
Effective from September 1st, 2023 to May 10, 2024

Data Processing Agreement

for Storyblok Services

1. Subject of the Agreement & Role of the Parties

Customers may upload and manage a variety of content such as texts, images, videos or other files to and via the Storyblok Services. Such content may contain Personal Data Customer chooses to include. In this context, Storyblok is a Processor of such Customer Data on Customer’s behalf. Storyblok will only process such Customer Data pursuant to this DPA. This DPA serves as a supplement and forms an integral part of the Agreement. The Parties agree to comply with the terms and conditions of this DPA in connection with Processing of Personal Data.

2. Definitions

2.1 “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2 “Controller” means the entity which determines the purposes and means of the Processing of Customer Data; Controller under this DPA is the Customer.

2.3 “Processor” means the entity which Processes Personal Data on behalf of the Controller; Processor under this DPA is Storyblok.

2.4 “Processing” or to “Process” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.5 “Customer” means the entity that executed or signed the Order Form and/or entered into the Terms; Customer is the Controller under this DPA.

2.6 “Customer Data” means Personal Data submitted by or on behalf of Customer as part of Customer Content to the Storyblok Services as more closely defined in Annex 1.

2.7 “Applicable Data Protection Laws” means all data protection and privacy laws, legislation and regulations under EU law and the Member State Law that apply to the Data Processor, including the GDPR and local laws implementing or supplementing the GDPR (and in each case, as may be amended, superseded or replaced).

2.8 “GDPR” or “General Data Protection Regulation” means Data Protection Directive 95/46/EC and as of 25 May 2018 the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.9 “Standard Contractual Clauses” or “SCC” means the Standard Contractual Clauses pursuant to GDPR and the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.10 “Security Incident” means any actual unauthorized disclosure of or access to Customer Data, or compromise of the Storyblok Services or Storyblok’s systems that (as determined by Storyblok) resulted in such disclosure or access, and excluding any unauthorized disclosure or access that is caused by Customer or Customer's failure to adequately secure infrastructure, equipment, systems or accounts. Security Incidents shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

2.11 “DPA” means this data processing agreement.

2.12 “Terms” shall mean the General Terms and Conditions (“GTC”) of Storyblok available under https://www.storyblok.com/terms and/or any other binding agreement entered into between Customer and Storyblok for the provision of Storyblok Services such as Order Form and/or any other binding agreements.

2.13 “Privacy Policy” shall mean the Storyblok Privacy Policy available under https://www.storyblok.com/privacy-policy.

2.14 “Third Country” means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).

2.15 “Storyblok” means Storyblok GmbH, Peter Behrens-Platz 2, 4020 Linz, Austria being the Processor under this DPA.

2.16 All other capitalized terms not defined herein shall have the meaning set forth in the Terms.

3. Description of Processing and Personal Data Processed

3.1 In Scope: Storyblok Processes Customer Data Customers choose to include as part of Customer Content. In this context, Storyblok is a Processor of Personal Data. Storyblok will only Process such data pursuant to the Agreement, including this DPA. A description of the Processing of Customer Data is set out in Annex 1. The Parties acknowledge and agree that the description of Processing can be updated by Storyblok from time to time to reflect new products, features or functionality within the Storyblok Services. Storyblok will update relevant documentation to reflect such changes.

3.2 Out of Scope: Subject to the foregoing, this DPA does not apply to data relating to the Customer’s use, support and/or operation of Storyblok Services and websites, including information relating to Customer personnel such as contact data, log-in information, activity logs, use patterns, cookie data or other information regarding the use of Storyblok Services and websites. To the extent any such data is considered Personal Data, Storyblok is responsible as a Data Controller, and processes such data in accordance with its Privacy Policy and Applicable Data Protection Law.

