Last Updated: 31/08/2022 (Version 1.0.7)
Pitch Software GmbH
In the course of the fulfillment of the contract between Pitch Software GmbH, Joachimstraße 7, 10119 Berlin (the "Processor") and the customer (the "Customer", together with the Processor the "Parties") regarding the provision of the Processor's software to the Customer (the "Contract"), it is possible that the Processor deals with personal data pursuant to Art. 4 no. 1 General Data Protection Regulation ("GDPR"), i.e. any information relating to an identified or identifiable natural person (e.g. names, addresses or phone numbers of persons who are the Customer's customers), with regard to which the Customer acts as a controller pursuant to data protection law (the "Customer Data"). This agreement (the "Agreement") specifies the data protection obligations and rights of the Parties in connection with the Processor's use of Customer Data to render the services under the Contract.

2. #### Scope of the Processing
The Processor processes the Customer Data in accordance with the instructions of the Customer, unless the Processor is legally required to do otherwise. In the latter case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Customer Data in accordance with this Agreement, the Customer shall indemnify the Processor from all such claims upon first request.
The Processor shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.

6. #### Security of Processing
The Customer grants the Processor the general authorization to engage further processors with regard to the processing of Customer Data. Further processors engaged at the time of conclusion of this Agreement are listed in Annex 7.2. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Data cannot be excluded, as long as the Processor takes reasonable steps to protect the confidentiality of the Customer Data. In order to receive notifications with respect to adding or replacing existing subprocessors, the Customer may subscribe to a mailing list using the following link: pitchapp.typeform.com/to/Mjivi4yI. Subprocessor notifications will occur no later than 14 days prior to any changes, in order to allow the Customer to object. An objection may only be raised by the Customer for important reasons which have to be substantiated vis-à-vis the Processor. Insofar as the Customer does not object within 14 days after receipt of the notification, the Customer's right to object to the corresponding engagement lapses. If the Customer objects, the Processor is entitled to terminate the Contract and this Agreement with a notice period of three months until the end of a month.
The Processor shall support the Customer within reason by virtue of technical and organisational measures in fulfilling the Customer's obligation to respond to requests for exercising data subjects' rights.
Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security regarding the Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Customer in a timely manner of any reportable events in the Processor's area of responsibility. The Processor shall assist the Customer in fulfilling the notification obligations at the Processor's request to the extent reasonable and necessary. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Customer.
|1||Purpose and extent of Data Processing||Provision of the Pitch software as a web application, desktop application, or mobile application, which functions as a platform for creating, collaborating on, and distributing presentations; the collection, storage, analysis and reporting to the Customer of data and metrics of reader engagement with presentations; fulfilment of the Processor's obligations under the Contract.|
|2||Types of personal data||Contact data; usage data; any data filled in by the Customer in the Software; Employee Data; Customer Data; Supplier Data; User-generated Data; User data; Profile data; Usernames; password; email; logfiles; data relating to reader interaction with presentations|
|3||Categories of data subjects||Users of the Pitch software; readers of presentations; possibly other data subjects mentioned or included in data filled in by the Customer in the Software.|
According to Art. 32 GDPR, the controller and processor of personal data must take technical and organizational measures (TOM) to ensure that the security and protection requirements of data protection are met. Technical measures are to be understood as all protective measures that are physically implementable in the broadest sense, such as securing doors and windows, or measures implemented in software and hardware, such as setting up a user account and password requirement. Organizational measures are to be understood as protective measures that are implemented through instructions and procedures.
