Community Guidelines

Last updated 1st January, 2020

The guidelines below (“Community Guidelines”) supplement and amend the Terms of Service (“ToS”), available at https://teamdream.co.uk/terms. If there is any conflict between the Community Guidelines and the ToS, the applicable terms in the Community Guidelines will prevail. Capitalized expressions not defined in the Community Guidelines have the meaning set out in the ToS.

CustomerResponsibilities

A Customer (Business Customer or Personal Customer) is solely responsible for what happens with his Space he or she owns on the Service. As aCustomer (having control of the Owner Account) it might, for example, be possible to enable, disable or otherwise change settings, options, access and editing right, roles of Members and properties of the Space, invite people, share access, add third-party integrations and much more. The Customer of aSpace is responsible for actions concerning the Space, including causing wanted or unwanted use, disclosure, loss, modification or deletion of any Content,Accounts or Spaces.

As a Customer you warrant that You are a human (not a bot) and at least 18 years old. You also warrant that You have sufficient capacity to enter into legally binding contracts and that You do not break any laws or regulations by entering into the Customer Agreement.

The Customer on a Space is considered an intermediary with the obligation to regulate actions and Content of Accounts with access to the Space. The Customer on a Space is at all times entirely liable for all acts and omissions by people actively or passively allowed to access the Space.

Customer Confidentiality

Unless explicitly authorized in writing by the other Party, neither Party shall disclose to any third Party any confidential Information of the other Party, nor use such Confidential Information in any manner other than to perform its obligations under these ToS. Confidential Information within the context of this Customer Agreement means any non-public information and/or materials that can reasonably be understood to be confidential and is provided by a Party under this Customer Agreement to the other Party. For example, a good indicator that material is considered confidential is if the wordConfidential is featured prominently in the header or footer. This does not cover how we handle Content on our Service.

The foregoing restrictions do not apply to any information that is publicly disclosed through no fault of the receiving Party, is already lawfully in the receiving Party’s possession and not subject to a confidentiality obligation to the disclosing Party, becomes known to the receiving Party from a third party having an apparent bona fide right to disclose the information, or is confidential Information that the receiving Party is obligated to produce pursuant to an order of a court of competent jurisdiction or a valid administrative subpoena, provided the receiving Party supplies the disclosing Party with timely notice of such court order or subpoena.

We are proud of all our Customers. We reserve the right to showcase the name and logo of anyCustomer in lists, online or any promotional material as well as verbally refer to them as Customer. If You would like Us to cease using Your logo and name please contact Us at jack@teamdream.co.uk. TeamDream reserves the right to contact You to ask You for quotes and/or to participate in the writing of aCustomer Case outlining the results of using the Service to be published and disseminated.

Subscriptions

Some of our Services are billed on a subscription basis (fittingly called “Subscription” and “Subscriptions”).

You agree to pay for Subscriptions that You purchase or use, according to the pricing and payment terms presented to You on an order form, on our Service, or in, in special circumstances, on a Subscription offer sent by one of Our employees (an“Offer”).

Billing Cycle and Billing Periods

You can choose to pay for a Subscription either on a monthly basis (“Monthly Billing”) or on a yearly basis (“Yearly Billing”). This “Billing Cycle” governs the length of the“Billing Period”, the time for which a Subscription is paid.

A Billing Period is entered when a Subscription begins or is modified or when You change YourBilling Cycle. The day a Billing Period commences is called the “Start Date” of a Billing Period. The “End Date” of a Billing Period depends on the BillingCycle.

With Monthly Billing, the End Date of a Billing Period is on, or close to the same date the next month. For example, if You are paying with Monthly Billing and You start aSubscription on the 15th of October, You will have the 15th of November as theEnd Date for the Billing Period.

With Yearly Billing, the End Date of a Billing Period is on, or close to the same date the next year. For example, if You are paying with Yearly Billing, starting aSubscription on the 15th of October will have the 15th of October in the nextYear as the End Date for the Billing Period.

In the case that the Start Date is close to the end of the Month, You can experience that theEnd Date over time will shift back some days to stay within the Month. For example, a Customer with Monthly Billing  entering a Billing Period with aStart Date on October 31 will have a corresponding End Date on November 30. TheEnd Date will not automatically shift forward again in longer months.

Automatic Renewal and Recurring Billing

‍You hereby agree to automatic renewal of Subscriptions. This means that any Subscription You purchase will renew at the end of its Billing Period, unless You cancel it before. That is why they are called Subscriptions.

By registering a credit card with TeamDream, You hereby agree to recurring billing. You authorized Us (or a designated third-party provider) to bill and automatically charge Your Credit Card on the (or close to the) same date every BillingPeriod, starting from the time a Subscription is bought or updated or You change Your Billing Cycle. What You are paying for depends on Your choice of Subscription and can be seen at checkout, on Our pricing page at https://teamdream.co.uk/pricing or specified in an Offer.

Please be aware that the price of a Subscription might depend on certain usage parameters, for example the number of ideas collected on a Space. You hereby accept that any changes affecting a Subscription during a Billing Period (e.g upgrades, downgrades, additional or canceled subscriptions, additional usage, fees) are automatically reflected in the next bill sent to You.

Payment Terms, Taxes and Functionality
‍
‍Payments forSubscriptions must always be made in advance and payment is due immediately when Subscribing and will be considered unpaid if it remains unpaid (7) days past the invoice date. In special circumstances, other methods of payments(e.g. a bank transfer) might be requested by TeamDream. Costs of Subscriptions may include fees for payment card processing of up to 4% of a Subscription price. What the Customer is paying for depends on his or her choice ofSubscription and can be seen at the checkout date.

TeamDream Subscriptions are pre-paid and non-refundable. TeamDream does in general not provide refunds or exchange for any partial time of use of its Service, any remaining Credits, data or Content except when required by law or explicitly stated in an Offer. In the event that the credit card registered with TeamDream is invalid for payment for any reason, or an invoice has otherwise been left unpaid then the Customer will remain responsible for any uncollected amounts. In case of non-payment, we reserve the right to apply a monthly late fee of up to 2% of the outstanding amount.

All prices might be stated exclusive of taxes (VAT or otherwise), which may or may not be added to the price, depending on applicable law and Your legal residence. If You a reregistered with official residence outside of the EU, You will not be charged VAT for our Service. If You are registered with official residence in the EU, but have not registered a valid European VAT ID, You will be charged the applicable VAT rate of the EU country You are registered in. If You register payment information for a valid non-British EU company with a valid EU VAT ID, You will not be charged VAT from Us, but reverse charge rules apply. If You register billing information representing a valid British company with a valid British VAT, You will be charged British VAT on the Subscription. You are responsible for paying any applicable taxes or fees.

From time to time we might give insight into when and which new features on Our Service are expected to be available. Buying decisions should not depend on this information, as we cannot guarantee them. We reserve the right to adjust the prices, fees, functionality, and usage limits or other limitations for the Service and Subscriptions from time to time. Adjusted prices for activeSubscriptions shall take effect earliest upon Your subsequent Billing Period of the Service following the date of the price change.

Proration

‍You might changeYour Subscription or the way You Pay, entering a new Billing Period while already in a Billing Period. If You change or add a Subscription or change yourBilling Cycle in a way that results in Us billing You more, You automatically enter a new Billing Period and a calculation process called “Proration” takes place.

Proration occurs for example if an existing Subscription is upgraded to a more expensive one, ifYou add an additional Subscription to Your Subscriptions, if a Subscription exceeds the usage limit, or if You change Your Billing Cycle from Monthly Billing to Yearly Billing. To be clear, Proration can never lead to Us paying out any amounts to You.

