Where a customer uses Gearset’s data migration, masking and/or backup solutions, Gearset processes the Personal Data within the Customer’s Salesforce Orgs on behalf of the Customer. In order to comply with applicable data protection laws, Gearset’s Master Services Agreement ("MSA") incorporates by reference a Data Processing Addendum ("DPA") which governs how we process that Personal Data.
For more information on how Gearset handles Personal Data, see here.
What's in Gearset's DPA?
Gearset's DPA sets out the terms on which Gearset will process the Personal Data in a customer's Salesforce orgs, on behalf of that customer. It sets out the nature and scope of the personal data being processed, and the duration and extent of processing, and outlines the rights and obligations of Gearset and the customer, and the rights of the subjects of the Personal Data. It also sets out the level of security and protection that we afford the Personal Data, details how we engage Sub-processors, and explains what happens in the event of a data incident.
Do I need a DPA with Gearset?
If you use Gearset’s data migration, masking and/or backup solutions, then we will process the Personal Data within your Salesforce Orgs on your behalf, so the DPA will apply.
If you're only using Gearset's metadata features, then the DPA most likely does not apply, as metadata does not generally contain Personal Data. If your metadata does contain Personal Data, then the DPA will apply.
How can I sign a DPA with Gearset?
Our DPA is incorporated into our MSA by reference, so there is no need to sign any additional documentation.
If you have any questions, please speak to your usual Gearset contact, or email [email protected].