Moving on from Workplace from Meta? Discover how Actimo is the perfect alternative which gives you so much more
Moving on from Workplace from Meta? Discover how Actimo is the perfect alternative which gives you so much more
Effective: February 3, 2025
This data processing agreement shall apply to all customers where Actimo is acting as a data processor, unless Actimo and the customer have entered into a separate agreement governing data processing, such as a specific DPA from the customer.
This Data Processing Agreement (“DPA”) is an addendum to the legal agreement between you (the “Customer”) and Actimo for your use of the Actimo Services (the “Agreement”).
For the purposes of the DPA the following definitions apply;
“Customer Personal Data” means the categories of Personal Data that are set out in Annex A to this DPA and that are Processed by Actimo on behalf of the Customer.
“Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation or the “GDPR”) (ii) means the GDPR as it forms part of domestic law in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018; (iii) the Norwegian legislation implementing the GDPR; and (iv) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each as applicable and each as amended, consolidated or replaced from time to time.
“New Sub-Processor” means any Sub-Processors engaged by Actimo after the effective date of the Agreement.
“Personnel” means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.
“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries and/or, where applicable, the addendum to those standard contractual clauses or international data transfer agreement published by the Information Commissioner’s Office for data transfers from the UK.
“Sensitive Data” means: (i) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, credit, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (v) account passwords; (vi) personal data relating to criminal convictions or offences, or (vii) other information that falls within the meaning of “special categories of data” or “sensitive data” under applicable Data Protection Laws.
“Sub-Processor” means an entity to which Actimo subcontracts its processing of the Customer Personal Data.
“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processing” (with “Process” and “Processed” to be construed accordingly) and “Processor” shall have the meaning provided to such term under the GDPR.
“Supervisory Authority” shall have the meaning given to the term under the GDPR, or shall refer to the Information Commissioner’s Office to the extent the UK GDPR applies.
All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA and any relevant SCCs (where implemented in connection with the Agreement).
The parties acknowledge and agree that with regards to the Processing of Customer Personal Data in the course of providing the Services, Customer is the Controller and Actimo is a Processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).
In the course of providing the Services, Actimo shall Process Customer Personal Data only:
If at any point, Actimo becomes unable to comply with Customer’s instructions regarding the Processing of Customer Personal Data (whether because Actimo believes that an instruction infringes the applicable law of the United Kingdom, or applicable EU/EEA law or national law of an EU/EEA Member State, or as a result of a change in applicable law, or a change in Customer’s instructions), Actimo shall reasonably promptly:
The Customer shall: (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its Processing of Customer Personal Data and any Processing instructions issued to Actimo; and (ii) provide all notices and obtain all consents and rights necessary under Data Protection Laws for Actimo to Process Customer Personal Data for the purposes described in the Agreement. This DPA does not relieve the Customer’s obligations under Data Protection Law.
The Customer shall not provide (or cause to be provided) any Sensitive Data to Actimo for Processing under the Agreement, and Actimo will have no liability for Sensitive Data, whether in connection with a Personal Data Breach or otherwise.
Notwithstanding the foregoing, in the event that the Customer provides Sensitive Data to Actimo, Actimo shall not be obliged to Process such Sensitive Data.
Subject to Section 8, Actimo will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, any other breach of security, and take reasonable steps to ensure a level of security appropriate to the risks arising from its Processing activities, in accordance with applicable Data Protection Law. The security measures shall at all times be designed to preserve the security and confidentiality of Customer Personal Data in accordance with Actimo’s security standards set out in Annex B to this DPA.
Actimo shall take reasonable steps to ensure: (i) that Customer Personal Data are kept confidential; and (ii) that all relevant Actimo Personnel and any relevant Sub-Processors have committed themselves to ensuring the confidentiality of all Customer Personal Data that they Process.
Actimo shall ensure that Customer Personal Data is solely Processed by Actimo’s Personnel who are authorized by Actimo to Process Customer Personal Data.
Customer is responsible for reviewing relevant information pertaining to data security as is made available by Actimo. Based on such information, the Customer shall make an independent assessment on whether the Actimo Service complies with the Customer’s obligations pursuant to applicable laws, including Data Protection Laws. Customer understands that Actimo’s security measures may be updated or modified as needed, provided that such updates and/or modifications do not negatively affect the overall level of security for the Actimo Services provided to Customer.
Actimo shall:
Actimo’s notification of, or response to, a Personal Data Breach under this Section 4 shall not be construed as an acknowledgment by Actimo of any fault or liability with respect to the Personal Data Breach.
In respect of the Processing of Customer Personal Data, taking into account the nature of the Processing and the information available to Actimo, Actimo shall, at the Customer’s written request and expense, reasonably promptly assist the Customer with the Customer’s legal obligations under Data Protection Law by providing the Customer with any reasonable technical and organizational assistance necessary to:
For the avoidance of doubt, Actimo shall be entitled to receive remuneration for any documented costs Actimo incurs in connection with its assistance under this Section 5.
