Updated: October 15, 2024
This Data Processing Addendum (“DPA”) is entered into between TapOnIt, LLC (“TapOnIt” or “Company”) and the counterparty agreeing to these terms (“Customer”), which has entered into or will enter into a Master Subscription Agreement or other written or electronic agreement for the Services provided by TapOnIt (along with any applicable Order Form, the “Agreement”). Customer and TapOnIt are individually referred to as “Party” and collectively as the “Parties.”
To the extent that TapOnIt processes any Customer Personal Data (as defined below) on behalf of the Customer (or, where applicable, the Customer Affiliate) in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.
2. Definitions
Capitalized terms used in this DPA but not defined shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA are defined as follows:
2.1 “Account Information” means Customer’s information, including Personal Data of Customer and Customer Affiliate’s users, provided for account creation, access, administration, and maintenance, and may include names, usernames, login credentials, phone numbers, email addresses, and billing information associated with a TapOnIt account;
2.2 “Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement;
2.3 “Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time;
2.4 “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.5 “Customer Personal Data” means the Personal Data processed by TapOnIt on behalf of Customer or Customer Affiliate in connection with the provision of the Services, which, however, specifically excludes Personal Data contained in Account Information;
2.6 “Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, the UK Extension of the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, and retention of GDPR Personal Data transferred from the European Union, United Kingdom, and Switzerland to TapOnIt in the United States.
2.7 “Data Protection Laws” means the relevant data protection and data privacy laws, rules, and regulations applicable to the processing, privacy, and protection of Personal Data, which include but are not limited to:
- (i) the GDPR;
- (ii) the Swiss Federal Act on Data Protection 1992 and/or the Swiss Data Protection Act 2020;
- (iii) California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 – 1798.199, 2018) and California Privacy Rights Act of 2020 (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§ 1798.100 et seq.) (together, “CCPA”);
- (iv) the Colorado Privacy Act (Colorado Rev. Stat. 6-1-1301 et seq.); and
- (v) the Virginia Consumer Data Protection Act (Code of Virginia Title 59.1, Chapter 52), as each may be amended or restated from time to time.
2.8 “Data Subject” shall have the meaning given to that term under the GDPR, “consumer” under the CCPA, or such similar terms under Data Protection Laws.
2.9 “GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), and any local implementations or applications of the same in any EEA Member State; and/or the “UK GDPR” as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018, as the context permits and to the extent applicable to a Party.
2.10 “GDPR Personal Data” means Personal Data pertaining to:
- (i) Data Subjects located in the United Kingdom, the European Economic Area (“EEA”), or Switzerland (collectively “Europe”); and
- (ii) Customers that notify TapOnIt that their Processing of Personal Data of Data Subjects outside the areas listed in (i) is subject to GDPR. For purposes of this DPA, Personal Data shall also encompass Sensitive Personal Data, if applicable. The Personal Data and the specific uses of the Personal Data are detailed in Schedule 1.
2.11 “Personal Data” means any information relating to an identified or identifiable individual or device, or that is otherwise “personal data,” “personal information,” “personally identifiable information,” or a similar term, and such terms shall have the same meaning as defined by applicable data protection laws;
2.12 “Process” shall have the meaning given to that term under the GDPR.
2.13 “Processor” has the meaning given to that term under the GDPR, and in the context of this DPA, that term or “Service Provider” means an entity that Processes Personal Data on behalf of the Customer.
2.14 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed by or otherwise controlled by or on behalf of TapOnIt, and includes any “Personal Data Breach,” as defined under Data Protection Laws, affecting Personal Data.
2.15 “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive personal data” or “special categories of personal data” under Data Protection Laws and shall include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a person, or data concerning health or data concerning a person’s sex life or sexual orientation.
2.16 “Services” means the “Services” as defined in the Agreement.
2.17 “Sub-processor” means TapOnIt Affiliates and third-party processors appointed by TapOnIt to process Customer Personal Data;
2.18 “US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy, and/or data protection in force from time to time in the United States.
3. Interaction with the Agreement
3.1 This DPA supplements and, in the event of any contradictions, supersedes the Agreement concerning the processing of Customer Personal Data.
3.2 With respect to Customer Affiliates, by entering into the Agreement, Customer warrants it is duly authorized to enter into this DPA for and on behalf of any such Customer Affiliates and, subject to clause 3.3, each Customer Affiliate shall be bound by the terms of this DPA as if it were the Customer.