4. Processing

4.1 Permitted Purpose: Storyblok will Process Customer Data strictly in accordance with the documented lawful instructions of Customer. Customer hereby instructs Storyblok, to process the Customer Personal Data as necessary to provide the Storyblok Services and to perform its obligations pursuant to the Agreement (“Permitted Purpose”). Storyblok will inform Customer of any unlawful instructions or legal requirement which prevents it from complying with Customer’s instructions, unless prohibited from doing so by applicable law.

4.2 Customer Obligations: Customer shall be responsible for complying with Applicable Data Protection Law, in particular in relation to the allocation of Processing with respect to Storyblok, and for the lawful Processing of Customer Data itself. Customer is responsible for providing any necessary notices to, and obtaining and maintaining any necessary rights, consents, and authorizations from, Data Subjects whose Personal Information is provided by Customer to Storyblok for Processing pursuant to the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Customer shall only transfer Customer Data to Storyblok using secure, reasonable, and appropriate mechanisms. Customer remains the owner or holder of all relating rights of Customer Data.

4.3 Error Correction: Customer shall inform Storyblok without undue delay when noticing any mistakes, errors or other irregularities. Storyblok shall without undue delay correct such mistakes, errors or irregularities.

4.4 Cooperation: To the extent Storyblok is required under Applicable Data Protection Laws, Storyblok shall provide reasonably requested information and assistance regarding the Storyblok Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

5. Sub-Processors

5.1 Engagement of Sub-Processors: Customer acknowledges that Storyblok may engage third-party sub-processors in connection with the provision of the Storyblok Services. Customer hereby authorizes Storyblok to appoint sub-processors in accordance with this section.

5.2 Authorized Sub-Processors: The current list of sub-processors which are engaged in Processing Customer Data for the performance of Storyblok Services, including countries of location, are attached hereto as Annex 3 (“Authorized Sub-Processors”). Storyblok has entered into a written agreement with each Authorized Sub-Processor containing, in substance, data protection obligations no less protective than those in the DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Storyblok Services provided by such Authorized Sub-Processor. Customer hereby authorizes Storyblok to engage the Authorized Sub-Processors and consents to their location and Processing activities.

5.3 Change of Sub-Processors and new Sub-Processors: Customer provides a general written authorization to Storyblok to engage sub-processors for the processing of Customer Data, subject to Section 5.4 of this DPA and the following requirements: (i) Storyblok will restrict access to Customer Data by sub-processors to what is reasonably necessary to provide the services of such sub-processor, (ii) Storyblok will agree upon data protection obligations with the sub-processor in accordance with GDPR, (iii) Storyblok shall be liable for the acts and omissions of its sub-processors to the same extent Storyblok would be liable if performing the services of each sub-processor directly under the terms of this DPA.

5.4 Notification of changes to Sub-Processors and right to object: Storyblok will inform (via electronic notice, email or other reasonable means) Customer within reasonable time prior to any change of Authorized Sub-Processors or new sub-processors it plans to engage. Storyblok will update the list of Authorized Subcontractors when authorizing new sub-processors to Process Personal Data in connection with the provision of Storyblok Services. Customer may object to Storyblok’s engagement of new sub-processors for commercially reasonable reasons within 30 days after being notified of such update. After such 30-day period any such change or new subcontractor shall be deemed accepted. If Customer provides commercially reasonable objections then both Parties will negotiate in good faith and seek a mutually agreeable solution. If the Parties are unable to find a mutually agreeable solution within a reasonable period of time, which shall not exceed thirty (30) days after Customer’s objection, either Party may terminate the Agreement entered into between the Parties for convenience. In case of termination for such reason, Customer shall – upon written request to Storyblok – be entitled to a pro-rata refund of prepaid fees for the unused subscription period following the effective date of the termination, calculated on a month-by-month basis and excluding any commenced month. Any further claims by Customer resulting from such termination shall be excluded or waived.

