WeQ App Data Processing Agreement and Privacy Policy

June 15, 2018


Data Processing Agreement and Privacy Policy

1. Introduction

This Data Processing Agreement and Privacy policy is intended to define how and why WeQ collects and handles Personal Data. Its goal is to let Users use the Application to its full capability and at the same time protect and limit the use of Personal Data.

This Data Processing Agreement and Privacy policy is intended to be written in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

WeQ stores Personal Data to provide the Services in a reliable and safe way and in accordance with Controller's lawful instructions. 

Any questions related to this Data Processing Agreement and Privacy policy can be sent to contact@WeQ.io.

1.1. Scope

This Data Processing Agreement and Privacy policy is part of the Terms and Conditions applied to all Users of WeQ (the "Terms").

1.2. Definitions

The following definitions in this Data Processing Agreement and Privacy policy shall have the meaning as set forth in this provision:

"Application" – the web-based gamification system developed and provided by WeQ in which a Master Coach creates quizzes and challenges that participants respond to via their personal computers or mobile devices. The results are often shared in real time with the session, and data is used to customize and increase the value of the experience.

"Controller" - the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. This is most often the Master Coach. 

"Customer" - the person or company who purchases a License to use a Paid version of the Application.

"Deliverables" - the result of a Quiz completed by a Team in various formats such as diagrams, charts and reports.

"Data Protection Legislation" means Personal Data regulated by GDPR (Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data).

"EEA" means the European Economic Area, which constitutes the member states of the European Union, the United Kingdom, Norway, Iceland and Liechtenstein.

"Free Version" - the free version of the Application.

"Facilitated Session" - the offline WeQ game session facilitated by the Master Coach.

"GDPR" - Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data

"License" - the right for one Master Coach to use either a Paid Version of the Application, or a Free Version of the Application.

"License Period" - as defined in section 4.

"Master Coach" - the person(s) who create(s) the Team in the Application and guides them during the session. 

"Master Coach Initiation Day" - the moment that a User's WeQ account is promoted to the "Master Coach" designation.

"Master Coach account" - the account, identifiable by unique email, belonging to one Master Coach.

"Master Coach version" - the Master Coach version of the Application.

"Paid Version" - Any other version of the Application that the Customer pays for.

“Personal Data” 

"Master Coach’s Personal Data" – any information about the Master Coach that can be related to an identified, or identifiable living natural person ('Data Subject'), or as otherwise defined by law, regulation or contractual agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Master Coach Personal Data collected by WeQ is limited to Master Coach's email address, name, IP-address and billing address.

“User Personal Data" – any information about the User that can be related to an identified, or identifiable living natural person ('Data Subject'), or as otherwise defined by law, regulation or contractual agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

"Processor" - shall mean an entity which processes Personal Data on behalf of the Controller.

"Quiz" - questions created by the Master Coach.

"Services" – all services furnished by WeQ to a User under these Terms, such as, but not limited to the Application, the card game, and the Website.

"Team" - a group of users created to use and respond to the Quiz.

"Team version" - the version of the Application serving the Team.

"Terms" - these Terms and Conditions including any separate agreement that might have been entered into between WeQ and the User regarding the Services.

"Third Party Application" – the software for which the copyright obviously belongs to a third party or is listed by WeQ to be a Third Party Application.

"User" - A Customer, Master Coach, Team or other person having used the Website or the Application.

"User Data" - all data that a User provides when using the Website or Application, including Quiz and answers to Quiz.

"WeQ" - WeQu BV (tradename WeQ), a Dutch Besloten Vennootschap met beperkte aansprakelijkheid (private limited company) registered at Arena Boulevard 71, 1101 DL Amsterdam, The Netherlands, with Dutch company registration number 66840724, VAT number NL856719869B01 and e-mail contact@WeQ.io.

"Website" - all sites related to WeQ.io, sub-site or versions of them connected to help/support the User to use the Application.

2. Roles and responsibilities

2.1 Parties' Roles

To the extent that WeQ processes Personal Data in the course of providing the Services, it will do so only as a Processor acting on behalf of a Master Coach or a Customer (as Controller) and in accordance with the requirements of the Agreement.