3.3 Customer warrants that it is duly mandated by any Customer Affiliates on whose behalf TapOnIt processes Customer Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Customer Affiliates, and to act on behalf of the Customer Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Customer Affiliates.
3.4 The Parties agree that any notice or communication sent by TapOnIt to Customer shall satisfy any obligation to send such notice or communication to a Customer Affiliate.
4. Role of the Parties
4.1 The Parties acknowledge and agree that:
- 4.1.1 For the purposes of the GDPR, TapOnIt acts as the “processor” or “sub-processor.” TapOnIt’s function as processor or sub-processor will be determined by the function of the Customer:
- In general, Customer functions as a controller.
- In certain cases, Customer functions as a processor on behalf of Customer’s customers where Customer and Customer’s customer have concluded a data processing agreement in relation to the processing of Personal Data of Customer’s customers.
- 4.1.2 For the purposes of the US Data Protection Laws, TapOnIt will act as a “service provider” or “processor” in its performance of its obligations pursuant to the Agreement.
4.2 Account Information shall not be governed by this DPA and shall be subject to TapOnIt’s Privacy Policy.
5. Details of Data Processing
5.1 The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data, and data subjects) are described in the Agreement and in Schedule 1.
5.2 Customer Personal Data will only be processed on behalf of and under the instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall be Customer’s instructions for the processing of Customer Personal Data. Customer may issue further written instructions in accordance with this DPA.
5.3 If Customer’s instructions will cause TapOnIt to process Customer Personal Data in violation of Applicable Data Protection Laws or outside the scope of the Agreement or the DPA, TapOnIt shall promptly inform Customer thereof, unless prohibited by Applicable Data Protection Laws (without prejudice to the SCCs).
5.4 TapOnIt may store and process Customer Personal Data anywhere TapOnIt or its Sub-processors maintain facilities, subject to clause 6 of this DPA.
6. Sub-Processors
6.1 To the extent necessary to fulfill TapOnIt’s contractual obligations under the Agreement, Customer hereby authorizes the engagement of Sub-processors to Process Personal Data, provided TapOnIt enters into written agreements with the Sub-processors regarding such Sub-processors’ Processing of Personal Data. A current list of Sub-processors is available here: https://taponit.notion.site/TapOnIt-Sub-processors-120d36399259800cac0cd7a948dbbffe.
6.2 TapOnIt shall (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than TapOnIt’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA.
6.3 TapOnIt shall provide Customer with at least fifteen (15) days' notice of any proposed changes to the Sub-processors it uses to process Customer Personal Data (including any addition or replacement of any Sub-processors). Customer may reasonably object to TapOnIt’s use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs) by providing TapOnIt with written notice of the objection within ten (10) days after TapOnIt has provided notice to Customer of such proposed change (an “Objection”). In the event Customer objects to TapOnIt’s use of a new Sub-processor, Customer and TapOnIt will work together in good faith to find a mutually acceptable resolution to address such Objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either Party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other Party. During any such Objection period, TapOnIt may suspend the affected portion of the Services.
6.4 Confidentiality: Any person authorized to Process Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality. TapOnIt shall limit access to Personal Data to only those employees and other personnel with a need to have access to such Personal Data to carry out the terms of the Agreement.
7. Data Subject Rights Requests
7.1 As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Customer Personal Data (“Data Subject Request”).
7.2 TapOnIt will forward to Customer without undue delay any Data Subject Request received by TapOnIt or any Sub-processor from an individual in relation to their Customer Personal Data and may advise the individual to submit their request directly to Customer.
7.3 TapOnIt will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests. TapOnIt may charge Customer, and Customer shall reimburse TapOnIt, for any such assistance beyond providing self-service features included as part of the Services.
8. Security and Audits
8.1 TapOnIt will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Customer Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to, and/or alteration of Customer Personal Data) and against accidental loss, destruction, or damage of or to it.
8.2 TapOnIt will implement and maintain as a minimum standard the measures set out in Schedule 2. TapOnIt may update or modify such measures from time to time in accordance with clause 8.6 of the SCCs, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Customer Personal Data by TapOnIt under this DPA.
