Figures’ GDPR-compliant Data Processing Agreement sets out our rights and obligations with regard to data processing, as well as the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects.
Table of Contents
- 1. Scope
- 2. Nature and Purposes of Data Processing, Data Subjects Affected by Data Processing
- 3. Allocation of Responsibilities
- 4. Use of Sub-Processors
- 5. International Transfers
- 6. Incidents and Requests by Data Subjects or Supervisory Authorities
- 7. Data Retention
- 8. Liability
- 9. Duration and Termination Rights
- 10. Audit
1. Scope
1.1. These general terms and conditions regarding data processing (hereinafter: the “Data Processing Terms”) apply with respect to the processing of personal data by Figures as set out in the Terms of Use. Such data processing in the context of the Figures Application (hereinafter: the “Application”) is carried out in accordance with applicable laws and regulations, including, without limitation, EU Regulation 2016/679 (General Data Protection Regulation, GDPR) and other national laws and regulations on data protection, as applicable.
1.2. These Data Processing Terms prevail over the Terms of Use in the event of a conflict between any provision of these Data Processing Terms and the Terms of Use.
2. Nature and Purposes of Data Processing, Data Subjects Affected by Data Processing
2.1. The categories of data processed by Figures in connection with the Customer (the "Processed Data") are the following:
(i) Customer Contact Data:
- Name, surname and email address of contact person for contract administration
- Name, surname and email address of contact person for invoicing, where applicable
(ii) Customer Employee Data:
- Name, surname or combination of characters or numbers chosen by our customers to identify the employee
- Date of birth (optional)
- Gender
- Job title
- Type of job (chosen by Customer from types provided by Figures)
- Seniority
- Annual base salary
- Annual bonus
- Annual collective bonus
- Equity hire grant
- Equity hire grant type
- Employee’s status as a founder
- Geographical location
- Department
- Office name or location
- Hire date
- Name of manager
- Performance ratings (optional)
- Profile picture (optional)
(iii) Customer Business Data:
- Corporate name
- Legal form of the company, registration number, address, share capital
- Size of the company
- Expected growth (optional)
- Current valuation (optional)
- Equity pool size (optional)
- Turnover information (optional)
- Annual budget increase (optional)
- Frequency of wage increases (optional)
- Eligibility of employees for pay increases (optional)
2.2. The data subjects affected by the data processing activities of Figures are the following:
(i) For Customer Contact Data:
- Employees of Customer designated by Customer for administration of the account
- Employees of Customer designated by Customer for invoicing, where applicable, related to the account
(ii) For Customer Employee Data:
- Employees of Customer reported by Customer to Figures for purposes of using the Application
(iii) For Customer Business Data:
- No data subjects are affected
2.3. Figures processes the Processed Data exclusively for the following purposes:
(i) Customer Contact Data:
- for the purpose of administration and execution of the services, including receipt of the remuneration owed by Customer where applicable
(ii) Customer Employee Data:
- for the purpose of generating overviews and reports made available exclusively to Customer by means of dashboards displayed as part of the Application; and
- only in anonymised form as defined by the GDPR (hereafter “Anonymised”, without identification of Customer or any Customer employee), for the purpose of generating aggregate statistical benchmarking data; such data are stored by Figures on a separate database which is accessed by the Application for display of aggregated market benchmarks to Customer and other users of the Application
(iii) Customer Business Data:
- for the purpose of generating overviews and reports made available exclusively to Customer by means of dashboards displayed as part of the Application; and
- without disclosure of any Customer Business Data, for the purpose of generating aggregated statistical benchmarking data; such data are stored on a separate database which is accessed by the Application for display of aggregated market benchmarks to Customer and other users of the Application.
2.4. No special categories of personal data pursuant to Art. 9 (1) GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation will be processed in connection with the provision of the services.