5.5 Third Country Transfers: Storyblok may transfer Customer Data to service providers located in Third Countries on the condition that any such transfer is in compliance with GDPR and all appropriate safeguards required by Applicable Data Protection Laws are in place. Unless an adequacy decision or alternative transfer mechanism applies, Storyblok shall enter into and shall maintain Standard Contractual Clauses with sub-processors located in Third Countries. In such case where SCCs shall apply, Storyblok shall assess each transfer prior to any data being transferred by conducting transfer impact assessments. Following such assessment, Storyblok shall identify, adopt and monitor appropriate supplementary technical, contractual, and organizational measures to protect the transferred data.

6. Term & Termination

6.1 Term: The DPA enters into effect simultaneously to the effective date of the Agreement and remains in full force and effect during the term of the Agreement plus any period after termination or expiration during which Storyblok Processes Customer Data (either as required by law or as agreed in the Agreement). For the sake of clarity, the possibility of extraordinary termination for cause or in the case of a breach of the Terms remains unaffected for Storyblok. This DPA will terminate automatically upon the termination or expiration of the Agreement, plus any period after the termination or expiry of the Agreement during which Storyblok will process Customer Personal Data in accordance with the Agreement or applicable law.

6.2 Consequences of Termination: Upon termination or expiration of the Storyblok Services according to the Agreement, Storyblok and its sub-processors shall, within reasonable time, permanently return, erase, or (in case Customer Data is contained in an archived computer system backup that was made in accordance with Storyblok’s security and/or disaster recovery procedures) block for access for any third party any Customer Data, unless there is a legal obligation for the storage of Personal Data, in which case Customer Data will continue to be Processed for the time laid out by law. Upon Customer’s request Storyblok will confirm the return, destruction, erasure, and/or blocking of all information and records by Storyblok and, where applicable, its sub-processors, within reasonable time.

7. Security

7.1 Technical and Organizational Measures: Storyblok shall implement and maintain appropriate technical and organizational measures to ensure the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data as defined in more detail in Annex 2 (Technical and Organizational Measures). Storyblok regularly monitors compliance with these measures and may update, modify or implement alternative adequate measures from time to time provided that Storyblok will not materially decrease the overall security of the Storyblok Services during a Subscription.

7.2 Confidentiality of Processing: Storyblok shall ensure that all the persons engaged in the Processing of Personal Data (including e.g. Storyblok’s staff, agents, contractors, advisors and/or sub-processors) either (i) have been obliged to maintain confidentiality or (ii) are subject to an appropriate statutory obligation of confidentiality, prior to taking up their activity. To the extent permitted by applicable law, this duty of confidentiality shall remain in force also after the employment or engagement for Storyblok has ceased.

7.3 Security Incident: Storyblok will notify Customer if a Security Incident occurs in such a way that the Customer can fulfill its legal obligations, in particular in accordance with Articles 33 and 34 of the GDPR, within 72 hours of confirming the existence of a Security Incident. Storyblok will without undue delay take all necessary and reasonable measures to remedy the Security Incident. Both Parties shall take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. Storyblok may limit the scope of, or refrain from delivering, any disclosures to the extent reasonably necessary to avoid compromising the integrity of the Storyblok Services or Storyblok, an ongoing investigation, or any other customer’s data. Notification(s) of Security Incidents will be delivered to Customer’s registered notification email address. It is Customer’s sole responsibility to ensure that it maintains accurate contact information on the service management console and secure data transmission at all times.

7.4 Support & Assistance: In case of Security Incident, Storyblok will, to the best of its ability, assist Customer in ensuring compliance with its obligations pursuant to Applicable Data Protection Laws by providing relevant information which may include: (a) the nature of the Security Incident, including, where possible, the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) the likely consequences of the Security Incident; (d) the measures taken or to be taken to address the Security Incident, including, where appropriate, the measures to mitigate its possible adverse effects and (e) justifications for any delay in notification.