8.3 Customer or its independent third-party auditor reasonably acceptable to TapOnIt (which shall not include any auditors who are not suitably qualified or independent or are a competitor of TapOnIt) may audit TapOnIt’s compliance with its obligations under this DPA up to once per year or more frequently in the event a Security Incident has occurred or to the extent required by applicable data protection laws, including where mandated by Customer’s regulatory or governmental authority.
8.4 To request an audit, Customer must submit a detailed proposed audit plan to TapOnIt at least two weeks in advance of the proposed audit date. TapOnIt will review the proposed audit plan and work cooperatively with Customer to agree on a final audit plan. All such audits must be conducted during regular business hours, subject to the agreed final audit plan and TapOnIt’s health and safety or other relevant policies, and may not unreasonably interfere with TapOnIt business activities. Nothing in this clause shall require TapOnIt to breach any duties of confidentiality.
8.5 If the requested audit scope is addressed in an ISO 27001 certification, SOC 2 Type 2 report or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and TapOnIt confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
8.6 Customer will promptly notify TapOnIt of any non-compliance discovered during the course of an audit and provide TapOnIt any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
8.7 Any audits are at Customer’s expense. Customer shall reimburse TapOnIt for any time expended by TapOnIt or its Sub-processors in connection with such audits.
8.8 TapOnIt shall audit its Sub-processors on a regular basis and will, upon Customer’s request, confirm their compliance with data protection law and the obligations set upon Sub-processors according to the data processing agreement concluded with them. Customer may request TapOnIt to conduct further audits only in the event reasonably justified, and in such cases, TapOnIt will conduct further audits to the extent permissible.
8.9 Customer acknowledges and agrees that, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 2 are appropriate to ensure the security of the Customer Personal Data.
9. Security Incident
9.1 Security Incident Procedure: TapOnIt will deploy and follow policies and procedures designed to detect, respond to, and otherwise address Security Incidents including procedures designed to: (i) identify and respond to suspected or known Security Incidents, investigate Security Incidents and reasonably cooperate with Customer’s (and any law enforcement or regulatory official’s) investigation of the Security Incident, mitigate harmful effects of Security Incidents; and (ii) restore the availability or access of Personal Data in a timely manner.
9.2 Notice: TapOnIt shall provide Customer with notice promptly and without undue delay if TapOnIt is made aware that a Security Incident has taken place. Such notice will include information available and required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. TapOnIt’s notification of or response to a Security Incident under this clause will not be construed as an acknowledgment by TapOnIt of any fault or liability with respect to the Security Incident.
10. Cross-Border Data Transfers
10.1 Standard Contractual Clauses: The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 3 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to TapOnIt (as data importer) to the extent and for as long as TapOnIt cannot rely on the DPF according to clause 10.2.
10.2 Data Privacy Framework: TapOnIt is self-certified under the DPF and complies with the data privacy principles thereunder. To the extent and for as long as the DPF is acknowledged as a valid transfer mechanism in the relevant country/region, Personal Data originating from the EEA, UK, or Switzerland, or otherwise being subject to the GDPR shall be transferred on the basis of the DPF.
10.3 Support for Cross-Border Data Transfers: TapOnIt will provide Customer reasonable support to enable Customer’s compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. TapOnIt will, upon Customer’s request, provide information to Customer which is reasonably necessary for Customer to complete a transfer impact assessment (“TIA”). TapOnIt further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Customer’s compliance with requirements imposed on the transfer of personal data to third countries. TapOnIt may charge Customer, and Customer shall reimburse TapOnIt for any assistance provided by TapOnIt with respect to any TIAs, data protection impact assessments, or consultation with any supervisory authority of Customer.
11. Customer Personal Data Subject to the UK and Swiss Data Protection Laws
11.1 To the extent that the processing of Customer Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 5 shall apply.
12. Customer Personal Data Subject to US Data Privacy Laws
12.1 To the extent that the processing of Customer Personal Data is subject to US Data Protection Laws, the U.S. Addendum set out in Schedule 6 shall apply.
13. Data Security
13.1 Security: TapOnIt shall implement and maintain a security program that includes appropriate technical and organizational measures that are designed to ensure a level of security appropriate to risk and the nature of the information and that are further designed to protect Personal Data from unauthorized access, destruction, use, modification, or disclosure in accordance with Data Protection Laws. Further, TapOnIt shall require all Sub-processors to maintain an equivalent standard of security measures when Processing any Personal Data, taking into account the specific Processing that is being carried out by those Sub-processors.