Proration means that We will calculate how much of the current Billing Period You have already used on a day-by-day basis, calling the remaining unused but paid for amount the“Prorated Amount” and subtracting it from Your new Invoice as a discount. For example, You are paying for one Subscription with Monthly Billing in a Billing Period with Start Date on November 15 and End Date on December 15. If it is December 10 and You add an additional Subscription, the Prorated Amount is the amount corresponding to the remaining 5 out of 30 days of use. You will enter anew Billing Period with Start Date on December 10 and You will be issued a new invoice based on the two combined Subscriptions, minus the Prorated Amount.

Trials

‍TeamDream may offer limited-time access to paid Subscriptions (referred to as “Trials”). When using a Trial, You are granted access to the features of a given Subscription on a Space for a limited amount of time (the “Trial Period”), disclosed at the outset of the Trial.

If You have already registered payment information on the relevant Account or Space, theTrial will automatically turn into a paid Subscription with Monthly Billing at the end of the Trial period, if it is not canceled before.

Credit

‍You may have the possibility to acquire virtual currency (“Credit”) for Your Account or for aSpace for certain actions You or third-parties perform. These actions may be, but are not limited to, signing up, referring people to use TeamDream, reaching an activity milestone or completing a survey.

Although theCredit may be visualized in USD or other currencies, this Credit is no legal tender, does not hold inherent value and cannot be refunded, transferred or exchanged for cash, goods or services. It can and may not be traded, sold, bought or exchanged with third parties. However, Credit You have earned can and will automatically be used to reduce the amount to be paid on bills for YourSubscriptions. In doing so, Credit is used up.

We reserve the right to allow for or stop ways to receive or use Credit at Our discretion. Any given Space can only accumulate Credit of up to a virtual equivalent of 300USD. We reserve the right to remove any Credit after 3 months without use.

Termination of Subscriptions

‍As a Customer, ifYou wish to cancel a Subscription, You may do so via the billing page in the settings or by contacting us directly. You may cancel a Monthly Subscription at any time and a Yearly Subscription at any time up to 30 days in advance of the end of the Billing Period. Access to the additional features or limits of theSubscription will stay accessible until the end of the Billing Period. At any point in time, only the Owner Account of a Space can set in motion the start, end or change of a Subscription his or her Space.

If You successfully cancel or otherwise terminate a Subscription in a Billing Period, You will not have to pay for the next upcoming Billing Period. For example, ifYou are paying with Monthly Billing from 14th to 14th of each month and terminate the Subscription on the 13th of one month You will not be billed on the 14th of that month for the next Billing Period.

In case of non-payment for any reason or any violation of this Customer Agreement, TeamDream shall be entitled - without liability - to immediately bar access to theService and/or parts of the Service and/or bar access to paid Subscriptions, and/or to terminate a Space You are in control of. In practice, TeamDream will make reasonable efforts to inform You of unsuccessful, invalid or missing payments before taking such steps.

Termination

Should an Account or Space be terminated, You agree and acknowledge that TeamDream has no obligation to retain Content and that such Data may be irretrievably deleted if the deleted account was removed longer than 30 days prior to the request for renewed access.

You agree and acknowledge that TeamDream has no obligation to retain the Content on a Space, and may delete such Content without prior notice, if the Customer has materially breached this Customer Agreement, including but not limited to failure to pay outstanding fees, and such breach has not been cured within twenty (20) days of notice of such breach; or upon termination of this Customer Agreement for any reason.

Misrepresentation

As a Customer, it is Your responsibility to keep the contact and payment information for the Space current. If We have reasonable grounds to suspect that information You provided for an Account or a Space is untrue, incomplete, not up to date or otherwise misrepresenting or deceiving, We reserve the right to suspend or permanently terminate Your Account, Your use of the Service or parts of the Service and/or access to any Space You are a Customer for.

Privacy Policy

Last updated 1st January, 2020

The policies below (“Privacy Policy”) supplement and amend the Terms of Service, available at https://teamdream.co.uk/terms. If there is any conflict between the Privacy Policy and the Terms of Service, the applicable terms in the Privacy Policy will prevail. Capitalized expressions not defined in the Privacy Policy have the meaning set out in the Terms of Service.

General

We are committed to maintaining robust privacy protections for people using Our Services. Our Privacy Policy (“Privacy Policy”) is designed to help You understand how We collect, use and safeguard the information You provide to Us and to assist You in making informed decisions when using Our Services. By accepting Our Privacy Policy, You consent to Our collection, storage, use and disclosure of Your personal information as described in thisPrivacy Policy.

Information We Collect

We collect “Non-Personal Information” and “Personal Information”.

Non-Personal Information includes information that cannot be used to personally identify You, such as anonymous usage data, general demographic information We may collect, referring/exit pages and URLs, platform types, preferences You submit and preferences that are generated based on the data You submit and the actions You take while using Our Services.

Personal Information includes the information You submit to Us through the registration process of Our Services: Your email, phone number, name, as well as all other Personal information you explicitly decide to share with us while using Our Services. If You are the representative of a Company, You may choose to identify Yourself by Your Company name. If any of the data We have on You is inaccurate or incomplete, you can change it from “Settings” within our Services, or by contacting us directly.

Information collected via Technology

‍To become a Member of any of our Services, You do not need to submit any Personal Information other than Your email address, phone number, and Your name. It is not necessary to submit further Personal Information thereafter.

However, in an effort to improve the quality of the Service, We track information provided to Us by Your browser, such as the website You came from (known as the “referring URL”), the type of browser You use, the device from which You connected to any of our Services, the time and date of access, and other information that does not personally identify You. We track this information using cookies or small text files which include an anonymous unique identifier. This allows Us to collect Non-Personal information about you, such as keeping a record of your theme preferences.

We may use both persistent and session cookies. Persistent cookies remain on Your computer or any of your other devices after You close Your session and until You delete them, or until they expire automatically. Session cookies expire when You close Your browser. For a list of the Cookies used in Our Service, please view Our Cookies Policy accessible at https://teamdream.co.uk/terms.

How We use and share information

Personal Information

‍We do not sell or trade Your Personal Information with third parties without Your consent nor do we otherwise share Your Personal Information with third parties for marketing purposes without Your consent. We do share Personal Information with vendors who are performing services for Us.For example, we share  Your email address with an external vendor for purposes of sending emails from Us to You. No vendors can use your Personal Information unless we explicitly direct them to. You can further inform yourself about Our vendors and their policies on https://teamdream.co.uk/terms. Please be aware that Your Personal information will be sent to servers residing in the United States for some of the Services provided by Our vendors. The vendors we use that are located in the U.S. are all EU-US Privacy Shield certified. Our collection, storage, and use of Your Personal Data will at all times be governed by this Privacy Policy.

In general, the Personal Information You provide to Us is used to help Us communicate with You and to improve our services. For example, We may use Your Personal Information to contact You in response to questions, solicit feedback from You, provide technical support, and/or to proactively inform You about promotional offers or activity that You could perform on Our Service.

In general, when providing Us with Personal Information, You must assume that other Members will be able to view that information on Your profile as long as they are part of the same Space. This does of course not apply to passwords, which are kept secret. Please understand that the use our Our Services means your Content and Activity on the platform may not be anonymous. When You make a contribution to the Website your location on a city level (as approximated by your current IP address) is saved and can be made available to other users of the Service.

Certain features within Our Services might make it possible for You and the Members of your Space to analyze, view, display and ultimately share Personal Information linked with Content or Activity performed by You. An example of this might be a report featuring a specific Member as having created the most ideas on a Space.

