Data processing agreement
This Data Processing Agreement (“DPA“) is incorporated into and forms part of Adapty Terms of Service (as defined below) entered into by and between Customer and Adapty that governs Customer’s use and Adapty’s provision of Services.
Customer and Adapty are hereinafter jointly referred to as the “Parties” and individually as the “Party“. The details of Parties are set out in the Schedule 1.
In case of any conflict or inconsistency with the terms of Adapty Terms of Service, this DPA will take precedence over other terms in Adapty Terms of Service to the extent of such conflict or inconsistency.
Capitalized terms not otherwise defined herein shall have the meaning given to them in Adapty Terms of Service.
BACKGROUND
The DPA, including all Schedules, specifies the data protection obligations of the Parties regarding to the Personal Data Processed by Adapty on behalf of the Customer as described in Schedule 1 to this DPA in accordance with Applicable Privacy Law.
1. Definitions
1.1. Adapty Terms of Service means terms of service available at https://adapty.io/terms/ or other written or electronic agreement between the Customer and Adapty.
1.2. Applicable Privacy Law means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.
1.3. Data Controller means the natural person or entity that determines the purposes and means of the Processing of Personal Data or otherwise is in charge of making decisions regarding the processing of Personal Data.
1.4. Data Processor means a natural or legal person, or other body which Processes Personal Data on behalf of the Controller.
1.5. Data Subject Request shall have the meaning given in clause 3.2 of this DPA.
1.6. Data Subject means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
1.7. GDPR means Regulation of the European Parliament and the Council of the EU No. 2016/679 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
1.8. UK GDPR means retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy, and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (SI 2019/419).
1.9. Personal Data means any information that relates to an identified or identifiable natural person and is regulated by Applicable Privacy Law provided by the Customer for Processing u, including information concerning an identified or identifiable individual.
1.10 Personal Data Breach shall have the meaning given clause 6.1 of this DPA.
1.11. Processing, processes, and process mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes, or process. It includes any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
1.12. Standard Contractual Clauses (SCC) means the standard contractual clauses as approved by the European Commission (as updated, amended, replaced, or superseded from time to time by the European Commission.). If the European Commission replaces the Standard Contract Clauses with amended or new standard contractual clauses, then, to the extent the relevant supervisory authority approves of the use of such amended or new standard contractual clauses, the references herein to “Standard Contract Clauses” will be read to refer to such amended or new standard contractual clauses.
1.13. Sub-processor means third-party data processor engaged by the Adapty, who has or potentially will have access to, or processes Personal Data.
1.14. Sub-Processor Change Notice shall have the meaning given in clause 4.1 of this DPA.
2. Processing of personal data
2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Adapty is the Processor.
2.2. Data Processing Details. The subject matter, duration, nature, and purpose(s) of the processing of Personal Data, as well as the type of Personal Data and categories of Data Subjects are specified in Schedule 1.
2.3. Scope of Processing. The Adapty shall refrain from processing Personal Data that is beyond the scope set forth in Customer’s documented reasonable and customary instructions, as specified in the Adapty Terms of Service or this DPA, unless such Processing is required by applicable laws to which Adapty is subject.
2.4. The Customer’s instructions. The Customer’s instructions for the Processing of Personal Data shall comply with the Applicable Privacy Law. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data. Without limitation, Customer shall be solely responsible for ensuring it has an appropriate lawful basis and right to enable the Processing of Personal Data pursuant to the terms of the Adapty Terms of Service and this DPA. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject.
2.5. Legal basis of processing. Customer acknowledges and agrees that Adapty’s Services are dependent and based upon demonstrated lawful basis, that shall be obtained by Customer and which Adapty relies on. Customer represents that such lawful basis exists.
2.6. Children Privacy. When Processing Personal Data of children (as described in Applicable Privacy Law), Customer is obliged to comply with additional requirements set by platform policies, regulations, and Applicable Privacy Law designed to protect children. Some of these laws are specifically focused on children (such as COPPA), while others are broader but include specific protections for children (such as GDPR and similar regional laws).
3. Data Subject Requests
3.1. Responds to Data Subject Requests. The Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Applicable Privacy Law. The Parties agree and acknowledge that Adapty does not have an ability to respond to Data Subject Requests.
