DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is incorporated into and forms part of Adapty Terms of Service available at https://adapty.io/terms or other written or electronic agreement between the Customer and Adapty (the “Agreement”).
Data Processor and Data Controller hereinafter each referred to as the “Party” and together as the “Parties”.The Data Processor and the Data Controller agree as follows:
1.1. Applicable Privacy Law means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.
1.2. Data Controller means Customer under the Agreement.
1.3. Data Processor means Adapty.
1.4. Data Subject means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
1.5. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.6. UK GDPR means retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy, and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (SI 2019/419).
1.7. Personal Data means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual.
1.8. Processing, processes, and process mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes, or process. It includes any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
1.9. Standard Contractual Clauses (SCC) means contractual clauses established by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.
1.10. Sub-processor means third-party data processor engaged by the Data Processor, who has or potentially will have access to, or processes Personal Data.
2. PROCESSING OF PERSONAL DATA
2.1. The subject matter, duration, nature, and purpose(s) of the processing of Personal Data, as well as the type of Personal Data and categories of Data Subjects are specified in Annex I.
2.2. The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Annex I.
2.3. The Parties hereby agree that all aspects of their relationships in the context of the processing of personal data, including ones required to be addressed under the Art. 28 of the GDPR, are stipulated in and regulated by SCC.
3. CROSS-BORDER TRANSFER OF PERSONAL DATA
3.1. Transfer from the EU. Insofar as the processing of the Personal Data is protected by GDPR, the Parties hereby agree that such transfer is subject to SCC, which is incorporated into this DPA by reference and represents an integral part hereof. The Annexes of the SCCs are deemed filled in based on Appendix 1 to this DPA. The options afforded by the SCCs are deemed selected based on Appendix 2 to this DPA.
3.2. Transfers from Switzerland. Insofar as the processing of the Personal Data is protected by the Federal Act of Switzerland of 19 June 1992 on Data Protection («FADP»), the Parties hereby agree that such transfer is subject to SCC with the adaptations that are necessary in order for the SCCs to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a FADP. The list of adaptation is provided in clause 4.3. of the transfer of personal data to a country with an inadequate level of data protection based on dated recognized standard contractual clauses and model contracts dated 27 August 2021 by Federal Data Protection and Information Commissioner (available at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html). Option 2 of Case 2 shall apply.
3.3. Transfers from the UK. Insofar as the processing of the Personal Data is protected by UK GDPR, the Parties hereby agree that such transfer is subject to the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
4.1. Data Controller represents and warrants that: (i) its Processing instructions shall comply with Applicable Privacy Law; and (ii) it will comply with Applicable Privacy Law, specifically with regards to the lawful basis for Processing Personal Data. Data Controller acknowledges and agrees that Data Processor’s Services are dependent and based upon end user’s consent or any other demonstrated lawful basis, that shall be obtained by Data Controller and which Data Processor relies on. Data Controller represents that such consent or any other demonstrated lawful basis exists.
5. CALIFORNIA CONSUMERS’ PRIVACY RIGHTS
5.1. “Personal Information”, “Consumer” and other capitalized terms in this clause 5 shall have the meanings stipulated in the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq, as amended from time to time (“CCPA”).
5.2. It is hereby agreed that any sharing of Personal Data between the Parties is made solely in order to fulfill a Business Purpose and Adapty does not receive or process any Personal Data as consideration for the Services.
5.3. Data Controller is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Data Controller’s sole responsibility and liability to determine whether the sharing or transferring of Personal Data of Consumers during the course of the Services constitutes a Sale of Personal Data.
5.4. The Data Processor shall not retain, use, or disclose Personal Data for a commercial purpose other than providing the services specified in the Agreement.
6.1. This DPA shall be effective as of the effective date of the Agreement. This DPA will remain in force and effect so long as the Agreement remains in effect.
7.1. Should any provision of this DPA be or become, either in whole or in part, void, ineffective, or unenforceable, then the validity, effectiveness, and enforceability of the other provisions of this DPA shall remain unaffected thereby.
7.2. Any such invalid, ineffective, or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective, and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective, or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.
7.3. The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.
8. ENTIRE AGREEMENT
8.1. Parties explicitly declare that this DPA and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions, and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject matter of this DPA.
9. GOVERNING LAW AND JURISDICTION
9.1. The DPA shall be governed by law as stipulated in the Agreement.
9.2. The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity.
10.1. In the case of conflict or ambiguity between:
10.1.1. any provision of the DPA and any provision of the Agreement, the provisions of the DPA shall prevail;
10.1.2. any provision contained in the body of this Agreement and any provision contained in the Appendices, the provisions in the body of this Agreement shall prevail;
10.1.3. any provision of this Agreement and any executed SCC, the provisions of the executed SCC shall prevail.
