Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into by and between RewardLion ("RewardLion") and the undersigned party, hereinafter referred to as Customer ("Customer"). The purpose of this DPA is to govern the Processing of Personal Data by RewardLion on behalf of Customer in connection with the provision of business solutions across various sectors and fields.

This Data Processing Agreement (DPA) constitutes an integral component of the Terms of Service (the “Agreement”) and becomes operative upon execution or at another specified time as outlined within the Agreement, an Order, or an executed amendment to the Agreement. In the event of any conflict or inconsistency with the provisions of the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency, thereby superseding any prior agreements. 

1. Definitions

  1. Controller: The Controller is the entity or organization that determines the purposes and means of the processing of Personal Data. In simpler terms, the Controller is the one who decides why and how Personal Data is processed. 
  2. CCPA: California Civil Code Sec. 1798.100 et seq., including the California Consumer Privacy Act of 2018. 
  3. Processor: The Processor is the entity or organization that processes Personal Data on behalf of the Controller. They act under the authority of the Controller and follow their instructions when processing Personal Data. 
  4. Data Subject: The Data Subject is the individual to whom the Personal Data relates. In other words, it's the person about whom the Personal Data pertains. For example, it could be a customer, an employee, or any other individual. 
  5. Personal Data: Personal Data refers to any information relating to an identified or identifiable natural person. This includes information that directly identifies an individual (such as name, email address, identification number) as well as information that, when combined with other data, could identify an individual. 
  6. Personal Data Breach: A Personal Data Breach is a security incident in which Personal Data is accessed, disclosed, altered, or destroyed without authorization. It compromises the confidentiality, integrity, or availability of the Personal Data. 
  7. Process and Processing: Process and Processing refer to any operation or set of operations performed on Personal Data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data. 
  8. Customer Personal Data: Information relating to an identified or identifiable individual within Customer Data provided under the Agreement and protected under Data Protection Laws. 
  9. Data Protection Laws: Applicable worldwide legislation relating to data protection and privacy. 
  10. European Data Protection Laws: Data protection laws applicable in Europe, including GDPR, Directive 2002/58/EC, UK GDPR, and Swiss DPA. 
  11. GDPR: General Data Protection Regulation((EU) 2016/679), and the retained UK version. 
  12. Standard Contractual Clauses: Standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021
  13. UK Addendum: International Data Transfer Addendum issued by the UK Information Commissioner under the Data Protection Act 2018. 

2. TERMS AND CONDITIONS

2.1 Compliance: Both parties commit to adhering to all relevant requirements stipulated by Data Protection Laws. This provision supplements the parties' existing obligations and rights under Data Protection Laws and does not absolve, diminish, or replace such obligations or rights.

2.2 Controller/Processor: The parties have mutually agreed that, pursuant to Data Protection Laws, RewardLion shall function as the processor of Customer Personal Data on behalf of the Customer. The Customer may assume the role of either a Controller or Processor under Data Protection Laws.

2.3 Consents: The Customer warrants that it has obtained all necessary and appropriate consents and notifications to facilitate the lawful transfer of Customer Personal Data to RewardLion. Additionally, the Customer assures the lawful collection of such data by utilizing RewardLion Services for the duration and purposes outlined in the Agreement and DPA. The Customer agrees to indemnify RewardLion against any losses or damages, including fines, resulting from a failure to fulfill this obligation.

2.4 Customer Personal Data:  Annex A delineates the scope, nature, and purpose of processing Customer Personal Data by RewardLion. It also specifies the duration of processing, the types of Customer Personal Data involved, and the categories of Data Subjects affected.

2.5 Customer Instructions: RewardLion undertakes to process Customer Personal Data solely in accordance with documented instructions provided by the Customer, except where compelled by applicable laws to deviate from such instructions. The Agreement and DPA constitute the primary instructions from the Customer, although the parties may agree to additional instructions. RewardLion commits to notifying the Customer if, in its judgment, the Customer's instructions contravene Data Protection Laws.