7.5 Supervisory authority & Government requests: In case Storyblok receives a request from a competent supervisory authority, government, government agencies or similar third parties (“Requesting Party”) requiring access to or inspections of Customer Data, Storyblok shall advise such Requesting Party that all Customer Data belongs to Customer, not Storyblok, and that Customer Data is confidential. To the extent legally possible, Storyblok will not disclose information to the Requesting Party without first providing notice to Customer about the request and giving Customer the opportunity to consent to or object to the request and seek an appropriate protective order. If Storyblok is prohibited from giving such notice to Customer or from giving such notice prior to access, Storyblok will try to challenge the access request if it is invalid or unlawful to the extent recourse is available. If no such recourse exists or if Storyblok is unsuccessful in challenging the request, Storyblok will make all reasonable efforts to narrow the scope of the request to the extent permitted by law. If a transfer of Customer Data is to take place, Storyblok shall ensure that it takes place subject to confidentiality obligations similar to those stipulated in this DPA. In case of valid and lawful requests, Customer and Storyblok shall cooperate, on request, with the Requesting Party.

8. Data Subject Rights

8.1 Data Subject Rights: Customer is responsible for responding to any request by a Data Subject to exercise their rights under Applicable Data Protection Laws. Storyblok shall implement and maintain technical and organizational measures to enable Customer to fulfil the rights of Data Subjects pursuant to Applicable Data Protection Law (information, disclosure, correction and deletion, data portability, objection, as well as automated decision making in individual cases) within the statutory deadlines and shall provide Customer with all the information reasonably required to comply with such rights.

8.2 Data Subject Requests: If a request is submitted directly to Storyblok which mistakenly considers Storyblok the Controller of Personal Data, Storyblok will forward the request to Customer without undue delay and inform the requester accordingly. Customer is responsible for responding to any request by a Data Subject to exercise their rights under Applicable Data Protection Laws. Storyblok will not in its own discretion respond to data subject requests concerning data subject rights on behalf of the Customer, but only on documented instructions from Customer.

9. Audits

9.1 Information Requests: Storyblok, upon at least 15 (fifteen) business days prior written request of Customer, shall make available to Customer all information legally required to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR, including responding to security or audit questionnaires or requests for information. Storyblok may at its sole discretion also provide a copy of its most recent relevant third-party audits or certifications to customer to demonstrate compliance with this DPA. Customer shall exercise such requests only in reasonable intervals. Any responses, information or documentation provided by Storyblok shall be considered Confidential Information.

9.2 Customer Audit Requests: Customer may request an audit of Storyblok’s processing activities under this DPA affecting Customer Data. Such audits may be conducted by Customer or a third-party auditor contracted by Customer, when: (i) the information made available pursuant to Section 8.1 of this DPA is not sufficient to demonstrate compliance with the obligations set out in this DPA; (ii) Customer has received a notice from Storyblok of a Security Incident; or (iii) such an audit is required by the Applicable Data Protection Laws or by decision of a competent supervisory authority.