3.2. Data Subject’s Requests. Adapty will, to the extent legally permitted, promptly notify the Customer if it receives any requests from a Data Subject to exercise the Data Subject rights Applicable Privacy Law (each, a “Data Subject Request”).
The cooperation in the implementation of the Data Subject’s rights. Adapty will provide reasonable and timely assistance (including by appropriate technical and organizational measures) to the Customer to enable the Customer to respond to Data.
3.3. Subject Request. If the Customer requests Adapty to assist to respond to the any request, then Adapty will, to the extent possible, provide commercially reasonable efforts to assist the Customer in responding to such request, to the extent Adapty is legally permitted to do so and the response to such request is required under the Applicable Privacy Law.
3.4. Costs. To the extent legally permitted, the Customer shall be responsible for any costs arising from Adapty’s provision of such assistance, including any fees associated with provision of additional functionality. In such cases Adapty will notify you of these costs in advance.
4. Sub-processing
4.1. Appointment of the Sub-Processor. Customer authorizes Adapty to appoint Sub-Processors in accordance with this section and any restrictions in the DPA. The Customer acknowledges and agrees that Adapty may engage Sub-Processors without prior consent of the Customer. As a condition to permitting a third-party Sub-Processor to process Personal Data, Adapty will enter into a written agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA. Adapty will notify the Customer in written of any intended changes concerning the addition or replacement of Sub-Processors before such changes of Sub-Processors (the “Sub-Processor Change Notice”). The Customer may object to such changes of the Sub-Processor under the clause 4.2 of this DPA.
4.2. Current list of Sub-Processors. Current list of Sub-Processors Adapty engage in Processing is provided in Schedule 3 to this DPA. Within ten (10) days of any changes concerning the addition or replacement of Sub-Processor, Adapty will update the list of Sub-Processors to this DPA.
4.3. Liability. With respect to each Sub-Processor, Adapty shall: (i) take reasonable steps to ensure that the Sub-Processor is committed to provide the level of protection for Personal Data required by the DPA and (ii) remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations where the Sub-Processor fails to fulfill such obligations.
4.4. Objection right for Sub-Processors. The Customer may reasonably object to Adapty of any intended changes concerning the addition or replacement of Sub-Processor (e.g., if making personal data available to the Sub-Processor may violate the Applicable Data Protection Laws or weaken the protections for such personal data) by notifying Adapty promptly in writing within ten (10) days after receipt of the Sub-Processor change notice. Such Customer’s notice shall explain the reasonable grounds for the objection.
If the Customer do notify Adapty of such an objection, the Parties will discuss the issue in good faith with a view to achieving a commercially reasonable resolution. If such objections cannot be resolved within fifteen (15) days, as the Processing cannot continue in proper way without the engagement of such Sub-Processor, Adapty has a right to refuse further Processing under this DPA and terminate Adapty Terms of Service without liability for such termination.
5. Cross-border transfer of personal data
5.1. Transfer from the EU. Insofar as the processing of the Personal Data is protected by GDPR, the Parties hereby agree that such transfer is subject to SCC, which is incorporated into this DPA by reference and represents an integral part hereof. The options and Annexes of the SCCs are deemed filled in based on Appendix 4 to this DPA.
5.2. Transfers from Switzerland. Insofar as the processing of the Personal Data is protected by the Federal Act of Switzerland of 19 June 1992 on Data Protection (“FADP”), the Parties hereby agree that such transfer is subject to SCC with the adaptations that are necessary in order for the SCCs to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a FADP. The list of adaptation is provided in clause 4.3. of the transfer of personal data to a country with an inadequate level of data protection based on dated recognized standard contractual clauses and model contracts dated 27 August 2021 by Federal Data Protection and Information Commissioner (available at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html). Option 2 of Case 2 shall apply.
5.3. Transfers from the UK. Insofar as the processing of the Personal Data is protected by UK GDPR, the Parties hereby agree that such transfer is subject to the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
6. Technical and organization measures
6.1. Technical and organization measures. Adapty shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity of the Personal Data, including as appropriate and applicable, the measures referred to in Article 32 of the GDPR, as set out in Schedule 2 to this DPA to protect Personal Data from:
- accidental or unlawful destruction, and
- loss, alteration, unauthorised disclosure of, or access to Personal Data
(each referred to as the “Personal Data Breach”).