3. Allocation of Responsibilities
3.1. All processing of Customer Contact Data in connection with the use of the Application will be carried out by Figures as an independent controller pursuant to Art. 24 GDPR. Figures will ensure at its own expense and risk that all relevant provisions of the GDPR and other applicable data protection laws and regulations are complied with when processing Customer Contact Data, and that the rights of data subjects under applicable data protection law are safeguarded.
3.2. With respect to Customer Employee Data, Figures and Customer hereby agree that processing will be carried out by Figures:
- as processor on behalf of Customer, acting as controller, pursuant to Art. 28 GDPR for Customer Employee Data to the extent that Customer Employee Data is processed for the purpose of generating overviews and reports under the Customer’s instructions and made available exclusively to Customer by means of dashboards displayed as part of the Application (Section 2.3(ii), first bullet point) and
- as independent controller to the extent that Customer Employee Data is processed for the purpose of generating aggregated and anonymised statistical benchmarking data stored on a separate database which is accessed by the Application for display of aggregated, fully Anonymised, market benchmarks to Customer and other users of the Application (Section 2.3(ii), second bullet point). Figures will ensure at its own expense and risk that all relevant provisions of the GDPR and other applicable data protection laws and regulations are complied with for Customer Employee Data it processes as independent controller for statistical benchmarking, and that the rights of data subjects under applicable data protection law are safeguarded.
In both cases, the data processing will be carried out subject to the following terms and conditions:
(i) Figures will only process Customer Employee Data that has been collected and submitted to Figures by Customer. Customer shall be solely responsible for ensuring that all Customer Employee Data submitted to Figures is collected and provided on a legal basis in accordance with relevant provisions of the GDPR and other applicable data protection laws and regulations. Customer, at a minimum, shall inform the Customer employees about the data processing activities connected to the use of the Application by using the Figures Privacy Notice.
(ii) Figures will only process Customer Employee Data for the purposes set forth in Section 2.3(ii) above and in accordance with these Data Processing Terms, including, without limitation, its confidentiality obligations. For the avoidance of doubt, where Figures processes Customer Employee Data for the purpose of generating overviews and reports made available exclusively to Customer by means of dashboards displayed as part of the Application (Section 2.3(ii), first bullet point), Figures will process the data only on documented instructions from Customer, and shall immediately inform Customer if, in Figures’ opinion, an instruction given by Customer infringes the GDPR or other applicable data protection provisions.
The foregoing subsections 3.2(i) and 3.2(ii) notwithstanding, each of the Parties will ensure at its own expense and risk that all relevant provisions of the GDPR and other applicable data protection laws and regulations are complied with, and that the rights of data subjects under applicable data protection law are safeguarded. This includes, when acting as controller and without limitation, compliance with the following obligations:
- maintain a proper record of its respective data processing activities, including the data processing activities provided under these Data Processing Terms;
- appoint a data protection officer to the extent a party is obliged to do so under applicable laws and regulations regarding data processing;
- implement appropriate technical and organisational measures to ensure the security and protection of personal data, review the effectiveness and adequacy of such technical and organisational measures implemented on a regular basis, and report to the other party any material adjustments proposed or implemented to improve adopted technical and organisational measures;
- take appropriate measures to ensure that the rights of data subjects provided for in Art. 12 to 23 GDPR are safeguarded and that the data subjects are informed accordingly;
- carry out data protection impact assessments to the extent a party is obliged to do so under applicable laws and regulations regarding data processing;
- comply with all relevant documentation obligations in order to be able to demonstrate compliance with applicable laws and regulations regarding data processing.
(iii) Where Figures processes Customer Employee Data for the purpose of generating overviews and reports made available exclusively to Customer by means of dashboards displayed as part of the Application (Section 2.3(ii), first bullet point), Figures will:
- ensure that its personnel authorised to process the personal data are committed to confidentiality;
- assist Customer in taking appropriate measures to ensure that the rights of data subjects provided for in Art. 12 to 23 GDPR are safeguarded and that the data subjects are informed accordingly;
- assist Customer to carry out data protection impact assessments taking into account the nature of processing and the information available to Figures, to the extent Customer is obliged to do so under applicable laws and regulations regarding data processing;
- assist Customer in case of data breach taking into account the nature of processing and the information available to Figures;
- at the choice of Customer, delete or return all Processed Data to Customer, in compliance with Section 9.2;
- make available to Customer information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections conducted by the Customer or another auditor mandated by Customer, as detailed in Section 10;
- apply in contracts with sub-processors the same data protection obligations as set out in these Data Processing Terms, as detailed in Section 4.
