Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into by and between RewardLion ("RewardLion") and the undersigned party, hereinafter referred to as Customer ("Customer"). The purpose of this DPA is to govern the Processing of Personal Data by RewardLion on behalf of Customer in connection with the provision of business solutions across various sectors and fields.
This Data Processing Agreement (DPA) constitutes an integral component of the Terms of Service (the “Agreement”) and becomes operative upon execution or at another specified time as outlined within the Agreement, an Order, or an executed amendment to the Agreement. In the event of any conflict or inconsistency with the provisions of the Agreement, this DPA shall prevail to the extent of such conflict or inconsistency, thereby superseding any prior agreements.
1. Definitions
- Controller: The Controller is the entity or organization that determines the purposes and means of the processing of Personal Data. In simpler terms, the Controller is the one who decides why and how Personal Data is processed.
- CCPA: California Civil Code Sec. 1798.100 et seq., including the California Consumer Privacy Act of 2018.
- Processor: The Processor is the entity or organization that processes Personal Data on behalf of the Controller. They act under the authority of the Controller and follow their instructions when processing Personal Data.
- Data Subject: The Data Subject is the individual to whom the Personal Data relates. In other words, it's the person about whom the Personal Data pertains. For example, it could be a customer, an employee, or any other individual.
- Personal Data: Personal Data refers to any information relating to an identified or identifiable natural person. This includes information that directly identifies an individual (such as name, email address, identification number) as well as information that, when combined with other data, could identify an individual.
- Personal Data Breach: A Personal Data Breach is a security incident in which Personal Data is accessed, disclosed, altered, or destroyed without authorization. It compromises the confidentiality, integrity, or availability of the Personal Data.
- Process and Processing: Process and Processing refer to any operation or set of operations performed on Personal Data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
- Customer Personal Data: Information relating to an identified or identifiable individual within Customer Data provided under the Agreement and protected under Data Protection Laws.
- Data Protection Laws: Applicable worldwide legislation relating to data protection and privacy.
- European Data Protection Laws: Data protection laws applicable in Europe, including GDPR, Directive 2002/58/EC, UK GDPR, and Swiss DPA.
- GDPR: General Data Protection Regulation (EU) 2016/679, and the retained UK version.
- Standard Contractual Clauses: Standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021.
- UK Addendum: International Data Transfer Addendum issued by the UK Information Commissioner under the Data Protection Act 2018.
2. TERMS AND CONDITIONS
2.1 Compliance: Both parties commit to adhering to all relevant requirements stipulated by Data Protection Laws. This provision supplements the parties' existing obligations and rights under Data Protection Laws and does not absolve, diminish, or replace such obligations or rights.
2.2 Controller/Processor: The parties have mutually agreed that, pursuant to Data Protection Laws, RewardLion shall function as the processor of Customer Personal Data on behalf of the Customer. The Customer may assume the role of either a Controller or Processor under Data Protection Laws.
2.3 Consents: The Customer warrants that it has obtained all necessary and appropriate consents and notifications to facilitate the lawful transfer of Customer Personal Data to RewardLion. Additionally, the Customer assures the lawful collection of such data by utilizing RewardLion Services for the duration and purposes outlined in the Agreement and DPA. The Customer agrees to indemnify RewardLion against any losses or damages, including fines, resulting from a failure to fulfill this obligation.
2.4 Customer Personal Data: Annex A delineates the scope, nature, and purpose of processing Customer Personal Data by RewardLion. It also specifies the duration of processing, the types of Customer Personal Data involved, and the categories of Data Subjects affected.
2.5 Customer Instructions: RewardLion undertakes to process Customer Personal Data solely in accordance with documented instructions provided by the Customer, except where compelled by applicable laws to deviate from such instructions. The Agreement and DPA constitute the primary instructions from the Customer, although the parties may agree to additional instructions. RewardLion commits to notifying the Customer if, in its judgment, the Customer's instructions contravene Data Protection Laws.
