Matomo Cloud Data Processing Agreement (DPA)

Processing personal data in a secure, fair, and transparent way is extremely important to us at InnoCraft. To better protect individuals’ personal data, we are providing this agreement to govern InnoCraft’s and processing of personal data on your behalf. 

Definitions 

  1. “Customer”​ refers to the organisation that uses the Service; 
  2. “We” or “Innocraft” refers to InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand;
  3. In the course of providing the Matomo Analytics Cloud to analyse the online behaviour of Customer’s website’s visitors or Customer’s app’s users (“Service”) to Customer, InnoCraft may process personal data on behalf of Customer. 
  4. In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/679), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction; 
  5. “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with the Data Protection Legislation; 
  6. The parties agree that Customer is the data controller and that InnoCraft is its data processor in relation to personal data that is processed in the course of providing the Service.

Nature and purpose of the intended processing of personal data

The purpose of the data processing is the statistical evaluation and analysis of performance and usage behaviour of people on the controller’s (Customer’s) websites or apps. This can be done in an anonymous or at least pseudonymised way. The processor (InnoCraft) does not pursue its own purposes with this data processing.

Processing of controller (Customer) Personal Data 

  1. Depending on how the controller chooses to use the Service, the subject matter of processing of personal data may cover the following types/categories of data:
    • IP address (by default the IP address is stored anonymised) 
    • city, region, country, longitude/latitude (latitude and longitude are often near the center of population. These values are not precise and cannot be used to identify a particular address or household.) 
    • browser, browser version, device type, operating system, user agent 
    • date, time, timezone 
    • pages visited (page URLs and page titles) 
    • screens visited 
    • referrer URL 
    • marketing campaign URL parameters 
    • files clicked and downloaded 
    • links to an outside domain that were clicked 
    • screen resolution 
    • session recording storing the HTML page, and all mouse events (movements, scrolls, locations and clicks), and keypresses 
    • search terms used on an internal mobile’s or web properties’ search engine 
    • custom dimensions and custom variables (any personal or non personal data the controller wishes to process) 
    • custom events 
    • content pieces 
    • JavaScript errors 
    • User ID 
    • ecommerce order ID, order dDate 
    • ecommerce abandoned carts 
    • media titles and URLs 
    • participation in A/B tests 
  2. The group of data subjects affected by the processing of their personal data under this Agreement includes end-users of the controller’s websites and apps that use the Service. 

The processor (InnoCraft) obligations with respect to the controller

  1. The processor (InnoCraft) will process the controller (Customer) Personal Data only in accordance with Instructions from the controller (Customer) through the settings of the Service, i.e. (a) to operate, maintain and support the infrastructure used to provide the Service; (b) to comply with the controller (Customer)’s instructions and processing instructions in their use, management and administration of the Service; (c) as otherwise instructed through settings of the Service. The processor (InnoCraft) shall guarantee the confidentiality of personal data processed hereunder. 
  2. The processor (InnoCraft) will only process the controller (Customer) Personal Data in accordance with the Agreement. The processor (InnoCraft) shall notify the controller (Customer) without undue delay if, in the processor’s opinion, an instruction for the processing of personal data given by the controller (Customer) infringes the Data Protection Legislation. 
  3. Where a data subject asserts their rights as a data subject directly against the processor (InnoCraft), this request will be forwarded to the controller (Customer) without delay. The processor (InnoCraft) may not correct, delete, restrict the processing of or provide information on the data processed under the contract unauthorised, but only in accordance with documented instructions from the controller (Customer), unless this is required by law or the Terms of Service.
  4. Every transfer of personal data to a country which is not a member state of either the EU or the EEA requires the prior consent of the controller (Customer) and shall only occur if the requirements of art. 44 of the GDPR have been met. The adequate level of protection in New Zealand has been approved by the European Commission (art. 45(3) GDPR).
  5. The processor (InnoCraft) shall ensure that all employees required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Agreement.
  6. The processor (InnoCraft) may hire other companies to provide limited services on its behalf, provided that the processor (InnoCraft) complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services the processor (InnoCraft) has retained them to provide, and they shall be prohibited from using personal data for any other purpose. The processor (InnoCraft) remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom the processor (InnoCraft) transfers personal data will have entered into written agreements with the processor (InnoCraft) requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the controller (Customer) in the processor’s (InnoCraft’s) Privacy policy. Prior to modifying the list of subprocessors, the controller (Customer) will be notified by email. The list will be updated within thirty (30) days of any such notification if the controller (Customer) does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with the Data Protection Legislation. If, in the processor’s reasonable opinion, such objections are legitimate, the controller (Customer) may, by providing written notice to the processor (InnoCraft), terminate the Agreement.
  7. If the processor (InnoCraft) becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by the processor (InnoCraft) in the course of providing the Service (an “Incident”), it shall without undue delay notify the controller (Customer) by email notification and provide the controller (Customer) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on the controller (Customer) content. The processor (InnoCraft) shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
  8. The processor (InnoCraft) shall assist the controller (Customer) in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in arts. 32 to 36 of the GDPR.