2.2 Compliance

Master Coach or Customer, as Controller, shall be responsible for ensuring that:

  • it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation; and
  • it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to WeQ for processing in accordance with the and this Data Processing Agreement.

When it comes to Master Coach Personal Data, WeQ is seen as the Processor and the Master Coach, or when applicable, the Customer, as the Controller.

When it comes to User Personal Data (except Master Coach Personal Data stated above) and User Data, the Master Coach is seen as Controller and solely responsible for the collection, storing and management of such potential Personal Data. WeQ, as a Processor, will only store such data as a result of the Master Coach's use of the Application and use certain User Data from Free versions of the Application.

The Master Coach is responsible for ensuring that the processing of data within the Application takes place in accordance with applicable legislation.

3. User's right to its own data

WeQ recognizes that the User has full right to its own data. WeQ hereby receives a right to process that data for the purpose of enabling WeQ to deliver the Services to the User.

3.1 Purpose Limitation

WeQ will process the Personal Data only for the purpose of providing the Services in a reliable and safe way and in accordance with Controller's lawful instructions.

3.2 Right to access

The Master Coach has, at any time, the right to obtain from WeQ confirmation as to whether or not Master Coach Personal Data concerning the Master Coach is being processed, where and for what purpose. WeQ will comply with such a request within 30 days at the latest. Requests regarding User Personal Data, for which the Master Coach is responsible, should be directed to the Master Coach, and the Master Coach is obliged to grant access to such User Personal Data.

3.3 Right to be forgotten

The User shall have the right to request that WeQ erases User Personal Data concerning the User without undue delay. WeQ will comply with such a request within 30 days at the latest. If the User exercises the right to be forgotten, the Service can no longer be provided to the User. WeQ may be mandated by law to keep some Personal Data even if the User has requested to be forgotten. The Team shall have the right to request that the Master Coach erases Team Personal Data. The Master Coach shall comply with such a request within 30 days.

3.4 Processing of special categories of personal data

WeQ does not process any special categories of Personal Data defined under article 9 of GDPR.

4. Security within WeQ

WeQ will have in place and maintain throughout the term of this agreement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing (a "Security Incident").

In the event of a Security Incident, WeQ will notify User and provide reasonable assistance in order to remedy or mitigate the effects of the Security Incident.

4.1 Organization of Information security

Top management shall set direction for and show commitment to information security.

The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness. WeQ maintains separation/segregation of duties to prevent error and fraud by ensuring that at least two individuals are responsible for separate parts of any task, so that no single role or account can access, modify or use User Data without authorization or detection.

4.2 Human resource security

WeQ has a process that ensures that all personnel with access to systems or information that can give access to User Data have signed a Non-Disclosure Agreement (NDA) as part of their contract with WeQ. WeQ has a staff onboarding process that includes verifying the identity of staff and the background and skills they state. WeQ has a rigorous staff termination process that includes revoking access rights, seizing IT equipment and invalidating the company access card, as well as notification of continuing confidentiality obligations.

4.4 Operations security

Losses, theft, damages, tampering or other incident related to IT-assets that compromises security must be reported as soon as possible to the VP-Engineering.

4.5 Continuous improvements

WeQ shall implement new updates and versions of the Application, to the extent deemed suitable by WeQ. WeQ has world class engineering practices to ensure everything we do has a security perspective. The following list gives examples of things we do to uphold information security.

  • Clear code conventions enforced by static code analysis;
  • Use of well known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection);
  • Incident response plans are maintained and followed to quickly act on incidents;
  • Continuous check up to keep libraries up-to-date;
  • Continuous integration builds and testing;
  • Continuous improvement process with entire product team where security issues are a standing item;
  • All code is peer reviewed to find bugs and security holes early;
  • Passwords are always kept in password safes or as configuration.

5. Business continuity

WeQ shall always have the right to disconnect the Application for service and upgrading without giving prior notice to the User. WeQ intends to give notice to the User in advance of updates or maintenance of the Application.