2.6 CCPA and Application: The parties acknowledge that if the CCPA applies, Customer assumes the role of a “Business” while RewardLion acts as a “Service Provider” as defined under the CCPA. RewardLion shall not retain, use, or disclose California Personal Information collected pursuant to the Agreement for purposes other than performing the Agreement or as permitted by the CCPA. Furthermore, RewardLion shall not retain, use, or disclose California Personal Information collected pursuant to the Agreement outside the direct business relationship between RewardLion and Customer, unless authorized by the CCPA. RewardLion shall refrain from "selling" or "sharing" California Personal Information as defined in the CCPA or combining California Personal Information with personal information acquired from sources other than Customer, except to the extent necessary to fulfill the Agreement. The Customer may request, and RewardLion shall furnish, reasonable evidence of compliance with this section.
2.7 Sub-processors: The Customer grants prior, general authorization for RewardLion to appoint Processors to process Customer Personal Data, provided that RewardLion ensures that the terms on which it appoints such processors comply with Data Protection Laws and align with the obligations imposed on RewardLion herein. RewardLion remains responsible for the acts and omissions of any such Processor as if they were RewardLion's own. Currently, RewardLion has appointed the third parties listed in Annex C to this DPA as Sub-Processors. RewardLion shall notify Customer at least 30 days prior to adding or replacing any Sub-Processors listed in Annex C, provided that Customer opts in to receive such notifications by contacting RewardLion. RewardLion shall afford substantially the same protections for Customer Personal Data as those outlined in the DPA.
2.8 Transfer of European Data
2.8.1 RewardLion shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data under applicable European Data Protection Laws, unless it takes all necessary measures to ensure compliance with such laws. These measures may include transferring Personal Data to a recipient covered by a suitable framework or other legally adequate transfer mechanism recognized by relevant authorities or courts, a recipient with binding corporate rules authorization in accordance with European Data Protection Laws, or a recipient that has executed appropriate standard contractual clauses adopted or approved in accordance with applicable European Data Protection Laws.
2.8.2 The parties acknowledge that, in performing the Service, RewardLion may receive European Data in the United States. Subject to subsection 2.8.3 below, the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as outlined below:
- EEA Transfers: In connection with European Data governed by the General Data Protection Regulation (GDPR), it is hereby established that the party acting as the "data exporter" is the Customer, while the role of the "data importer" is assumed by RewardLion. In scenarios where the Customer functions as a Controller of European Data, the terms of Module Two are applicable, and when the Customer serves as a Processor of European Data, the provisions of Module Three come into effect. The inclusion of the optional docking clause in Clause 7, the mandatory notification of Sub-Processor changes in Clause 9, and the removal of optional language in Clause 11 are integral aspects of this arrangement. Additionally, Clauses 17 and 18 stipulate that disputes arising under the Standard Contractual Clauses will be governed by the laws of the Republic of Ireland, without recourse to conflicts of law principles. The Annexes of the Standard Contractual Clauses are deemed complete with the information outlined in the Annexes of this Data Processing Agreement (DPA). It is expressly acknowledged that, in the event of any conflict, the Standard Contractual Clauses shall prevail to the extent of such inconsistency.
- UK Transfers: In the context of European Data subject to the UK GDPR, the application of the Standard Contractual Clauses is mandated, albeit with specific modifications. Noteworthy is the fact that these Standard Contractual Clauses are adjusted and interpreted in strict accordance with the UK Addendum, which is hereby incorporated by reference and forms an integral part of the Agreement. Tables 1, 2, and 3 of the UK Addendum are deemed completed with the information set out in the Annexes of this DPA, and Table 4 is considered completed by selecting the option "neither party." Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
- Swiss Transfers: In the context of European Data subject to the Swiss Data Protection Act (DPA), the application of the Standard Contractual Clauses is mandated, but with specific modifications. Pertinently, references to "Regulation (EU) 2016/679" are construed as references to the Swiss DPA, while references to "EU," "Union," and "Member State law" are understood as references to Swiss law. Moreover, references to the "competent supervisory authority" and "competent courts" are replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland," respectively.
2.8.3 If RewardLion cannot fulfill its obligations under the Standard Contractual Clauses or breaches any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and Customer intends to suspend the transfer of European Data to RewardLion or terminate the Standard Contractual Clauses or UK Addendum, Customer agrees to provide RewardLion with reasonable notice to rectify such non-compliance. Customer shall reasonably cooperate with RewardLion to identify additional safeguards, if necessary, to remedy such non-compliance. If RewardLion fails to remedy the non-compliance, Customer may suspend or terminate the affected Service in accordance with the Agreement without liability to either party (subject to fees incurred prior to such suspension or termination).