4. Use of Sub-Processors
4.1. Figures may engage third parties to process the Processed Data or any part thereof on its behalf (“Sub-Processor”). Figures will select Sub-Processors with due care and ensure that such Sub-Processors are bound by adequate contractual arrangements so as to ensure that they comply with the requirements for the protection of personal data pursuant to Article 28 of the GDPR.
5. International Transfers
5.1. Figures does not transfer any Customer Employee Data to third parties outside the EU/EEA, or engage a Sub-Processor to process Customer Employee Data outside the EU/EEA.
5.2. Figures may use tools to process Customer Contact Data that imply transfer of such Data outside the EU/EEA, in particular tools that are hosted in the USA. This is limited to Customer Contact Data and any transfer of such Data outside the EU/EEA or engagement of Sub-Processors to process such Data outside the EU/EEA will only be carried out if the receiving country has an adequate level of protection of personal data as decided by the European Commission, or if the transfer is subject to the European Commission’s then current Standard Contractual Clauses (SCCs) for transfer of personal data to third countries.
5.3. Depending on the Customer's location, the Application may be accessed by Customer from outside the EU/EEA. The Parties agree that the transfer in that case is covered by Module 4 of the Standard Contractual Clauses incorporated by reference in the Terms of Use and completed as follows: the “data exporter” is Figures; the “data importer” is Customer; the optional docking clause in Clause 7 is not applicable; the optional paragraph in Clause 11(a) is struck; the governing law in Clause 17 is the law of France and the courts in Clause 18 are the courts of France; Annex I.B (description of transfer) is as described in these Data Processing Terms.
6. Incidents and Requests by Data Subjects or Supervisory Authorities
6.1. The Parties shall inform each other promptly and in a transparent manner of any relevant incidents, requests, orders and/or claims raised or asserted by third parties in connection with the processing of Processed Data, including, without limitation, any of the following:
(i) Any data security incidents occurred or about to occur within the sphere of a party, which constitute or may reasonably be considered as an actual or imminent data breach regarding Processed Data;
(ii) Any requests or orders received by a party from supervisory authorities, courts or other governmental agencies regarding the processing of Processed Data;
(iii) Any enquiries, requests or claims received by a party from a data subject regarding the processing of Processed Data.
6.2. In any of the events mentioned in the foregoing Section 6.1, the Parties shall cooperate reasonably to ensure an adequate response, with the aim of respecting their mutual obligations and interests and taking into account their respective responsibilities under the GDPR and other applicable laws and regulations. Without limiting the generality of the foregoing, the Parties agree that:
(i) Where a data breach, request or order from a supervisory authority, court or other governmental agency, or an enquiry, request or claim is related to Customer Employee Data, the Customer will act as the primary point of contact for Customer's employees affected by the data breach. Customer shall give due consideration to the suggestions of Figures in communicating with the affected Customer's employees.
(ii) In the event of a personal data breach, the Parties shall cooperate in good faith to fulfil their obligations under the GDPR and applicable data protection law and shall ensure that the necessary notifications to the supervisory authority and/or affected data subjects are made within 72 hours of becoming aware of the data breach.
(iii) The Parties shall document all data breaches of personal data covered by these Data Processing Terms and make such documentation available to the other party as reasonably required for the other party to comply with its obligations under the GDPR.
7. Data Retention
7.1. Figures undertakes to process and store Processed Data for no longer than is necessary for the purposes set forth in Section 2.3 above.
