Litmus takes the privacy and security of our customers’ data seriously. This FAQ guide is designed to assist you when completing the Litmus Data Processing Addendum, which can be found here.
For more information on our security practices, please see our Trust Center.
1. What is a DPA, and do I need to sign Litmus’s DPA?
- A Data Processing Addendum (“DPA”) is a legally binding document entered into by a data controller and a data processor, which regulates data processing activities under the parties’ relationship. Article 28(3) of the General Data Protection Regulation (“GDPR”) requires that data controllers, data processors and subprocessors enter into written contracts, or DPAs, in order to process personal data that is subject to GDPR.
- If you provide personal data that is subject to GDPR to Litmus for processing, then you should enter into the Litmus DPA. Please follow the instructions set forth in Section 7 below to execute the Litmus DPA.
2. Who is the data controller and who is the data processor?
The customer acts as the data controller with respect to personal data it provides to Litmus for processing in connection with the customer’s use of the services. Litmus acts as the data processor. Litmus follows the customer’s instructions for the processing personal data provided by the customer.
3. Why can my organization not use its own DPA?
The Litmus DPA is tailored to reflect the Litmus service offering, and how Litmus processes data in connection with the provision of services. The Litmus DPA addresses the relevant GDPR requirements related to the scope and confidentiality of data processing, the security measures in place to ensure the security of our customers’ data, the data breach notification process, and our audit and subprocessing activities. These provisions are specific to the manner in which the Litmus services operate and outlines our commitment to our obligations as a data processor under GDPR.
4. Why can my organization not modify the Litmus DPA?
The Litmus DPA is specific to the Litmus service offering and our processing activities in connection with the provision of services. Litmus has implemented a comprehensive security and privacy program to adequately support and maintain compliance with GDPR. It would be impracticable, if not impossible, for Litmus to modify our standard polices and procedures on a per customer basis if we are to maintain and execute upon a security and privacy program that aligns to our processing activities and consistently supports all of our customers. Accordingly, we do not permit modifications to the Litmus DPA.
5. What about the main service agreement between the parties?
- Once executed, the Litmus DPA is an addendum to the main service agreement between Litmus and our customer, and is part of that agreement.
- Customers who signed a previous version of the Litmus DPA, or who previously entered into an agreement without signing a DPA, may sign the current Litmus DPA at any time, which can be found here.
6. How does Litmus meet its obligations under GDPR?
Litmus has a dedicated security and privacy team that is responsible to ensure we are GDPR compliant.
- Litmus keeps your data confidential: All Litmus personnel who have access to customer data are subject to confidentiality obligations as part of their terms of employment with Litmus and complete mandatory security training on an annual basis.
- Litmus keeps your data safe and secure: Litmus takes the security of your data seriously. Our information security team has implemented and maintains a security program that aligns with data processing industry standards and best practices. See our Information Security Policy for additional details here.
- Litmus has implemented appropriate technical and organizational measures to assist our customers in meeting their compliance needs: Litmus has implemented technical and organizational measures to help our customers efficiently and effectively fulfill their compliance obligations with respect to the data processing activities performed by Litmus (e.g., responding to data subject requests, providing data protection impact assessments).
- Litmus only uses approved subprocessors: Litmus performs a thorough security and privacy assessment of each subprocessor before we bring them onboard, ensures that appropriate contract provisions are in place, and remains responsible for the acts of our subprocessors. We will also provide notice to customers that sign up to receive notifications whenever we want to add a new sub-processor. A list of our current subprocessors is available here.
- Litmus provides assistance in the event of a data breach: If a data breach occurs at Litmus and your data is affected, we will notify you timely and provide you with details of the breach in order for you meet your notification obligations to applicable supervisory authorities and assess the impact it may have upon your organization.
- Litmus will provide you with the information you require so that you can satisfy yourself that you are choosing a GDPR-compliant service provider: Litmus shall make information available regarding our compliance with our obligations as a data processor. See our Trust Center for details regarding third-party certifications and audits here. If you need additional information, we are happy to assist you by completing reasonable information security and audit questionnaires.
7. How can I execute the Litmus DPA?
The Litmus DPA is available online here, and has been pre-signed by Litmus. To access and review the DPA, enter your name and email address into the landing page. Please note, entering this information does not automatically result in signing the Litmus DPA. You may either (a) review and sign the Litmus DPA online, and a fully-executed copy will be automatically sent to your email address, or (b) download a copy for review, and then sign and return it to firstname.lastname@example.org. Please note that this process only applies to situations where the Litmus DPA is being signed in isolation. Where a customer signs the Litmus DPA as part of their agreement with Litmus, it will not need to follow this process.
8. What is contained within the exhibits to the Litmus DPA?
- Exhibit 1 – Details of Processing sets out the details of the processing undertaken by Litmus, including the types of data and data subjects.
- Exhibit 2 – Security contains a link to the Litmus security documentation.
- Exhibit 3 – EU Standard Contractual Clauses contains the Standard Contractual Clauses to facilitate the transfer of personal data outside the EU, EEA, Switzerland and/or the United Kingdom. Exhibit 3 also contains appendixes detailing data processing (Appendix 1) and incorporating the Litmus security documentation (Appendix 2).
9. I would like to ask some questions that are not answered in this guide
For any additional information, please contact your Account Executive, who will be happy to assist you.
The information contained in this FAQ Guide does not constitute legal advice and does not form part of the agreement between the parties. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation and how you intend to use the Litmus services. ***A Litmus DPA is only necessary if you intend to send personal data that is subject to GDPR for processing by Litmus.***