Non-Personal Information

‍In general, We use Non-Personal Information to help Us improve our Services and customize Your experience. We also aggregate Non-Personal Information in order to track trends and analyze usage patterns on Our Services. We also reserve the right to perform aggregate analysis of content submitted by Our Members, as long as the sample size is large enough for Members and customers to remain anonymous. If You do not want for Your data to be processed, you have the right to ask us not to, and We will make sure not to include Your data in aggregate analysis. This Privacy Policy does not limit in any way Our use or disclosure of Non-Personal Information, and We reserve the right to use and disclose such Non-Personal Information to Our partners, advertisers and other third parties at Our discretion.

Transferring Information

‍In the event thatWe undergo a business transaction such as a merger, acquisition by another company, or sale of all or a portion of Our assets, Your Personal Information may be among the assets transferred. You acknowledge and consent that such transfers may occur and are permitted by this Privacy Policy, and that any acquirer of Our assets may continue to process Your Personal Information as set forth in this Privacy Policy. If Our information practices change at any time in the future, We will post the policy changes to the Site so that You may opt out of the new information practices before they take effect. We suggest that You check the Site periodically if You are concerned about how Your information is used.

How We Protect Information

We implement security measures designed to protect Your information from unauthorized access. Your account is protected by Your account password and We urge You to take steps to keep Your personal information safe by not disclosing Your password and by logging out of Your Account after each use. We further protect Your information from potential security breaches by implementing certain technological security measures including encryption, firewalls and secure socket layer technology. However, these measures do not guarantee that Your information will not be accessed, disclosed, altered or destroyed by a breach of such firewalls and/or secure server software. By usingOur Service, You acknowledge that You understand and agree to assume these risks.

Use of Tawk.to Services

We use third-party analytics services to help understand Your usage of Our Services. In particular, We provide a limited amount of Your information: Your name, email address, phone number, and sign-up date to Tawk.to, Inc. (“Tawk.to”) and utilize Tawk.to to collect data for analytics purposes when You any of Our services.

Tawk.to analyzes Your use of Our Web application and websites and tracks Our relationship with you so that We can improve Our Services to You. We may also use Tawk.to as a medium for communications, either through email, or through messages within OurServices. As part of Our service agreements, Tawk.to collects publicly available contact and social information related to You, such as Your email address, gender, company, job title, photos, website URLs, social network handles and physical addresses, to enhance Your user experience. If You would like to opt out of having this information collected by or submitted to Tawk.to, please contact us.

For more information on the privacy practices of Tawk.to, please visit https://www.tawk.to/privacy-policy/. Tawk.to’s services are governed by Tawk.to’s terms of use which can be found at https://www.tawk.to/terms-of-service/.

Communication

We might choose to communicate with You via electronic means (e.g. SMS, chat, emails), via post and via telephone calls.

TeamDream will not forward marketing material from third parties to You. If You choose to contact Our customer service we retain the right to write back, call or otherwise contact You back.

We might forward notifications about activity on any of our Services, that We deem relevant forYou, to Your e-mail or as a Push Notification. Examples of such activities are if someone likes an idea You have posted or if You have been invited to aSpace. You can opt out of some of these notifications by changing the notification settings in any of Our Services.

We will forward product news, contests or useful information on how to use our product that we deem relevant to Your use of our Services as We see fit. You can opt out of communication sent to You by unsubscribing from Our emails or by contacting us directly.

Links to Other Websites

As part of our Services, We may provide links to or integrations with other websites or applications. However, We are not responsible for the privacy practices employed by those websites or the information or content they contain. This Privacy Policy applies solely to information collected by Us through our Services. Therefore, this Privacy Policy does not apply to Your use of a third party website accessed by opening a link on Our Web application or websites. To the extent that You access or use Our Services through or on another website or application, the privacy policy of that other website or application will apply to Your access or use of that site or application. We encourage You to read the privacy statements of other websites before proceeding to use them.

Your Rights regarding the use of Your Personal Information

You can indicate that You do not wish to receive notifications from Us in the “Settings” section of any of our Services. This setting does not cover Us contacting You for other purposes.

You have the right at any time to prevent Us from contacting You for marketing purposes. If and when We send promotional content to You, You can opt out of further promotional e-mail communication by following the unsubscribe instructions provided in each promotional e-mail.

Please note that notwithstanding any settings or indication of preferences, We may continue to send You administrative emails with notices that we, at our sole discretion, consider important.

You have the right to retain and reuse the Personal data that You have provided to Us. Upon such a request, we will transfer Your Personal data records to You in a machine-readable format. You have the right to Use and/or transfer this data to another service provider without Our hindrance. If it is technically feasible, we will transfer Your Personal data directly to another service provider, should You request so.

If You don’t want Your data to be processed, for example for analytics purposes, you have the right to ask us not to, and we will accept your request not to do so.

Please also know that You have the right to have all of Your data removed from our Services upon Your explicit request and without Our objection to it, unless we still have legal grounds to preserve it, or if You have outstanding financial commitments to us.

At any time, You have the right to ask Us to send You all of the Personal data we keep on you.We will meet your request by sending you the data in a machine-readable format, including information about how it is processed.

If any part of this Privacy Policy is not clear to You, or if You have further questions, you have the right to request further information from us, and We will respond toYou with further details.

Contacting us with Privacy-related matters

You can get in contact with us in any time to:

• Request access to the Personal information We have on You

• Correct any inaccurate or incomplete information We have on You.

• Delete or transfer any Personal information We have on you.

• Clarify any questions You may have about Our Privacy Policy

Please contact us at:

TeamDream
41 DevonshireStreet,
London, W1G 7AJ

jack@teamdream.co.uk
(+44) 20 3752 7211

ContactInformation for Our Data Protection Officer

‍We have employed a Data Protection Officer to further strengthen Your privacy. This Officer is responsible for matters relating to privacy and data protection and can be reached at:

TeamDream
Att: Jack Sheehan
41 Devonshire Street,
London, W1G 7AJ

jack@teamdream.co.uk

Service Level Agreement

Last updated 1st January, 2020

The Service Level Agreement below (“SLA”) supplements and amends the Terms of Service (“ToS”), available at https://teamdream.co.uk/terms. If there is any conflict between the SLA and the Terms of Service, the applicable terms in the SLA will prevail. Capitalized expressions not defined in the SLA have the meaning set out in the Terms of Service.

General

TeamDream provides certain guarantees for the availability of the TeamDream Service. This SLA describes the levels of Service availability and the support that the Customer can expect to receive from TeamDream for the duration of the Customer Agreement.

Definitions

“Service Credit” means a Credit (as described in the Customer Agreement) denominated in US dollars, calculated as set forth below, that we may credit to an eligible Customer for future invoices. Service Credits cannot be exchanged for cash. Service Credits do not entitle the Customer to a refund or any other payment from TeamDream. Service Credits are not cumulative, that is, there shall only be a single Service Credits given for all Unavailabilities with a single cause.

“Unavailable”and “Unavailability” and “Unavailabilities” means when the Subdomain of a Customer is not reachable on an up-to-date version of a desktop or mobileFirefox, Edge, Internet Explorer or Chrome web browser due to Our fault.

“Monthly Uptime Percentage” means the calculation arrived at by subtracting from 100%the percentage of minutes during the month in which the TeamDream Web AppServices were Unavailable. Monthly Uptime Percentage measurements exclude downtime resulting directly or indirectly from any SLA Exclusion (as defined below).

Uptime Service Commitment

Customers who subscribe to TeamDream Plans covered by this SLA (set forth below) will be entitled to Credits for any Unavailability that fails to meet the Monthly Uptime Percentage. The SLA does not provide any uptime service commitment guarantees for Customers that are not on a paid Subscription of TeamDream. “Outage”means the actual number of minutes the TeamDream Web App Service isUnavailable. “Subscription Price” is the monthly Subscription fee for for the Customer on a given plan.  The monthly uptime percentage, the resulting allowed Outage, the Acceleration Ratio and maximum Service Credit by percentage of invoice for each covered TeamDream Plan is as follows:

As an example calculation, an outage of 4 hours in a given Monthly Billing Period for a Customer on the Business Plan equals to (240 minutes - 43 minutes) = 197minutes of creditable Outage. With 197m times the 20x acceleration ratio divided by a total of 43800 minutes in a month, the Customer is eligible for a Credit of 8.9% of his invoice for that month.

