This GDPR Data Processing Addendum (“DPA”) is an addition to Terms and Conditions available here. The purpose of this DPA is to reflect the parties’ agreement regarding the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
This DPA is not a replacement or shall not supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.

Data Subject Rights

To enable Data Controllers (in this case, ShepHertz Customers) to exercise Data subject rights (Right to Erase, Right to Suppress, Right to Modify, Right to Access), ShepHertz (Data Processor) provides both Dashboard controls as well as REST APIs to be in compliance with DPR requirements.

Incident Response

ShepHertz shall notify (within 72 hours) Data Controllers (in this case, ShepHertz Customers) without any delay if they become aware of a personal data breach affecting Data Subject (in this end consumers) personal data providing Data Controller with sufficient information to allow them to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

Data Processing

ShepHertz stores and process the data collected of Data Subject by the Data Controller to provide analytics services like omni channel distribution, geo-graphic distribution, application activities analytics and the notification services to target those data subjects based on the analytics segments.

Data Retention

ShepHertz keeps Data subject’s information for indefinite period to provide the analytics. However to comply with GDPR guidelines, we have updated our SDKs where Data Controllers can provide the option to Data subject if they want to delete their data.

Access Control

ShepHertz hosts its services with Cloud Infrastructure providers – Microsoft Azure and Amazon Web Services. ShepHertz relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by such vendors to implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing and storage infrastructure (e.g. database and application servers and related hardware) where the personal data are processed or stored.

Data Protection

ShepHertz uses encryption technologies provided by infrastructure providers (Microsoft Azure and Amazon Web Services) to store data at rest.
Key based authentication to access the systems by authorized personnel only

Data Collection

In addition to the data collected by the Data Controller and provided to Data Processor for further processing, our client side SDK collects some more information like device details, timezone, geographical information. Complete list can be found here.