Data processing terms
These Data Processing Terms (hereinafter the “Terms”) govern the rights and obligations between the Client and AppAgent.
THE SUBJECT OF THE TERMS
These Terms, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter as the “GDPR”), govern the rights and obligations in connection with processing and security of personal data that are processed by AppAgent on behalf of Client while providing Services to the Client (hereinafter as the “Personal Data”).
The meaning of capitalized words is stated in the Terms or in the Contract.
ROLES AND DATA PROCESSING INSTRUCTIONS
The Parties acknowledge and agree that:
AppAgent is a processor of Personal Data;
Client is a controller or processor, as applicable, of Personal Data; if Client is a processor, it warrants to AppAgent that instructions and actions with respect to Personal Data, including its appointment of AppAgent as another processor, have been authorized by the relevant controller;
each Party will comply with the obligations applicable to it under the applicable law with respect to the processing of Personal Data.
By entering into these Terms, Client instructs AppAgent to process Personal Data only in accordance with applicable law:
to provide the Services;
as further specified via Client’s use of the Services;
as documented in the Contract, including the Terms;
as further documented in any other written instructions given by Client and acknowledged by AppAgent.
AppAgent shall process the Personal Data based only on above-mentioned instructions from the Client, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or state law to which AppAgent is subject; in such a case, AppAgent shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
DURATION OF PERSONAL DATA PROCESSING
Processing of Personal Data shall be performed for the duration of the Contract or until the Personal Data is deleted in accordance with the Terms.
NATURE AND PURPOSE OF PERSONAL DATA PROCESSING
AppAgent shall process Personal Data through means of automated or manual processing for the purpose of providing Services to the Client.
TYPES OF PERSONAL DATA AND CATEGORIES OF SUBJECTS
Personal Data that will be processed by AppAgent will depend on the scope of the Service. The maximum scope of Personal Data processed by AppAgent may include IP address of data subjects, IDFA (Identifier for advertising of iOS devices) of data subjects, AAID (Google Advertising ID for Android devices) of data subjects or email addresses.
Personal Data will concern the following categories of data subjects:
Data subjects about whom AppAgent collects personal data in its provision of Services (mostly data subjects targeted, reached or affected by advertising performed by AppAgent on behalf of Client); and/or
Data subjects about whom personal data is transferred to AppAgent in connection with Services by, at the direction of, or on behalf of Client (mostly data subjects targeted, reached or affected by advertising performed by Client itself).
RIGHTS AND OBLIGATIONS OF THE PARTIES
If any third person, particularly a data subject or supervisory authority, requests any Party to provide any information in relation to personal data processing under the Terms, or in this relation makes any claim or exercises any right against any Party, the Party undertakes to inform the other Party about such procedure without undue delay, but not later than 14 days from the request.
Client is liable for fulfilling all obligations in relation to Personal Data processing, particularly for informing data subjects about Personal Data processing, obtaining consent if necessary and dealing with data subjects’ requests relating to the exercise of their rights. The Client is further liable for fulfilling notification obligations towards any supervisory authority relating to Personal Data processing, especially for notifying the supervisory authority on any personal data breach.
Client is solely responsible for reviewing the Terms and evaluating for itself whether the security measures and AppAgent’s commitments hereunder meet Client’s needs, including with respect to any security obligations of Client under the applicable law.
Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context, purposes and differently probable and differently serious risks to individuals) the security measures implemented and maintained by AppAgent as set out in article 7 of the Terms provide a level of security appropriate to the risks in respect of the Personal Data.
For the duration of Personal Data processing, if AppAgent receives any request from a data subject in relation to Personal Data, AppAgent shall advise the data subject to submit its request to Client, who will be responsible for responding to any such request.
For the purpose of the Personal Data protection, AppAgent undertakes, for the duration of processing Personal Data under the Terms, that it:
Shall take appropriate steps to ensure compliance with the security measures by its employees, contractors and sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
Shall implement and maintain technical and organizational measures to protect Personal Data;
Shall not engage another processor without prior authorization of the Client, except for the processors mentioned in paragraph 6.7. AppAgent shall ensure to obligate all processors mentioned in paragraph 6.7. and all processors authorized by Client to adhere to these Terms or to otherwise comply with the same obligations as set in these Terms.