Actimo shall, in relation to its Processing of Customer Personal Data, maintain documentation of its compliance with this DPA and Data Protection Law, including written records of all Customer Personal Data Processed on behalf of the Customer. Actimo shall provide access to the aforementioned documentation upon the Customer’s reasonable notice.
At the Customer’s request and expense, Actimo shall: (i) promptly provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Law, to the extent that Actimo is reasonably able to provide such information; and (ii) subject to Section 8, allow for and contribute to audits, including inspections, conducted by the Customer of Actimo’s premises and security systems specific for Customer, as Customer may reasonably require to ascertain compliance with Data Protection Law.
The Parties shall agree on the timing of such audits, including the scope and methods for the audits. Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the performance of such audits are necessary for the Customer’s compliance with Data Protection Law. The Customer shall give Actimo reasonable notice of the audit. The audit shall be conducted in a manner that causes the least possible disruption to Actimo’s ordinary operations. Further, all on-site audits shall be restricted to Actimo’s standard opening hours, and Actimo shall provide the Customer with copies of Actimo’s then-current policies and procedures regarding access to its premises, and the Customer shall procure that all Personnel involved in such on-site audits shall abide by such policies and procedures at all times. The audit result shall be documented appropriately. No provision of this DPA shall entitle Customer, or any auditor, to access confidential information of Actimo or any third party. Actimo may object to any third-party auditor appointed by Customer if the auditor is, in Actimo’s reasonable opinion: (i) not suitably qualified or independent; (ii) a competitor, or affiliate of a competitor, of Actimo; or (iii) otherwise manifestly unsuitable for the role. Any such objection by Actimo will require Customer to appoint another auditor or conduct the audit itself.
The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense. The relevant third party may not be a competitor of Actimo.
Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the Customer. Notwithstanding the foregoing, if audits, pursuant to this Section 6, identifies that Actimo is in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be borne by Actimo.
The Customer hereby grants Actimo a general authorization to subcontract its processing of the Customer Personal Data to a Sub-Processor, subject to this Section 7.
Actimo shall take reasonable steps to ensure that, in each instance in which it engages a Sub-Processor to Process any Customer Personal Data, it shall: (i) appoint such Sub-Processors in accordance with the Customer’s prior authorization as granted above; and (ii) use commercially reasonable efforts to enter into a written agreement with each Sub-Processor, requiring the Sub-Processor to comply with data protection obligations equivalent in all material respects to those imposed on Customer under this DPA with respect to the Processing of Customer Personal Data.
Actimo shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA and for any acts or omissions of such Sub-Processors that cause Actimo to breach any of its obligations under this DPA.
Actimo will inform the Customer if Actimo intends to appoint or use a New Sub-Processor to the extent applicable to the Processing of Customer Personal Data by updating the list of Actimo’s current Sub-Processors available in Annex C herein. If the Customer has reasonable grounds to object to Actimo’s use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under Data Protection Law, the Customer shall notify Actimo thereof in writing within fifteen (15) calendar days after receipt of Actimo’s notice.
Following such an objection from the Customer, Actimo shall be entitled to terminate the Agreement for convenience without being obligated to refund any amounts that the Customer has already paid, to the fullest extent permitted under applicable law.
Customer warrants that it shall at all times comply with its obligations under Data Protection Laws in respect of Actimo’s engagement to Process any Customer Personal Data.
Customer acknowledges that the security measures set out in Annex B below are sufficient for the purposes of Processing the Customer Personal Data under this DPA.
Customer shall not, whether through action or omission, place Actimo in breach of any Data Protection Laws.
Customer agrees that Actimo shall be entitled to transfer and Process Customer Personal Data within the EU/EEA and the UK.
Subject to Section 7, Customer acknowledges that Actimo may transfer and Process Customer Personal Data to areas outside the EU/EEA/UK. Actimo shall take all reasonable steps to ensure that such transfers are made in compliance with the requirements of the Agreement, this DPA and Data Protection Law.
To the extent that Actimo transfers Customer Personal Data protected by Data Protection Laws to a country outside of EU/EEA/UK that is not recognized as providing an adequate level of protection for personal data (as described in applicable Data Protection Law), Actimo shall ensure that the transfer is based on the appropriate version(s) of the SCCs. Actimo shall enter into written agreement including appropriate SCCs with all of Actimo’s Sub-Processors that might Process Customer Data outside the EU/EEA/UK, and shall require that its Sub-Processors abide by and Process Data in compliance with the SCCs.
Upon termination of the Agreement, Actimo shall delete or return to Customer, at Customer’s choice, all Customer Personal Data in Actimo’s possession or control within 180 days after the termination. This requirement shall not apply to the extent Actimo is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in back-up systems, which Actimo shall securely isolate, protect from any further Processing and eventually delete in accordance with Actimo´s deletion policies, except to the extent required by applicable law.
