Data Processing Agreement

DATA PROCESSING ADDENDUM FOR DATAHAPPY SERVICES

This Data Processing Addendum for DataHappy Services (“DPA”) forms a part of the DataHappy Terms of Use between Drivn Ltd and Customer (“Agreement”) which apply to the Customer’s use of the DataHappy service. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

This DPA is an addendum to and forms a part of the Agreement, and shall be legally binding with effect from the commencement of the Agreement. If any terms of this DPA are inconsistent with the terms of the Agreement, including the exhibits thereto, then the terms of this DPA shall prevail.

  1. BACKGROUND

    1. This DPA applies to Customer Personal Data provided by Customer as a Data Controller in connection with their use of DataHappy. It states the technical and organizational measures Drivn uses to protect Customer Personal Data in the course of acting as a Data Processor when providing DataHappy.
    2. If processing of Customer Personal Data involves an International Transfer, the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses, as the case may be, apply as stated in Section 5 and are incorporated by reference.
  2. APPENDICES

    Customer as a Data Controller determines the purposes of collecting and processing Customer Personal Data in DataHappy. Appendix 1 states the details of the processing Drivn will provide via DataHappy under the Agreement. Appendix 2 states the technical and organizational measures Drivn applies to DataHappy, unless the Agreement states otherwise. Appendix 3 defines the applicable modules and options for the EU Standard Contractual Clauses and the UK Standard Contractual Clauses.

  3. DRIVN OBLIGATIONS

    1. Drivn will follow instructions received from Customer with respect to Customer Personal Data, unless they are (i) legally prohibited or (ii) require material changes to DataHappy. In the event and to the extent the functionality of DataHappy does not allow Customer or authorized users to do so, Drivn may correct, block or remove any Customer Personal Data in accordance with Customer’s instruction. If Drivn cannot comply with an instruction, it will notify Customer (email permitted) without undue delay.
    2. Drivn will use the appropriate technical and organizational measures to protect all Customer Personal Data.
    3. Drivn shall notify Customer without undue delay but in no event later than seventy-two (72) hours of its discovery of a Security Breach.
    4. At Customer’s request, Drivn will reasonably support Customer in dealing with requests from Data Subjects or regulatory authorities regarding Drivn’s processing of Customer Personal Data.
    5. Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, Drivn will (as applicable) return to Customer or destroy all Customer Personal Data. After such 30-day period, Drivn will destroy such Personal Data.
  4. SUBPROCESSORS

    1. Customer authorizes Drivn to subcontract the processing of Customer Personal Data to Subprocessors. Drivn is responsible for any breaches of the Agreement caused by its Subprocessors.
    2. Subprocessors will have the same obligations in relation to Drivn as Drivn does as a Data Processor (or Subprocessor) with regard to their processing of Customer Personal Data.
    3. Drivn will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection. Subprocessors may have security certifications that evidence their use of appropriate security measures. If not, Drivn will regularly evaluate each Subprocessor’s security practices as they relate to data handling.
    4. Drivn’s use of Subprocessors is at its discretion, provided that:
      1. Drivn will notify Customer in advance (by email or such other means which Drivn makes available to its customers) of any changes to the list of Subprocessors in place as of the commencement of provision of DataHappy (except for Emergency Replacements or deletions of Subprocessors without replacement).
      2. If Customer has a legitimate reason that relates to the Subprocessors’ processing of Customer Personal Data, Customer may object to Drivn’s use of a Subprocessor, by notifying Drivn in writing within thirty days after receipt of Drivn’s notice. If Customer objects to the use of the Subprocessor, the parties will come together in good faith to discuss a resolution. Drivn may choose to: (i) not use the Subprocessor or (ii) take the corrective steps requested by Customer in its objection and use the Subprocessor. If none of these options are reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days’ written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.
      3. If Customer’s objection remains unresolved sixty days after it was raised, and Drivn has not received any notice of termination, Customer is deemed to accept the Subprocessor.
      4. The list of Subprocessors current as of the commencement of provision of DataHappy is set out in Appendix 1.
    5. Drivn may change a Subprocessor where the reason for the change is outside of Drivn’s reasonable control. In this case, Drivn will inform Customer of the replacement Subprocessor as soon as possible. Customer retains its right to object to a replacement Subprocessor under Section 4.4.2.
  5. INTERNATIONAL TRANSFERS

