Data processing agreement

This Data Processing Agreement (“Agreement”) is incorporated by reference into Shake’s Terms of Service (the “Terms”). The terms “Shake”, “we”, “us” mean Shake Technologies, Inc.

This Agreement applies in respect of the provision of the Services to you, except that Appendix 1, Appendix 2 and Schedule 1 apply only to Processing of your Personal Data governed by GDPR, and Clause 4 applies only to Processing of your Personal Data governed by the CCPA.

Data Protection Law

All applicable international, national, federal, state, provincial, and local laws, rules, regulations, directives, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of the Processing of Data, including but not limited to the General Data Protection Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (the “GDPR”), the e-Privacy Directive 2002/58/EC, the e-Privacy Regulation 2017/003, the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code (the “CCPA”) and any equivalent or similar laws, rules, regulations, directives, and governmental requirements in applicable jurisdictions, and any laws implementing, replacing or supplementing any of them, as amended, consolidated, re-enacted or replaced from time to time.


Official inspection to verify compliance with this Agreement and applicable Data Protection Law.

International Data Transfer

Any transfer of Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom.

Business, Commercial Purpose, Controller, Data Subject, Personal Data, Personal Information, Process, Processing, Processor, Sale, Sell, Service Provider

Meanings given in applicable Data Protection Law.

Permitted Purpose

The purpose described in Appendix 1 which is necessary for Shake to perform its obligations under the Terms.

Security Incident

Accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your Personal Data.

Security Measures

An information security program that includes administrative, physical, technical and organisational measures with a goal to safeguard your Personal Data.

Standard Contractual Clauses

The clauses annexed to EU Commission Decision 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of Personal Data to Processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18).

1.1 Other capitalised terms are defined in our Terms of Service.

Frequently asked questions

Is Shake GDPR compliant?

We have added functional enhancements to the Shake platform and prepared detailed documentation to make sure that you as a data controller can feel totally confident using Shake and fulfilling your obligations under GDPR.

Can we use Shake if we have customers in the EU?

Of course. Understanding how to comply with EU citizens’ rights to their personal data is important for your ability to comply with GDPR. Shake is a data processor and provides you ways to comply with those rights, whereas you need to decide which reported data may be considered personal, take steps to exclude data that you don’t want Shake to process, and understand how to use consent or other lawful basis when you’re sending personal data.

If we’re outside of the EU, do we need to be concerned about GDPR in the first place?

You probably do because GDPR cares about the rights of individuals and it’s hard to be sure that you will never process data of an EU citizen due to the prevalence of globalization, international travel and remote work.

Do we need to obtain consent before we send ourselves data with Shake?

Not necessarily. The GDPR primarily cares about personal data. Unidentified reports are mostly anonymous and may not include any personally identifiable data — receiving such a report without consent can be fine. It’s possible to receive personal data accidentally though, for example if you receive a screenshot of a screen where personal data is visible. It’s important that you ensure all appropriate form fields are excluded before you start receiving reports, or that you’re receiving reports only after you have consent.

Where is my data stored? Should I be concerned about the data of my customers in the EU being stored outside of the EU?

Shake data is stored within Amazon Web Services’ data centers in the EU. We chose their world-renowned data centers because of their state-of-the-art security systems.

How do I make sure personal data isn’t being captured by Shake?

You have full control over which fields or elements are excluded and it is important that you exclude the personal data that you do not want Shake to capture.

When specific users ask to be forgotten, can I delete their Shake data?

Yes, write to and we will delete those individual users.

If an EU citizen requests a copy of data being processed by Shake, what can I provide to them?

Depending on what data you’ve chosen to send Shake when receiving reports, you may or may not have any personal data in Shake. Either way, if you’d like to provide all personal data to your customer, you can write to and we can help you.

Does Shake use my data for its own purposes?

Absolutely not! We host your data to provide you our brilliant service on top of it, just like a bank provides and protects your safe deposit box without owning its contents. Your data is yours only.