6. Incident management

WeQ has an incident management process to detect and handle breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

6.1 Breach Notification

All incidents are documented and evaluated internally and an action plan for each individual incident is made, including mitigatory actions.

If the incident is grave and the risk of damage to the rights and freedoms of natural persons is high, WeQ shall as soon as possible (but no later than 72 hours) inform the affected individuals. WeQ reserves the right to decide what level of notification is needed for what severity of data breach. If the incident is grave, WeQ will also continuously inform the Controller how we work to ensure Personal Data is kept safe.

7. Sub-processing

WeQ has entered into Data Processing Agreements that meet the GDPR requirements for all our subcontracts. Users authorize WeQ to subcontract processing of Personal Data under the Agreement to a third party provided that: (i) WeQ provides Master Coach and Customer with reasonable prior notice of any such subcontracting; and (ii) WeQ flows down Purpose Limitation and Security to any subcontractor it appoints.

Third Party Sub-Processors shall be restricted to only the necessary access, use, retention and disclosure of customer Information needed to fulfill contractual obligations.

7.1 Transfer of personal data to third country

In accordance with GDPR a transfer of personal data to a third country may take place where the Commission has decided that the third country in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

The European Commission has so far (as of May 2018) recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (If part of EU-US Privacy Shield Framework) as providing adequate protection. WeQ hereby reserves the right, and in compliance with GDPR, to use sub-suppliers in countries approved by The European Commission at the current date. WeQ use subcontractors to deliver the best Application possible to our Users.

7.2 List of subcontractors and location

  • Aarni Consulting B.V., Arena Boulevard 65, Kamer 325, 1101 DL, Amsterdam: App development and IT Services
  • MongoDB Inc, 229 W 43rd Street, 5th Floor, New York, NY 10036, United States: Database Services
  • Jira, Level 6, 341 George Street, Sydney, NSW 2000, Australia: Incident / issue tracking
  • Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA: Internal file storage
  • Slack Technologies Limited, 4th Floor, One Park Place, Hatch Street Upper, Dublin 2, Ireland: Internal communication
  • Drift.com, Inc, 3 Copley Place, Suite 7000, Boston, MA 02116, United States: User communication (chat and email)
  • Mentimeter, Mariatorget 1A, SE-118 48 Stockholm, Sweden: Interactive Polling
  • Amazon.com Inc (Amazon Web Services), 410 Terry Avenue North, Seattle, WA 98109-5210, USA: Data hosting
  • The Rocket Science Group, LLC (Mailchimp), 1526 DeKalb Ave NE, Atlanta, GA 30307, USA: User communication (email)
  • Hubspot, 25 First Street, 2nd Floor, Cambridge, MA 02141, United States: User communication and sales admin
  • Trello Inc, 55 Broadway, 25th Floor, New York, NY 10006, USA: Internal communication (task management)
  • TYPEFORM S.L, B65831836, Bac de Roda, 163, Barcelona 08018, Spain: User Communication (survey & email)
  • Zapier, Inc, 548 Market St #62411, San Francisco, California 94104, USA: Internal Communication

WeQ reserves the right to add subcontractors if they comply with the rules and regulations of this Data Processing Agreement and Privacy statement.

8. Physical and environmental security

8.1 Office

Physical access to WeQ's office premises shall be restricted to staff individually and on a need to have basis. Physical access to where Services are performed shall log physical access related events such as date, time, swipe/proximity card-id, door-id, access denied or access granted.

8.2 Data Centers

WeQ is working with best in class service providers for data storage. The service providers' physical infrastructure is hosted and managed within Amazon Web Services (AWS) secure data centers and utilizes the AWS Infrastructure as a Service (IaaS) offerings. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

WeQ's application servers are hosted in the EU-Frankfurt region of AWS, and database servers are hosted in the EU-Ireland region of AWS, with high availability and disaster recovery protection.

Amazon's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate

Sarbanes-Oxley (SOX) - As a publicly traded company in the United States, salesforce.com is audited annually and remains in compliance with the Sarbanes-Oxley (SOX) Act of 2002.

