Data processing agreement
This Data Processing Agreement (“DPA”) is incorporated into and forms part of Adapty Terms of Service available at https://adapty.io/terms or other written or electronic agreement between the Customer and Adapty (the “Agreement”).
Data Processor and Data Controller are hereinafter each referred to as the “Party” and together as the “Parties”. The Data Processor and the Data Controller agree as follows:
If you enter into these Terms on behalf of a company, you represent that you have the authority to bind such entity. If you do not have such authority, or if you do not unconditionally agree to these Terms, you have no right to use the Software.
1. Definitions
1.1. Applicable Privacy Law means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.
1.2. Data Controller means Customer under the Agreement.
1.3. Data Processor means Adapty.
1.4. Data Subject means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
1.5. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.6. UK GDPR means retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy, and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (SI 2019/419).
1.7. Personal Data means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual.
1.8. Processing, processes, and process mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes, or process. It includes any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
1.9. Standard Contractual Clauses (SCC) means contractual clauses established by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.
1.10. Sub-processor means a third-party data processor engaged by the Data Processor, who has or potentially will have access to, or processes Personal Data.
2. Processing of personal data
2.1. The subject matter, duration, nature, and purpose(s) of the processing of Personal Data, as well as the type of Personal Data and categories of Data Subjects are specified in Annex I.
2.2. The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Annex I.
2.3. The Parties hereby agree that all aspects of their relationships in the context of the processing of personal data, including ones required to be addressed under Art. 28 of the GDPR, are stipulated in and regulated by SCC.
3. Cross-border transfer of personal data
3.1. Transfer from the EU. Insofar as the processing of the Personal Data is protected by GDPR, the Parties hereby agree that such transfer is subject to SCC, which is incorporated into this DPA by reference and represents an integral part hereof. The Annexes of the SCCs are deemed filled in based on Appendix 1 to this DPA. The options afforded by the SCCs are deemed selected based on Appendix 2 to this DPA.
3.2. Transfers from Switzerland. Insofar as the processing of the Personal Data is protected by the Federal Act of Switzerland of 19 June 1992 on Data Protection (“FADP”), the Parties hereby agree that such transfer is subject to SCC with the adaptations that are necessary in order for the SCCs to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a FADP. The list of adaptations is provided in clause 4.3 of “The transfer of personal data to a country with an inadequate level of data protection based on recognized standard contractual clauses and model contracts” dated 27 August 2021 by the Federal Data Protection and Information Commissioner (available at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html). Option 2 of Case 2 shall apply.
3.3. Transfers from the UK. Insofar as the processing of the Personal Data is protected by UK GDPR, the Parties hereby agree that such transfer is subject to the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
4. Consent
4.1. Data Controller represents and warrants that: (i) its Processing instructions shall comply with Applicable Privacy Law; and (ii) it will comply with Applicable Privacy Law, specifically with regards to the lawful basis for Processing Personal Data. Data Controller acknowledges and agrees that Data Processor’s Services are dependent and based upon end user’s consent or any other demonstrated lawful basis, that shall be obtained by Data Controller and which Data Processor relies on. Data Controller represents that such consent or any other demonstrated lawful basis exists.
5. California consumers’ privacy rights
5.1. “Personal Information”, “Consumer” and other capitalized terms in this clause 5 shall have the meanings stipulated in the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as amended from time to time (“CCPA”).
5.2. It is hereby agreed that any sharing of Personal Data between the Parties is made solely in order to fulfill a Business Purpose and Adapty does not receive or process any Personal Data as consideration for the Services.
5.3. Data Controller is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Data Controller’s sole responsibility and liability to determine whether the sharing or transferring of Personal Data of Consumers during the course of the Services constitutes a Sale of Personal Data.
5.4. The Data Processor shall not retain, use, or disclose Personal Data for a commercial purpose other than providing the services specified in the Agreement.
6. Term
6.1. This DPA shall be effective as of the effective date of the Agreement. This DPA will remain in force and effect so long as the Agreement remains in effect.
7. Severability
7.1. Should any provision of this DPA be or become, either in whole or in part, void, ineffective, or unenforceable, then the validity, effectiveness, and enforceability of the other provisions of this DPA shall remain unaffected thereby.
7.2. Any such invalid, ineffective, or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective, and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective, or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.
7.3. The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.
8. Entire agreement
8.1. Parties explicitly declare that this DPA and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions, and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject matter of this DPA.
9. Governing law and jurisdiction
9.1. The DPA shall be governed by law as stipulated in the Agreement.
9.2. The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity.
10. Miscellaneous
10.1. In the case of conflict or ambiguity between:
10.1.1. any provision of the DPA and any provision of the Agreement, the provisions of the DPA shall prevail;
10.1.2. any provision contained in the body of this Agreement and any provision contained in the Appendices, the provisions in the body of this Agreement shall prevail;
10.1.3. any provision of this Agreement and any executed SCC, the provisions of the executed SCC shall prevail.
Appendix 1
Annex I
Annex II. Technical and organizational measures including technical and organizational measures to ensure the security of the data
If Yes, please provide specific details
• Regular updates of operating systems, hardware, and any third-party software to avoid security vulnerabilities.
• Use of firewalls and Intrusion Prevention Systems (IPS) to limit access and protect Adapty servers.
• Securing remote access communication using multifactor authentication.
• Backing up customer data on a daily basis, on a rotating schedule.