(i) Customer Contact Data related to contract administration and execution is retained for the mandatory preservation period prescribed by the laws applicable to Figures’ commercial activities, which is five (5) years from termination of use of the Application by Customer. Customer Contact Data related to accounting and billing is retained for a period of five (5) years in accordance with applicable tax legislation.
(ii) Customer Employee Data and Customer Business Data are retained for the duration of the use of the Application by Customer and erased after termination of use of the Application by Customer, unless erasure at an earlier point of time should be required upon request of a data subject.
7.2. Figures retains aggregated and anonymised statistical benchmarking data generated on the basis of Customer Employee Data and/or Customer Business Data for longer than the retention periods set forth in the foregoing Section 7.1(ii), it being understood that none of such statistical benchmarking data will identify Customer, any Customer employee and/or Customer's business.
8. Liability
8.1. In the relationship between the Parties, Section 8 of the Terms of Use applies.
8.2. When Figures is acting as processor:
(i) Customer shall provide documented instructions to Figures that shall comply with applicable data protection laws. Figures shall only be liable if it acted outside of the lawful instructions of Customer.
(ii) Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Employee Data and the means by which Customer collected Customer Employee Data. In particular, Figures shall not be held liable in case the Customer provides Figures with Customer Employee Data that has not been lawfully collected and/or in case Customer did not inform Customer employees that their personal data will be processed by Figures.
(iii) For the avoidance of doubt, in case of a data breach occurring at Figures, Figures shall be held liable towards Customer only if the data breach impacts Customer Employee Data.
8.3. In the relationship between Figures and a Customer Employee affected by the data processing described in these Data Processing Terms, the Parties agree that pursuant to applicable data protection laws, in particular Art. 82 GDPR, in the event of a Customer Employee’s claim relating to the processing of his/her personal data by Figures in the context of the Application, Figures shall only be liable for its respective share of the event giving rise to liability vis-à-vis the Customer Employee affected by the data processing and for which Figures has been found liable by a final judgement, i.e. one not subject to appeal.
8.4. In the relationship between a Party towards a data protection authority, the Parties agree that:
(i) neither party will be liable to the other Party for fines imposed by a data protection authority to the other party as a result of this party's breach of the applicable data protection laws;
(ii) For the avoidance of doubt, each Party shall be only liable pursuant to a fine issued by a data protection authority for its respective share of the fine that has been specifically identified by the authority in its decision. Figures shall not be liable pursuant to a fine that has only been issued to Customer by a data protection authority or other regulatory body.
9. Duration and Termination Rights
9.1. The data processing based on these Data Processing Terms shall commence upon collection of the Processed Data and signature of the Terms of Use and shall run for the term of the Terms of Use, unless terminated earlier by either party.
9.2. Upon termination or expiry of the Terms of Use, Figures shall cease processing the Processed Data and will delete or return the Processed Data, at the choice of Customer, from its operational systems no later than 30 days after the effective date of termination of the use of the Application by Customer, unless Union or Member State law requires storage of the personal data. The right of Figures to retain Processed Data for archiving and statistical benchmarking purposes set forth in Sections 7.1 and 7.2 above remains unaffected.
10. Audit
10.1. Figures shall make available to Customer all information necessary to demonstrate Figures’ compliance with its obligations set out in these Data Processing Terms and its obligations under the applicable data protection legislation.
10.2. Customer may, upon thirty (30) calendar days’ prior written notice and at its own expense, perform or have a third-party audit professional perform an audit of Figures’ compliance with applicable data protection laws once every twelve (12) months. The audit shall not affect Figures’ business activity and shall not last more than two (2) business days. Before the commencement of any such audit, both Parties shall mutually agree upon the scope, timing and duration of the audit. The audit scope shall not extend to personal data of Figures’ other clients.
10.3. During such an audit, Figures shall provide all reasonable cooperation and assistance to the auditors and/or Customer.
10.4. Customer shall promptly notify Figures of any non-compliance discovered during the course of such audit.
Last updated: 16/01/2023