6.2. Compliance control. Adapty regularly monitors compliance with the measures provided in Schedule 2 to this DPA.
6.3. Assistance in ensuring compliance. Taking into account the nature of Processing and the Personal Data available to Adapty, Adapty assists the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR.
7. Personal Data Breach
7.1. Notification of Personal Data Breach. If Adapty becomes aware of a Personal Data Breach, Adapty shall, to the extent permitted by law, notify the Customer without undue delay via e-mail upon Adapty or any Sub-Processor becoming aware of a Personal Data Breach affecting the Customer’s Personal Data, and shall provide reasonable information (to the extent in Adapty’s reasonable possession and/or control).
7.2. Cooperation. Adapty shall provide cooperation taking into account the nature of the Processing and the information available to Adapty to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Applicable Privacy Law. Adapty shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Personal Data Breach and shall keep the Customer informed of all material developments in connection with the Personal Data Breach.
8. Audit
8.1. Customer’s right to conduct an audit. Adapty makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, in relation to the performance of obligations under this DPA.
8.2. Adapty’s cooperation on conducting audit. Adapty shall make available to the Customer all information, systems and staff reasonably necessary for the Customer or its third-party auditors to conduct such audit, provided that the Customer:
8.2.1. gives forty-five (45) days’ prior notices of audits; and
8.2.2. conducts its audit during normal business hours; and
8.2.3. takes all reasonable measures to prevent unnecessary disruption to Adapty’s operations. Such audit shall be strictly within the scope of information that is related to the Processing of the Personal Data.
8.3. Parameters of audit. The Parties shall mutually agree upon the scope, timing and duration of the audit or inspection.
8.4. Confidentiality. All audits under this DPA shall be subject to the confidentiality obligations. Customer shall share the full audit report with Adapty and shall not share it with any third-party except its accountants and legal advisors who are bound to confidentiality. Customer shall not use such audit report for any other purpose than to assess Adapty’s compliance with this DPA.
8.5. Costs. Customer will bear the costs of such an audit unless otherwise agreed by the Parties.
8.6. Audit frequency. The Customer shall not exercise its audit rights more than once in any twelve (12) calendar month period, except:
8.6.1. if and when required by instruction of a competent data protection authority; or
8.6.2. if it is necessary due to a Personal Data Breach suffered by Adapty and (or) Sub-Processors.
9. Confidentiality
9.1. Adapty shall take all reasonable steps to ensure the reliability of any staff authorised to Process Personal Data and ensure such staff is subject to appropriate obligations of confidentiality and at all times act in compliance with the Applicable Privacy Law.
10. Deletion or Return of Personal Data
10.1. Upon (i) termination of this DPA, or (ii) written request by Customer, or (iii) Adapty no longer being required to Process Personal Data in order to fulfill its obligations under Adapty Terms of Service and this DPA, or (iv) Adapty’s refusal Processing under the clause 4.4 of this DPA, Adapty shall, at the Customer’s discretion, either delete, destroy or return all Personal Data to the Customer and destroy or return any existing copies except to the extent that Adapty is required under Applicable Privacy Law to keep a copy of Personal Data for a specified period of time. Upon expiration of such retention period, Adapty shall immediately delete or destroy all remaining Personal Data.
10.2. In the event that Personal Data has been processed by any Sub-Processors, Adapty shall ensure that in specified cases such Sub-Processors will also return, delete, or destroy all Personal Data they hold, in accordance with the terms set forth in this section.
11. California consumers’ privacy rights
11.1. “Personal Information”, “Consumer” and other capitalized terms in this section 11 shall have the meanings stipulated in the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq, as amended from time to time (“CCPA”).
11.2. It is hereby agreed that any sharing of Personal Data between the Parties is made solely in order to fulfill a Business Purpose and Adapty does not receive or process any Personal Data as consideration for the Services.
11.3. Customer is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Customer’s sole responsibility and liability to determine whether the sharing or transferring of Personal Data of Data Subjects during the course of the Services constitutes a Sale of Personal Data.