In the scope appropriate to the nature of processing and available information, AppAgent shall be supportive of the Client with ensuring appropriate technical and organizational measures to secure the personal data, notifying the personal data breach to any supervisory authority or data subject, assessing data protection impact and with prior consultations with the supervisory authority;
Shall provide the Client with the necessary information, which can be fairly demanded from AppAgent, to fulfill the Client’s obligation to react to the data subject’s request to exercise its rights under the data protection legislation;
Shall, at the choice of the Client, delete or return all the Personal Data to the Client after the termination of the provision of Services, and delete existing copies unless European Union or state law requires storage of the personal data. Client is responsible to remove all access permissions to the respective databases after the end of provision of Services;
Shall provide the Client with all information necessary to demonstrate AppAgent’s compliance with the obligations stated in the Terms and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client according to audit terms stipulated in paragraphs 6.8. to 6.10 of Terms.
List of approved sub-processors
Google Ireland Limited, provider of cloud services (Storage, BigQuery database, Virtual Machine instance)
Matillion Limited, provider of ETL tool
Funnel Holding AB, marketing data platform.
Client must send any requests for the audit solely to the AppAgent’s email address firstname.lastname@example.org. AppAgent shall immediately inform the Client if, in AppAgent’s opinion, an audit infringes GDPR or other data protection provisions and will provide Client with relevant reasons confirming this opinion. Client can’t commence with an audit if those reasons are relevant, and in this case, the audit can be replaced by information necessary to demonstrate compliance with the obligations of the processor. AppAgent may object in writing to an auditor appointed by Client to conduct any audit, if the auditor is, in AppAgent’s reasonable opinion, not suitably qualified or independent, a competitor of AppAgent, or otherwise manifestly unsuitable. Any such objection by AppAgent will require Client to appoint another auditor or conduct the audit itself.
Following receipt by AppAgent of a request for audit, AppAgent and Client will discuss and agree in advance on the reasonable date(s) of and security and confidentiality controls applicable to any audit and on the reasonable commencing date, scope and duration of and security and confidentiality controls applicable to any audit. If the terms of the audit are not agreed within 30 days of receipt of the audit request from Client in accordance with paragraph 6.8. of Terms, AppAgent shall determine the terms of the audit.
AppAgent may charge a fee (based on its reasonable costs) for any audit requested by the Client. AppAgent shall provide Client with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
As from the Terms effective date, AppAgent will implement and maintain the security measures set out in this article. AppAgent may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the processing.
AppAgent shall periodically review the risk of information security, in connection with Personal Data. Fulfillment of the AppAgent’s obligation to assure the data security is performed by AppAgent’s employee specialized in the area of information security.
AppAgent shall implement measures to secure Personal Data against human failure, particularly:
Adopting and maintaining internal regulation and documentation on internal security;
Training on the rules of dealing with personal data and the risk of information security;
Ensuring that all employees, contractors, suppliers and other third persons with access to Personal Data have committed themselves to contractual liability and to confidentiality or are under an appropriate statutory obligation of confidentiality.
AppAgent shall implement appropriate technical measures to secure the Personal Data, particularly:
Antivirus protection against malware;
Network security solution, combining firewall, the configuration of network features and other technologies (especially VPN when connected to public networks);
Strong passwords (using LastPass manager, PINs, face recognition or fingerprint-based access on both computers and mobile phones);
Encryption of employees’ HDDs, external HDs and mobile phones;
Important infrastructure and data backup;
Remote mobile phone lock, erasure or localization in case of loss or theft;
Always updated software on all devices (including routers);
Two-phase e-mail login authentication.
To secure the personal data stored in written form and the IT devices, AppAgent shall particularly implement personal data access processes and policies and premises and on-site/digital repository security.
Should any of the provisions hereof be or become invalid, void, ineffective or unenforceable, this fact shall not affect the rest of the Terms. The Parties agree to replace any such invalid, ineffective, void or unenforceable provisions of the Terms with a provision that is valid, effective, not considered void, enforceable and with the same business and legal meaning within 14 (fourteen) days of receiving a request from the other Party.
In the event of changes to the applicable law or changes to the interpretation rules or practices for interpretation of the applicable law, AppAgent may amend the Terms within a reasonable scope. The amendment of the Terms shall be reported by AppAgent on its website and by e-mail to the last known email address of the Client used for the communication with AppAgent and it takes effect one month after the notification.