determined by Processor, and the "data exporter" shall be the Controller of such Personal Data. The Processor shall, and shall ensure that the relevant Sub-processor shall (where applicable) comply with the data importer's obligations, and the Controller shall comply with the data exporter obligations, in each case under the applicable Standard Contractual Clauses. If necessary, Processor will ensure that its Sub-processor enters into Standard Contractual Clauses with Customer directly, and in such case Customer hereby gives Processor an instruction and mandate to sign the Standard Contractual Clauses with any such Sub-processor in Customer's name and on behalf of Customer. The Standard Contractual Clauses will not apply to Personal Data that relates to individuals located outside of the EEA, or that is not transferred, either directly or via onward transfer, outside the EEA.
12.1. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
12.1.1 disclosure is required by law;
12.1.2 the relevant information is already in the public domain.
12.2. All notices and communications given under this Agreement must be in writing and will be communicated by email.
12.3. This Agreement is governed by the laws and choice of jurisdiction stipulated in the Agreement.
Plane will process Customer's Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer's instructions as set forth in this DPA.
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Customer end-users/customers and Customer employees.
Plane processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Plane in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include:
Refer to Agreement.
| Company | Description | Location |
|---|---|---|
| Functional Software, Inc. AKA Sentry | Error Monitoring | United States |
| Plausible | Website analytics | European Union (EU) |
| Elasticsearch BV | Document Search | United States |
| Stripe, Inc. | Billing & Payments | United States |
| Cloudflare, Inc. | Cloud Services | Global |
| Intercom, Inc. | Email Support | United States |
| PostHog, Inc. | Product Analytics | United States |
| Vercel, Inc. | Hosting | United States |
| OpenAI, LLC | Artificial Intelligence | United States |
| Brevo | Email Automation | United States |
| HubSpot, Inc. | Sales CRM | United States |
| Slack Technologies, LLC | Internal communication | United States |
| Heroku | Hosting | United States |
| AWS | Engineering + Storage | United States |
| Google Analytics | Website and Doc analytics | United States |
| Google Workspace | Comms | United States |
| Cal.com | Calendar Scheduling | United States |
| Accounting | Accounting | United States |