Data protection

2.1 You appoint Shake to Process your Personal Data. Each party shall comply with the obligations that apply to it under applicable Data Protection Law.

You shall, in your use of the Service, Process Personal Data in accordance with the requirements of the applicable Data Protection Law. For the avoidance of doubt, your instructions for the Processing of your Personal Data shall comply with the applicable Data Protection Law. You shall ensure that you have provided or will provide any necessary notices to Data Subjects, and have obtained or will obtain all necessary rights and consents (to the extent required) for you to Process your Personal Data in accordance with this Agreement.

You acknowledge that Shake is reliant on you for direction as to the extent to which Shake is entitled to Process your Personal Data on behalf of you in performance of the Service. Consequently, Shake will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Shake, to the extent that such action or omission resulted from your instructions or from your failure to comply with your obligations under the applicable Data Protection Law.

2.2 Shake shall Process your Personal Data only for the Permitted Purpose, except where otherwise required by any EU (or any EU Member State) law applicable to Shake. In no event shall Shake Process your Personal Data for its own purposes or those of any third party.

2.3 Shake shall ensure that any person that it authorises to process Personal Data (including Shake’s staff, agents and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process Personal Data who is not under such a duty of confidentiality. Shake shall ensure that all authorised persons process Personal Data only as necessary for the Permitted Purpose.

2.4 Shake shall implement Security Measures to protect Personal Data from Security Incidents. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:

  1. the pseudonymisation of Personal Data,
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
  3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

At a minimum, such Security Measures shall include the measures identified in Appendix 2.

2.5 Shake shall not subcontract any Processing of your Personal Data to a third party subprocessor without your prior written consent. You permit Shake to disclose your Personal Data to the following subprocessors which assist Shake in providing the Service as described in the Terms, pursuant to applicable Data Protection Law:

  1. Amazon Web Services, Inc. (Hosting), United States
  2. Canny, Inc. (Customer feedback), United States
  3. FullStory, Inc. (Analytics), United States
  4. Google LLC (Analytics), United States
  5. Intercom, Inc. (Support helpdesk, customer communication), United States
  6., Inc. (Analytics), United States
  7. SendGrid, Inc. (Customer communication), United States
  8. Stripe, Inc. (Payment processing), United States

2.6 Shake shall assist you by appropriate technical and organisational measures to enable you to respond to:

  1. any request from a Data Subject to exercise any of its rights under applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable), and
  2. any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of your Personal Data.

You shall be solely responsible for responding to such requests.

2.7 If Shake believes or becomes aware that its Processing of Personal Data is likely to result in a high risk to the data protection rights of Data Subjects, it shall promptly inform you and provide you with all such reasonable assistance as you may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority, solely to the extent that such assistance is necessary and relates to the Processing of your Personal Data by Shake, taking into account the nature of the Processing and the information available to Shake.

2.8 Upon becoming aware of a Security Incident, Shake shall inform you without undue delay. At your request, Shake will provide you with all reasonable assistance necessary to enable you to fulfil your data breach reporting obligations under (and in accordance with the timescales required by) applicable Data Protection Law.

2.9 Upon termination or expiry of this Agreement, Shake shall (at your election) either destroy or return to you all your Personal Data in its possession within a reasonable timeframe. This requirement shall not apply to the extent that Shake is required by any applicable Data Protection Law to retain some or all of Personal Data, in which event Shake shall isolate and protect your Personal Data from any further processing except to the extent required by such law.

