Last updated: October 11, 2021
This is a reference copy of the ngrok Data Processing Agreement. For a full copy including the attached schedules and the Standard Contractual Clauses, please click here.
This Data Processing Agreement is between (1) the customer agreeing to the ngrok Terms of Service currently located at https://ngrok.com/tos, or another written agreement executed by the Parties that references this Data Processing Agreement (the “Terms”) (such customer hereinafter “Customer“) and (2) ngrok Inc., as the provider of the Services under the Terms (hereinafter “ngrok“). Customer and ngrok together are also referred to as the “Parties” and each is also referred to as a “Party“.
1 General provisions
1.1 Customer is the controller according to the European General Data Protection Regulation (“GDPR”). ngrok is processing personal data on behalf of the Customer, thus a processor according to the GDPR, or a sub-processor where Customer is itself a processor to another controller.
1.2 ngrok processes personal data in order to fulfil its obligations under the Terms on behalf of Customer in accordance with Art. 4(2) and Art. 28 of the GDPR solely based on this Data Processing Agreement (“DPA”) and Customer’s instructions.
1.3 The subject matter of the processing results from the Terms.
1.4 Beginning and duration of the processing depend on the beginning and duration of the Terms.
1.5 Unless stipulated otherwise in the DPA, the terms used herein shall have the meaning ascribed to them in the Terms.
2 Nature and purpose of the processing, type of personal data and categories of data subjects
2.1 Under this DPA, ngrok will process Customer’s communications content data (potentially any information that is personal data that is processed via nrogk’s services (the “Services”) as agreed (solely subject to Customer’s discretion); contact information; configuration data (such as domain names, as far as these are personal data, IP addresses, and potentially authentication keys)) and any content of Customer’s customers (i.e their respective data subjects) or other data subjects that are somehow involved in the processing of Customer when using the Services (solely subject to Customer’s discretion) as agreed between ngrok and the Customer. Further details of the processing activities undertaken by ngrok on behalf of Customer result from the Terms.
2.2 The purpose of the processing is to provide the Services as agreed between ngrok and the Customer and subject to the Terms.
2.3 The processing activities concern personal data of Customer’s customers.
3 Customer’s rights and obligations; instruction rights
3.1 It is the sole responsibility of Customer to assess the legitimacy of the processing. If not set out differently, this includes the handling of data subjects rights. ngrok will forward to Customer any data subject’s rights request clearly addressed to Customer.
3.2 Any orders, partial orders and instructions given by Customer in general shall be in writing or in a documented electronic form.
3.3 Changes of the subject-matter of the processing or of procedures shall be coordinated between Customer and ngrok and established in writing or in a documented electronic form.
3.4 ngrok ensures that Customer or a third party instructed by Customer can verify the implementation and adequacy of the technical and organizational measures by ngrok before and during the processing (including on-site inspections). Upon request, ngrok will provide Customer with a written report (from a third party) that ngrok fulfils all necessary requirements regarding the technical and organizational measures. Where Customer does not object to the findings, such report fulfils the audit obligations under the GDPR.
4 ngrok’s obligations
4.1 ngrok processes personal data solely within the scope of this DPA and upon instructions of Customer, unless required to do so by European Union or member state law to which ngrok is subject. In such a case, ngrok shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 ngrok shall take appropriate technical and organizational measures for the processing of the personal data for the processing (Art. 32 GDPR).
4.3 ngrok shall contribute to and support Customer to the best of its ability when it comes to fulfilling the rights of data subjects according to Art. 12 to 22 of the GDPR by Customer, to the creation of records of processing activities (Art. 30 of the GDPR) and to a necessary data protection impact assessment (Art. 35 of the GDPR). ngrok shall immediately forward the required information to Customer. Customer will reasonably reimburse ngrok for any such contribution or support.
4.4 ngrok shall immediately bring to Customer’s attention if, in ngrok’s opinion, an instruction issued by Customer violates statutory provisions.
4.5 ngrok shall correct, delete or restrict the processing of personal data upon Customer’s instruction, unless statutory provisions or legitimate interests of ngrok require ngrok not to do so. ngrok shall be entitled to provide information concerning personal data under this DPA to third parties or the data subject only upon Customer’s prior instruction or consent, unless such provision is part of using the Services.
4.6 ngrok confirms to be aware of the applicable data protection provisions of the GDPR. ngrok agrees to be bound by confidentiality with regard to processing Customer’s personal data under this DPA during and after the contractual relationship between the Parties.
4.7 ngrok shall ensure that each person having access to Customer’s personal data is bound to data secrecy and informs them of all relevant data protection obligations according to this DPA as well as the obligation to act on Customer’s instructions.
5 ngrok’s notification obligations
5.1 ngrok shall notify Customer of any malfunctions, infringements by ngrok or the persons employed by ngrok of data protection provisions or the stipulations made in the DPA or an instruction as well as any suspected data protection infringements or irregularities in the processing of personal data without undue delay as soon as they become known to ngrok.
5.2 ngrok shall provide adequate support to Customer regarding Customer’s obligations according to Art. 33 and 34 of the GDPR.
6.1 ngrok only may use sub-processors with Customer’s prior consent. Customer agrees to the sub-processors as listed in Annex 1. If Customer has a reasonable basis to object to ngrok’s use of a new sub-processor, Customer shall notify ngrok promptly in writing within seven (7) days after receipt of ngrok’s notice regarding such new sub-processor. In the event Customer objects to a new sub-processor(s) on a reasonable basis, ngrok will use reasonable efforts to work in good faith with Customer to find an acceptable, reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 30 days), Customer may terminate the Terms in respect only to the specific service which cannot be provided by ngrok without the use of the objected-to new sub-processor, by providing written notice to ngrok.
6.2 ngrok will contractually ensure that ngrok’s obligations agreed on in this DPA also apply to all sub-processors.
6.3 ngrok shall remain responsible to Customer for sub-processor’s obligations.
7 Transfer of personal data to countries outside the EU
7.1 The Parties conclude the standard contractual clauses in Annex 2.
7.2 Where ngrok transfers personal data to another controller or processor outside of the EU (as far as allowed under the DPA), ngrok will fulfil all necessary requirements under the GDPR.
8 Technical and organizational measures according to Art. 32 of the GDPR
A level of protection adequate to the risk to the rights and freedoms of the data subjects shall be ensured with regard to the processing under this DPA.
9 Obligations of ngrok after termination of the processing
After the termination of the procession under this DPA, ngrok shall, at Customer´s choice, hand over, delete in accordance with data protections regulations, or have deleted accordingly, all data, documents and processing or usage results in connection with the processing being in its possession.
10 Final provisions
If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence.