Default Data Processing Addendum 2019-07-23T11:20:42-04:00

Mattermost, Inc.

Personal Data Protection Policy

This Personal Data Protection Addendum (“Policy”) describes the policies of Mattermost, Inc. (the “Company”) with respect to the Processing of Personal Data.

For purposes of this Policy, the following definitions shall apply:

“Data Subject” means a natural person whose Personal Data is Processed by the Company. Data Subjects include system users of the customer’s self-hosted communication system when the system is connected to HPNS and the sharing of Personal Data is enabled. Data Subjects also include persons whose Personal Data is made available to system users and shared by the system users in messages that trigger push notifications.

“EEA” means the European Economic Area.

“Europe” means the EEA and Switzerland.

“EU Data Protection Law” means the EU Data Protection Directive 95/46/EC, as amended and repealed from time to time including by the EU General Data Protection Regulation 2016/679 (“GDPR”) when it enters into force, the e-Privacy Directive 2002/58/EC as amended by Directive 2009/136/EC and as amended and replaced from time to time, and their relevant EU national transposition legislations; any other applicable EU Directives; the national laws in the EEA implementing such EU directives; the Swiss Federal Act on Data Protection; (as amended and replaced from time to time); the UK Data Protection Act (as amended and replaced from time to time); and the Data Protection Acts of the EEA countries (as amended and replaced from time to time).

“Law(s)” means any statute, regulation, ordinance, rule, order, decree, or governmental requirement enacted, promulgated, or imposed by any governmental authority at any level (e.g., municipal, county, province, state or national). Law(s) includes all Privacy Laws.

“Personal Data” means any information that Provider or its Personnel collect, receive or obtain, from or on behalf of the Company’s customers that (a) relates to an identified or identifiable natural person, or (b) otherwise qualifies as personal data, personal information, or personally identifiable information under one or more of the Privacy Laws. Personal Data may include the following examples, depending on the context: an individual’s name, user name, social security number, driver’s license number, postal address, email address, geolocation, credit account numbers, and vehicle identification number (“VIN”). Personal Data received by HPNS may also be of an arbitrary nature if the customer enables the sending of message preview snippets to HPNS, which allows contents from messages users send to be transmitted.

“Personal Data Breach” means any unauthorized Processing, loss, destruction, use, disclosure, acquisition of, or access to Personal Data.

“Personnel” means any employees, agents, consultants, or contractors of the Company.

“Privacy Laws” means all Laws applicable to the matters covered by this Policy and relating in any way to the privacy, confidentiality, or security of Personal Data, including the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); the Health and Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d); the Invasion of Privacy Act (Cal. Penal Code §§ 630–638.55); EU Data Protection Law; the Privacy Shield; and implementing Laws of any national, state, or local government with respect to any Privacy Laws.

“Privacy Shield” means the U.S.-EU Privacy Shield Framework and the U.S.-Switzerland Privacy Shield Framework concluded between the U.S. Department of Commerce, and the European Commission and the Swiss government respectively, to enable transfers of Personal Data from Europe to organizations in the U.S. that have self-certified to this framework.

“Process” or “Processing” means, with respect to Personal Data, any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processing of Personal Data.

The Company will Process Personal Data only as necessary to perform its obligations under it agreements with its customers, and in compliance with all applicable Privacy Laws. The processing will only take place on written instructions by the Customer. The company will inform the Customer if, in its opinion, an instruction infringes any applicable Privacy Laws. By entering into an agreement with the Company, or by providing Personal Data to the Company, a Customer instructs the to Company Process such Personal Data. Provider shall provide at least the same level of privacy and security protection for Personal Data as is required by this Addendum and applicable Privacy Laws. Personal Data the customer chooses to send to HPNS undergoes Processing for the purpose of being relayed from the customer server to mobile applications used by its end users, provided via iTunes and Google Play. The nature of the processing is to have the HPNS relay receive the information from the customer server and move the information into a transmission to the mobile applications to receive the message sent and any Personal Data the customer chooses to include, before discarding the data, which is only stored in computer memory and not written to persistent storage, such as a hard drive.

Sub-Processing of Personal Data.

The Company may engage third-party Sub-processors in connection with the provision of the Services. In this case, the company will notify the Customer prior to the engagement. The customer then has the right to object to the engagement of another sub-processor. As a condition to permitting a third-party sub-processor to Process Personal Data, the Company will enter into a written agreement with each sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this Policy, to the extent applicable to the nature of the services provided by such sub-processor.

Subject Matter of Processing.

