Tapper Data Processing Agreement
INTERPRETATION
The security of our customer data is of utmost importance to us. We (“TAPPER” as such term is defined in the Order or “We” or “Service Provider”), want to make
Customer’s (as such term is defined below) experience satisfying and safe. Because We secure and process certain types of information, we believe that our customers should fully understand the terms and conditions surrounding the Processing of data through our Services. This Data Processing Agreement (the “DPA”) describes how We process and secure Personal Data (as defined below) and shall be subject to the Terms (as defined below). Any term used herein and not otherwise defined, shall have the meaning ascribed thereto in the Terms.
1. SCOPE
The Customer using the Services under the Terms and the Service Provider are parties to the Terms to which this DPA applies. If Service Provider Processes Personal Data, or if Service Provider has access to Personal Data during its performance of Services under the Terms, the parties shall comply with the terms and conditions of this DPA.
2. DEFINITIONS
All capitalized terms not defined in this DPA, shall have the meanings set forth in the Terms.
“Approved Jurisdiction” means a member state of the European Economic Area (“EEA“), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here:
http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
“CCPA” means the California Consumer Privacy Act of 2018.
“CPRA” means the California Privacy Rights Act of 2020.
“Controller” means Customer, within the meaning of article 4 (7) of the GDPR.
“Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives, and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of personal data, including the GDPR, the UK GDPR, CCPA and CPRA.
“Personal Data” shall have the meaning ascribed to it in the applicable Data Protection Laws.
“Process” or “Processing”shall have the meaning ascribed to it in the applicable Data Protection Laws.
“Processor” means TAPPER, within the meaning of article 4 (8) of the GDPR.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
“Special Categories of Data” shall have the meaning ascribed to it in the applicable Data Protection Laws.
“Standard Contractual Clauses” means the standard contractual clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this DPA.
“Terms” means the agreement entered between the Customer and the Service Provider with respect to the provision of the Services and the Order.
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
3. DATA PROTECTION AND PRIVACY
If Service Provider has access to, or otherwise Processes Personal Data, then Service Provider shall:
3.1 only Process the Personal Data in accordance with Customer’s documented instructions and on its behalf, and in accordance with the Terms and this DPA.
3.2 take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this DPA).
3.3 Assist Customer as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the Services provided by Service Provider) related to Service Provider’s Processing of Personal Data.
3.4 notify the Customer without undue delay, and no later than two (2) business days after becoming aware of a Security Incident.
3.5 provide full, reasonable cooperation and assistance to Customer in:
3.5.1 allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the Processing, or the right not to be subject to an automated individual decision making, or do not sell my data.
3.5.2 ensuring compliance with any notification obligations of Personal Data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws.
3.5.3 Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable).
3.6 only Process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Terms.
3.7 as required under Data Protection Laws, maintain accurate written records of all the Processing activities of any Personal Data carried out under the Terms (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request.
3.8 make all reasonable efforts to ensure that Personal Data is accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so.
3.9 not lease, sell (including as defined in the CCPA and CPRA) or otherwise distribute Personal Data.
3.10 promptly notify Customer of any investigation, litigation, arbitrated matter, or other dispute relating to Service Provider’s information security or privacy practices as it relates to the Processing of Personal Data, provided such notification is legally permissible.
3.11 promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Customer, provided such notification is legally permissible.
4. SUBPROCESSORS
4.1 Sub-Processors. Customer authorizes the Service Provider to subcontract the Processing of Personal Data to third parties (the “Sub-Processors”). The Sub-Processors listed at https://itlinks.to/Tapper-Security-Report as of at the date of this DPA (the “Sub-Processor List”) are approved by the Customer. Such Sub-Processor List shall be updated by the Service Provider upon any change in the identity of the Sub-Processors. You may review and present material and reasonable objections, if any, which objections must be provided to the Service Provider within 7 days from the update of the list of Sub-Processors. If you object to the use of a certain Sub-Processor (the “Applicable Sub-Processor”), for a legitimate reason and the parties cannot reach an amicable solution on how to proceed further, the Service provider may terminate the Terms.
4.2 The Service Provider shall ensure by way of a written contract that Sub-Processors are required to comply with data protection obligations, which are no less onerous than the obligations to which the Service Provider is subject pursuant to this DPA. The Service Provider will remain liable to Customer for any failure by a Sub-Processor to fulfil its obligations in relation to the Processing of Personal Data.
5. THE TRANSFER OF PERSONAL DATA
5.1 Personal Data may be transferred from the EEA, Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
5.2 If the Processing of Personal Data by Processor includes a transfer (either directly or via onward
transfer):
5.2.1 from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer”), the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply.