13.2 TapOnIt shall assist the Customer in ensuring compliance with the obligations pursuant to Article 32 of the GDPR relating to security of processing, taking into account the nature of processing and information available to TapOnIt.
14. Data Deletion and Return
14.1 Disposal upon Termination: After notification from Customer that Customer seeks to terminate use of all Services, TapOnIt shall, at the Customer’s option, delete or return to Customer all Personal Data, including existing copies, from its possession or control in accordance with Data Protection Laws or provide a self-service functionality allowing Customer to do the same; and within 90 days of termination or expiration of the Agreement, delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by TapOnIt or any Sub-processors. This requirement shall not apply to the extent TapOnIt is required by applicable law to retain some or all records that include Personal Data or where such Personal Data is necessary for defense of legal claims. Upon request, TapOnIt shall provide written certification to Customer that it has destroyed or otherwise disposed of Personal Data. If TapOnIt is prevented from destroying Personal Data due to applicable law, it shall retain such Personal Data for this limited purpose and shall comply with its relevant obligations, subject to the terms and restrictions of this DPA.
15. Contract Period
This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, TapOnIt’s deletion of all Customer Personal Data as described in this DPA.
16. General
The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
This DPA and the Agreement set forth the entire agreement between the Parties with respect to the subject matter of this DPA.
Schedule 1: Details of Processing
Part 1: List of Parties
Data Exporter:
The data exporter is Customer and/or the Customer Affiliates operating in the countries which comprise the European Economic Area, UK, and/or Switzerland, and/or – to the extent agreed by the Parties – Customer and/or the Customer Affiliates in any other country to the extent the GDPR or corresponding Swiss law applies.
Customer and Customer Affiliate’s contact person’s position and contact details, as well as (if appointed) the data protection officers and (if relevant) the representative’s contact details will be notified to TapOnIt prior to the processing of personal data via email to support@taponit.com or an available form provided by TapOnIt in Customer’s account in the Services.
The activities relevant to the data transfer under these Clauses are defined by the Agreement and by the data exporter, who decides on the scope of the processing of personal data in connection with the Services further described in this Schedule 1 and in the Agreement.
Data Importer:
TapOnIt, LLC
5409 Victoria Ave
Davenport, IA 52807
The data importer’s contact person can be contacted at support@taponit.com.
The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in this Schedule 1 and in the Agreement.
Part 2: Description of Transfer
Categories of Data Subjects:
The categories of data subjects whose personal data are transferred: Customer and Customer Affiliate subscribers who are recipients of marketing communications, and other individuals who are targets of other marketing activities of the Customer, Customer Affiliates, or their customers.
Categories of Personal Data:
The transferred categories of personal data are: Determined by Customer’s configuration of the Services, and may include name, phone number, email address, address data, IP address, device identifiers, usage data (such as interactions between a user and TapOnIt’s online system, website or email, used browser, used operating system, referrer URL). Moreover, Customer and Customer Affiliate may include further personal data of data subjects as specified above (in particular in unstructured form) in connection with their use of the Services according to the Agreement.
Special Categories of Personal Data (when applicable):
The transferred personal data includes the following special categories of data: N/A – TapOnIt’s Acceptable Use Policy prohibits Customer from using the Services to solicit, display, store, process, send or transmit special categories of data. The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: N/A.
Frequency of the Transfer:
The frequency of the transfer is: The transfer is performed on a continuous basis and is determined by Customer’s configuration of the Services.
Subject Matter and Nature of the Processing:
The subject matter of the processing is: to provide a data analytics and marketing automation platform to Customers.
Purpose(s) of the Data Transfer and Further Processing:
The purpose/s of the data transfer and further processing is: to provide the Services to Customer pursuant to the Agreement so that Customer can analyze customer data, enhance its customer relationships, and send marketing and other communications to its customers.
Duration:
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration is defined in clause 14 (Data Deletion and Return) of the DPA.
Sub-processor (if applicable):
For transfers to sub-processors, specify subject matter, nature, and duration of the processing: as stipulated in clause 6 of the DPA. The Sub-processors may have access to the Personal Data for the term of this DPA or until the service contract with the respective Sub-processor is terminated or the access by the Sub-processor has been excluded as agreed between TapOnIt and Customer.
Part 3: Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs.
Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).