Exclusions

TeamDream is not responsible for failures caused by factors not in TeamDream’s control including but not limited to failures caused by:

1. Problems beyond or outside of the TeamDream Service including: Customer’s own telecommunications, Delivery Service or internet service providers, email domain server availability or mobile push notification providers; Force     Majeure Event; or intentional or accidental filtering of network traffic by national governments, carriers or regulatory bodies. “Force Majeure Event” means:

   • compliance with any act, order, demand or request of any government, governmental authority, or government agency;

   • labour disputes, work stoppages or slowdowns of any kind;

   • fires or hurricane, earthquake, flood and other natural disasters or fires; war, rebellion, act of terrorism, or civil disorder;

   • systemic internet issues or any other act or omission of any telecommunication or services provider;

   • any other cause beyond TeamDream’s reasonable control.

2. Issues that arise from TeamDream’s suspension or termination of Customer’s right to use the Service as allowed or required by the TOS, Acceptable Use Policy, government or court orders, or other agreements.

3. Service degradation or suspension as a result of misuse under the Community Policy guidelines  is not considered as an Outage covered by this SLA.

Service Credit Terms

To apply for a Service Credit, the customer must submit a claim by emailing jack@teamdream.co.uk within thirty (30) days of the month in which the Unavailable Time occurred. The ticket must include (i) "SLA Claim" as the subject of the ticket;(ii) the dates and times of the Unavailable time for which you are requesting aService Credit; and (iii) any applicable information that documents the claimed outage for the given Customer, cleared of any sensitive information that Customer wishes to remain confidential.

In order for a Customer to be eligible to receive a Service Credit under this SLA, the Customer must (1) use the latest version of the TeamDream Web App, (2) make sure that they are using up-to-date Firefox, Chrome, Edge or Internet Explorer web browsers.

ServiceCredit will be applied to the invoice following the Billing Period that theService Credit was accrued. A pending Service Credit does not release a Customer from its obligation to pay TeamDream invoices submitted for payment in full when due.

If the Monthly Uptime Percentage of such request is confirmed by us and is less than the Service Commitment, then we will issue the Service Credit to you within one billing cycle following the month in which your request is confirmed by us.Your failure to provide the request and other information as required above will disqualify you from receiving a Service Credit.

Sole Remedy

Unless otherwise provided in the ToS, your sole and exclusive remedy for any Unavailability, non-performance, or other failure by us to provide the Services is the receipt of a Service Credit (if eligible) in accordance with the terms of this SLA.

Customer Support Commitment

Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services and related components that we are committed to serve to our Customers on the paid Business and Enterprise plans.

‍Customer Support Availability

• Telephone support : 10:00 A.M. to 5:00 P.M. Monday - Friday, London Time.

• Email support: Monitored 9:00 A.M. to 5:00 P.M. Monday - Friday, London Time.

• Emails received outside of office hours will be collected, however, no action can be guaranteed until the next working day.

• Screensharing or call-guided assistance guaranteed within 72 hours during the business week for a maximum of two times a month.

‍Service Request Availability

‍In support of Services, TeamDream will respond to service related incidents and/or requests submitted by the Customer within the following time frames:

• 0-12 hours for issues classified as High priority.

• Within 48 hours for issues classified as Medium priority.

• Within 5 working days for issues classified as Low priority.

• Remote assistance will be provided in line with the above timescales dependent on the priority of the support request.

Revision

TeamDream may revise this SLA upon thirty (30) days’ notice by sending an email to Customer. Customer can cancel their Subscription as outlined the Customer Agreement at any time.

Security Questionnaire

Last updated 1st January, 2020

TeamDream relies on your trust. Without you, there is no us.Innovation and idea sharing can contain highly confidential information and should always be kept safe from harm. For that reason we have put in place extensive security and control processes that help ensure information safety. TeamDream takes pride in providing Enterprise-grade security levels for everyone.

Your data is safe with us because we care about knowing that you can rest easy as you build your innovation community with TeamDream. Below we are giving answers on some of the most common questions we have received from Customers - to give you a fast overview and specific answers.

If a question is missing from this list that you would like to see added, please let us know so we can amend this security questionnaire.

Data Centre Features

Where is customer data stored?

TeamDream persistently store Customer data on the Google Cloud Platform with servers located in the EU, Frankfurt and Dublin. Customer Content (Ideas, Comments etc.) is not stored by any other third-party provider. In addition to this, we have signed Data Processing Addendums (DPAs) with any Sub-Processors of customer data. You can view a full list of Our Sub-Processors at https://teamdream.co.uk/sub-processors.

What security features do TeamDream’s data centres provide?

The Google CloudPlatform data centres are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Access toGoogle's data centre floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics.Only approved employees with specific roles may enter. Additionally, Google data centre physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data centre floor features laser beam intrusion detection. Google meticulously tracks the location and status of all equipment within their data centres from acquisition to installation to retirement to destruction, via barcodes and asset tags.Metal detectors and video surveillance are implemented to help make sure no equipment leaves the data centre floor without authorization. If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest.When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data centre adheres to a strict disposal policy and any variances are immediately addressed.

Is TeamDream SOC2 compliant?

Our data centre provider is of course SOC2 compliant, and you’re always welcome to contact us if you’d like us to provide you with their compliance report. To expedite the process we kindly ask that you include sufficient contact information along with a reason for requesting it.

How is Customer data backed up?

All client data is fully backed up on a daily basis to multiple data centres within the EU, Frankfurt, and Dublin.

Can TeamDream delete Customer data on request?

Currently, customer data can be deleted with written request to TeamDream by the customer.In connection with our GDPR compliance efforts, we will be updating our data deletion abilities to make them part of the user interface.

Does TeamDream have the ability to sanitize computing resources of client data if a customer leaves TeamDream?

Google is our production hosting provider. Google hard drives leverage technologies like FDE(full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data centre adheres to a strict disposal policy and any variances are immediately addressed.

Does TeamDream keep customer information after termination?

TeamDream allows customers to export their raw data at any time in the industry-standard JSON format with a written request from the customer. Additionally, customer data can be deleted upon request at termination or will be deleted in accordance with TeamDream's internal data retention policies.

Data Security and Management

Does TeamDream keep one Customer's data separated?

All sensitive Customer data is only accessible after the successful exchange of a session token from our API that carries with it varying degrees of access rights to a specific Customer’s data depending on multiple factors such as the settings of the Space, the specific user trying to access the resource, as well as the operation that is attempted to be performed on that resource. This provides logical separation between data belonging to multiple customers.Customer Data reside on database systems which house data belonging to multipleCustomers, but our logical authentication and authorization controls separate one Customer’s data from another Customer’s data.Does TeamDream support single sign-on and multifactor authentication?Our product supports Single Sign-On (SSO). We support the SAML standard, including integration with the Active Directory (AD) protocol.. You can set up the SSO yourself under /settings/sso. A guide to installing SSO on TeamDream can be found at in our knowledge base at https://help.teamdream.co.uk

Encryptionand Password Management

Does TeamDream encrypt customer data?

When a user visits a website or application with TeamDream instrumented, the details of their interactions are captured and  sent to TeamDream over HTTPS. All data transferred over HTTPS is encrypted. TeamDream only allows connections over HTTPS exclusively to ensure data is encrypted in transit. TeamDream  uses NIST Suite B compliant cipher suites to secure data in transit and at rest.The Google CloudPlatform encrypts customer data stored at rest by default. Data in Google CloudPlatform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs  are encrypted with (or “wrapped” by) a key encryption key (KEK).

