SharePoint|sapiens Trust-Center
Data Processing Agreement
Version 1.3, 2024-04-03
The following Data Processing Agreement (“Agreement”) applies to the apps and services offered by SapiensIT Consulting GmbH (“Sapiens”, “we” or “us”) through the sharepointsapiens.com website, Microsoft AppSource and the Microsoft Teams Store.
By using one of the following three SharePoint add-ins and the related services hosted on addins.sharepointsapiens.com
- SharePoint|sapiens Event Management
- SharePoint|sapiens Employee Training Management
- SharePoint|sapiens Calendar E-Mail Extension
by using the following SharePoint Framework app
- SharePoint|sapiens Modern User Interface
- SharePoint|sapiens Event Management (replaces the SharePoint|sapiens Event Management Add-in – Learn more)
- SharePoint|sapiens Employee Training Management (replaces the SharePoint|sapiens Employee Training Management Add-in – Learn More)
and the following Teams/Microsoft 365 apps
- Event Management
- Employee Training Management
you (the “Customer”, or “you”) agree to the terms outlined in this Agreement.
1. Definitions
1.1 “Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal Data by us under the Agreement.
1.2 “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.4 “Personal Data” means any data that: (a) is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law; and (b) that you submit using the Services for us to Process on your behalf.
1.5 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.6 “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Processing of company personal data
You, the Customer instruct us, the Processor, to process your Personal Data.
We, the Processor will comply with applicable laws and process data only for the purpose of providing the service, including troubleshooting, and diagnosing errors.
3. Data Processing and protection
This Agreement applies when we Process your data for which we will act as “processor” or “service provider” (or other analogous variations of such terms) under Data Protection Law.
3.1 Limitations on Use. We will process Personal Data only: (a) to provide the Services as permitted under the Agreement, including as specified in ANNEX 1 to this DPA; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law.
Without limiting the foregoing, we will not collect, retain, use, or disclose the Personal Data for any purpose other than as necessary for the specific purpose of performing the Services, including not collecting, retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services.
3.2 Confidentiality. Sapiens will ensure that persons authorized by us to process any Personal Data are subject to appropriate confidentiality obligations.
3.3 Security. Sapiens will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach. View the Security Overview for details. https://www.sharepointsapiens.com/help/trust-center/security-overview/
3.4 Return or Disposal. All the data is stored in your SharePoint sites. If you remove the SharePoint add-in from the SharePoint site, our Services will no longer process your data.
3.5 Customer Obligations. You will not instruct us to perform any Processing of Personal Data that violates any Data Protection Law.
We may suspend Processing based upon any Customer instructions that we reasonably suspect violate Data Protection Law.
Subject to the cooperation of Sapiens as specified in this DPA, you will be solely responsible for safeguarding the rights of Data Subjects.
You will promptly notify us about any faults or irregularities in the Processing by us discovered by you.
4. Sub-processors
We may engage sub-processors. At the time of the DPA, we use the sub-processors listed in Annex 2 to provide the Services. We undertake to inform you of any intended changes concerning the addition or replacement of a sub-processor by providing prior written notice via your business account. If you can document objective and valid reasons not to accept suggested new sub-processors, we may object to the use of these suggested new sub-processors. If we choose not to suggest alternative sub-processors, or if you have valid and objective reasons to object to all suggested alternatives, you are entitled to terminate the contract with us within 14 days after receiving notice hereof.
5. Changes to this agreement
We may update this Agreement from time to time. You are advised to review this Agreement periodically for any changes. Changes to this DPA are effective when they are posted on this page.
6. Contact us
If you have any questions about this agreement, please contact us at support@sharepointsapiens.com.
ANNEX 1
This annex describes the scope of Processing
Subject-Matter and Duration of Processing
We process personal data for the subject matter specified under the Services Agreement and until the Services Agreement terminates or expires, unless otherwise agreed upon by the parties in writing. The subject matter is determined by the Service(s) to which you subscribe and the data which you provide to the Service.
Nature and Purpose of Processing
We will process Personal Data only to provide the Services, to fix and improve them and we will not collect, retain, use, or disclose the Personal Data for any other commercial purpose other than providing the Services.
The nature and purpose of Processing is determined by the Service(s) to which you subscribe and the data which you provide to the Service. For instance:
1. Our services process data provided by users to the Service (by adding or modifying an item in SharePoint), including Personal Data if provided, for example to enroll users into events or courses and to send calendar email invitations or other notification emails.
2. Our services process email replies to calendar email invitations to update the enrollment and display the information to other users.
Types of Personal Data
The following personal data will be processed:
Email address and common name to send email notification:
The service uses the email address combined with the common name from
(a) the user account when enrolling internal users to an event or course or when adding internal users to an event (organizers, instructor, etc.) or
(b) the email address and full name entered when enrolling external users to an event or course or when adding external guest or instructors to an event. The email address is used to send email invitations and notifications to enrolled users or users added to the event (organizers, instructors, etc.). The e-mail address and common name is stored in lists in your SharePoint site and is under your control.
Email address and common name to handle incoming emails:
If an incoming email is a reply to a calendar invitation, the service uses the email address combined with the common name from the email sender to update the reply status and to add an entry to the communication protocol in a list in SharePoint.
Email address for license validation
Applies to the Event Management and Calendar Email Extension add-in.
The service uses the hashed email address of the user that creates or modifies events and topics to uniquely identify the user and to verify if the user has a valid license assigned. Sapiens stores this information as part of the Customer’s license data.
Other Personal Data
You control the types of Personal Data provided via the Services for Processing. You have the option to collect other Personal Data from end users when using the add-in, for example in the enrollment form. This data is stored in lists in your SharePoint site and is under your control.
Special Categories of Personal Data
None anticipated, but you control the types of Personal Data processed via the Services.
Categories of Data Subjects
You control the categories of Data Subjects to which the Personal Data relates. For instance, you may Process via the Services Personal Data that relates to your current or prospective customers, employees or business partners.
External enrollments: This section applies to data external participants enter in the external enrollment form. Our service is intended for use by our customers. As a result, for much of the Personal Information we collect and process in the external enrollment form, we act as a processor on behalf our customer. We are not responsible for the privacy or security practices of our customers, which may differ from those set forth in this agreement.
ANNEX 2
This annex lists the sub-processors we currently use.
| Sub-Processor | Description |
| Microsoft | Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. For customers in Europe, data will be processed in the Netherlands, West Europe. For customers in Australia / Pacific, data will be processed in New South Wales, Australia East. For customers in the rest of the world, data will be processed in the USA, Virginia, East US |
| Stripe.com | If you choose to use credit card to pay the subscription fees, the collected data will be controlled and processed by stripe.com. Their Privacy Policy can be viewed at https://stripe.com/us/privacy |
| Mailgun.com | If you choose to use our mail service instead of your Exchange online e-mail service, the services send and receive e-mail through mailgun’s API and infrastructure. Their Privacy Policy can be viewed at https://www.mailgun.com/privacy-policy/ |