    1. Personal Data from EEA, UK, or Swiss Data Controller(s) may only be exported to or accessed by Drivn or its Subprocessors outside the EEA, the UK, or Switzerland, as applicable (“International Transfer”):
      1. if the recipient, or the country or territory in which it processes or accesses Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction; or
      2. in accordance with Section 5.2.
    2. The UK or EU Standard Contractual Clauses (as applicable) apply where:
      1. there is an International Transfer to a country that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Customer Personal Data as determined by the European Commission or another regulatory body of competent jurisdiction, and/or
      2. there is an International Transfer to a recipient that is not covered by an appropriate safeguard, including, but not limited to, binding corporate rules, an approved industry code of conduct, an individual adequacy decision by a regulatory body of competent jurisdiction, or an individual transfer authorisation granted by a regulatory body of competent jurisdiction.
    3. For Third Country Subprocessors, Drivn shall ensure that such Subprocessor has entered into the unchanged version of the UK or EU Standard Contractual Clauses prior to the Subprocessor’s processing of Personal Data.
    4. Nothing in this DPA will be construed to prevail over any conflicting clause of the UK or EU Standard Contractual Clauses.
  6. DEFINITIONS

    “Customer Personal Data” means any Personal Data that the Customer or any of its Users uploads to DataHappy.

    “Data Protection Legislation” means the Data Protection Act 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council, (the General Data Protection Regulation); any other existing or future law, directive or regulation (anywhere in the world) relating to the Processing of Personal Data or privacy, to which Drivn is subject.

    “Data Controller”, “Data Processor”, “Data Subject”, “Processing” and “Personal Data” have the meanings given to those expressions or any equivalent or corresponding expressions in the Data Protection Legislation.

    “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.

    “EU Standard Contractual Clauses” shall mean the standard contractual clauses promulgated by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (C/2021/3972) on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

    “Security Breach” means a confirmed accidental or unlawful destruction, loss, alteration, or disclosure that results in the compromise of the integrity and/or confidentiality of Personal Data. They include Appendices 1 and 2 attached to this DPA.

    “Subprocessor” means Drivn affiliates and third parties engaged by Drivn or Drivn’s affiliates to process Personal Data.

    “Third Country Subprocessor” means any Subprocessor incorporated outside the EEA and outside any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

    “UK Standard Contractual Clauses” means the UK Data Transfer Addendum, being the applicable EU Standard Contractual Clauses as amended by a data transfer addendum in a form adopted by the UK ICO, as amended, superseded or replaced from time to time.

APPENDIX 1

DETAILS OF DATA PROCESSING

Data Exporter

Name: The Customer acting as a Data Controller subscribed to a Service that allows authorized users to enter, amend, use, delete or otherwise process Personal Data, as identified in the Agreement.

Address: As stated in the Agreement.

Contact person’s name, position and contact details: As stated in the Agreement.

Role (Controller/Processor): Controller

Data Importer

Name: Drivn and its Subprocessors, each as identified in the Agreement.

Address: As stated in the Agreement.

Contact person’s name, position and contact details: As stated in the Agreement.

Role (Controller/Processor): Processor

Purpose(s) of the data transfer and further processing

Provision by Drivn of DataHappy, including:

  • Monitoring DataHappy
  • Release and development of fixes and upgrades to DataHappy
  • Monitoring, troubleshooting and administering the underlying Service infrastructure
  • Security monitoring, network-based intrusion detection support, penetration testing

Description of Transfer

Categories of Data Subjects whose personal data is transferred

Unless provided otherwise by the Data Exporter, transferred Customer Personal Data relates to the following categories of data subjects: individuals to whom the Customer wishes to market its products or services.

Categories of personal data transferred

The transferred Customer Personal Data submitted to DataHappy may concern the following categories of data: Customer, in its sole discretion and control, determines the categories of Customer Personal Data in accordance with DataHappy component(s) ordered under the Agreement. Customer can configure the data fields during implementation of DataHappy or as otherwise provided by DataHappy, subject to the functionality of the related Service component(s). The transferred Customer Personal Data submitted into DataHappy may include, but is not limited to the following categories of data:

  • Data subject name and contact information and user IDs
  • Device identifiers of the data subject’s browser and/or computer equipment
  • Device IP address
  • Any personal data contained in advertising network cookies shared with Drivn by the Customer

Sensitive data transferred

None.

Processing Operations (Activities relevant to the data transferred under the DPA)

The transferred Customer Personal Data is subject to the following basic processing activities:

  • use of Customer Personal Data to set up, operate, monitor and provide DataHappy
  • integration with the Customer’s social media and other marketing platforms
  • communication to authorized users
  • upload any fixes or upgrades to DataHappy
  • execution of instructions of Customer in accordance with the Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

As defined in the Agreement.

Competent supervisory authority

United Kingdom

List of Subcontractors as of the Effective Date

Company | Purpose | Location of data hosting
Digital Ocean | Backend code (API) hosting, data storage | EU
Amazon Web Services | CDN, config storage | EU

APPENDIX 2

TECHNICAL AND ORGANIZATIONAL MEASURES

The following sets out Drivn’s current technical and organizational security measures. Drivn may change these at any time without notice so long as it maintains a comparable or better level of security. This may mean that individual measures are replaced by new measures that serve the same purpose without diminishing the security level.