For  more information,  please see https://cloud.google.com/security/#dataencryption

What are TeamDream’s procedures for password management?

Keys  for encryption  of customer data  at rest are managed  by our cloud provider,  Google. You can find additional information about Google's key management procedures here:https://cloud.google.com/kms/. We use public/private keys to secure access to code repositories. Keys used by staff are generated by TeamDream employees on an individual basis and stored on local machines). Access to the repositories can be provisioned or revoked by senior engineering staff.

Are customer passwords encrypted?

Yes. Passwords are hashed using the industry-standard Blowfish block cipher cryptographic algorithm which is an adaptive hash function that is based on a technique called Key Stretching, that is recommended by NIST.

What are TeamDreams corporate password requirements?

We use Google G-Suite as our corporate single sign-on platform. This application controls our access to the various applications that TeamDream uses.  TeamDream uses multi factor authentication to gain access to the system. With regards to the password policy specifically, they are set as follows: (a) passwords must be a minimum of 8 characters; (b) they must contain some lower case letters, and they cannot contain part of the username; and (c) users are locked out after 10 failed login attempts.

To learn more about the security of G-Suite as identity provider, please see

https://static.googleusercontent.com/media/gsuite.google.com/en//security/g-suite-security-ebook.pdf

HR and Corporate Policies

Does TeamDream run background checks on its employees?

We run background checks on all incoming employees, or contractors who will be working in any TeamDream office, before starting at the company. Additionally, all employees sign confidentiality agreements to protect customer information.

Does TeamDream subcontract any of its services?

TeamDream uses a third-party vendors to provide our services, namely the Google Cloud Platform to persistently store customer data. TeamDream additionally uses vendors to monitor the performance of Our Services and for communication purposes after they have been vetted and signed the appropriate contractual protections to handle customer data. In connection with our GDPR compliance, we are disclosing Our full list of Sub-Processors at https://teamdream.co.uk/sub-processors.

GDPR

Does TeamDream process personal information?

TeamDream’s customers can customize and decide what information to send into our database, with certain restrictions as governed in our agreement with a Customer. This may include personal information, but whether there is personal information sent is ultimately determined by the Customer and their decisions on what data to send to TeamDream to process.

Is TeamDream data controller or processor?

When customers send data to the TeamDream platform, TeamDream is the data processor, as defined in the GDPR, for purposes of the services provided; the Customer is the data controller.

Does TeamDream comply with the GDPR?

Yes. More information on Our GDPR compliance can be found at https://teamdream.co.uk/gdpr.

Do TeamDream Sub-Processors comply with GDPR?

Yes, we have in place written Data Processing Agreements (“DPA”) with all of OurSub-Processors. TeamDream imposes data protection terms on each Sub-Processor regarding their security controls and applicable regulations for the protection of personal data. Before engaging a Sub-Processor, we perform extensive due diligence, including detailed security and legal analysis. We do not engage a Sub-Processor unless our quality standards are met.

Audit

Does TeamDream conduct regular security audits?

We perform regular, automated, vulnerability scans on our external and internal networks. Further, security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.

Does TeamDream log events with an audit trail?

Access to the audit trail is restricted to our development team but remains immutable to change. Audit trail records are kept for at least 1 year. TeamDream extensively logs activity by its development team and all Users of the Service automatically as they happen with Google’s inbuilt StackDriver audit logging monitoring. All logs remain immutable, time synced, filterable and exportable. We work with Customers on the Enterprise plan to fulfill any audit trail inquiries and reasonable requests for audit trail exports in a timely manner.

Threat and Vulnerability Management

Does TeamDream have anti-malware programs installed?

Our production servers run Linux, where we achieve security by making all of our services sandboxed in containers that are entirely recycled for each deployment. This prevents malware from gaining a persistent foothold, and ensures that there isa minimal window in which malware could stay memory-resident. In our view, this approach is more robust than relying on a detective approach to preventing malware compromise.

How does account management work at TeamDream?

The TeamDream Service features 4 security levels of accounts: Owner, Admin, Member and Guest. The Owner Account (one per Space) has full access to all Space settings and billing. Admins have full access to create, and delete content, missions and teams as well as invite people and manage member roles. Members and Guests have the ability to create content based on access levels given by Admins.

Is my Data kept private?

When you claim a TeamDream Space, it’s yours and yours alone. All access to the datastore is restricted to only a select few to keep security high and risk low.Well, whenever a customer runs into a bug or an error, we either request direct access to theSpace in question, make use of screen-sharing software or simply run tests using a development environment. You’ll never have to grant access to anything if you don’t want to. It’s that easy. Data is kept in a highly secure environment that can only be accessed with 2FA. TeamDream will never, for any reason or under any circumstances, sell your data to third parties.

Does TeamDream staff access or use Customer data or Content?

TeamDream does not own, control or direct the use of any data stored or processed by our customers as they use our service. This extends to access, retrieval and direct use of such data. We are generally unaware of what is being stored or otherwise internally made available within a Space.

Ownership of Content remains with Customer and its Users. As described in Our Terms ofService, TeamDream and its employees are at no point permitted to view CustomerContent unless We are given explicit consent by the Customer for valid support purposes or if We are compelled by a law or a valid legal or government request. At no point are we allowed to Use Customer Content for Our own purposes.

TeamDream employees, such as our support staff, do not as a standard have access to customer Space. Access to Spaces is only given to employees on the basis of valid urgent support requests and employees are trained on appropriate access, and access is monitored for inappropriate use.

While CustomerContent is not accessed, generalized Customer data in the form of events and usage statistics is collected and used for the purposes of general user experience improvements and product feedback. Any direct product feedback given to Customer Support staff is not considered Customer Content and can also be used to improve our Services. Incident management at TeamDreamIn the event of a security breach, TeamDream will notify you of any unauthorized access to your customer data within 72 hours after first having become aware of the breach.However unlikely such an occurrence is, we have thorough incident management policies and procedures in place to handle such an event with utmost care and efficiency. As part of GDPR compliance we will also have to report such incident to the responsible local government authorities, the UK Data Protection Agency.

How long is data kept?

We do store all data for up to 6 years unless your account is deleted. in which case, we dispose of all data in accordance with our terms of service and privacy policy, within 60 days. information regarding legal transactions between customers and TeamDream will be stored for up to 10 years.

GDPR Resource Centre

Last updated 1st January, 2020

On May25, 2018, the General Data Protection Regulation (GDPR) became fully enforceable across the European Union (EU), creating a higher standard for data protection, privacy, and security for the processing of personal data from the EU. The GDPR applies to the processing of personal data regardless of where that takes place in the world, and impacts any company that handles personal data of EU citizens and others within the EU.

The GDPR is an attempt to strengthen, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it's giving EU citizens and residents control over their personal data while simplifying the regulatory environment for international business that takes place in the EU.

The Data Protection Principles include requirements such as:

· Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
·  Personal data should only be collected to fulfil a specific purpose and it should only be used for that purpose. Organizations must specify why they need the personal data when they collect it.
·  Personal data should be held no longer than necessary to fulfil its purpose.
· People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.

Why is it important?

GDPR adds some new requirements regarding how companies should protect individuals' personal data that they collect and process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breach. Beyond these facts it's simply the right thing to do. At TeamDream we strongly believe that your data privacy is very important and we already have solid security and privacy practices in place that go beyond the requirements of the GDPR.

Does TeamDream offer a DPA?

TeamDream is committed to GDPR compliance and there are no shortcuts when it comes to meeting these requirements. We offer a data processing addendum (DPA) for our customers who collect data from people in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers.

Our DPA is already part of the Terms of Service, so no further action is really needed on your part. But if you have any special DPA needs, feel free to contact us.

