Data Processing Agreement
Data Processing Agreement
1.1 “Data Protection Law” means all data protection laws and regulations that apply to the Processing of Personal Data by GaggleAMP under the Agreement, which may include, without limitation, GDPR, LGPD, and PIPEDA.
1.2 “Data Subject” means an identified or identifiable natural person to whom any Personal Data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.4 “GaggleAMP” means GaggleAMP, Inc.
1.5 “LGPD” means the Brazilian General Data Protection Law, Law No. 13,709, of August 14, 2018.
1.6 “Personal Data” means any data that the Customer submits using the Services for GaggleAMP to Process on Customer’s behalf that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law.
1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.8 “PIPEDA” means the Personal Information Protection and Electronic Documents Act.
1.9 “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10 “Services” As described in the Agreement.
1.11 “Standard Contractual Clauses” means with respect to Member States of the European Economic Area (“EEA”), Switzerland and Brazil, the standard contractual clauses adopted by the European Commission as of June 4, 2021, the text of which is available at: https://eur lex.europa.eu/legal- content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU Standard Contractual Clauses”), and with respect to the United Kingdom, the EU Standard Contractual Clauses supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at: https://ico.org.uk/media/for organisations/documents/4019483/international-data-transfer-addendum.pdf (“International Data Transfer Addendum”) (together with the EU Standard Contractual Clauses, the “UK Standard Contractual Clauses”), including any updated, amended, or subsequent version thereof approved by the respective data protection authority.
1.12 “Swiss DPA” means the Swiss Data Protection Act, as amended or replaced.
2. DATA PROCESSING AND PROTECTION
This DPA applies whenGaggleAMP Processes Customer’s data for whichGaggleAMP will act as “processor” or “service provider” (or other analogous variations of such terms) under Data Protection Law.
2.1 Limitations on Use. GaggleAMP will Process Personal Data only: (a) in a manner consistent with documented instructions from Customer in the Agreement, including (i) to provide the Services described on Annex 1 to the Standard Contractual Clauses, (ii) as otherwise permitted under the Agreement, and (iii) consistent with other reasonable written instructions of Customer; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law. Without limiting the foregoing, GaggleAMP will not collect, retain, use, or disclose the Personal
Data for any purpose other than as necessary for the specific purposes of performing the Services, building or improving the quality of its services, detecting data security incidents or protecting against fraudulent or illegal activity, and complying with law, legal inquiry, or law enforcement or exercising or defending legal claims. In particular, GaggleAMP will not collect, retain, use,sell, or disclose the Personal Data for a commercial purpose other than the foregoing purposes.
2.2 Confidentiality. GaggleAMP will subject persons authorized by GaggleAMP to Process any Personal Data to appropriate confidentiality obligations.
2.3 Security. GaggleAMP will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach per the GaggleAMP InfoSec Overview attached as Annex II.
2.4 Return or Disposal. GaggleAMP will delete all Personal Data after the end of the provision of Services (unless applicable law requires GaggleAMP to store any Personal Data, in which case GaggleAMP will continue to protect the Personal Data in accordance with the terms of this DPA).
2.5 Customer Obligations. Customer will not instruct GaggleAMP to perform any Processing of Personal Data that violates any Data Protection Law. GaggleAMP may suspend Processing based upon any Customer instructions that GaggleAMP reasonably suspects violate Data Protection Law. Subject to the cooperation of GaggleAMP as specified in this DPA, Customer will be solely responsible for safeguarding the rights of Data Subjects, including determining the adequacy of the security measures in relation to Personal Data which Customer uploads to the Services and providing any necessary notice to or obtaining any necessary consent from Data Subjects regarding the Processing. Customer agrees that: (i) it will comply with its obligations as a Data Controller under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to GaggleAMP, and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for GaggleAMP to process Personal Data and provide the Services pursuant to the Agreement and this DPA. Notwithstanding Section 2.3, Customer agrees that except to the extent expressly provided in this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Services.
DATA PROCESSING ASSISTANCE
3.1 Data Subject’s Rights Assistance. Taking into account the nature of the Processing of Personal Data by GaggleAMP under the Agreement, GaggleAMP will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible and as necessary, for the fulfillment of Customer’s obligations to respond to requests for exercising Data Subject’s rights under Data Protection Law with respect to Personal Data solely to the extent Customer does not have the ability to address such Data Subject request without such assistance using functionality provided in the Services. GaggleAMP will promptly inform Customer of any Data Subject request relating to Processing of Personal Data.
3.2 Security Assistance. To assist Customer in its efforts to ensure compliance with the security requirements under Data Protection Law, GaggleAMP has made available to Customer its GaggleAMP InfoSecOverview per section 2.3 above.