11.4. Adapty shall not retain, use, or disclose Personal Data for a commercial purpose other than providing the Services specified in the Adapty Terms of Service.
12. Term
12.1. This DPA shall be effective as of the effective date of the Adapty Terms of Service. This DPA will remain in force and effect so long as the Adapty Terms of Service remains in effect.
13. Severability
13.1. Should any provision of this DPA be or become, either in whole or in part, void, ineffective, or unenforceable, then the validity, effectiveness, and enforceability of the other provisions of this DPA shall remain unaffected thereby.
13.2. Any such invalid, ineffective, or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective, and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective, or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.
13.3. The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.
14. Entire agreement
14.1. Parties explicitly declare that this DPA (including the Schedules referred to herein) and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions, and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject matter of this DPA.
15. Governing law and jurisdiction
15.1. The DPA shall be governed by law as stipulated in the Adapty Terms of Service.
15.2. The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims however arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity.
16. Miscellaneous
16.1. In the case of conflict or ambiguity between:
16.1.1. any provision of the DPA and any provision of the Adapty Terms of Service, the provisions of the DPA shall prevail;
16.1.2. any provision of this Agreement and any executed SCC, the provisions of the executed SCC shall prevail.
Schedule 1. Data Processing Parameters
i.Technical Information
This category includes technical data related to the device used by the End User to access the Customer’s digital services (such as mobile games or apps). Such information may include, for example, IP address, device model, operating system, and language settings.
ii. Identifiers
This category includes various identifiers associated with the End User’s device or application instance. Such identifiers may include, for example, Apple Identifier for Advertisers (IDFA), Identifier for Vendors (IDFV), Google Advertising ID, and other similar identifiers.
ii. Usage DataThis category refers to information about how End Users interact with the Customer’s services. It includes, but not limited the following data: in-app events; End User’s actions such as clicks on Customer advertisements; views (impressions) of Customer ads; app download and installation timestamps; app launches; in-app purchases (including purchase time and amount); any additional event or interaction data the Customer chooses to track and analyze based on the nature of their service.
iv. Contact Information
This category includes personal data that directly identifies or relates to an individual End User and is necessary for communication or user-specific functionality. Such data may include, for example email address, first name, last name, and other attributes that the Customer intentionally transmits to Adapty.
Adapty will not sell Personal Data of the Customer
Schedule 2. Technical and organizational measures including technical and organizational measures to ensure the security of the data
If Yes, please provide specific details
• Regular updates of operating systems, hardware, and any third-party software to avoid security vulnerabilities.
• Use of firewalls and Intrusion Prevention Systems (IPS) systems to limit access and protect Adapty servers.
• Securing remote access communication using multifactor authentication.
• Backing up customer data on a daily basis, on a rotating schedule.
Schedule 3. List of sub-processors
Schedule 4. Terms of the SCCs
1. The Module applicable to the transfer of Controller Personal Data originating from the EU under the Agreement is Module 2 – “Controller to Processor”.
2. The following selections are made, where Commission Implementing Decision (EU) 2021/914 permits selection of options in the Clauses of the EU SCCs:
3. Annex IA to the SCCs shall be considered filled as follows:
- the Data Exporter is the Customer and the Exporter’s details are the same as set out in the Schedule 1 (Part A) to the DPA.
Activities relevant to the data transferred under SCC: transfer of Personal Data to the Data Importer in order to enable the Data Importer to provide Services under the Adapty Terms of Service. - the Data Importer is Adapty and the Adapty’s details are the same as set out in the Schedule 1 (Part A) to the DPA.
Activities relevant to the data transferred under SCC: receipt of Personal Data from Data Exporter in order to provide Services under the Adapty Terms of Service.
4. Annex IB to the SCCs shall be the same as Schedule 1 to the DPA and in addition the following details are included to complete Annex IB: the frequency of the transfer is continuous.
5. Annex IC is completed as follows: The Supervisory Authority of the Republic of Ireland.
6. Annex II to the SCCs shall be the same as Schedule 2 to the DPA.
7. Annex III to the SCCs shall be the same as Schedule 3 to the DPA.