The Company’s Mattermost Enterprise Edition is a self-hosted software system and does not require the Company to come in contact with Personal Data from its customers unless customers choose a specific configuration of the system that uses the optional Mattermost Hosted Push Notification Service (HPNS), in lieu of the self-hosted option also offered. HPNS relays mobile push notification messages from the customer’s self-hosted server to mobile apps in iTunes and Google Play, which are used by end users on the customer’s system. Customers can configure HPNS to share no Personal Data in relaying messages to mobile applications–only notifying users that they have received an alert based on their personal notification preferences–or the customer may choose to enable information that may include the following types of Personal Data: usernames (if the customer enables the feature to display usernames in the HPNS relay), and message preview snippets (which may include Personal Data shared by users in messages, if the customer enables the ability to display message preview snippets for the HPNS relay). While the IP address of the self-hosted server instance is also contained in relay requests, because it does not identify a specific user it is not considered Personal Data in this context. Data subjects include the Company’s end-users including employees and contractors of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by the Company.

Internal records.

The Company will maintain and make available records of all Processing of Personal Data to the extent required by applicable Laws.

Transfers of Data Received in the European Union.

With respect to Personal Data received by the Company from the European Union, the Company will not transfer Personal Data outside the European Union unless the transferee is certified under the Privacy Shield or is located in a country which the European Commission or a national data protection authority has determined to provide an adequate level of protection under EU Data Protection Law, or to a data recipient which has implemented adequate safeguards under EU Data Protection Law such as approved Binding Corporate Rules or Standard Contractual Clauses. There are multiple HPNS servers available to the Company’s customers, and the customer can choose servers located in the United States (various locations by connecting to or in Germany (Frankfurt by connecting to

Privacy Shield Certification.

The Company self-certifies to and complies with the EU-U.S. Privacy Shield Framework, as administered by the U.S. Department of Commerce.

Internal Protection of Personal Data.

The Company will limit access to Personal Data to its Personnel who have a need to know the Personal Data and who have committed themselves to maintain the confidentiality of such Personal Data.

Duration of Processing; Retention of Personal Data.

The duration of the Processing typically happens in less than a fraction of a second between when the Personal Data is received and when it is discarded. The Company will not retain your Personal Data longer than necessary to fulfill the purposes for which it is Processed, including the security of our Processing complying with legal and regulatory obligations (e.g. audit, accounting and statutory retention terms), handling disputes, and for the establishment, exercise or defense of legal claims in the countries where the Company does business. The Company will delete or return  to the data controller all Personal Data after the end of the provision of services relating to Processing.

Internal Governance; Security Safeguards.

The Company will keep in place appropriate training, monitoring and Processing policies to comply with this Policy and with applicable Laws. In addition, the Company will, taking into account the nature of the Personal Data and the risks involved in the Processing, maintain reasonable and appropriate security measures, including technical and organizational safeguards, designed to (a) ensure the security and confidentiality of Personal Data; (b) protect Personal Data against any anticipated threats or hazards to the security and integrity of such information; and (c) protect Personal Data against any actual or suspected unauthorized Processing, loss, use, disclosure or acquisition of, or access to such information.

Data Breach Notification.

In the case of a Personal Data Breach, the Company (i) will notify affected Data Subjects and (if required) the relevant governmental supervisory authority according to the requirements of, and within the timeframes provided for under, applicable Laws and (ii) will assist the Data Controller in ensuring compliance with the obligations of Articles 32-36 of the GDPR, to the extent applicable to the Processing of the Personal Data.

Rights of Data Subjects.

Data Subjects may request from the Company information as to how Personal Data relating to such Data Subject has been stored, how the Personal Data was collected, and for what purpose. If such Personal Data is incorrect or incomplete, the Data Subject can cause the Company to correct or supplement it. The Data Subject may request his/her Personal Data to be deleted if the processing of such Personal Data has no legal basis, or if the legal basis has ceased to apply. The Data Subject may request the identity of the recipient of the Data Subject’s Personal Data if such Personal Data has been transmitted to a third party. The Data Subject can object to the processing of his or her Personal Data for purposes of advertising or market/opinion research. The Data Subject may otherwise object to his/her Personal Data being processed, and the Company will take such objection into account in relation to all applicable Laws. If a Data Subject requests that the data controller take any actions with respect to Personal Data processed by the Company, the Company will, taking into account the nature of the Processing, assist the data controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the data controller’s obligation to respond to such requests.

Contact Information.

Any person with questions about this Policy or about the Company’s handling, Processing or protection Personal Data may contact the Company’s Privacy Officer at