Amazon security is covered at https://aws.amazon.com/security/.

9. User privacy and data integrity

Keeping User Data secure is extremely important, and WeQ spends a lot of effort and time to ensure all data sent to WeQ is handled securely. We will, in this section and the section regarding the Security Revision Schedule, describe what WeQ does to accomplish this.

Top management is responsible for setting direction for and showing commitment to data integrity and user privacy. WeQ has experienced engineers designing and building our systems according to best practices to ensure the highest data security in all parts of the application. We only use well-recognized and highly secure 3rd party systems with proper security certifications and practices. Our employees are required to use two-factor authentication for all systems where data is stored, together with individual accounts to ensure that we can follow who did what and when. When an employment is ended, we immediately revoke all accesses that such employee had.

Security measures are taken to protect User and User Data both for "Data at rest" and "Data in transit" (read more below).

WeQ respects intellectual property rights and will remove any content that infringes copyright, trademark, patent or other intellectual property rights of third parties upon notification from a Master Coach, Customer or third party.

WeQ stores User Personal Data until requested to delete it by the User. WeQ has a process in place to report and handle Privacy Incidents and/or Breaches as well as to address inquiries, complaints and disputes.

9.1. Personal Data

We avoid storing any Personal Data that is not needed to supply our users with a great experience and gain value from WeQ. We have deemed the following to be the minimum amount of Personal Data we need from a User:

  • Master Coaches' and Customers' name
  • User Email address
  • Customer billing address
  • User IP address
  • User agent

WeQ stores this Personal Data for the minimum time we can while still delivering a safe, reliable and valuable Application. We have deemed the following timeframes appropriate before we delete the Personal Data needed:

  • Master Coaches' and Customers' name (stored until requested to be deleted)
  • User Email address (stored until requested to be deleted)
  • Customer billing address (stored until requested to be deleted)
  • User IP address (stored until requested to be deleted)

9.2. Access to User Data

WeQ's staff do not access or interact with User Data or applications as part of normal operations. There may be cases where WeQ is requested to interact with User Data at the request of the Master Coach or Customer for support purposes, or where required by law. User Data is access controlled, and all access by WeQ's staff is accompanied by customer approval, government mandate or top management approval. The reason for access, the actions taken by staff, and the support start and end time are recorded for each access.

9.3. Data at Rest

WeQ uses Encryption of all data "at-rest".

WeQ gets powerful and automatic protection through our database provider. The WeQ database storage volumes are encrypted and follow the Atlas security measures (https://webassets.mongodb.com/_com_assets/collateral/Atlas_Security_Controls.pdf).

WeQ stores User Personal Data, Master Coach Personal Data and User Data on AWS hosting, managed through the MongoDB Atlas cloud database management service. Both the database and the hosting service providers are certified under the EU-U.S. Privacy Shield framework.

See https://www.heroku.com/policy/security, https://aws.amazon.com/compliance and https://www.mongodb.com/cloud/compliance.

Any access to the WeQ databases is protected through IP (Internet Protocol) whitelisting, and only the WeQ authorized premises are whitelisted to connect to the database. All data access is audited and monitored through the MongoDB Atlas cloud platform.

WeQ stores User Personal Data, Master Coach Personal Data and User Data on AWS (an Amazon service, https://aws.amazon.com/compliance/). For geographical locations, see section "List of subcontractors and location".

9.4. Data in Transit

WeQ uses standard SSL, i.e. encryption of data "in transit", using a SHA-256 RSA certificate, and is rated A+ by the 3rd party vendor SSL Labs.

Privacy and the protection of User Data are of the highest importance to WeQ, and we have both technical and operational support in place to ensure this.

9.5. Backups and Data Loss Prevention

Data is backed up continuously using database clusters, and we have an automatic failover system should the main system fail.

9.6. User Password

We hash and salt passwords using the bcrypt algorithm to limit the harm in the case of a breach. WeQ can never see User passwords, and Users can only self-reset them by email.