2.6 CCPA and Application: The parties acknowledge that if the CCPA applies, Customer assumes the role of a “Business” while RewardLion acts as a “Service Provider” as defined under the CCPA. RewardLion shall not retain, use, or disclose California Personal Information collected pursuant to the Agreement for purposes other than performing the Agreement or as permitted by the CCPA. Furthermore, RewardLion shall not retain, use, or disclose California Personal Information collected pursuant to the Agreement outside the direct business relationship between RewardLion and Customer, unless authorized by the CCPA. RewardLion shall refrain from "selling" or "sharing" California Personal Information as defined in the CCPA or combining California Personal Information with personal information acquired from sources other than Customer, except to the extent necessary to fulfill the Agreement. The customer may request and RewardLion shall furnish reasonable evidence of compliance with this section.

2.7 Sub-processors: The Customer grants prior, general authorization for RewardLion to appoint Processors to process Customer Personal Data, provided that RewardLion ensures that the terms on which it appoints such processors comply with Data Protection Laws and align with the obligations imposed on RewardLion herein. RewardLion remains responsible for the acts and omissions of any such Processor as if they were RewardLion's own. Currently, RewardLion has appointed the third parties listed in Annex C to this DPA as Sub-Processors. RewardLion shall notify Customer at least 30 days prior to adding or replacing any Sub-Processors listed in Annex C, provided that Customer opts-in to receive such notifications by contacting RewardLion. RewardLion shall afford substantially the same protections for Customer Personal Data as those outlined in the DPA.

2.8 Transfer of European Data

2.8.1 RewardLion shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data under applicable European Data Protection Laws, unless it takes all necessary measures to ensure compliance with such laws. These measures may include transferring Personal Data to a recipient covered by a suitable framework or other legally adequate transfer mechanism recognized by relevant authorities or courts, a recipient with binding corporate rules authorization in accordance with European Data Protection Laws, or a recipient that has executed appropriate standard contractual clauses adopted or approved in accordance with applicable European Data Protection Laws.

2.8.2 The parties acknowledge that, in performing the Service, RewardLion may receive European Data in the United States. Subject to subsections (2.8.3) below, the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as outlined below:

  1. EEA Transfers: In connection with European Data governed by the General Data Protection Regulation (GDPR), it is hereby established that the party acting as the "data exporter" is the Customer, while the role of the "data importer" is assumed by RewardLion. In scenarios where the Customer functions as a Controller of European Data, the terms of Module Two are applicable, and when the Customer serves as a Processor of European Data, the provisions of Module Three come into effect. The inclusion of the optional docking clause in Clause 7, the mandatory notification of Sub-Processor changes in Clause 9, and the removal of optional language in Clause 11 are integral aspects of this arrangement. Additionally, Clauses 17 and 18 stipulate that disputes arising under the Standard Contractual Clauses will be governed by the laws of the Republic of Ireland, without recourse to conflicts of law principles. The Annexes of the Standard Contractual Clauses are deemed complete with the information outlined in the Annexes of this Data Processing Agreement (DPA). It is expressly acknowledged that, in the event of any conflict, the Standard Contractual Clauses shall prevail to the extent of such inconsistency. 
  2. UK Transfers: In the context of European Data subject to the UK GDPR, the application of the Standard Contractual Clauses is mandated, albeit with specific modifications. Noteworthy is the fact that these Standard Contractual Clauses are adjusted and interpreted in strict accordance with the UK Addendum, which is hereby incorporated by reference and forms an integral part of the Agreement. Tables 1, 2, and 3 of the UK Addendum are deemed completed with the information set out in the Annexes of this DPA, and Table 4 is considered completed by selecting the option "neither party." Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. 
  3. Swiss Transfers: In the context of European Data subject to the Swiss Data Protection Act (DPA), the application of the Standard Contractual Clauses is mandated, but with specific modifications. Pertinently, references to "Regulation (EU) 2016/679" are construed as references to the Swiss DPA, while references to "EU," "Union," and "Member State law" are understood as references to Swiss law. Moreover, references to the "competent supervisory authority" and "competent courts" are replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland," respectively. 