5.2.2 from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK (“UK Transfer”), the terms set forth in Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply.
5.2.3 the terms set forth in Part 3 of Schedule 2 (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
6. SECURITY STANDARDS
6.1 Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect Personal Data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise Processed; all other unlawful forms of Processing; including (as appropriate): (i) the pseudonymization and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.2 To the extent that Service Provider processes Special Categories of Data, the security measures referred to in this DPA shall also include, at a minimum (i) routine risk assessments of Service Provider’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
6.3 At a minimum, Service Provider agrees to maintain the security measures detailed in Appendix A attached hereto.
7. RETENTION OF PERSONAL DATA
TAPPER shall delete all Personal Data (to the extent technically feasible) within one hundred and twenty (120) days after the Term (as defined below) ends unless applicable law to which TAPPER is subject requires storage of the Personal Data or as otherwise permitted or required under this DPA. If instructed in writing by Customer, prior to expiration or termination of the Services, we will return a copy of Personal Data within a reasonable period and in a reasonable format at the Customer’s expense. Personal Data which cannot be erased shall be anonymized. If anonymization is not feasible, such data shall be retained “beyond use” and erased (to the extent technically feasible) as soon as reasonably possible (e.g. during periodic purge or deletion processes). Notwithstanding the foregoing, Customer acknowledges that TAPPER shall have the right to process and retain Personal Data for the purpose of provision, operation and support of its Services and for the purpose of administrating the contractual relationship with the Customer, including but not limited for the purposes of billing, audit and recordkeeping, account management, technical support, security, protection against fraudulent or illegal activity, and for the purpose of exercising of and defense from legal claims. To the extent that any data processed for such purposes or under a legal obligation to which TAPPER is subject, is considered Personal Data, TAPPER shall be regarded as an independent Controller of such data and its processing shall be outside the scope of this DPA. Nothing here shall limit or restrict TAPPER ability to use anonymized and/or aggregated data for any purpose without limitation.
8. TERM
The term of this DPA shall be the term as set forth in the Terms.
9. GENERAL
9.1 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and Service Provider will promptly begin complying with such Data Protection Laws.
9.2 Any ambiguity in this DPA shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this DPA the Data Protection Laws shall prevail.
9.3 If this DPA does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of Personal Data.
9.4 If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease Processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Terms and Customer shall have the right to terminate the Terms immediately without penalty.
9.5 Please feel free to direct any questions or concerns regarding this DPA or our treatment of Personal Data by contacting us as provided herein below. If you have any questions about this DPA, please feel free to contact us at: support@tapper.aii; At request, TAPPER shall make available to the Customer all information necessary to demonstrate compliance with the applicable articles of the GDPR of the UK GDPR as applicable, including article 28 of the GDPR, and copies of our annual SOC 2 certificates.
9.6 To the extent compliance cannot reasonably be demonstrated through the above mentioned information and certificates TAPPER makes available to Customer, TAPPER will allow for and contribute to audits conducted by the Customer, or another auditor mandated by the Customer, all at the Customer’s own expense, upon reasonable advanced written notice and subject to confidentiality obligations. Such audit shall be conducted no more frequently than once in any rolling twelve (12) month period. To request an audit, Customer must submit to TAPPER ninety (90) working days in advance of the proposed audit data (i) the name of the proposed auditor; (ii) a detailed proposed audit plan to TAPPER. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. TAPPER will review the name of the proposed auditor and the proposed audit plan and may reasonably object where the requested audit could compromise TAPPER’s business conduct, security, privacy, employment, or other relevant policies. In case of objection from TAPPER to the proposed auditor and/or audit plan, TAPPER and Customer agree to cooperate in good faith to find a mutually acceptable solution. Such audit shall be limited to TAPPER’s Processing activities performed on behalf of Customer. The approved auditor must be bound by a confidentiality agreement. TAPPER agrees to promptly notify Customer if TAPPER is unable to comply with this DPA for whatever reason. In such a case, Customer shall have the right to immediately suspend the Processing.
10. GOVERNING LAW AND JURISDICTION
This DPA is governed by the laws as stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.
11. INTERPRETATION
Any conflict between the provisions of the Order, the Terms, and this DPA, shall be resolved in the following order of precedence, listed sequentially from highest precedence to lowest: (1) this DPA (2) Terms, and then (3) the Order.
Last Updated: January 1, 2024.