9.3 Process & Requirements for Audits:

Any audits may only be conducted subject to the following requirements: (i) any audit has to be announced with at least 30 (thirty) days’ advance written notice to Storyblok and shall be limited to facilities operated by Storyblok; Customer and Storyblok shall mutually agree upon the scope, timing, and duration of the audit prior to any audit; (ii) Customer may not audit Storyblok more than one time per year unless (a) Storyblok experienced a Data Breach or (b) Customer is able to evidence material non-compliance with this DPA or (c) an earlier audit has identified non-conformity with this DPA or Applicable Data Protection Law or (d) such audit is required by law or decision of a competent supervisory authority; (iii) any costs and additional expenses for Storyblok (including costs for the resources expended by or on behalf of Storyblok) resulting from audits shall be borne by Customer and reimbursed to Storyblok, unless the audit is required due to the fault of Storyblok; (iv) Customer or any third-party auditor appointed by Customer shall act reasonably, in good faith, taking into account the nature and complexity of the Storyblok Services; any audit may only be conducted during Storyblok’s normal business hours, for a reasonable duration and shall not unreasonably interfere with Storyblok’s business operations; Storyblok shall have the right to reasonably adapt the scope of any audit to avoid or mitigate risks with respect to service levels, availability, integrity of the Storyblok Services and/or confidentiality of Storyblok’s or other Storyblok customers’ information; Storyblok shall in any case not be required to disclose to Customer or its third-party auditors, or to allow Customer or its third-party auditors to access: (a) any data or information of any other Storyblok customer; (b) any trade secret or internal accounting or financial information of Storyblok; (c) any information that, in Storyblok’s reasonable opinion, could compromise the security of Storyblok Services or premises or cause Storyblok to breach obligations under Applicable Data Protection Law or security or confidentiality obligations to any other Storyblok customer or any third party; or (d) any information that Customer or its authorized representatives or third-party auditors seek to access for any reason other than the good faith fulfilment of Storyblok's obligations under the Applicable Data Protection Law and Storyblok's compliance with the terms of this DPA; (v) Customer and its authorized representatives and/or any third-party auditor contracted by Customer participating in an audit shall be qualified to conduct such audit, must not be or be engaged by a Competitor of Storyblok and shall have entered into applicable non-disclosure agreements with Storyblok; third-party auditors shall be a reputable, internationally recognized and independent entity; Storyblok has the right to object to any Customer representative or third-party auditor on the basis that they do not comply with these prerequisites; (vi) Customer shall provide Storyblok with information regarding any non-compliance discovered during the course of an audit without undue delay; any responses, information, documentation or other findings obtained during audits shall be kept strictly confidential and shall be stored for the minimum time required; Customer shall certify deletion of such information upon Storyblok’s request.

10. General

10.1 Order of precedence: In case of discrepancies between the rest of the Agreement and this DPA, the terms and conditions of this DPA shall prevail.

10.2 Amendments: Amendments and additional agreements to this DPA must be made in written form and with explicit reference to this DPA.

10.3 Severability: If and to the extent any provision of this DPA is held invalid or unenforceable at law, such provision will be deemed stricken from the DPA and the remainder of the DPA will continue in effect and be valid and enforceable to the fullest extent permitted by law.

10.4 Assignment: This DPA is binding upon and inures to the benefit of the parties and their heirs, executors, legal and personal representatives, successors and assigns, as the case may be.

10.5 Governing Law & Jurisdiction: This DPA is to be governed and construed under the laws of Austria, without regard to its choice of law provisions. The parties agree that the exclusive jurisdiction and venue for any action to enforce this DPA shall be the competent court in Linz, Austria.

Annex 1 - Description of Processing and Personal Data Processed

Categories of Personal Data included in Customer Content: Personal Data uploaded to the Service by Customer as part of Customer Content.

(Customer may include Personal Data in the Customer Content submitted to the Storyblok Services, the extent of which is determined and controlled by Customer in its sole discretion, which may include the following categories of data subjects: employees, contractors, representatives, agents, and other individuals; Customer’s customers, partners, users, and vendors; etc.)

Personal Data included in Customer Content: Personal Data uploaded to the Service by Customer as part of Customer Content.

(Customer may include Personal Data in the Customer Content submitted to the Storyblok Services, the extent of which is determined and controlled by Customer in its sole discretion.)

Sensitive Data: None; Customer is prohibited from using the Storyblok Services to process any such data under the terms of the Agreement.

Processing Activities: Provision of cloud-based content management infrastructure, software as a service; organization, ordering, storing, dissemination and other forms of provision, and deletion of data.

Nature & Purpose of Processing: See Section 4.1 of the DPA

Duration of Processing: See Section 6.1 of the DPA

Frequency of Processing: Continuous

Annex 2 - Technical and Organizational Measures

CONFIDENTIALITY

Datacenter: Storyblok is hosted in datacenters that comply with security standards and compliance certifications like ISO 27001, NIST 800-171, or FedRAMP. Storyblok verifies that these standards are audited by a third party. Special attention is paid to access control against unauthorized entrance to the data processing locations, e.g.: key, swipe or chip cards, electric door openers, porters, security personnel, alarm systems, video systems; the internal data processing systems are only accessible to the administrator with a key and, possibly, two-step authentication; data processing locations are monitored via CCTV.

