Data Protection
Becoming a customer of our service implies acceptance of our Data Processing Agreement, unless otherwise explicitly agreed with us in writing.
Data Processing Agreement
This document lays out the responsibilities of MigrateSubs (owned and operated by Granular Code Pte. Ltd., UEN 202244865C), hereafter referred to as MigrateSubs, to its customers with regards to data protection in general and the European Union’s General Data Protection Regulation (GDPR) specifically.
1. MigrateSubs as Data Processor, Definitions
MigrateSubs is a Data Processor operating on behalf of its customers.
Customers are individuals or organizations paying money to use the MigrateSubs service. Free trial users of the MigrateSubs Service are not Customers and should not send MigrateSubs personal data.
MigrateSubs's Customers are Data Controllers.
"Personal data" means any information relating to an identified or identifiable person.
"Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
"Services" means the MigrateSubs (application program interface) and the professional services provided by MigrateSubs.
"Sub-processor" means any Data Processor engaged by MigrateSubs.
"Data Subject" means the individual to whom Personal Data relates.
2. Processing of Personal Data
Use of the service implies that MigrateSubs may process personal data on behalf of the Data Controller in accordance with the requirements of Data Protection Laws. The Data Controller will ensure that instructions to MigrateSubs for the processing of personal data comply with Data Protection Laws. The Data Controller is solely responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires personal data.
Data Processor shall process the Customer Personal Data as a processor, as necessary to perform its obligations under the Terms of Service or in this DPA (the "Permitted Purpose"). Data Processor shall not retain, use, disclose or otherwise process the Customer Personal Data for any purpose other than the Permitted Purpose except where otherwise required by law(s) that are not incompatible with the applicable Data Protection Laws, and shall not "sell" the Customer Personal Data. Data Processor shall promptly inform Customer if it becomes aware that the Data Processor cannot perform its obligations.
The inputs to the MigrateSubs Service provided by the Data Controller are URLs and optionnal parameters. No other data should be sent to MigrateSubs. The Data Controller bears sole responsibility for transmission of URls that can include personnal data.
MigrateSubs lays out a full and accurate description of its data protection practices on its website at Privacy Policy. This description is updated from time to time as and when practices change.
3. Rights of Data Subjects
The Data Controller is solely responsible for the collecting of all necessary consent from Data Subjects to allow MigrateSubs to process personal data on its behalf.
MigrateSubs will, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to, or deletion of, that person’s personal data. MigrateSubs will not respond to a Data Subject request without the Data Controllers prior written consent except to confirm that the request relates to the Data Controller. The Data Controller is solely responsible for completing such request as required by law.
4. Personnel
MigrateSubs ensures that its personnel engaged in the processing of personal data are informed of the confidential nature of the personal data, have received appropriate training on their responsibilities and have agreed to confidentiality obligations that survive the termination of that persons’ employment or engagement by MigrateSubs.
MigrateSubs shall take commercially reasonable steps to ensure the reliability of any MigrateSubs personnel engaged in the processing of personal data and that access to personal data by MigrateSubs is limited to those MigrateSubs personnel who require such access to perform the Services.
MigrateSubs’s data protection officer can be reached by email at support@migratesubs.com
5. Sub-Processors
The Data Controller agrees MigrateSubs may engage third-party Sub-processors to provide the Services and such Sub-processors may access personal data, and appoint additional levels of Sub-processors, only for purposes of providing the services MigrateSubs retained them to provide and not for any other purpose.
MigrateSubs takes all reasonable steps to evaluate the security, privacy and confidentiality practices of proposed Sub-Processors that have access to or process Service Data both before they are engaged and on an ongoing basis.
MigrateSubs never passes Customer’s Personal Data (such as first name, last name, email etc.) to Sub-Processors.
Any changes to the Sub-Processors engaged by MigrateSubs will be notified by an update to this page, located at https://migratesubs.com/gdpr#sub-processors You may also email support@migratesubs.com and request to be notified directly when this list changes.