Schedule 2: Technical and Organizational Measures
TapOnIt has implemented the following technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of TapOnIt’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to TapOnIt’s organization, monitoring and maintaining compliance with TapOnIt’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Utilization of commercially available and industry-standard encryption technologies for Customer Personal Data that is:
  - being transmitted by TapOnIt over public networks (i.e., the internet) or when transmitted wirelessly; or
  - at rest or stored on portable or removable media (e.g., laptop computers, CD/DVD, USB drives, backup tapes).
- Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration, and usage, including prohibiting users from sharing passwords and requiring that TapOnIt’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on TapOnIt’s computer systems; (iii) have defined complexity; (iv) have a history threshold to prevent reuse of recent passwords; and (v) if newly issued, be changed after first use.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of data center, server room facilities, and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of TapOnIt facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
- Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein undecipherable or unrecoverable prior to final disposal or release from TapOnIt’s possession.
- Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to TapOnIt’s technology and information assets.
- Incident/problem management procedures designed to allow TapOnIt to investigate, respond to, mitigate, and notify of events related to TapOnIt’s technology and information assets.
- Network security controls that provide for the use of firewall systems, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
Schedule 3: Standard Contractual Clauses
For the purposes of the Standard Contractual Clauses:
- 1.1 Module Two (Controller to Processor) shall apply where Customer acts as a controller, and Module Three (Processor to Processor) shall apply where Customer acts as a processor on behalf of Customer’s customers, in each case as described in clause 4.1.1 of the DPA.
Clause 7:
- 2.1 Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
Clause 9(a):
- 3.1 Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 6.3 of the DPA.
Clause 11(a):
- 4.1 The option in clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
Clause 17:
- 5.1 With regard to clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The Parties agree that the governing law shall be the law of the Republic of Ireland.
Clause 18:
- 6.1 In clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.
Annex I:
- 7.1 For the purpose of Annex I of the Standard Contractual Clauses, Schedule 1 contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
Annex II:
- 8.1 For the purpose of Annex II of the Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures.
Annex III:
- 9.1 The specifications for Annex III of the Standard Contractual Clauses are determined by clause 6.1 of the DPA. The Sub-processor’s contact person’s name, position and contact details will be provided by TapOnIt upon request.
Schedule 4: Additional Supplementary Measures
Commitment to Additional Measures:
- TapOnIt further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Customer Personal Data in relation to the processing in a third country, as described in this Schedule 4.
Additional Technical Measures (Encryption):
- The personal data is transmitted (between the Parties and by TapOnIt between data centers and to a Sub-processor and back) using strong encryption.
- The personal data at rest is stored by TapOnIt using strong encryption.
Additional Organizational Measures:
a) Internal policies for governance of transfers, especially with groups of enterprises:
- Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels, and standard operating procedures for cases of formal or informal requests from public authorities to access the data.
- Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA.
b) Transparency and Accountability Measures:
- Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar as publication is allowed by local law.
c) Organizational Methods and Data Minimization Measures:
- Development and implementation of best practices by both Parties to involve their respective data protection officers, if any, and their legal and internal auditing services in matters related to international transfers of personal data, and to give them access to the relevant information, in an appropriate and timely manner.
d) Others:
- Adoption and regular review by TapOnIt of internal policies to assess the suitability of the implemented complementary measures and to identify and implement additional or alternative solutions when necessary, so that a level of protection for the transferred personal data essentially equivalent to that guaranteed within the EEA is maintained.
Additional Contractual Measures:
a) Transparency Obligations:
- TapOnIt declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) national law or government policy does not require TapOnIt to create or maintain back doors, to facilitate access to personal data or systems, or to be in possession of or hand over the encryption key.
- TapOnIt will verify the validity of the information provided for the TIA questionnaire on a regular basis and provide notice to Customer of any changes without delay. Clause 14(e) of the SCCs shall remain unaffected.
b) Obligations to Take Specific Actions:
- In case of any order to disclose or to grant access to the personal data, TapOnIt commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for TapOnIt.
c) Empowering Data Subjects to Exercise Their Rights:
- TapOnIt commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her personal data transferred under the chosen transfer tool in violation of the commitments it contains.
- Notwithstanding the foregoing, TapOnIt shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage.
- Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from TapOnIt’s infringement of the GDPR.