You can always link to https://teamdream.co.uk/dpa in case you need to provide documentation that TeamDream is indeed a GDPR compliant data processor or download the page as a PDF.

Is TeamDream GDPR compliant?

Yes, Our Terms of Service reflect strict GDPR requirements & compliance. We work with the best in the market to ensure complete compliance and data safety so you can rest easy.

An extensive standardized DPA has been added as an extension of our Terms of Service and includes both the relevant information on data processing along with a list of sub-processors.

We have reviewed our product, its processes and procedures to make sure we meet the necessary GDPR standards:

Which Sub-Processors does TeamDream use?

We only work with industry standard service providers for Our Service to be able to supply a service that is up to the highest standards of availability, stability, security and privacy. We provide a full and up-to-date list of our Sub-Processors that You can review, if necessary.

Our Service is hosted on Google Cloud with all Content stored on servers in the EU. We use Sendgrid for sending you account-related emails with sensitive log-in information such as an initial welcome email or a password reset email. We use Stripe to process payments. Your billing information,including your credit card, email, payment history, and plan information isstored on Stripe.

We Use Google Analytics to store and analyze product usage data. When You interact with Our Service. We do not send the Content of the interaction.  helps us provide support and communicate with You via in-app chat and email. We send Tawk.to Your full name, email address and account information as well as other meta data like which subscription You are on.

We also receive ad marketing analytics from Facebook Business and LinkedIn. Our business infrastructure depends on services for document sharing provided by Google’s G-Suite and work communication software by Slack. Calendar management and demo booking is provided by Calendly. Lastly, we use Xero for our internal accounting and the manual invoicing process for some of Our Customers.

Are your Sub-Processors also GDPR compliant?

Yes, we have in place written Data Processing Agreements (“DPA”) with all of Our Sub-Processors.

Training and Awareness

We've formed a core privacy team of leaders from each area of the TeamDream business, headed by our internal Data Protection Officer (DPO). The representatives in this group are the project managers who will ensure all the requirements of GDPR are covered from Marketing to Engineering to People Ops.

Data Inventory

We have reviewed and identified all the areas of TeamDream where we are collecting and processing Customer data; categorizing and taking inventory of everything from cookies to help desk conversations. Using this matrix we have validated our legal basis for collecting and processing personal data and double checked that we are applying the appropriate security and privacy safeguards across our entire infrastructure and software ecosystem.

Risk assessment

Having a managed data protection impact assessment (DPIA) process is a requirement for GDPR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The TeamDream engineering team has always undergone security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us.

Any time we introduce a change to the way we handle personal data, we spend time discussing the potential impact on Customers of TeamDream and possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate the data privacy and security risk to anyone who interacts with the TeamDream platform. We will continue to execute this risk assessment process as we expand the TeamDream offerings.

Breach management

We already have in place a breach management and communication plan and have updated this existing process to comply with the GDPR regulations concerning the escalation process and requirements for data subject notification.

Your rights under GDPR

Consenting to our Terms of Service is an active step in the sign-up process. However, you’re also free to opt-out and be forgotten as per the GDPR Right-To-Be-Forgotten. As you delete content on your Space, such as a member, all relevant member data will be permanently deleted in our user database, and any peripheral data such as ideas will be transferred to an anonymous placeholder.

You’re always welcome to contact us in case you’d like to access, correct, amend or delete information that we hold about you.

Clear and concise legal terms

At TeamDream we practice transparency internally and we believe that transparency extends to our Customers. With our updated Terms of Service and Privacy Policy we openly describe which personal data we are collecting, processing, why, how we use it, who we share it with and how long we store it.We have always made an effort to keep the language in our Terms of Service and Privacy Policy as clear as possible and we have updated these notices to describe how we are respecting and protecting your personal data. We hope you find it concise, transparent, intelligible and easily accessible.

Consent

We've updated our cookie policy to provide you with complete transparency into what is being set when you visit our site and how it's being used. On our cookie policy page you can also read about steps you can take in order to control how your browser handles cookies.

Individual Data Subject's Rights

We are committed to helping our customers meet the data subject rights requirements of GDPR. TeamDream processes or stores all personal data in fully vetted, DPA compliant vendors.We do store all conversation and personal data for up to 6 years unless your account is deleted. In which case, we dispose of all data in accordance with our Terms of Service and Privacy Policy, within 60 days. Information regarding legal transactions between Customers and TeamDream will be stored for up to 10years. We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data and will assist you with any such GDPR related requests free of charge.

We are here for you

We are working with our Customers to answer any questions and address any concerns regarding how we protect their personal data in accordance with GDPR. If you have any questions, please don't hesitate to reach out at jack@teamdream.co.uk.

Data Processing Addendum

Last updated 1st January, 2020

The terms and conditions below (“DPA”) supplement and amend the Terms of Service (“ToS”), available at https://teamdream.co.uk/terms to the extent that TeamDream processes any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“EU Data”) for You as a Customer. Capitalized expressions not defined in the DPA have the meaning set out in the ToS. Words and expressions used in this DPA but not defined in the DPA or in the ToS have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Data to TeamDream, the Commission implementing Decision 2016/1250 (“Privacy Shield”) (“Applicable Data Protection Law”).

TeamDream as Data Processor

TeamDream should be considered only as a Processor on behalf of its Customer and Users as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this DPA, TeamDream does not independently cause Customer Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third party Sub-Contractors who may process such data on behalf of TeamDream in connection with TeamDream’s provision of Service to Customers.

Such actions are performed or authorized only by the applicable Customer. The Customer is the data controller under the Regulation for any Customer Data containing PersonalData, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.

TeamDream is not responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its Sub-Contractors’ servers) at the discretion of the Customer nor is TeamDream responsible for the manner in which the Customer or User collects, handles disclosure, distributes or otherwise processes such information.

In the course of providing the Services to Customer pursuant to the ToS, TeamDream may processPersonal Data on behalf of Customer. TeamDream agrees to comply with the following provisions with respect to any Personal Data submitted by or forCustomer to the Service or collected and processed by or for Customer through the Service.

2.General

1. You confirm that You are accepting this DPA in Your capacity as either a Personal Customer or Business Customer.

2. If You are accepting this DPA as a Business Customer, You confirm that You have the authority to bind the entity you represent as a Customer to this DPA.

3. This Data Processing Agreement sets out the rights and obligations that apply to TeamDream’s handling of personal data on behalf of Customer.

4. This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub-section 3 of Regulation 2016/679 of the European Parliament and of the Council (with, including but not limited to, Article 28) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which sets out specific requirements for the content of data processing agreements.

5. TeamDream’s processing of personal data shall take place for the purposes of fulfilment of the ToS, commencing on the date on which You, as a Customer, electronically accept or otherwise agree to Our ToS.

6. The duration of this Order or Contract corresponds to the duration of the ToS. This does not prejudice the right to termination of the contract for cause without notice. Such a cause exists in particular, if an obligation under this     agreement or provisions of the GDPR are intentionally or grossly negligently violated.

7. This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties, including the ToS. EU Standard Contractual Clauses, if applicable, must prevail.

8. Three appendices are attached to this Data Processing Agreement. The Appendices form an integral part of this Data Processing Agreement.

9. Appendix A of the Data Processing Agreement contains details about the processing as well as the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

10. Appendix B of the Data Processing Agreement contains the terms and conditions that apply to TeamDream’s use of Sub-Processors and a list of approved Sub-Processors.

11. Appendix C of the Data Processing Agreement contains instructions on the processing that TeamDream is to perform on behalf of Customer (the subject of the processing), the minimum security measures and how inspection with TeamDream and any Sub-Processors is to be performed.

12. This Data Processing Agreement shall not exempt TeamDream from obligations to which TeamDream is subject pursuant to the General Data Protection Regulation or other legislation.