Internal Access: Employee access to company data is monitored and controlled via Mobile Device Management tools.

Access control: No unauthorized reading, copying, changing or deleting of production data is possible. Access to the database is secured with a password and two-step authentication. Access to the server is only possible via SSH and for authorized users only. Granted authorizations are periodically reviewed. All access attempts and successful log-ins to internal systems shall be registered.

-Pseudonymisation: If possible for the respective data processing, the primary identification features of the personal data are removed within the respective data application and stored separately.
-Data classification scheme: In accordance with the statutory obligations or self-assessment (confidential/internal/public). All data is classified as internal by default and only clearly marked or obvious marketing materials are considered public data.
-Client-Separation: Client separation for data processing leverages a tagging system with universal unique identifiers that are coupled with the authentication token. This applies to all entry types associated with a particular user or space.

Data encryption: All data is encrypted in transit and at rest (servers, databases, and devices). Storyblok uses only industry proven cryptographic mechanisms (TLS, AES, …) and follows international best practices when discontinuing outdated or insecure algorithms.
INTEGRITY

Disclosure control: No unauthorized reading, copying, changing or deleting during electronic forwarding or transport of data, e.g.: encryption, Virtual Private Networks (VPN), electronic signatures.

Input control: Review of changes made to personal data. Automatic logging of access attempts and changes to data.

Patch management: We distinguish between patch management for libraries and environments for the Storyblok product. For both patch management processes, automatic procedures are in place to keep the environments up to date. Implementation of patch-related changes is handled via the change management process.
AVAILABILITY & CAPACITY

Availability control: Protection against random or deliberate destruction or loss of data, e.g.: backup strategy (on-line/off-line; on-site/off-site), uninterrupted power supply (UPS, diesel generator), virus protection, firewall, reporting channels and emergency plans; security checks at the infrastructure and application level, multi-level security concept with encrypted outsourcing to a backup data centre, standard processes in case of staff transfer/retirement; disaster recovery and business continuity plans.

Recoverability: All systems are designed with high availability mechanisms. Failover infrastructure is leveraged to support data processing. Data backups are tested on a regular basis.

Deletion periods: For the data as well as the meta data such as log files, etc. deletion periods are defined in accordance with legal requirements.
PROCEDURES FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION

Data privacy policy: A data privacy policy is in place, available to all parties and regularly reviewed.

Data protection management: Storyblok operates an information security management system (ISMS) that follows the ISO 27001 standard. Regular reviews are conducted ad hoc and on demand by third-party security specialists.

Security reviews: ISO 27001 audits are conducted on an annual basis by a registered external auditor. Penetration tests are conducted by external experts at least twice per year. Vulnerability scans are conducted on an on-going basis internally using automated tools that scan every code change committed to the source code repositories.

Incident-response-management: Incidents are handled on a case-by-case basis. First the incident will be mitigated and all necessary remediation strategies will be put into place. As soon as we know that there is a security incident all customers will be informed within 12 hrs no matter if their data is affected or not. The information if they are affected, not affected, or if we don’t know yet will be included in the notification.

Procurement process: No processing of data on behalf of a controller pursuant to Art. 28 GDPR without corresponding instructions from the Data Controller, e.g.: transparent contract design, formalized order management, strict selection of the processor (ISO certification, ISMS), due diligence, follow-up controls.

Annex 3 - Authorized Subprocessors

AWS

Amazon Web Services EMEA SARL

38 avenue John F. Kennedy, L-1855, Luxembourg

Activity: Cloud Hosting Provider; hosting of Customer Content

Datacenter Location: Default EU Datacenter

Website: https://aws.amazon.com/?nc2=h_lg

Privacy Policy: https://aws.amazon.com/privacy/?nc1=f_pr

GDPR compliance information, Technical & Organizational Measures: https://aws.amazon.com/compliance/gdpr-center/