Additional Obligations in Case of Requests or Access by Public Authorities:
a) TapOnIt shall promptly inform Customer:
- Of any legally binding requests from a law enforcement or other government authority (“Public Authority”) to disclose the personal data shared by Customer (“Transferred Personal Data”); such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request, and the response provided. Such notification shall occur prior to the disclosure of any personal data in response to such requests.
- If it becomes aware of any direct access by public authorities to Transferred Personal Data in accordance with the laws of the country of destination; such notification shall include all information available to TapOnIt.
- If TapOnIt is prohibited from notifying Customer and/or the data subject, TapOnIt agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as soon as possible. TapOnIt agrees to document its best efforts in order to be able to demonstrate them upon request of the data exporter.
b) TapOnIt agrees to review, under the laws of the country of destination, the legality of the public authority’s request, notably whether it remains within the powers granted to the requesting public authority, and to exhaust all available remedies to challenge the request if, after a careful assessment, TapOnIt concludes that there are grounds under the laws of the country of destination to do so. This includes requests under section 702 of the United States Foreign Intelligence Surveillance Court or Executive Order 12333. When challenging a request, TapOnIt shall seek interim measures with a view to suspending the effects of the request until the court has decided on the merits. TapOnIt shall not disclose or provide access to the personal data requested until required to do so under the applicable procedural rules and, at such time, shall provide only the minimum amount of information required to comply with the request based on a reasonable interpretation of the request.
c) TapOnIt agrees to preserve the information required to comply with this Schedule 4 for the duration of the Agreement and, unless prohibited by applicable law, make it available to the competent supervisory authority upon request and when required by applicable law.
Schedule 5
1. UK and Swiss Addendum
2. UK Addendum
With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Customer (as data exporter) to TapOnIt (as data importer):
2.1 The Approved Addendum, as further specified in this Schedule 5, shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to clause 12 of the Mandatory Clauses.
2.2 In deviation to Table 1 of the Approved Addendum and in accordance with clause 17 of the Mandatory Clauses, the parties are further specified in Schedule 1 Part 1 of this DPA.
2.3 The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Schedule 3 of this DPA as amended by the Mandatory Clauses.
2.4 Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule 1 of this DPA, Annex II of the Approved Addendum is further specified by Schedule 2 of this DPA, and Annex III of the Approved Addendum is further specified by Schedule 1 clause B.10 of this DPA.
2.5 TapOnIt (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses.
2.6 Clause 16 of the Mandatory Clauses shall not apply.
3. Swiss Addendum
As stipulated in clause 11 of the DPA, this Swiss Addendum shall apply to any processing of Customer Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR.
3.1 Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Schedule 3 of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
- “This Addendum” means this Addendum to the Clauses.
- “Clauses” means the Standard Contractual Clauses as further specified in Schedule 3 of this DPA.
- “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
3.2 This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
3.3 This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
3.4 Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
4. Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
5. Incorporation of the Clauses
In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA, including as further specified in Schedule 3 of this DPA, to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
5.1 To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 3 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):
- References to the “Clauses” or the “SCCs” means this Swiss Addendum as it amends the SCCs and
- Clause 6 Description of the transfer(s) is replaced with:
- “The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”
5.2 References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws,” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
5.3 References to Regulation (EU) 2018/1725 are removed.
5.4 References to the “European Union,” “Union,” “EU,” and “EU Member State” are all replaced with “Switzerland.”
5.5 Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws.
5.6 Clause 17 is replaced to state:
- “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws.”
5.7 Clause 18 is replaced to state:
- “Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
- Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities, and legal entities shall receive the same protection under the Clauses as natural persons.
5.8 To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 3 of this DPA, will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.
5.9 Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC, which are required under Swiss Data Protection Laws.
Schedule 6
6. U.S. Addendum
As stipulated in clause 12 of the DPA, this U.S. Addendum shall apply to any processing of Customer Personal Data subject to US Data Protection Laws.
6.1 To the extent required by US Data Protection Laws, TapOnIt is prohibited from:
- (a) selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration;
- (b) sharing Customer Personal Data with any third party for cross-behavioral advertising;
- (c) retaining, using, or disclosing Customer Personal Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws;
- (d) retaining, using or disclosing Customer Personal Data outside of the direct business relationship between the Parties; and
- (e) except as otherwise permitted by US Data Protection Laws, combining Customer Personal Data with Personal Data that TapOnIt receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.