2.8.3 If RewardLion cannot fulfill its obligations under the Standard Contractual Clauses or breaches any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and Customer intends to suspend the transfer of European Data to RewardLion or terminate the Standard Contractual Clauses or UK Addendum, Customer agrees to provide RewardLion with reasonable notice to rectify such non-compliance. Customer shall reasonably cooperate with RewardLion to identify additional safeguards, if necessary, to remedy such non-compliance. If RewardLion fails to remedy the non-compliance, Customer may suspend or terminate the affected Service in accordance with the Agreement without liability to either party (subject to fees incurred prior to such suspension or termination). 

3- RewardLion Obligations: 

3.1 Implement and uphold appropriate technical and organizational measures to safeguard Customer Personal Data against Personal Data Breaches, as delineated in Annex B to this DPA ("Security Measures"). Notwithstanding any contrary provision, RewardLion may modify or update the Security Measures at its discretion, provided that such modifications or updates do not result in a significant degradation in the protection afforded by the Security Measures.

3.2 Ensure that all personnel engaged and authorized by RewardLion to process Customer Personal Data have pledged to maintain confidentiality or are subject to an appropriate statutory or common law duty of confidentiality.

3.3 Assist the Customer, to the extent reasonably feasible (taking into consideration the nature of the Processing and available information), and at the Customer's expense and written request, in addressing any Data Subject requests and ensuring the Customer's compliance with its obligations under Data Protection Laws concerning security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.

3.4 Promptly notify the Customer upon becoming aware of a Personal Data Breach involving Customer Personal Data.

3.5 Upon the written direction of the Customer, either delete or return Customer Personal Data and its copies to the Customer upon termination of the Agreement, unless required by applicable law to continue processing such Customer Personal Data. For the purposes of this provision, Customer Personal Data shall be deemed deleted if it is rendered unusable by RewardLion.

3.6 For European Data, aid the Customer in ensuring compliance with Articles 32 to 36 of the GDPR, provide all reasonably necessary information to demonstrate compliance with this DPA to the Customer, facilitate and reasonably contribute to audits and inspections conducted by the Customer to assess compliance with this DPA as required by Data Protection Laws, and furnish all reasonably necessary information to demonstrate compliance with GDPR Article 28 requirements for Processors.

3.7 Maintain records to evidence compliance with this provision.

4- This DPA, Amendments, and Annexes

This DPA has the following Annexes attached to it: 

  1. Annex A: Details of Processing 
  2. Annex B: Added to the Standard Contractual Process 
  3. Annex C: RewardLion Sub-processors 

ANNEX A - Details of Processing

A. List of Parties

Data exporter:

  • Name: [Customer's Name], as defined in RewardLion’s Terms of Service 
  • Address: [Customer's Address] as specified by your Platform Account 
  • Contact person’s name, position, and contact details: [Customer's Contact Person], [Contact Person's Position], [Contact Details] as specified by your Platform Account 
  • Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties as a Controller. 
  • Role (controller/processor): Controller or Processor 

Data importer:

  • Name: RewardLion
  • Address: Global Digital Business Solution  - 333 Las Olas Way # Cu-1, suit 1 Fort Lauderdale, Florida 33301   
  • Email Address: [email protected]  
  • Telephone number: 1(800)-876-8984
  • Contact person’s name, position, and contact details: Mike Ibrahim, CEO, [P:1-800-876-8984 Ext.700- Email: [email protected] 
  • Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties.  
  • Role (controller/processor): Processor  