A. List of Parties
Controller (Data Exporter)
|Name||The Customer entity identified in the Agreement, during the registration or on a separate Order Form|
|Address||The Customer’s address identified during the registration or on a separate Order Form|
|Official registration number||The Customer’s registration number identified during the registration or on a separate Order Form|
|Contact person’s name, position, and contact details||The Customer representative identified during the registration or on a separate Order Form|
|Activities relevant to the data transferred under these Clauses||Transfer of data to the Data Importer in order to enable the Data Importer to provide services under the Agreement|
Processor (Data Importer)
|Name||Adapty Tech Inc.|
|Address||2093 Philadelphia Pike #9181 Claymont, DE 19703 US|
|Contact person’s name, position and contact details||Kirill Potekhin, Chief Technology Officer, [email protected]|
|Activities relevant to the data transferred under these Clauses||Receipt of data from Data Exporter in order to provide services under the Agreement|
B. Description of Transfer (Processing)
|Categories of data subjects whose personal data is transferred||End users of the mobile application(s) operated by the Data Exporter|
|Categories of personal data transferred |
(for each category of data subjects, if several)
|IT information (technical information from the device (IDFA, IDFV, Advertising ID, IP address, device model, OS, language settings), usage data (in-app events), contact information (email, name, last name and other properties that developers deliberately send to us)|
|Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures||The Parties do not intend to transfer sensitive data|
|The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)||Data is transferred on a continuous basis throughout the term of the Agreement|
|Nature of the processing||Receipt, use, storage, deletion|
|Purpose(s) of the data transfer and further processing||Enabling the Data Importer to provide the analytical services under the Agreement to the Data Exporter|
|The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period||The data will not be retained after expiration/termination of the Agreement|
|For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing||Cloud service providers, used for storing data for the whole duration of the processing|
C. Competent Supervisory Authority
|Identify the competent supervisory authority/ies in accordance with Clause 13||Where the data exporter is established in a European Economic Area country and processes the contemplated personal data in the context of its establishment, the supervisory authority is the one of this European Economic Area country (Art 3.1 of the GDPR). Where the Data Exporter is not established in a European Economic Area country but falls within the scope of the GDPR on an extraterritorial basis (Art 3.2 of the GDPR):– Where it has appointed an EU representative (Art 27 of the GDPR), the supervisory authority is the one of the European Economic Area countries in which the Data Exporter’s representative is located;– Where it does not have to appoint an EU representative, the supervisory authority is that of one of the European Economic Area country in which the data subjects whose data are being transferred pursuant to these SCCs are located.|
Annex II. Technical and organizational measures including technical and organizational measures to ensure the security of the data
|Measures for||Measures taken (Y/N)|
If Yes, please provide specific details
|pseudonymization and encryption of personal data||Personal data is encrypted during transfer.|
|ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services||All data is stored and processed within an internal network closed by a firewall. The data is continuously replicated across multiple data centers. We also store incremental backups.|
|ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident||The data is continuously replicated across multiple data centers. We also store incremental backups.|
|processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing||All code deployed to production is peer-reviewed. Autotests (including security tests) are a part of the deployment process. 3rd party software regularly updated to the latest stable version, including but not limited: to OS, databases, caches, IDE, orchestration services, etc.|
|user identification and authorization||Users are authorized with email and password. All passwords are stored encrypted with randomized salt.|
|protection of data during transmission||All data transferred encrypted thanks to SSL certificates.|
|protection of data during storage||All data is stored and processed within an internal network closed by a firewall.|
|ensuring the physical security of locations at which personal data are processed||Tier 1 data centers are used to store and process data.|
|ensuring events logging||The distributed logging system is used which also stores data behind a firewall.|
|ensuring system configuration, including the default configuration||System configuration, including default configuration, is peer-reviewed and monitored constantly. Default ports and passwords are always changed.|
|internal IT and IT security governance and management||Adapty implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans, and other similar harmful code. This includes:• Regular updates of operating systems, hardware, and any third-party software to avoid security vulnerabilities.• Use of firewalls and Intrusion Prevention Systems (IPS) systems to limit access and protect Adapty servers.• Securing remote access communication using multifactor authentication.•Backing up customer data on a daily basis, on a rotating schedule.|
|certification/assurance of processes and products||No|
|ensuring data minimization||Only the personal information which is necessary for the purposes of the provision of the services is collected. No personal information is used for purposes other than those which have been identified in the DPA and the Agreement and only retained for as long as is necessary to fulfill such purposes.|
|ensuring data quality||The Data Exporter can request alteration or deletion of the end-user’s data.|
|ensuring limited data retention||Personal data is retained as per the contractual terms agreed with the Data Exporter and as required by law.|
|ensuring accountability||Personal data is unique, mapped to a specific Data Exporter, and not shared between users. Events and audit trails related to platform and system access are logged, monitored, and reviewed periodically.|
|allowing data portability and ensuring erasure||We guarantee data portability and erasure upon written request.|
Annex III. List of sub-processors
The controller has authorized the use of the following sub-processors:
|Name||Address||Description of processing|
|Amazon Web Services, Inc.||410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A.||Cloud hosting infrastructure|
|OVH US, LLC||11480 Commerce Park Dr Ste 500 Reston, VA, 20191-1556 United States||Cloud hosting infrastructure|
Terms of the SCCs
|Module||Two (controller to processor transfer)|
|Clause 7: Docking clause||The optional docking clause will not apply.|
|Clause 9: Use of sub-processors||Option 2. The time period shall be 30 business days.|
|Clause 11: Redress||The optional language will not apply.|
|Clause 17: Governing law||Option 1. The laws of Ireland|
|Clause 18. Choice of forum and jurisdiction||The courts of Ireland|