Customer undertakings and InnoCraft’s assistance 

  1. The controller (Customer) warrants that it has all rights to provide to the processor (InnoCraft) the personal data for processing in connection with the provision of the processor (InnoCraft) Services, including the users’ consent, if required by the Data Protection Legislation.
  2. The controller (Customer) shall comply at all times with Data Protection Legislations in respect of all personal data it provided to the processor (InnoCraft) pursuant to the Agreement.
  3. The processor (InnoCraft) shall make available to the controller (Customer) information reasonably necessary to demonstrate compliance with the processor (InnoCraft)’s obligations under this DPA. Such audit shall consist solely of: (i) the provision by the processor (InnoCraft) of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with the processor (InnoCraft) IT personnel. Such an audit may be carried out by the controller (Customer) or a national privacy supervisory authority composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality (such as the ICO or the CNIL). For the avoidance of doubt no access to any part of the processor’s IT system, data hosting sites or centers, or infrastructure will be permitted.

Technical and Organisational Measures

  1. The processor (InnoCraft) shall establish data security in accordance with arts. 28(3)(c), 32 and 5(1) and (2) GDPR. The measures for data security and to guarantee an appropriate protection level in relation to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32(1) GDPR must be taken into account. 
  2. Before the start of the processing, the processor (InnoCraft) shall document the implementation of the necessary technical and organisational measures with regard to the execution of this data processing agreement, and shall present these documented measures to the controller (Customer) for inspection. Upon acceptance by the controller (Customer), the documented measures become part of the data processing agreement. The processor (InnoCraft) currently observes the measures described in Appendix 1.
  3. The technical and organisational measures are subject to technical progress and further development. In this respect, the processor (InnoCraft) may implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes must be documented.

Liability and Indemnity 

Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA. 

Duration and Termination 

  1. This DPA shall come into effect upon the Customer’s acceptance and shall continue until it is changed or terminated in accordance with the Terms of Service.
  2. If you are accepting this agreement on behalf of the controller (Customer), you warrant that: (a) you have full legal authority to bind the controller (Customer) to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of the controller (Customer), to this DPA. If you do not have the legal authority to bind the controller (Customer), please do not accept this DPA.
  3. Upon termination of the controller’s (Customer’s) account, the processor (InnoCraft) shall delete the controller (Customer) data within 30 days in accordance with its standard backup and retention policy and the Terms of Service.
  4. Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein. 

DPO and EU Representative

  1. As data protection officer the processor (InnoCraft) has appointed 
    ePrivacy GmbH
    represented by Prof. Dr. Christoph Bauer
    Große Bleichen 21, 20354 Hamburg, Germany
    phone: +49 40 609451 810
    email: dpo@eprivacy.eu 

    The controller (Customer) shall be informed immediately of any change of data protection officer.
  1. As the processor (InnoCraft) is established outside the EU and the EEA, it designates the following Representative within the European Union pursuant to art. 27(1) GDPR: 
    ePrivacy Holding GmbH
    represented by Prof. Dr. Christoph Bauer
    Große Bleichen 21, 20354 Hamburg, Germany
    phone: +49 40 609451 810
    email: eu.rep@eprivacy.eu 

Appendix 1 – Technical and Organisational Measures

The processor (InnoCraft) currently observes the technical and organisational measures described below.

a) Access Control

i) Preventing Unauthorised Product Access

  • Outsourced processing: We host our Service with an outsourced cloud infrastructure provider compliant with a number of physical security and information security standards which are detailed at https://aws.amazon.com/security/. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programmes in order to protect data processed or stored by these vendors.
  • Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers.
  • Authentication: Customers who interact with the products via the user interface must authenticate before accessing non-public Customer data.
  • Authorisation: Customer Data is stored in systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. Only the appropriately assigned individuals can access relevant features, views, and customisation options. Authorisation to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
  • Application Programming Interface (API) access: APIs may be accessed using an API token.

ii) Preventing Unauthorised Product Use

  • Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
  • Bug bounty: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a bug bounty program in an effort to widen the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks.

iii) Limitations of Privilege & Authorisation Requirements

  • Product access: A subset of our employees have access to the products and to Customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective Customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged.
  • Access to Production Environment. Our backend production environment that runs Matomo Cloud is only accessible by a dedicated group of Privileged Users whose privileges must be approved by senior management. Privileged Users may only access our backend production environment via a bastion host and doing so requires 2FA both to log in and to establish a SSH via the bastion host.
  • Employees who have access to the products and to Customer data undergo required training on specific security topics, including phishing, protection of digital identities, social engineering, wifi security, and the handling of Customer Data. We maintain records of training occurrence and content.
  • We enforce strong password guidelines for all employee accounts, including requirements for password length, complexity, and the use of letters and numbers.
  • Our Clean Desk policy requires employees to keep their workstations clear of sensitive information when not in use.

b) Transmission Control

  • In-transit (to load balancer): We make HTTPS encryption (also referred to as SSL or TLS) the default and available on APIs and all user interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.
  • At-rest: user passwords and API tokens are stored encrypted in the database. We use disk encryption technologies to ensure that stored data is encrypted at rest. 

c) Input Control

  • Detection: We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
  • Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimise product and Customer damage or unauthorised disclosure. Notification to Customer will be in accordance with the terms of the Agreement. 

d) Availability Control

  • Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
  • Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
  • Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Privacy Policy

Please refer to the Matomo Cloud Privacy Policy for more information: https://matomo.org/matomo-cloud-privacy-policy

Contact Us

Email: privacy@innocraft.com

Contact form: matomo.org/contact