Annex A – Details of Data Processing
Processor:
Actimo is the Processor of Customer Personal Data.
Controller:
The Customer is the Controller of Customer Personal Data.
Subject matter:
Processing of Customer Personal Data by Actimo on behalf of the Customer under, or in connection with, the Agreement.
Duration of Processing:
Actimo will Process Customer Personal Data as outlined in Section 10 (Return or Deletion of Data) of this DPA.
Purposes of Processing:
Actimo shall only Process Customer Personal Data for the following purposes: (i) Processing as necessary to provide the Actimo Services in accordance with, or in connection with, the Agreement; (ii) Processing initiated by Customer in its use of the Actimo Services; and (iii) Processing to comply with any other reasonable instructions by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
Nature of the Processing:
Actimo provides an engagement platform, and related services, that allows users to create and upload content, create or engage with messages and invite others to engage with messages, as more particularly described in the Agreement.
Data Subjects:
Any user the Customer invites into the Services, such as Customer personnel.
Categories of Customer Personal Data:
The Customer may upload, submit or otherwise provide certain Personal Data to or for the use of the Services, the extent of which is typically determined and controlled by the Customer in its sole discretion, and may include email addresses (required for login), organization (required), username, name, location, picture, video, user activity, and profile bio.
Sensitive Data:
It is not the intention of either Party that Actimo should Process any Sensitive Data as part of the provision of the Services.
Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 3 of this DPA).
Annex C – Sub-processors
| Name of service | Personal data hosting location* | Purpose of processing | Sub-processor company and address |
|---|---|---|---|
| Amazon Web Services EC2 (AWS) | Hosting in the EU. See list of sub-processors here. | Hosting environment & email service provider | Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg |
| Google Firebase | Hosting in the EU. See list of sub- processors here. | Native app push | Google Commerce Limited, Gordon House, Barrow Street, Dublin 4, Ireland |
| LinkMobility** | Hosting in the EU. See list of sub-processors here. | SMS gateway | Link Mobility A/S, Ørestads Boulevard 108, 4. 2300 København S, Denmark |
| Vonage** (previously called Nexmo) | Hosting in the EU. See list of sub-processors here, section c) SMS API. | MS gateway | Vonage B.V., Basisweg 10, 1043AP Amsterdam, The Netherlands |
| Sinch** | Hosting in the EU. See list of sub-processors here. | SMS gateway | Sinch UK Ltd., Cap House, 9-12 Long Lane, Barbican, London, EC1A 9HA |
| Twilio** (previously called Sendgrid) | Hosting in the USA. See list of sub-processors here. | Email service provider | Twilio Ireland Limited, 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland |
| CometChat | Hosting in the EU. See list of sub-processors here. | Actimo Chat service | CometChat Inc., 1002 Walnut St, Suite 200, Boulder, CO 80302, USA |
| Brightcove Zencoder | Hosting in the EU. See list of sub-processors here. | Video transcoding | Brightcove Inc., 290 Congress Street, 4th Floor Boston, MA 02210, USA |
| Relatel | Hosting in the EU. See list of sub-processors here. | Softphone for support calls | Relatel A/S, Teglværksgade 18, 2100 København Ø |
| Intercom | Hosting in the EU. See list of sub-processors here. | Chat system for support available to admins. | Intercom R&D Unlimited Company,2nd Floor Stephen Court 18-21 St. Stephen’s Green Dublin, 2 Ireland |
| Kahoot! AS and Kahoot! subsidiaries | Hosting in the EU. | Support purposes. Actimo is part of the Kahoot! group. | Kahoot! AS, Kronprinsesse Märthas plass 1, 0160 Oslo, Norway |
| Microsoft Azure** | Hosting in the EU. | AI Text Enhancer | Microsoft Azure One Microsoft Way, Redmond, WA 98052 USA |
* For a complete overview of personal data processing locations, international transfers and which sub-processor our sub-processors use, please review the links listed below.
** These are opt-in services. In the case of LinkMobility, Vonage and Sinch, these are three alternative SMS providers, the Controller can choose which to use. Vonage is the default SMS provider, but the Controller may choose LinkMobility or Sinch instead. Twilio is an opt-in email service provider that can be chosen by the Controller instead of the standard AWS sub-processor for email services.
Archived Data Processing Agreements:
Archived DPA Effective through: February 3, 2025
🇩🇰 Denmark
Vesterbrogade 1 L, 7.
1620 Copenhagen V
Denmark
+45 38 41 47 00
🇪🇸 Spain
Casa les Punxes
Avinguda Diagonal, 420,
08037 Barcelona
+45 38 41 47 00
ROI of Employee Engagement - The Executive Study
30% OFF ACTIMO TRANSLATE
Grab our free onboarding template and start building a cohesive onboarding flow!