3.3 Data Protection Impact Assessment Assistance. Taking into account the nature of GaggleAMP’s Processing of Personal Data and the information available to GaggleAMP, GaggleAMP will provide reasonable assistance to Customer as strictly required for Customer to comply with its obligations to conduct data protection impact assessments if required under Data Protection Law in connection with GaggleAMP’s Processing of Personal Data under the Agreement.
3.4 Personal Data Breach Notice and Assistance. GaggleAMP will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of Processing and the information available to GaggleAMP, GaggleAMP will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any notification obligations required under Data Protection Law related to any Personal Data Breach.
GaggleAMP will also provide written responses to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm GaggleAMP’s compliance with this DPA, provided that Customer will not exercise this right more than once per year. Such responses are GaggleAMP’s Confidential Information. Customer or a third-party auditor reasonably acceptable to GaggleAMP, at Customer’s expense, may conduct an audit of GaggleAMP’s processing activities on GaggleAMP’s cloud based systems only when and as required by a supervisory authority or Data Protection Law. Such audit must (i) be scheduled on at least 45 days advance notice at a mutually agreed date and time; (ii) occur during GaggleAMP’s normal business hours; (iii) be permitted only to the extent required to assess GaggleAMP’s compliance with this DPA; (iv) comply with the policies, procedures, and other restrictions reasonably imposed by GaggleAMP and, if applicable, the Subprocessor; and (v) not unreasonably interfere with GaggleAMP’s business activities. Customer’s auditor will not be entitled to access information subject to third-party confidentiality obligations. Customer will provide written communication of any audit findings to GaggleAMP, and the results of the audit will be the confidential information of GaggleAMP.
Customer authorizes GaggleAMP to use GaggleAMP’s Affiliates and third-party subprocessors to Process Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Customer may view the list of current Subprocessors at the following link: https://accounts.gaggleamp.com/subprocessors. GaggleAMP will (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from Customer; and (ii) notify Customer (for which email will suffice) if it adds or replaces a Subprocessor at least ten (10) days prior to any such changes. If Customer reasonably objects to a Subprocessor, Customer must inform GaggleAMP within five (5) days. If GaggleAMP is unable to resolve Customer’s objection, either party may, upon notice and without liability, terminate the Services that use the objected-to Subprocessor. GaggleAMP will: (i) enter into a written agreement or affirmatively accept online terms of service with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Personal Data to the standard required by applicable Data Protection Law; and (ii) GaggleAMP shall remain liable to Customer for a Subprocessor’s failure to fulfill its data protection obligations.
Personal Data may be transferred to any country in which GaggleAMP or its Subprocessors maintain facilities. This Section 6 only applies to the transfer of Personal Data from the EEA, the United Kingdom, Switzerland, or Brazil to a third country that has not been deemed adequate by the applicable data protection authority. For each applicable version of the Standard Contractual Clauses between GaggleAMP and Customer: (a) Customer and GaggleAMP are deemed to have executed the Standard Contractual Clauses as of the effective date of this DPA; and (b) Customer is the “data exporter” and GaggleAMP is the “data importer.
6.1 Transfers from the EEA and Switzerland and Brazil. GaggleAMP will conduct the transfers of Personal Data from the EEA, Switzerland, Canada, and Brazil pursuant to the attached EU Standard Contractual Clauses or any other data transfer mechanism permitted under Data Protection Law of each applicable jurisdiction. With respect to the EU Standard Contractual Clauses, the following apply if GaggleAMP is an entity outside the EEA or Switzerland or Brazil: (i) Module Two (controller to processor); (ii) Annexes I and II attached hereto; (iii) “Member State” refers to the country from which the Personal Data originates (irrespective of whether the country is a member state of the European Union); (iv) “jurisdiction” and “supervisory authority” refer to the respective data protection authority that enforces Data Protection Law; (v) Clause 7; (vi) in Clause 9, option 2 for general written authorization with a time period of ten days; (vii) in Clause 11, the optional text is not included; (viii) in Clauses 17 and 18, (a) selecting option 2 and specifying Ireland and (b)selecting option 2 and specifying Switzerland or Brazil, respectively, for Personal Data subject to the Swiss DPA, PIPEDA, or the LGPD; and (vii) for Personal Data subject to the Swiss DPA, PIPEDA, or the LGPD, references to the GDPR and “that Regulation” will be read as references to the relevant provisions of the Swiss DPA, PIPEDA, or the LGPD. With respect to a transfer from GaggleAMP to a Subprocessor pursuant to the EU Standard Contractual Clauses, GaggleAMP will conduct the transfer under Module Three (processor to processor) and GaggleAMP shall be the “data exporter” and the Subprocessor shall be the “data importer.”