Appendix A – TAPPER Security Requirements
See available at: www.tapper.ai/dpa-appendix-a-tapper-security-requirements
Appendix B: DETAILS OF PROCESSING
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the DPA and this
Addendum.
The nature and purpose of the Processing of Personal Data
Service Provider is engaged to provide Services to the Customer which involve the Processing of Personal Data. The scope of the Services is set out in the Terms, and the Personal Data will be Processed by the Service Provider and Service Provider Affiliates to deliver those Services and to comply with the terms of the Terms and this DPA.
The types of Personal Data to be Processed
TAPPER
IP Address.
If using as part of the TAPPER services, the lead protection feature, or Privacy DSAR feature, if the Customer chooses to integrate and apply, then also email addresses, and phone numbers.
The categories of Data Subject to whom the Personal Data relates (insert description)
Visitors of Customer’s website
The obligations and rights of Service Provider and Service Provider Affiliates
The obligations and rights of Service Provider and Service Provider Affiliates are set out in the Terms
and this DPA.
The Processing operations carried out in relation to the Personal Data
Collecting and recording the data, hosting the data, organising the data, adapting, or altering the data, and analyzing the data, in each case for the purposes of providing Services to Customer, the scope of which are set out in the Terms.
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Transfers
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and TAPPER is the data processor of the Personal Data.
3. Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data processor of the Personal Data and TAPPER is a Sub-processor of the Personal Data.
4. Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
5. Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.2 of the DPA.
6. In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
7. In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
8. In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
9. Annex I.A of the Standard Contractual Clauses shall be completed as follows:Data Exporter: Customer.
Contact details: As detailed in the Terms.
Data Exporter Role:
Module Two: The Data Exporter is a data controller.
Module Three: The Data Exporter is a data processor.
Signature and Date: By entering into the Terms and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Terms.
Data Importer: TAPPER.
Contact details: As detailed in the Terms.
Data Importer Role:
Module Two: The Data Importer is a data processor.
Module Three: The Data Importer is a sub-processor.Signature and Date: By entering into the Terms and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
10. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in Appendix B (Details of Processing) of this DPA.
The categories of personal data are described in Appendix B (Details of Processing) of this DPA.
The Parties do not intend for Sensitive Data to be transferred.
The frequency of the transfer is a continuous basis for the duration of the Terms.
The nature of the processing is described in Appendix B (Details of Processing) of this DPA.
The purpose of the processing is described in Appendix B (Details of Processing) of this DPA.
The period for which the personal data will be retained is for the duration of the Terms, unless agreed otherwise in the Terms and/or the DPA.
11. Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
12. The Security Measures in Appendix A serve as Annex II of the Standard Contractual Clauses.
13. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Terms, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Transfers
This Part 2 is effective from the same date as the Standard Contractual Clauses.
Background:
This Part 2 is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country or an international organisation in reliance on Articles 46 of the UK GDPR and with respect to data transfers from controllers to processors and/or processors to processors.
Interpretation:
Where this Part 2 uses terms that are defined in the Standard Contractual Clauses, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
UK: The United Kingdom of Great Britain and Northern Ireland
4.This Part 2 shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.
5. This Part 2 shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.
7. In the event of a conflict or inconsistency between this Part 2 and the provisions of the Standard Contractual Clauses or other related agreements between the Parties, existing at the time the DPA is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
8. This Part 2 incorporates the Standard Contractual Clauses which are deemed to be amended to the extent necessary so they operate:
a. for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
b. to provide appropriate safeguards for the transfers in accordance with Articles 46 of the UK GDPR
Laws.
9. The amendments required by Section 8 above, include (without limitation):
a. References to the “Clauses” means this Part 2 as it incorporates the Standard Contractual Clauses
b. Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Appendix B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
c. References to “Regulation (EU) 2016/679” or “that Regulation”are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
d. References to Regulation (EU) 2018/1725 are removed.
e. References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”
f. Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner;
g. Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.
h. Clause 18 is replaced to state:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
i. The footnotes to the Clauses do not form part of this Part 2.
10. The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.
11. The Parties may amend this Part 2 provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Standard Contractual Clauses and making changes to them in accordance with Section 8 above.
12. The Parties may give force to this Part 2 (incorporating the Standard Contractual Clauses) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the Contractual Clauses.
PART 3 – Additional Safeguards
1. In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
a. The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
b. The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”);
c. If the Processor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
I. The Processor shall inform the relevant government authority that the Processor is a processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;
II. The Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor’s control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, the Processor shall notify the Controller, as soon as possible, following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited to do so. Once in every 12-month period, the Processor will inform the Controller, at the Controller’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.