|No.||Category of Measures||Description of Category||Technical Measures||Organisational Measures|
|1||Encryption (Art. 32 (1) a) GDPR)||Cryptographic measures to ensure that information is hashed when transferred internally or externally and can only become readable again by using the correct encryption key.||Encryption of the company website (“data in motion”)|
|Encryption of data carriers on laptops/notebooks and mobile data carriers ("data at rest")|
|2||Confidentiality – physical access control (Art. 32 (1) b) GDPR)||Measures to prevent unauthorised persons from gaining access to data Processing systems with which personal data is processed or used.||Security of the buildings, windows and doors with an alarm system||Digital keys management system|
|Automated access control system and manual locking system with safety locks|
|Light barriers/motion detectors|
|Video surveillance of entrances|
|3||Confidentiality – data access control (Art. 32 (1) b) GDPR)||Measures to prevent data Processing systems from being used without authorisation.||Authentication with username/password, and/or biometric methods||Allocation of user rights, definition of user profiles, assignment of passwords, and assignment of user profiles to IT systems|
|Use of Intrusion-Detection-Systems||Immediate blocking of authorization when employees leave the company|
|Locked housings / security locks|
|Password protected screensavers and automated screen locking in case of inactivity, and two-factor user authentication|
|Implementation of virtual networks for the separation of data streams|
|4||Confidentiality – data usage control (Art. 32 (1) b) GDPR)||Measures to ensure that persons entitled to use a data Processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, altered or removed without authorisation in the course of Processing or use and after storage.||Use of document shredders or appropriate service providers and physical deletion of data media before reuse||Development of an authorization concept (differentiated authorisations for reading, editing or deleting data) and password procedures (incl. special characters, minimum length, change of password)|
|Assignment of rights by system administrator|
|5||Confidentiality – transmission control (Art. 32 (1) b) GDPR)||Measures to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or transport or storage onto data carriers, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.||Documentation of all interfaces||Documentation of recipients of data and the time periods of planned surrender or agreed erasure time limits|
|6||Confidentiality – separation control (Art. 32 (1) b) GDPR)||Measures to ensure that data collected for different purposes can be processed separately.||Segregation of functions (production/testing)||Development of an authorization concept|
|Separated databases and separate tables within database||Logical client separation|
|7||Integrity – input control (Art. 32 (1) b) GDPR)||Full documentation of data management and maintenance must be maintained - to ensure the ongoing integrity of data. Measures for subsequent checking whether data has been entered, changed or removed (deleted), and by whom.||No local admin privileges||Assignment of authorisations for input|
|Alteration and erasure of data on the basis of an authorisation concept|
|8||Availability – availability control (Art. 32 (1) b) GDPR)||Measures to ensure that personal data is protected from accidental destruction or loss.||Air conditioning in server rooms||Alarm during unauthorized entry into server room|
|Fire extinguishers in server rooms, installation of fire and smoke detection systems, uninterruptible power supply (UPS)||Remote data backup in secure outsourced locations|
|Monitoring of temperature and humidity and power outlet strip with surge protection in server rooms||Development of an emergency plan and a disaster recovery plan, in flood areas: server rooms above waterline|
|Server room not under sanitary facilities|
|9||Availability – job control (Art. 32 (1) b) GDPR)||Measures to ensure that, in the case of commissioned Processing of personal data, the data is processed only in accordance with the instructions of the Controller.||Selection of the Processor giving consideration to diligence aspects (in particular with respect to data security)|
|Contractual penalties for breaches|
|Written instructions to the Processor (e.g. Data Processing Agreement) as defined in Art. 28 (2) GDPR|
|Processor has appointed a Data Protection Officer|
|Efficient rights of control agreed with the Processor|
|Putting the Processor's employees under an obligation of data confidentiality (Art. 28 Abs. 3 lit. b GDPR)|
|Assurance of deletion of the data at the end of the provision of services, continuous control of the Processor and its activities|
|Use of Subcontractors requires the Controller's consent and prior verification and documentation of the security measures taken by the Processor|
|10||Resilience (Art. 32 (1) b) GDPR)||Measures to ensure the resilience of the systems and services that guarantee that the systems and services are designed in such a way that even high peak loads and high continuous loads of Processing can be handled.||Testing of storage, access and line capacities|
|11||Restoration of availability (Art. 32 (1) c) GDPR)||Measures to ensure that availability of and access to the data can be restored in a timely manner in the event of a physical or technical incident.||Redundant design of the infrastructure (of hard disks, e.g. RAID)||Backup concept|
|Cloud Service||Testing of data restoration|
|12||Data protection management (Art. 32 (1) d) GDPR)||Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the Processing.||Checking of the DSB and the IT revision|
|No.||Name of the further processor||Description of processing via this further processor|
Auth0, Inc., 10800 NE 8th Street
Suite 600, Bellevue, WA 98004, USA
Amazon Web Services Inc.
410 Terry Avenue North, Seattle, WA 98109-5210, USA.
|Secure cloud service platform for database storage|
Zebrafish Labs (Imgix), 423 Tehama Street
Floor 1 San Francisco, CA 94103, USA
|Image optimization software|
Longtail Ad Solutions, Inc.
(JWPlayer), 2 Park Ave FL 10, New York, NY, 10016-5675, USA
|Live collaboration enabling software|
28 Scrutton Street London, EC2A 4RP, United Kingdom
|API service for adding real-time bi-directional|
775 14th Street, San Francisco, CA, 94114, USA
|Enterprise SSO software|
340S Lemon Ave #9214, Walnut, CA, 91789, USA
|In-app notification software|
34-37 Liverpool Street, Unit 4.06, 4th Floor, London, EC2M 7PP, United Kingdom
|Video transmission software|
Sendgrid Twilio Germany GmbH
Rosenheimer Str. 143C, 8167, München, Germany
301 Howard St, 3rd floor, San Francisco, CA 94105, USA
Please contact us on email@example.com, should you have any questions.