  1. Storage limitation
    1. The Data Processor is required to limit the storage of personal data processed for the Data Controller by:
      • Deleting personal data stored concerning users of the service within 12 months after time of collection.
      • Deleting, upon request from the Data Controller, personal data concerning users of services or customer service representatives.
  2. Information security policy
    1. The Data Processor shall have a documented information security policy, which is defined and approved by the management, published and communicated to its staff and other relevant parties.
  3. Information security organisation
    1. The Data Processor shall have staff with appointed responsibilities for ensuring appropriate information security.
  4. Staff security
    1. The Data Processor shall in the recruitment process conduct adequate controls for applicants according to applicable legislation, which shall be in proportion to the business operations, the categories of personal data given access to and risk levels.
    2. The Data Processor shall ensure that all personnel with access to personal data processed for the Data Controller have a confidentiality obligation towards the Data Processor and receive continued information security training.
    3. The Data Processor shall have an employee offboarding process which includes removal of access rights and return of IT equipment.
  5. Personal data handling
    1. The Data Processor shall handle personal data processed for the Data Controller as confidential information.
  6. Access Control
    1. Users shall only have access to personal data, personal data processing resources, networks and network services that are needed to perform their duties and for which they have received explicit permission to access.
    2. The Data Processor shall prevent unauthorised access to personal data processed for the Data Controller by (at least) implementing activity logs which register user activities and can give information about what personal data has been exposed to unauthorised access, modification, erasure or destruction.
  7. Physical security
    1. Physical access to the Data Processor’s systems and processing environment shall be restricted to authorised personnel.
    2. Physical access to personal data processed for the Data Controller shall be restricted and require an identifiable and personal authentication scheme.
    3. Equipment shall be placed and protected to minimise risks for environment related threats and dangers and unauthorised access.
  8. Communication security
    1. Personal data processing resources containing personal data or which are part of the system of the processing shall be protected by firewalls.
    2. The Data Processor shall apply up-to-date security measures for electronic messages to actively protect against viruses, malware, ransomware and other harmful software.
    3. Development, test and production environments shall be separated to minimise the risk for unauthorised access or changes in the production and other environments.
    4. Data from the Data Controller cannot be used in test or development environments without removing or anonymising personal data.

APPENDIX 3

STANDARD CONTRACTUAL CLAUSES

EU Standard Contractual Clauses

EU SCC term | Amendment / Selected option
Module | Module 2 (Controller to Processor)
Clause 7 (Docking clause) | Not included
Clause 9 (Use of sub-processors) / Annex III | Option 2 shall apply. The list of sub-processors already authorised by Customer is contained in Appendix 1.
Clause 11 (Redress) | Not included
Clause 13 (Supervision) and Annex 1.C | The supervisory authority with responsibility for ensuring compliance by the data exporter is: where the data exporter is established within an EU member state, the supervisory authority of that EU member state OR where the data exporter is subject to EU GDPR pursuant to Article 3(2) EU GDPR and has appointed a representative in the EU, the supervisory authority of that EU member state OR where the data exporter is subject to EU GDPR pursuant to Article 3(2) EU GDPR, but has not appointed a representative in an EU member state, the supervisory authority of the EU member state where the relevant data subjects are located.
Clause 17 (Governing law) | Ireland
Clause 18 (Choice of forum and jurisdiction) | Ireland
Annex I.A (List of parties) | The relevant data exporters and data importers are specified in Appendix 1.
Annex I.B (Description of the transfer) | The categories of data subject, personal data categories, purposes of international transfer and processing, any additional safeguards, and if applicable the duration of processing and any maximum data retention periods are specified in Appendix 1.
Annex II (Technical and organisational measures) | The relevant technical and organisational measures are specified in Appendix 2.

UK Standard Contractual Clauses

UK Data Transfer Addendum Incorporating EU Standard Contractual Clause terms | Amendment / Selected option
Clause 7 (Docking clause) | Not included
Clause 9 (Use of sub-processors) / Annex III | Option 2 shall apply. The list of sub-processors already authorised by Customer is contained in Appendix 1.
Clause 11 (Redress) | Not included
Clause 13 (Supervision) and Annex 1.C | The competent supervisory authority is the UK Information Commissioner’s Office.
Clause 17 (Governing law) | England
Clause 18 (Choice of forum and jurisdiction) | England
Annex I.A (List of parties) | The relevant data exporters and data importers are specified in Appendix 1.
Annex I.B (Description of the transfer) | The categories of data subject, personal data categories, purposes of international transfer and processing, any additional safeguards, and if applicable the duration of processing and any maximum data retention periods are specified in Appendix 1.
Annex II (Technical and organisational measures) | The relevant technical and organisational measures are specified in Appendix 2.