2.10 Shake has and will maintain commercially reasonable internal security controls and auditing procedures to audit its controls. Once in a rolling 12-month period or following a Security Incident or as otherwise required by applicable Data Protection Law, Shake will permit you or your auditor to conduct an Audit of Shake at your expense, to the extent that such information is within Shake’s control and Shake is not precluded from disclosing it by law, a duty of confidentiality, or any other obligation owed to a third party. The parties will agree in advance on reasonable timing, scope, and security controls applicable to the Audit, including restricting access to Shake’s trade secrets and data belonging to Shake’s other customers. If the Security Incident is caused by you then Shake may charge you a fee for the Audit if Shake documents the basis and calculation of the fee in advance. If you provide Shake with notice of a security deficiency (detected through tests or Audits performed under this section or otherwise), Shake will remediate the deficiency as appropriate within a reasonable timeframe.

2.11 Parties acknowledge that each party may disclose this Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

International transfers

3.1 You hereby authorize Shake to perform International Data Transfers to any country deemed adequate by the EU Commission on the basis of appropriate safeguards in accordance with Data Protection Law or pursuant to the Standard Contractual Clauses referred to in Clause 3.2.

3.2 By signing this Agreement, the parties conclude the Standard Contractual Clauses, which are attached as Schedule 1 and hereby incorporated into this Agreement and completed as follows: Appendix 1 and Appendix 2 to the Standard Contractual Clauses are Appendix 1 and 2 to this Agreement respectively.

3.3 If Shake’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Shake’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then the parties will work together in good faith to reasonably resolve such non-compliance.

California Consumer Privacy Act

4.1 Shake is acting as a Service Provider with you. Shake shall retain, use and disclose Personal Data solely for the purpose of performing its obligations under the Terms for you, and for no commercial purpose other than the performance of such obligations. Shake does not receive any Personal Data as consideration for the services described in the Terms. Shake shall not Sell Personal Data, and shall not retain, use or disclose Personal Data except as necessary for the sole purpose of performing the services described in the Terms. Shake shall refrain from taking any action that would cause any transfers of Personal Data, either to Shake or from Shake, to qualify as a Sale of Personal Information.


5.1 This Agreement shall be governed by, and construed in accordance with, the law of the State of California USA and the courts located in San Francisco County, California shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this Agreement, except where otherwise required by applicable Data Protection Law.


6.1 As always, please never hesitate to get in touch with us at for anything relating to overall security of your Personal Data.

Appendix 1. Data Processing description

This Appendix 1 forms part of the Agreement and describes the Processing that the Processor will perform on behalf of the Controller.


You are the Controller.


Shake is the Processor.

Data Subjects

Data Subjects may include end users of your applications and Authorized Users who use the Service.

Categories of data

Personal Data to be processed concern the following categories of data:

Regarding your application end users: Crash data, configuration data, device identification, build data, and any user data, including personally identifiable data, supplied by you to Shake.

Regarding Authorized Users: First name, last name, work organization email address.

Special categories of data

No special categories of data will be processed.

Processing operations

Your Personal Data will be stored and Processed only in order to provide the Service described in the Terms for your benefit.

Appendix 2. Security Measures

Shake’s Security Measures include:

  1. strict logical or physical separation between your Personal Data and confidential information, Shake’s own data and data of Shake’s other customers;
  2. maintaining industry-standard perimeter protection for Shake’s network and devices connected thereto (“Shake’s System”);
  3. applying, as soon as practicable, patches or other controls to Shake’s System that effectively address actual or potential code-based security vulnerabilities;
  4. employing commercially reasonable efforts to ensure that Shake’s System remains free of security vulnerabilities, viruses, malware, and other harmful code;
  5. employing commercially reasonable efforts to practice safe coding standards and practices which address common application security vulnerabilities;
  6. providing appropriate education and training to Shake employees and workers regarding these Security Measures and ensuring that those individuals are bound by confidentiality obligations;
  7. accessing or transferring your Personal Data or your confidential information to or from Shake systems only in a secure and confidential manner, including complying with specific security provisions and procedures set forth by you in advance in writing, and
  8. limiting Shake employee/agent/subcontractor access to Shake’s network, systems, devices and facilities to those with a need for such access, and whose access privileges shall be revoked promptly upon their termination.

Schedule 1. Standard Contractual Clauses