B. Description of Transfer

  • Categories of Data Subjects whose Personal Data is Transferred: Customers and potential customers of clients. 
  • Categories of Personal Data Transferred: Personal Data input and collected as decided by the Customer, including name, age, date of birth, phone number, email address, social media profiles. 
  • Sensitive Data transferred and applied restrictions or safeguards: The parties do not anticipate the transfer of sensitive data.
  • Frequency of the transfer: Variable during the Agreement term. 
  • Subject Matter and Nature of the Processing: RewardLion will provide Services to the Customer under the Agreement between the parties. The Customer will use the Services to collect and process Personal Data of their customers and potential customers for managing and carrying out marketing activities, which may be targeted to their customers and potential customers.
  • The Processing will involve collecting, storing, recording, contacting, and managing Personal Data, particularly for running marketing campaigns, providing marketing services, and managing marketing generally.
  • Purpose of the transfer and further Processing: RewardLion will Process Personal Data necessary to provide the Service pursuant to the Agreement, as specified in an order form, and as further instructed by Customer in Customer’s use of the Service.
  • Period for which Personal Data will be retained: The duration of the period in which the Customer accesses and uses the RewardLion platform under the Services Agreement. 

C. Competent Supervisory Authority:

  • For the purposes of the Standard Contractual Clauses, the supervisory authority acting as the competent supervisory authority will be determined in accordance with the Transfer Mechanisms for Data Transfers section of this DPA.

ANNEX B – Added to the Standard Contractual Clauses

The delineation of technical and organizational security measures undertaken by the data importer pursuant to Clause 4(d) and Clause 5(c).

Measure Description

Measures of pseudonymization and encryption of personal data

All personal data at rest is encrypted with AES 256 CBC. All personal data in transit is encrypted with TLS V1.2+.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services 

- Endpoint protection on APIs
- Uptime monitors for availability
- Access control measures like user-based and subaccount-based authentication - Use of managed services (AWS, Google Cloud) for integrity

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner

Personal data backed up on AWS and Google Cloud with 5-minute granularity to enable Processor to restore personal data in case of an incident. 

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services 

Encrypted signed tokens and role-based authorizations - Password protection

Measures for the protection of data during transmission 

SSL certificates and HTTPS during personal data transmission. Protected with TLS v1.2+. 

Measures for the protection of data during storage 

Personal data is encrypted at rest with AES-256 CBC encryption. 

Measures for ensuring physical security of locations at which personal data are processed 

Managed services to ensure physical security of server locations. All personal data stored on AWS and Google Cloud, with physical security described in AWS and Google Cloud Ts&Cs, respectively. 

Measures for ensuring events logging 

Logging for all user actions and audit logs. Use of Google Cloud ops for application and infrastructure monitoring. Use of AWS’s Cloudwatch. 

Measures for ensuring system configuration, including default configuration 

Configurations stored in version control. Containers created from standardized images hosted by AWS and Google Cloud. Updates and upgrades performed automatically and managed by Google Cloud. Patching managed by Google Cloud. 

Measures for internal IT and IT security governance and management 

Use of a third-party vendor (iWerk) for internal IT and IT security. 

Measures for certification/assurance of processes and products 

Issuance of a HIPAA Seal of Compliance Certificate by the Compliancy Group. 

Measures for ensuring data minimization 

Minimum data requirement set by Processor. Users can decide not to enter personal data into optional fields. 

Measures for ensuring data quality 

Enablement of customers to update relevant personal data to the latest date, and use of two-factor authentication. Application monitoring conducted by Google Cloud and custom monitors. 

Measures for ensuring accountability 

Restricted Processor access to personal data based on rules. 

Measures for allowing data portability and ensuring erasure 

Customers can download their personal data from within the Service. Customers can request a copy or deletion of their personal data upon separation. Processor uses support tickets to ensure the foregoing. 

Describe the specific technical and organizational measures to be taken by the Data Importer to provide assistance to the Data Exporter:

  • Self-Service: Personal data can be downloaded by customers from within the Service. Customer admins can set data retention for terminated personnel.
  • Customer and Product Support: FAQs, support tickets for specific queries not addressed by collateral on Processor customer/product support website. 