6.2 Transfers from the United Kingdom. GaggleAMP will conduct the transfer of Personal Data from the UK pursuant to the UK Standard Contractual Clauses or any other data transfer mechanism permitted under UK Data Protection Law, which may include binding corporate rules. With respect to the International Data Transfer Addendum, the following selections and content shall apply: (i) Table 1 shall consist of the content in Sections A-B of Annex I attached hereto; (ii) for Table 2, the Approved EU SCCs are selected with the following modules, clauses, or optional provisions applied: (a) Module Two (controller to processor); (b) Clause 7; (c) in Clause 9, option 2 for general written authorization with a time period of ten days; and (d) in Clause 11, the optional text is not included; (iii) Table 3 shall consist of the content in Annex I (Sections A-B) and Annex II of this DPA; and (iv) for purposes of Table 4, neither Party may end the Addendum except by mutual agreement.
LIMITS OF LIABILITY
Any claims brought under or in connection with this DPA, by and between Customer and GaggleAMP will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. No one other than a party to this DPA, its successors and permitted assignees will have any right to enforce any of its terms, except as specifically provided for by applicable Data Protection Law.
8.1 If there is a conflict (a) this DPA will prevail over the Agreement and (b) the Standard Contractual Clauses will prevail over this DPA. Except for the matters covered by this DPA, all terms of the Agreement, remain in effect. Capitalized terms not defined in this DPA have the same meaning as in the Agreement. Except as otherwise stated in the Agreement, this DPA and the Standard Contractual Clauses will automatically terminate upon the termination or expiration of GaggleAMP’s services.
8.2 Each party's signature to this DPA shall be considered a signature to the Standard Contractual Clauses. If so required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required. In the event that the parties have entered into the Standard Contractual Clauses hereunder and subsequently the Privacy Shield Principles become a valid transfer mechanism and GaggleAMP becomes compliant with the Privacy Shield Principles, as applicable, the parties agree that their agreement to the Standard Contractual Clauses shall be rescinded, null, and void and the Privacy Shield Principles shall govern.
8.3 If a law enforcement agency sends GaggleAMP a demand for Personal Data (for example, through a subpoena or court order), GaggleAMP will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, GaggleAMP may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then GaggleAMP will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless GaggleAMP is legally prohibited from doing so.
LIST OF PARTIES
Name: As specified in Customer’s Account Dashboard
Address: As specified in Customer’s Account Dashboard
Contact person’s name, position and contact details: As specified in Customer’s Account Dashboard Activities relevant to the data transferred under these Clauses:
Data Exporter is the legal entity that has entered into an agreement with the Data Importer for use of the Data Importer’s social media services.
Signature and date: As specified in Customer’s Account Dashboard Role: Controller
Data Protection Officer and/or Representative in the European Union:
Name: GaggleAMP Inc.
Address: 9450 SW Gemini Drive, PMB 95302, Beaverton, Oregon 97008-7105
Contact person’s name, position, and contact details:
Glenn Gaudet, CEO
9450 SW Gemini Drive, PMB 95302
Beaverton, Oregon 97008-7105
Activities relevant to the data transferred under these Clauses:
GaggleAMP is a provider of an online cloud-based platform providing marketing and third party social media utilization and reporting services.
Signature and date: As specified in the Master Services Agreement
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individuals whose personal information is input into the GaggleAMP platform and services by the data exporter as part of the data exporter’s use of the GaggleAMP platform for its social media services.
Categories of personal data transferred
The data processed by GaggleAMP includes: names, contact information, (e.g. address, email, telephone); social media information and activity metrics, and other information input by the Data Exporter in the GaggleAMP system.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). The data will be transferred on a continuous basis.
Nature of the processing
The data importer will process personal data to perform the services described in the agreement to which these Clauses are incorporated, including storing, analyzing and otherwise processing such personal data for the duration and scope set forth in such agreement.
Purpose(s) of the data transfer and further processing
GaggleAMP will process personal data to perform the services described in the agreement to which these Clauses are incorporated, including storing, analyzing and otherwise processing such personal data for the duration and scope set forth in such agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the agreement entered into by Data Exporter and Data Importer and up to sixty days thereafter.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The names of sub-processors currently engaged by Data Importer and the nature and scope of their processing can be found at: https://accounts.gaggleamp.com/subprocessors (Annex III)
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Data Protection Commission of Ireland
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Technical and Organizational Measures
GaggleAMP, Inc is committed to safeguarding the confidentiality, integrity and availability of all physical and electronic information assets of the organization to ensure that regulatory, operational and contractual requirements are fulfilled. The technical and organizational measures (TOMs) provided below apply to the GaggleAMP Platform except where Client is responsible for security and privacy TOMs. Evidence of the measures implemented and maintained by GaggleAMP may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon request from the Client.
