
Effective: March 2026

Data Processing Addendum

ChartPull by Serret

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Jamie Karl Serret trading as Serret ("Processor") for the ChartPull service. This DPA applies where ChartPull processes personal data on behalf of the Customer.

2. Definitions

The following terms have the meanings set out below for the purposes of this DPA:

  • "Controller" means the Customer who determines the purposes and means of processing.
  • "Processor" means Serret, operating ChartPull.
  • "Sub-processor" means a third party engaged by the Processor to assist with the processing of Personal Data.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Data Subject" means the individual whose Personal Data is processed.

3. Scope of Processing

The details of the processing carried out under this DPA are as follows:

3.1 Subject Matter

Generation of organisational charts from Google Workspace directory data.

3.2 Duration

The term of the Customer's ChartPull subscription.

3.3 Nature of Processing

Automated processing (read-only access to Google Workspace Admin Directory).

3.4 Purpose

Visualisation and analysis of employee organisational structure.

3.5 Categories of Data Subjects

Customer's employees and contractors listed in Google Workspace.

3.6 Types of Personal Data

The following categories of Personal Data are processed:

  • Full names
  • Email addresses
  • Job titles
  • Departments
  • Office locations
  • Manager relationships
  • Profile photographs
  • Organisational unit paths

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk, as described in our Security Architecture.
  • Engage Sub-processors only with prior general written authorisation from the Controller (see Sub-processor List).
  • Assist the Controller in responding to Data Subject rights requests, including requests for access, rectification, erasure, and data portability.
  • Assist the Controller with data protection impact assessments (DPIAs) and prior consultation with supervisory authorities where required.
  • Delete all Personal Data within 30 days of subscription termination, unless retention is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

5. Sub-processors

Current Sub-processors engaged by the Processor are listed at https://chartpull.com/subprocessors.

The Processor will notify the Controller at least 30 days before engaging a new Sub-processor, providing the Controller with an opportunity to object to the engagement.

If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the Controller may terminate the subscription in accordance with the Terms of Service.

6. International Data Transfers

Personal Data is processed in the United States (Vercel hosting, Neon database).

Transfers of Personal Data from the European Economic Area (EEA) are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission.

The Processor has assessed that US privacy protections, combined with technical measures (encryption in transit and at rest, access controls, data minimisation), provide adequate protection for the Personal Data transferred.

7. Data Breach Notification

The Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach.

The notification will include:

  • The nature of the Personal Data breach.
  • The categories and approximate number of Data Subjects affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.

8. Audit Rights

The Controller may audit the Processor's compliance with this DPA.

Audits shall be conducted with reasonable notice (minimum 30 days) and during normal business hours, and shall not unreasonably interfere with the Processor's business operations.

The Controller may appoint a qualified third-party auditor to conduct the audit on its behalf, subject to the auditor entering into appropriate confidentiality obligations.

9. Term and Termination

This DPA is effective for the duration of the Customer's ChartPull subscription.

The Processor's obligations regarding data deletion and confidentiality survive the termination of this DPA and the underlying subscription agreement.

10. Governing Law

This DPA is governed by the laws of New South Wales, Australia.

For EU Data Subjects, the provisions of the General Data Protection Regulation (GDPR) shall take precedence where there is a conflict between the governing law and the requirements of the GDPR.

11. Contact

For enquiries relating to this Data Processing Addendum or our data processing practices, please contact us:

Serret

Privacy Officer: privacy@chartpull.com

General: support@chartpull.com

For data processing enquiries and GDPR-related requests, please include "DPA Request" in the subject line of your email. We aim to respond to all enquiries within 5 business days.