ANNEX C – Sub-processors

RewardLion Affiliate Sub-processors

Name of Authorized Subcontractor Address Contact Information Description of Processing Country of Subprocessing

HighLevel India

HighLevel India Private Limited

C/O 91 Springboard Business Hub Private Limited, B1/H3, Mohan Co-operative, Mathura Road, Industrial Area, Block B, Pul Pahladpur, New Delhi - 110044, India 

[email protected]

Data storage; support for performance of this Agreement

India

LeadConnector LLC 

400 North Saint Paul St.  Suite 920- Dallas, TX 75201 

[email protected]

Data storage; support for performance of this Agreement

US

Third-party Sub-processors

Name of Authorized Subcontractor Address Contact Information Description of Processing Country in which Sub-processing will take place

Google LLC/Google Cloud Services

1600 Amphitheatre Parkway, Mountain View, California 94043, United States

[email protected]

Data storage; support for performance of this Agreement

US

Amazon Web Services, Inc. 

410 Terry Avenue North, Seattle, WA 98109-5210, United States 

206.266.7010

Data storage; support for performance of this Agreement 

US

Twilio 

101 Spear Street
Fifth Floor
San Francisco, CA 94105
United States 

1-903-500-7655 

Support for performance of this agreement 

US

Mailgun 

112 E Pecan Street
#1135
San Antonio, TX, 78205
United States 

(888) 571-8972 

Support for performance of this agreement 

US

Chargebacks911 

18167 US Hwy 19 North
#600
Clearwater, FL 33764
United States 

[email protected]

Data storage; support for performance of this Agreement 

US

Pendo 

301 Hillsborough Street
Raleigh, NC 27603
United States 

(877) 320-8484

Data storage; support for performance of this Agreement 

US

ChartMogul 

ChartMogul GmbH & Co. KG
c/o WeWork Kemperplatz 1 10785
Berlin, Germany 

[email protected]

Data storage; support for performance of this Agreement 

Germany. Ireland, UK, Italy, France, Spain, Sweden, Switzerland 

Freshworks 

2950 S. Delaware Street
Suite 201
San Mateo, CA 94403
United States 

[email protected]

Data storage; support for performance of this Agreement 

Germany. Ireland, UK, Italy, France, Spain, Sweden, Switzerland, US 

Yext 

61 Ninth Avenue
New York, NY 10011
United States 

[email protected]

Data transfer; support for performance of this Agreement 

US

Zapier 

548 Market Street
#62411
San Francisco, CA 94104
United States

[email protected]

Data storage; support for performance of this Agreement 

Germany. Ireland, UK, Italy, France, Spain, Sweden, Switzerland 

Stripe 

Corporation Trust Center
1209 Orange Street
Wilmington, DE 19801
United States 

[email protected]

Data storage and transfer of payment information 

US

Zoom 

55 Almaden Blvd.
Suite 600
San Jose, CA 95113
United States 

[email protected]

Support for performance of this agreement

US

Authorize.net 

900 Metro Center Boulevard
Foster City, CA 94404
United States 

[email protected]

Payment processing 

US

FirstPromoter 

Igil Webs SRL, Str.
Talmacelului, nr. 30,
Talmaciu, Sibiu, Romania 

[email protected]

Data storage and transfer to run the affiliate program 

US

ClickUp

350 Tenth Ave
Suite 500
San Diego, CA 92101
United States

[email protected]

Data storage for project management 

US

Loom 

5214F Diamond Heights Blvd
#3391
San Francisco, CA 94131
United States

[email protected]

Data storage and transfer for customer support 

US

Open AI

3180 18th Street
San Francisco, CA 94110
United States

mailto:[email protected]

Data storage and transfer of payment information 

US

Meta (for Whats App) 

Meta Platforms, Inc.
ATTN: Privacy Operations
1601 Willow Road
Menlo Park, CA 94025
United States 

[email protected]

Data storage and transfer for communications 

US

Mozart Data 

250 King Street
#514
San Francisco, CA 94107
United States 

[email protected]

Data storage; support for performance of this Agreement 

US

Accredible 

800 West El Camino Real
Suite 180
Mountain View, CA 94040
United States 

16282142701

Data storage; support for performance of this Agreement 

US