3.Customer Rights and Obligations as Data Controller

1. Customer shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation and, further, the UK Data Protection Act.

2. Customer shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data.

3. Customer shall be responsible for ensuring that the processing that TeamDream is instructed to perform is authorised in law.

4.TeamDream acts according to instructions

1. TeamDream shall solely be permitted to process personal data on documented instructions from Customer unless processing is required under EU or Member State law to which TeamDream is subject; in this case, TeamDream shall inform Customer of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3, para a.

2. TeamDream shall immediately inform Customer if instructions in the opinion of TeamDream contravene the General Data Protection Regulation or data protection provisions contained in other EU or Member State law.

5.Confidentiality

1. TeamDream shall ensure that only those persons who are currently authorised to do so are able to access the personal data being processed on behalf of Customer. Access to the data shall therefore without delay be denied if such authorisation is removed or expires.   

2. Only persons who require access to the personal data in order to fulfil the obligations of TeamDream to Customer shall be provided with authorisation.

3. TeamDream shall ensure that persons authorised to process personal data on behalf of Customer have undertaken to observe confidentiality or are subject to suitable statutory obligation of confidentiality.

6.Security of processing

1. TeamDream shall take all the measures required pursuant to Article 32 of the General Data Protection Regulation which stipulates that with consideration for the current level, implementation costs and the nature, scope, context and     purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Processor shall implement appropriate technical and organisational measures to ensure a     level of security appropriate to the risk.

2. Depending on their relevance, the measures may include the following:

   1. Pseudonymisation and encryption of personal data

   2. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.

   3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

   4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

3. TeamDream shall in ensuring the above – in all cases – at a minimum implement the level of security and the measures specified in Appendix C to this Data Processing Agreement.

7.Assistance to Customer

1. TeamDream, taking into account the nature of the processing, shall reasonably assist Customer with appropriate technical and organisational measures, in the fulfilment of Customer obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.
   
   This entails that TeamDreamshould reasonably assist Customer in Customer compliance with:  

   1. notification obligation when collecting personal data from the data subject

   2. notification obligation if personal data have not been obtained from the data subject

   3. right of access by the data subject

   4. the right to rectification

   5. the right to erasure (‘the right to be forgotten’)

   6. the right to restrict processing

   7. notification obligation regarding rectification or erasure of personal data or restriction of processing

   8. the right to data portability

   9. the right to object

   10. the right to object to the result of automated individual decision-making, including profiling

2. TeamDream shall assist Customer in ensuring compliance with Customer obligations pursuant to Articles 32-36 of the General Data ProtectionRegulation taking into account the nature of the processing and the data made available to TeamDream, cf. Article 28, sub-section 3, para f.
   
   This entails that TeamDream should, taking into account the nature of the processing shall reasonably assist Customer in Customer compliance with:

   1. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing

   2. the obligation to report personal data breaches to the supervisory authority (UK Data Protection Agency) without undue delay and, if possible, within 72 hours of Customer discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons

   3. the obligation – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons

   4. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons

   5. the obligation to consult with the supervisory authority (UK Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by Customer to limit risk

8.Notification of personal data breach

1. On discovery of personal data breach at TeamDream’s facilities or a sub-processor’s facilities, TeamDream shall without undue delay notify Customer.  TeamDream’s notification to Customer shall, if possible, take place within 72 hours after TeamDream has discovered the breach to enable Customer to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours immediately and in any case.

This may mean that TeamDream is required to assist in obtaining the information listed below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation, shall be stated in Customer report tothe supervisory authority:

1. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records 

2.  Probable consequences of a personal data breach

3. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage

9.Erasure and return of data

On termination of the processing services, TeamDream shall be under obligation, at Customer discretion, to erase or return all the personal data to Customer and to erase existing copies unless EU law or Member State law requires storage of the personal data.

10.Commencement and termination

1. This Data Processing Agreement shall become effective on the date on which Customer electronically accepts or otherwise agrees to Our ToS. 

2. This Data Processing Agreement may be terminated according to the terms and conditions of termination, incl. notice of termination, specified in the ToS subject to Section 2.6 (see above).

3. This Data Processing Agreement shall apply as long as the processing is performed. Irrespective of the termination of the ToS and/or this Data Processing Agreement, the Data Processing Agreement shall remain in force until the termination of the processing and the erasure of the data by TeamDream and any sub-processors.

Data Controller and Data Processor Contact

1. Customer may contact TeamDream at jack@teamdream.co.uk

2. TeamDream may contact Customer using the contact information stored on their Account.

Appendix A: Information about the processing

DATA EXPORTER

The data exporter is a Customer of data importer’s communication and productivity software, services, systems and / or technologies.

DATA IMPORTER

The data importer is TeamDream (Cloisters Ventures Ltd), as a provider of communication and productivity software, services, systems and / or technologies.

DATA SUBJECTS

The personal data transferred concern the following categories of data subjects: Users of theService

CATEGORIES OFDATA

The personal data transferred concern the following categories of data:Personal Data subject to Data Protection Laws. Any personal data comprised in Customer Data.“Customer Data” means all data and information submitted by Users to the Services and includes message text, files, comments and links, but does not include third-party products or the Service.

SPECIAL CATEGORIES OF DATA (IF APPROPRIATE)

The personal data transferred concern the following special categories of data:Data Exporter may submit personal data to the Data Importer through the Services, the extent of which is determined and controlled by the Data Exporter in compliance with Applicable Data Protection Law and which may concern the following special categories of data, if any:

• racial or ethnic origin;

• political opinions;

• religious or philosophical beliefs;

• trade-union membership;

• genetic or biometric data;

• health; and

• sex life

PROCESSING OPERATIONS

The personal data transferred will be subject to the following basic processing activities:

• As necessary to complete a contract for the Service.

In more detail, TeamDream makes available its Service to Customer and hereby stores and processes Personal Data about Customer on our Service infrastructure to facilitate speedy authentication, communication and a measure of security to Users of the Service.

TeamDream will send mails to people invited to the platform, allow people to become Members of the Space at the discretion of the Customer and allow Members to share Contenton the Space with the goal to further innovation and idea sharing for Customer.

The purpose of TeamDream’s processing of personal data on behalf of Customer is:

Customer is able to use Our Service, owned, developed and managed by TeamDream to facilitate idea sharing, collecting, commenting, rating, prioritizing, assigning and tracking. In this, Customer and any personal data and Content submitted by Customer is processed by TeamDream. The Personal Data transferred will be processed in accordance with the ToS and may be subject to the following processing activities:

• storage and other processing necessary to provide, maintain and update the Services provided to the Data Exporter;

• to provide customer and technical support to the Data Exporter; and

• disclosures in accordance with the Agreement, as compelled by law

The processing includes the following types of personal data about data subjects:

For membership purposes:

• Name

• Email address

• Telephone number (optional)

• Short biographical description (optional)

• Personal profile picture (optional)

• Member ID

• Submitted Content (optional)

• Customer subdomain

• Customer company name

• Type of subscription

For analytics and customer support purposes:

• IP address

• Time zone

• Browser

• Browser version

• Device

• Current URL

• Initial referrer

• Initial referring domain

• Operating system

• Referrer

• Referring domain

• Screen height and screen width

• Search engine and search keyword

• UTM parameters

• Time on site

• Last seen time

• Approximate geolocation

For billing purposes:

• Customer ID

• VAT ID (optional)

• Full address (optional)

• Payment details (optional)

• Credit card transaction data (optional)

• Credit card user credentials (optional)

Appendix B: Terms of TeamDream’s use of Sub-Processors

1. Terms of TeamDream’s use of Sub-Processors

TeamDream hasCustomer’s general consent for the engagement of Sub-Processors. Customer acknowledges that in connection with the performance of the Services, TeamDream employs the use of cookies, unique identifiers, web beacons and similar analytics and tracking technologies. TeamDream shall maintain appropriate notice, consent and opt­ in mechanisms as are required by Data Protection Laws.

