Data Processing Agreement

In the course of providing services to End Users, GaggleAMP may process personal data on Customer’s behalf where such personal data is subject to certain data protection laws. To this end, we offer a data processing agreement (“DPA”) as provided below. This DPA is governed by and incorporated by reference into the GaggleAMP Terms and Privacy Policy entered by and between you, the Customer and GaggleAMP (collectively “Agreement”). Please note that because we have so many customers, we are not able to change this data protection addendum for any particular customer.

1. DEFINITIONS

1.1 “Data Protection Law” means all data protection laws and regulations that apply to the Processing of Personal Data by GaggleAMP under the Agreement, which may include, without limitation, GDPR and LGPD.

1.2 “Data Subject” means an identified or identifiable natural person to whom any Personal Data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.3 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.4 “GaggleAMP” means GaggleAMP, Inc.

1.5 “LGPD” means the Brazilian General Data Protection Law, Law No. 13,709, of August 14, 2018.

1.6 “Personal Data” means any data that the Customer submits using the Services for GaggleAMP to Process on Customer’s behalf that is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law.

1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.8 “Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.9 “Services” means the services as described in the Agreement.

1.10 “Standard Contractual Clauses” means with respect to Member States of the European Economic Area (“EEA”), Switzerland and Brazil, the standard contractual clauses adopted by the European Commission as of June 4, 2021, the text of which is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU Standard Contractual Clauses”), and with respect to the United Kingdom, the EU Standard Contractual Clauses supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, the text of which is available at: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (“International Data Transfer Addendum”) (together with the EU Standard Contractual Clauses, the “UK Standard Contractual Clauses”), including any updated, amended, or subsequent version thereof approved by the respective data protection authority.

1.11 “Swiss DPA” means the Swiss Data Protection Act, as amended or replaced.


2. DATA PROCESSING AND PROTECTION

This DPA applies when GaggleAMP Processes Customer’s data for which GaggleAMP will act as “processor” or “service provider” (or other analogous variations of such terms) under Data Protection Law.

2.1 Limitations on Use. GaggleAMP will Process Personal Data only: (a) in a manner consistent with documented instructions from Customer in the Agreement, including (i) to provide the Services described in Annex I to the Standard Contractual Clauses, (ii) as otherwise permitted under the Agreement, and (iii) consistent with other reasonable written instructions of Customer; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law. Without limiting the foregoing, GaggleAMP will not collect, retain, use, or disclose the Personal Data for any purpose other than as necessary for the specific purposes of performing the Services, building or improving the quality of its services, detecting data security incidents or protecting against fraudulent or illegal activity, and complying with law, legal inquiry, or law enforcement or exercising or defending legal claims. In particular, GaggleAMP will not collect, retain, use, sell, or disclose the Personal Data for a commercial purpose other than the foregoing purposes.

2.2 Confidentiality. GaggleAMP will subject persons authorized by GaggleAMP to Process any Personal Data to appropriate confidentiality obligations.

2.3 Security. GaggleAMP will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach per the GaggleAMP InfoSec Overview attached as Annex II.

2.4 Return or Disposal. GaggleAMP will delete all Personal Data after the end of the provision of Services (unless applicable law requires GaggleAMP to store any Personal Data, in which case GaggleAMP will continue to protect the Personal Data in accordance with the terms of this DPA).

2.5 Customer Obligations. Customer will not instruct GaggleAMP to perform any Processing of Personal Data that violates any Data Protection Law. GaggleAMP may suspend Processing based upon any Customer instructions that GaggleAMP reasonably suspects violate Data Protection Law. Subject to the cooperation of GaggleAMP as specified in this DPA, Customer will be solely responsible for safeguarding the rights of Data Subjects, including determining the adequacy of the security measures in relation to Personal Data which Customer uploads to the Services and providing any necessary notice to or obtaining any necessary consent from Data Subjects regarding the Processing. Customer agrees that: (i) it will comply with its obligations as a Data Controller under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to GaggleAMP; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for GaggleAMP to process Personal Data and provide the Services pursuant to the Agreement and this DPA. Notwithstanding Section 2.3, Customer agrees that except to the extent expressly provided in this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Personal Data uploaded to the Services.

3. DATA PROCESSING ASSISTANCE

3.1 Data Subject’s Rights Assistance. Taking into account the nature of the Processing of Personal Data by GaggleAMP under the Agreement, GaggleAMP will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible and as necessary, for the fulfilment of Customer’s obligations to respond to requests for exercising Data Subject’s rights under Data Protection Law with respect to Personal Data solely to the extent Customer does not have the ability to address such Data Subject request without such assistance using functionality provided in the Services. GaggleAMP will promptly inform Customer of any Data Subject request relating to Processing of Personal Data.

3.2 Security Assistance. To assist Customer in its efforts to ensure compliance with the security requirements under Data Protection Law, GaggleAMP has made available to Customer its GaggleAMP InfoSec Overview per section 2.3 above.

3.3 Data Protection Impact Assessment Assistance. Taking into account the nature of GaggleAMP’s Processing of Personal Data and the information available to GaggleAMP, GaggleAMP will provide reasonable assistance to Customer as strictly required for Customer to comply with its obligations to conduct data protection impact assessments if required under Data Protection Law in connection with GaggleAMP’s Processing of Personal Data under the Agreement.

3.4 Personal Data Breach Notice and Assistance. GaggleAMP will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of Processing and the information available to GaggleAMP, GaggleAMP will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any notification obligations required under Data Protection Law related to any Personal Data Breach.

4. AUDITS

GaggleAMP will also provide written responses to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm GaggleAMP’s compliance with this DPA, provided that Customer will not exercise this right more than once per year. Such responses are GaggleAMP’s Confidential Information. Customer or a third party auditor reasonably acceptable to GaggleAMP, at Customer’s expense, may conduct an audit of GaggleAMP’s processing activities on GaggleAMP’s cloud based systems only when and as required by a supervisory authority or Data Protection Law. Such audit must (i) be scheduled on at least 45 days’ advance notice at a mutually agreed date and time; (ii) occur during GaggleAMP’s normal business hours; (iii) be permitted only to the extent required to assess GaggleAMP’s compliance with this DPA; (iv) comply with the policies, procedures, and other restrictions reasonably imposed by GaggleAMP and, if applicable, the Subprocessor; and (v) not unreasonably interfere with GaggleAMP’s business activities. Customer’s auditor will not be entitled to access information subject to third-party confidentiality obligations. Customer will provide written communication of any audit findings to GaggleAMP, and the results of the audit will be the confidential information of GaggleAMP.

5. SUBPROCESSORS

Customer authorizes GaggleAMP to use GaggleAMP’s Affiliates and third-party subprocessors to Process Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Customer may view the list of current Subprocessors at the following link: https://accounts.gaggleamp.com/subprocessors. GaggleAMP will (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from Customer; and (ii) notify Customer (for which email will suffice) if it adds or replaces a Subprocessor at least ten (10) days prior to any such changes. If Customer reasonably objects to a Subprocessor, Customer must inform GaggleAMP within five (5) days. If GaggleAMP is unable to resolve Customer’s objection, either party may, upon notice and without liability, terminate the Services that use the objected-to Subprocessor. GaggleAMP will: (i) enter into a written agreement or affirmatively accept online terms of service with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Personal Data to the standard required by applicable Data Protection Law; and (ii) remain liable to Customer for a Subprocessor’s failure to fulfill its data protection obligations.

6. DATA TRANSFERS

Personal Data may be transferred to any country in which GaggleAMP or its Subprocessors maintain facilities. This Section 6 only applies to the transfer of Personal Data from the EEA, the United Kingdom, Switzerland, or Brazil to a third country that has not been deemed adequate by the applicable data protection authority. For each applicable version of the Standard Contractual Clauses between GaggleAMP and Customer: (a) Customer and GaggleAMP are deemed to have executed the Standard Contractual Clauses as of the effective date of this DPA; and (b) Customer is the “data exporter” and GaggleAMP is the “data importer.”

6.1 Transfers from the EEA, Switzerland and Brazil. GaggleAMP will conduct the transfers of Personal Data from the EEA, Switzerland, and Brazil pursuant to the attached EU Standard Contractual Clauses or any other data transfer mechanism permitted under Data Protection Law of each applicable jurisdiction. With respect to the EU Standard Contractual Clauses, the following apply if GaggleAMP is an entity outside the EEA, Switzerland or Brazil: (i) Module Two (controller to processor); (ii) Annexes I and II attached hereto; (iii) “Member State” refers to the country from which the Personal Data originates (irrespective of whether the country is a member state of the European Union); (iv) “jurisdiction” and “supervisory authority” refer to the respective data protection authority that enforces Data Protection Law; (v) Clause 7; (vi) in Clause 9, option 2 for general written authorization with a time period of ten days; (vii) in Clause 11, the optional text is not included; (viii) in Clauses 17 and 18, (a) selecting option 2 and specifying Ireland and (b) selecting option 2 and specifying Switzerland or Brazil, respectively, for Personal Data subject to the Swiss DPA or the LGPD; and (ix) for Personal Data subject to the Swiss DPA or the LGPD, references to the GDPR and “that Regulation” will be read as references to the relevant provisions of the Swiss DPA or the LGPD. With respect to a transfer from GaggleAMP to a Subprocessor pursuant to the EU Standard Contractual Clauses, GaggleAMP will conduct the transfer under Module Three (processor to processor) and GaggleAMP shall be the “data exporter” and the Subprocessor shall be the “data importer.”

6.2 Transfers from the United Kingdom. GaggleAMP will conduct the transfer of Personal Data from the UK pursuant to the UK Standard Contractual Clauses or any other data transfer mechanism permitted under UK Data Protection Law, which may include binding corporate rules. With respect to the International Data Transfer Addendum, the following selections and content shall apply: (i) Table 1 shall consist of the content in Sections A-B of Annex I attached hereto; (ii) for Table 2, the Approved EU SCCs are selected with the following modules, clauses, or optional provisions applied: (a) Module Two (controller to processor); (b) Clause 7; (c) in Clause 9, option 2 for general written authorization with a time period of ten days; and (d) in Clause 11, the optional text is not included; (iii) Table 3 shall consist of the content in Annex I (Sections A-B) and Annex II of this DPA; and (iv) for purposes of Table 4, neither Party may end the Addendum except by mutual agreement.

7. LIMITS OF LIABILITY

Any claims brought under or in connection with this DPA, by and between Customer and GaggleAMP will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. No one other than a party to this DPA, its successors and permitted assignees will have any right to enforce any of its terms, except as specifically provided for by applicable Data Protection Law.

8. MISCELLANEOUS

8.1 If there is a conflict, (a) this DPA will prevail over the Agreement and (b) the Standard Contractual Clauses will prevail over this DPA. Except for the matters covered by this DPA, all terms of the Agreement remain in effect. Capitalized terms not defined in this DPA have the same meaning as in the Agreement. Except as otherwise stated in the Agreement, this DPA and the Standard Contractual Clauses will automatically terminate upon the termination or expiration of GaggleAMP’s services.

8.2 Each party's signature to this DPA shall be considered a signature to the Standard Contractual Clauses. If so required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required. In the event that the parties have entered into the Standard Contractual Clauses hereunder and subsequently the Privacy Shield Principles become a valid transfer mechanism and GaggleAMP becomes compliant with the Privacy Shield Principles, as applicable, the parties agree that their agreement to the Standard Contractual Clauses shall be rescinded, null, and void and the Privacy Shield Principles shall govern.

8.3 If a law enforcement agency sends GaggleAMP a demand for Personal Data (for example, through a subpoena or court order), GaggleAMP will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, GaggleAMP may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then GaggleAMP will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless GaggleAMP is legally prohibited from doing so.




ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: As specified in Customer’s Account Dashboard
Address: As specified in Customer’s Account Dashboard
Contact person’s name, position and contact details: As specified in Customer’s Account Dashboard
Activities relevant to the data transferred under these Clauses:
Data Exporter is the legal entity that has entered into an agreement with the Data Importer for use of the Data Importer’s social media services.

Signature and date: As specified in Customer’s Account Dashboard
Role: Controller
Data Protection Officer and/or Representative in the European Union:
________________________________________________________________________

Data importer(s):
Name: GaggleAMP Inc.
Address: 9450 SW Gemini Drive, PMB 95302, Beaverton, Oregon 97008-7105
Contact person’s name, position and contact details:
Glenn Gaudet, CEO
9450 SW Gemini Drive, PMB 95302
Beaverton, Oregon 97008-7105

Activities relevant to the data transferred under these Clauses:
GaggleAMP is a provider of an online cloud-based platform providing marketing and third party social media utilization and reporting services.
Signature and date: As specified in the Master Services Agreement
Role: Processor


B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred

Individuals whose personal information is input into the GaggleAMP platform and services by the data exporter as part of the data exporter’s use of the GaggleAMP platform for its social media services.

Categories of personal data transferred
The data processed by GaggleAMP includes: names; contact information (e.g. address, email, telephone); social media information; and other information input by the Data Exporter in the GaggleAMP system.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The data will be transferred on a continuous basis.

Nature of the processing
The data importer will process personal data to perform the services described in the agreement to which these Clauses are incorporated, including storing, analyzing and otherwise processing such personal data for the duration and scope set forth in such agreement.
Purpose(s) of the data transfer and further processing

GaggleAMP will process personal data to perform the services described in the agreement to which these Clauses are incorporated, including storing, analyzing and otherwise processing such personal data for the duration and scope set forth in such agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the agreement entered into by Data Exporter and Data Importer and up to sixty days thereafter.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The names of sub-processors currently engaged by Data Importer and the nature and scope of their processing can be found at: https://accounts.gaggleamp.com/subprocessors (Annex III)
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Data Protection Commission of Ireland


ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


GaggleAMP InfoSec Overview
This document provides an overview of how GaggleAMP operates within a standard Information Security context.

What is GaggleAMP?
GaggleAMP is a fully hosted SaaS solution that allows employees and other corporate stakeholders to participate in online marketing efforts including the sharing of social media messages, taking part in social interactions, and suggested online activities. GaggleAMP empowers users to do this through two methods:
1. API access to common social media platforms such as Twitter and LinkedIn.
2. Web access to social media platforms and public websites.

What data does GaggleAMP require from the corporate customer?
GaggleAMP requires no company data from the corporate customer, with the exception of an email address to register for an account.

What data is collected on behalf of the corporate customer?
GaggleAMP tracks the effectiveness of messages and activities added to the solution and undertaken by the users. This includes:

  • How many users performed an activity
  • How many users declined an activity
  • What was the potential reach of a shared message
  • How many social interactions took place on a given social media message

GaggleAMP also provides a URL shortening service for messages shared through the solution. This tracks:

  • How many clicks did a URL receive
  • IP address reporting information, such as the geo-location from which a URL was clicked

GaggleAMP also provides aggregate analysis of this data.

What personal data is collected from individual users?
The following data is collected by GaggleAMP from individual users (Members) and is exposed to the corporate administrator (Manager):

  • email used to register
  • user name (if they registered a social media account)
  • total number of followers user has across their registered social accounts
  • total points earned by participating in GaggleAMP

The following data is collected by GaggleAMP from individual users (Members) and is NOT exposed to the corporate administrator (Manager):

  • Social media API tokens
  • Individual activity tracking

Where is GaggleAMP hosted?
GaggleAMP is hosted outside of the corporate customer’s firewall. GaggleAMP is hosted by Amazon Web Services. Amazon Web Services (AWS) is a collection of remote computing services, also called web services, that make up a cloud computing platform by Amazon.com.

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely.

AWS’s world-class, highly secure data centers utilize state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis. Environmental systems are designed to minimize the impact of disruptions to operations. Multiple geographic regions and Availability Zones allow our solution to remain resilient in the face of most failure modes, including natural disasters or system failures.

The AWS virtual infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation. For a complete list of all the security measures built into the core AWS cloud infrastructure, platforms, and services, please read their Overview of Security Processes whitepaper.

How is critical data secured?
GaggleAMP takes advantage of both the security and redundancy features of AWS. As an example, the social media API tokens are stored in a relational database managed by Amazon’s Relational Database Service (RDS). The diagram below shows our architecture in AWS. The tokens are received by the web server when the user performs the OAuth handshake and are then saved to the database.

GaggleAMP uses a dedicated AWS Virtual Private Cloud (VPC) and Security Groups to manage access to all production data. All public traffic is received by the Application Load Balancer (ALB), which is the only publicly accessible endpoint and resides in a separate DMZ subnet. The ALB forwards that traffic to our web servers, which reside in private subnets isolated from the DMZ, and only traffic on known ports is allowed to pass between the two. Finally, the RDS instance is on another isolated, private subnet, and Security Groups are configured to only allow traffic from the web server subnet on specific ports. Below is a network diagram of this configuration.

For more info on AWS VPCs, see here: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

[Network diagram of the AWS VPC configuration: ALB in the DMZ subnet, web servers in a private subnet, RDS in a separate private subnet (image not reproduced)]
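A check of the segmentation described above, written as an added example for this page and not taken from GaggleAMP’s environment: it models the three tiers (ALB in the DMZ, web servers, RDS) as security groups with ingress rules and reports any rule that widens the intended layout, such as a port range broader than the known ports or a database port reachable from the internet. The group ids (sg-alb, sg-web, sg-db), the ports and every rule below are constructed assumptions; in real use the `groups` dictionary would be filled from the output of `aws ec2 describe-security-groups` for the production VPC.

```python
"""Audit a three-tier VPC security-group layout against the isolation rule
described in the InfoSec Overview: the ALB in the DMZ subnet is the only
internet-facing entry point, web servers accept traffic only from the ALB on
known ports, and the RDS instance accepts traffic only from the web tier on
its database port. Hypothetical example; the group ids, ports and rules below
are constructed and are not GaggleAMP's actual configuration."""
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp" or "-1" (all protocols, as in the AWS API)
    from_port: int
    to_port: int
    source: str      # a CIDR block or the id of a referencing security group


# Intended layout (assumed): which sources may reach each tier, on which TCP ports.
POLICY = {
    "sg-alb": {"sources": {INTERNET}, "ports": {80, 443}},  # DMZ: public entry point
    "sg-web": {"sources": {"sg-alb"}, "ports": {8080}},     # app tier: only from the ALB
    "sg-db":  {"sources": {"sg-web"}, "ports": {5432}},     # data tier: only from web tier
}


def audit(groups: dict, policy: dict = POLICY) -> list:
    """Return one finding string per ingress rule that widens the intended layout."""
    findings = []
    for sg, rules in groups.items():
        expected = policy.get(sg)
        if expected is None:
            findings.append(f"{sg}: group not covered by policy")
            continue
        for r in rules:
            span = f"{r.from_port}-{r.to_port}"
            if r.proto != "tcp":
                # "-1" (all protocols) or UDP is never part of the intended layout
                findings.append(f"{sg}: non-TCP protocol '{r.proto}' from {r.source}")
                continue
            if r.source not in expected["sources"]:
                findings.append(f"{sg}: unexpected source {r.source} on {span}")
            if not set(range(r.from_port, r.to_port + 1)) <= expected["ports"]:
                findings.append(f"{sg}: ports {span} exceed allowed {sorted(expected['ports'])}")
    return findings


# Constructed sample: the layout exactly as described.
COMPLIANT = {
    "sg-alb": [Rule("tcp", 80, 80, INTERNET), Rule("tcp", 443, 443, INTERNET)],
    "sg-web": [Rule("tcp", 8080, 8080, "sg-alb")],
    "sg-db":  [Rule("tcp", 5432, 5432, "sg-web")],
}

# Constructed sample with two drifts: an over-wide port range on the web tier
# and the database port opened to the internet.
DRIFTED = {
    "sg-alb": COMPLIANT["sg-alb"],
    "sg-web": [Rule("tcp", 0, 65535, "sg-alb")],
    "sg-db":  [Rule("tcp", 5432, 5432, "sg-web"), Rule("tcp", 5432, 5432, INTERNET)],
}

if __name__ == "__main__":
    print("compliant:", audit(COMPLIANT) or "no findings")
    for finding in audit(DRIFTED):
        print("drifted:", finding)
```

Run periodically, a check like this turns the prose guarantee (“only traffic from the web server subnet on specific ports”) into something a pipeline can fail on when a rule is added by hand.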

How does GaggleAMP manage Backups?
As for backups, we use a Multi-AZ deployment which keeps an up-to-date read replica ready for failover at any time. For snapshots, we use the built-in backup functionality of RDS to save database snapshots on a daily basis. We also copy the snapshot to a separate AWS region every day.

How does GaggleAMP secure web traffic?
All connections to GaggleAMP are secured via SSL/TLS. Any attempt to connect over HTTP is redirected to HTTPS.

What does GaggleAMP use for login security?
Users can log in to GaggleAMP via either an email address and password or via SAML integration with the corporate customer’s Identity Provider. Password hashes are stored in our database using the bcrypt password-hashing algorithm.

GaggleAMP users can further protect their accounts by enabling our optional two-factor authentication with a verification code in addition to their password. The verification code is either delivered via SMS or retrieved from an authenticator app.

Need more information?
Contact your GaggleAMP representative or email infosec@gaggleamp.com