Information Security Risk Management
GaggleAMP's approach to information security is risk-based and addresses the likelihood and impact of threats and vulnerabilities to its data. GaggleAMP will maintain a program to periodically assess, monitor and track risks.
Information Security Policies
Policies and procedures will be developed and updated by appropriate staff, reviewed and approved annually or as business needs change, and made available to all relevant audiences, including employees and any supplemental personnel, during onboarding and via training. GaggleAMP will align policies to related documents such as procedures, controls, records, contractual obligations, and laws.
Human Resources Security
Prior to employment, screening will be conducted to ensure candidates understand their responsibilities, background checks are to be carried out according to relevant laws and regulations, a non-disclosure agreement must be signed by all employees, contractors or others who will have information access, and the Acceptable Use Policy must be signed.
During employment, user compliance with IT security policies and procedures will be enforced. Information security awareness, education and training will be delivered to employees and contractors during onboarding, and at least annually thereafter.
Upon termination of employment or contract, all of GaggleAMP's physical assets will be returned as soon as possible and access to all information systems will be disabled and revoked within 24 hours.
An inventory of all devices connected to GaggleAMP's systems is maintained and updated periodically. Classification of information will be used to derive data protection requirements related to loss, value, criticality, and sensitivity to unauthorized disclosure or modification. Information will be classified as one of three categories: Confidential, Non-Public, and Public. GaggleAMP will only collect confidential information that is required to perform the services procured by Customers. Customer Personal and Confidential information is retained for no longer than necessary to provide the services, unless continued retention of a Customer’s Personal and Confidential Information is required by law. No personal information will be migrated from production into a development or test environment.
Procedures are in place for the management of removable/portable storage media which align to classification. Storage media will be disposed of securely and safely when no longer required, using appropriate procedures. GaggleAMP will publish to its customers how it collects, processes and protects the personal information of its users; and the procedures for initiating queries and complaints related to personal information.
GaggleAMP will establish and maintain access control rules and restrictions to its physical and information assets in line with the business justification for access, and applicable laws, regulations and or contractual obligations. Access to networks and networked services will be role based and provisioned based on the rule of least privilege. Access to Non-Public and Confidential data will be based on explicit authorization. Users will have unique combinations of usernames and passwords, except for approved specific administrative accounts. Passwords must be complex and not based on easily guessable words or personal information. Whenever possible user access must include a multi-factor authentication. Privileged access will be limited to users where role or authority level is appropriate. A process will be defined for the periodic review of access for appropriateness and for the removal or adjustment to access in a timely manner.
GaggleAMP will restrict network access to employees, contractors and third-parties that are known to it and will establish set rules for: lockout procedures for unsuccessful access attempts; password complexity; and duration for password resets.
Physical and Environmental Security
GaggleAMP is a remote-first company and all IT equipment is considered to be off premises. Security of equipment and IT assets off premises will address risks inherent to mobile and tele-networking environments. Production systems are hosted in a secure environment according to industry best practices and information security standards.
Operations and Communications Security
GaggleAMP will maintain documentation of the IT equipment. Computer equipment will be safeguarded against viruses and other malicious code. Basic user awareness training will be included in the annual IT Security training and in the onboarding IT Security training.
Regular backups are performed. Backup restore procedures will be tested annually. Encryption is applied when required to protect backups. Hardware, operating system and software updates will be updated timely and documented. Vendor supplied software used in operational systems will be maintained at a level that is supported by the supplier. Network controls will ensure the protection of information transmitted over company networks and security of supporting infrastructure. Information transfer procedures will protect all information communicated within the company and to third parties.
GaggleAMP will employ cryptographic controls where possible. Data in transit and data at rest (on storage media) will be encrypted, as appropriate with their data classification.
Supplier Relationships and Information Systems Acquisition
Contractual partners and contracted consultants must sign a non-disclosure agreement prior to accessing the production systems. Definitions of operational requirements for new systems or enhancements to existing systems must contain security requirements. All changes to production environments should comply with existing routines.
GaggleAMP will develop policies governing the request, documentation, testing and approval of changes, including changes of infrastructure, data, and software development. All technology acquisition, development and maintenance processes are governed by change management procedures.
Information Security Incident Management
GaggleAMP will maintain an incident response plan and follow documented incident response policies including data breach notification to affected parties without undue delay where a breach is known or reasonably suspected to affect Client Data. All information security events and incidents will be documented and investigated.
GaggleAMP will maintain a business continuity plan that will include a documented emergency response process defining what immediate actions must be taken in the event of certain occurrences. It will also define a disaster recovery procedure for each critical system that ensures a timely application recovery. Annual testing and review of disaster recovery plans will ensure that the recovery objectives can be met.