2. Sub-Processors

As Data Processor TeamDream ensures that the Sub-Processors are subject to data protection obligations not less protective as those specified in this Data Processing Agreement on the basis of a contract or other legal document under EU law or the national law of the Member States, in particular providing the necessary guarantees that the Sub-Processor will implement the appropriate technical and organisational measures in such a way that the processing meets the requirements of the General Data Protection Regulation.

Customer acknowledges and agrees that (i) TeamDream’s Affiliates may be retained as Sub­-Processors;and (ii) TeamDream and TeamDream’s Affiliates respectively may engage third­ party Sub­-Processors in connection with the provision of the Services. TeamDream oran TeamDream Affiliate has entered into a written agreement with each Sub­processor containing data protection obligations not less protective than those in thisAgreement and applicable law with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub­processor. If, in the performance of this DPA, TeamDream transfers any Personal Data to a sub-Processor located outside of the EEA, TeamDream shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the Sub-Processing by TeamDream for purposes of Clause 11 of the StandardContractual Clauses.

3. List of Sub-Processors

TeamDream shall make available to Customer the current list of Sub­Processors for the Services.Such Sub­-Processor lists shall include a specification of the legal entity of those Sub­-Processors and the location of Customer Data. This list is available online at https://teamdream.co.uk/sub-processors.

4. Changes in Sub-Processors

Customer can find a mechanism to subscribe to notifications of new Sub-Processors under (https://teamdream.co.uk/sub-processors. If Customer subscribes, TeamDream shall provide notification of a new Sub­processor(s) before authorizing any new Sub­processor(s) to process personal data in connection with the provision of the Service.

5. Right to Object

TeamDream will give the Customer the opportunity to object to the engagement of the newSub-Processors within 7 days after being notified. The objection must be based on reasonable grounds. If TeamDream and Customer are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination.

6. International Transfers

TeamDream may transfer and process Customer Data anywhere in the world where TeamDream, its Affiliates or its Sub­processors maintain data processing operations. TeamDream shall at all times provide an adequate level of protection for the CustomerData processed, in accordance with the requirements of Data Protection Laws. Specifically, TeamDream shall ensure a valid legal basis for any such transfer, as outlined in Chapter 5 GDPR and Articles 45­49 thereof.

Instruction pertaining to the use of personal data

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c): Firewalls, SSL certificates, web application firewalls, secure development lifecycle management, secure coding practices, 2FA access, SOC 2Type II audit, internal vulnerability assessments, continuous employee education, virus/malware scanning, and more.

Storage Limits and Erasure

Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the Parties.

Personal data are stored with TeamDream until Customer or a Member requests that their data are erased or returned. TeamDream allows Customers to export their raw data at anytime in the industry standard JSON format. Additionally, customer data can be deleted upon request at termination or will be deleted in accordance with TeamDream’s internal data retention policies.

Inspection and Audit Reports

TeamDream shall provide written responses (on a confidential basis) to reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm TeamDream's compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, TeamDream shall make available to Customer that is not a competitor of TeamDream (or Customer’s independent, third­party auditor that is not a competitor of TeamDream) information regarding TeamDream’s compliance with the obligations set forth in the DPA.

Customer is entitled to contact TeamDream to request an a remote or on­site audit of the architecture, systems and procedures relevant to the protection of PersonalData at locations where Personal Data is stored. Customer shall reimburse TeamDream for any time expended by TeamDream or its third party Sub­processors for any such on­site audit at TeamDream’s then­ current professional services rates, which shall be made available to Customer upon request.

Before the commencement of any such on­site audit, Customer and TeamDream shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All costs will be documented, and reimbursement rates shall be reasonable, taking into account the resources expended by TeamDream, or its third ­party Sub­processors. Customer shall promptly notify TeamDream with information regarding any non­compliance discovered during the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of ninety (60) days notice to TeamDream

Encryption of Customer Content

In the database,We encrypt non-searchable content such as passwords, but do not encrypt your content otherwise so you can search across members and content whenever you need to find that one specific idea.

When a User uses the TeamDream Service, the details of their interactions are captured and sent to TeamDream through API calls over HTTPS. All of our other APIs and websites also  use HTTPS exclusively. Everything Customer and User send toTeamDream, and everything TeamDream sends to Customer and User is sent through fully encrypted channels. TeamDream employs the Transport Layer Security protocol with RSA-2048 encryption to keep our communication private.

The Google CloudPlatform encrypts customer data stored at rest by default. Data in Google CloudPlatform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs  are encrypted with (or “wrapped” by) a key encryption key (KEK). For more information, please see https://cloud.google.com/security/#dataencryption.

Customer Data Separation

Access is granted through sending along an authentication token in requests. This token then holds a set of allowances based on the User's rank and the Space(s), Missions, and all other Content the User has access to.

This provides  logical separation  between data belonging  to multiple Users. TeamDream  is the sole tenant on our infrastructure. A Customer's data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separates oneUser from another User's data.

Single-sign on and multifactor authentication

TeamDream supports SAML single sign-on. Depending on what single sign-on provider Customer has, multi-factor authentication is an option Customer can enable with their single sign-on provider.  Details on how to enable single sign-on can be found in access settings.

Location and Storage of Customer Data

GDPR does not require that Personal Data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks including the Privacy Shield and DPAs.

TeamDream’s application and database servers are located within the European Union, specifically in Frankfurt, Germany on Google Inc. servers. This means, at rest, your Content will never leave the EU. As a company, Google Inc. has certified with the US Department of Commerce that it adheres to the Privacy ShieldPrinciples under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

The Service itself may be provided using equipment or facilities located in the EuropeanUnion or the United States. The US Sub-Processors are either Privacy Shield compliant or have executed Standard Contractual Clauses (as approved by theEuropean Commission) that provide legal grounds for assuring that, when processed in the United States, the personal data of EU citizens that are processed when using the Service will receive an adequate level of protection within the meaning of Article 46 of Regulation (EU) 2016/679 (General DataProtection Regulation). Personal Data is partly stored and processed by these Sub-Processors.

Google is our production hosting provider. Google hard drives leverage technologies like FDE(full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data centre adheres to a strict disposal policy and any variances are immediately addressed.

Security Checks and Scans

TeamDream runs regular security scans via a third-party service, and our source code is automatically checked as it is committed. Every time TeamDream update any of the external code dependencies, TeamDream performs a full security audit to verify that no vulnerabilities have entered the TeamDream code base. TeamDream also subscribe to various security mailing lists for the software TeamDream uses.

The latter ensures TeamDream is always aware of recently discovered vulnerabilities and can either put workarounds or available patches in place.

Handling of Customer Data by Personnel

Access to the datastore is restricted to a very small number of people, and there is no way for TeamDream to “impersonate” or view Content via an account switcher interface or see it through the admin user interface.

In cases where TeamDream needs to troubleshoot errors, TeamDream will either test it in a development environment or get explicit Customer permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time) or by requesting screen sharing. Access and access requests to TeamDream databases and server infrastructure and all code change commits are logged for security purposes.

As outlined in our Terms of Service, support personnel have access to certain contact information and activity logs by default to be able to service Customer as best as possible. Access to this kind of data is restricted with two-factor authentication at all times and Personal Data is not sold to third parties.

Replication of Customer Data

TeamDream creates back-ups of Customer Data three times a day and retains these back-ups for up to a month. In case of a security, technical, physical or data-loss incident, roll-backs of Customer Data can be initiated in a timely manner.