The following is an up-to-date list (as of 14 November 2022) of the names and locations of MigrateSubs Sub-Processors:
| Sub-processor | Purpose | Location of Sub-processor |
|---|---|---|
| ChartMogul | Subscription analytics | Germany |
| Crisp | Live chat and support service | France |
| Application analytics and diagnostics, User authentication | United States | |
| MailerSend | Emailing service | United States |
| Sentry | Error tracking | United States |
| Stripe | Payment provider | United States |
| UpCloud | Cloud hosting | Finland |
6. Security
MigrateSubs agrees to implement and maintain the administrative, technical, and physical safeguards of personal data stored using the Services.
As MigrateSubs can process your Customer's Personal Data, security is a core concern in all parts of our infrastructure.
MigrateSubs never stores or transmits Customer's full account details such as credit card numbers or CVC numbers. All information is transmitted directly to the payment gateways MigrateSubs work with. Only tokenized references to Customer’s Personal Data and meta-data (such as the last 4 digits of account numbers) are transmitted and recorded by MigrateSubs servers.
MigrateSubs never records or passes Customer’s Personal Data (such as first name, last name, email etc.) to third-party services. Only hashed references and the first and last two characters are stored for usage tracking purposes.
MigrateSubs take all reasonable steps to protect data we receive from loss, misuse or unauthorized access, disclosure, alteration and/or destruction. MigrateSubs put in place appropriate physical and electronic procedures to safeguard and secure such data.
MigrateSubs uses a third party enterprise-class web application firewall to restrict access to our Services. We use a „block first, ask questions later“ approach and all subsequent requests by a potential threat will also be blocked - only a manual review by our support team will lift a block.
All communication with our Service is performed through a secure connection. We do not provide any non-SSL endpoints. Data encryption is applied wherever possible which means that even in transit between our servers, your data is kept encrypted.
All our servers are firewalled and kept updated with the latest security patches. All security keys and passwords stored by our application on your behalf are kept encrypted at rest.
7. Security Breach Management and Notification
If MigrateSubs becomes aware of unlawful access to the Data Controller's personal data stored through the Services, or unauthorized access to the Services resulting in loss, disclosure, or alteration of the Data Controller's personal data ("Security Breach"), MigrateSubs will promptly: (a) notify the Data Controller of the Security Breach; (b) investigate the Security Breach and provide the Data Controller with information known to MigrateSubs about the Security Breach; and (c) follow its policies and procedures to mitigate the effects and to minimize any damage resulting from the Security Breach.
The Data Controller agrees that an unsuccessful Security Breach attempt will not be subject to Section 7.1 above. An unsuccessful Security Breach attempt is one that results in no unauthorized access to the Data Controller's personal data or to the Services storing your Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
Notification(s) of Security Breaches, if any, will be delivered to one or more of the Customer’s business, technical or administrative contacts by any means MigrateSubs selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on MigrateSubs’s support systems at all times.
MigrateSubs’s report of and/or response to a Security Breach under this Section will not be construed as an admission by MigrateSubs to fault or liability with respect to the Security Breach.
8. Deletion of Customer Data
MigrateSubs agrees to delete Customer personal data in accordance with MigrateSubs’s procedures and Data Protection Laws.
With termination of the Terms of Service and this DPA the Data Processor shall anonymize, delete, or return to Customer all Customer Personal Data (including copies) in it’s possession or control, upon request from Customer.
At a Customer's request, MigrateSubs will provide the Customer with a certification of deletion of personal data.
9. Governing Laws
This Agreement is governed by the laws of Singapore.
In addition to this DPA, the attached Standard Contractual Clauses (SCC) shall apply to ensure an adequate level of data protection. In the event of inconsistencies between regulations from this DPA and those from the SCC, regulations from the SCC shall prevail.
10. Legal Effect
This agreement comes into effect from the time of purchase of an MigrateSubs subscription. It expires with cessation of the Customer's MigrateSubs subscription.