3. RewardLion Obligations
3.1 Implement and uphold appropriate technical and organizational measures to safeguard Customer Personal Data against Personal Data Breaches, as delineated in Annex B to this DPA ("Security Measures"). Notwithstanding any contrary provision, RewardLion may modify or update the Security Measures at its discretion, provided that such modifications or updates do not result in a significant degradation in the protection afforded by the Security Measures.
3.2 Ensure that all personnel engaged and authorized by RewardLion to process Customer Personal Data have pledged to maintain confidentiality or are subject to an appropriate statutory or common law duty of confidentiality.
3.3 Assist the Customer, to the extent reasonably feasible (taking into consideration the nature of the Processing and available information), and at the Customer's expense and written request, in addressing any Data Subject requests and ensuring the Customer's compliance with its obligations under Data Protection Laws concerning security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.
3.4 Promptly notify the Customer upon becoming aware of a Personal Data Breach involving Customer Personal Data.
3.5 Upon the written direction of the Customer, either delete or return Customer Personal Data and its copies to the Customer upon termination of the Agreement, unless required by applicable law to continue processing such Customer Personal Data. For the purposes of this provision, Customer Personal Data shall be deemed deleted if it is rendered unusable by RewardLion.
3.6 For European Data, aid the Customer in ensuring compliance with Articles 32 to 36 of the GDPR, provide all reasonably necessary information to demonstrate compliance with this DPA to the Customer, facilitate and reasonably contribute to audits and inspections conducted by the Customer to assess compliance with this DPA as required by Data Protection Laws, and furnish all reasonably necessary information to demonstrate compliance with GDPR Article 28 requirements for Processors.
3.7 Maintain records to evidence compliance with this provision.
4. This DPA, Amendments, and Annexes
This DPA has the following Annexes attached to it:
- Annex A: Details of Processing
- Annex B: Added to the Standard Contractual Clauses
- Annex C: RewardLion Sub-processors
ANNEX A - Details of Processing
A. List of Parties
Data exporter:
- Name: [Customer's Name], as defined in RewardLion’s Terms of Service
- Address: [Customer's Address] as specified by your Platform Account
- Contact person’s name, position, and contact details: [Customer's Contact Person], [Contact Person's Position], [Contact Details] as specified by your Platform Account
- Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties as a Controller.
- Role (controller/processor): Controller or Processor
Data importer:
- Name: RewardLion
- Address: Global Digital Business Solution - 333 Las Olas Way # Cu-1, Suite 1, Fort Lauderdale, Florida 33301
- Email Address: [email protected]
- Telephone number: 1(800)-876-8984
- Contact person’s name, position, and contact details: Mike Ibrahim, CEO, P: 1-800-876-8984 Ext. 700, Email: [email protected]
- Activities relevant to the data transferred under these Clauses: Performance of the Agreement between the parties.
- Role (controller/processor): Processor
B. Description of Transfer
- Categories of Data Subjects whose Personal Data is Transferred: Customers and potential customers of clients.
- Categories of Personal Data Transferred: Personal Data input and collected as decided by the Customer, including name, age, date of birth, phone number, email address, social media profiles.
- Sensitive Data transferred and applied restrictions or safeguards: The parties do not anticipate the transfer of sensitive data.
- Frequency of the transfer: Variable during the Agreement term.
- Subject Matter and Nature of the Processing: RewardLion will provide Services to the Customer under the Agreement between the parties. The Customer will use the Services to collect and process Personal Data of their customers and potential customers for managing and carrying out marketing activities, which may be targeted to their customers and potential customers.
- The Processing will involve collecting, storing, recording, contacting, and managing Personal Data, particularly for running marketing campaigns, providing marketing services, and managing marketing generally.
- Purpose of the transfer and further Processing: RewardLion will Process Personal Data necessary to provide the Service pursuant to the Agreement, as specified in an order form, and as further instructed by Customer in Customer’s use of the Service.
- Period for which Personal Data will be retained: The duration of the period in which the Customer accesses and uses the RewardLion platform under the Services Agreement.
C. Competent Supervisory Authority:
- For the purposes of the Standard Contractual Clauses, the supervisory authority acting as the competent supervisory authority will be determined in accordance with the Transfer Mechanisms for Data Transfers section of this DPA.
ANNEX B – Added to the Standard Contractual Clauses
The delineation of technical and organizational security measures undertaken by the data importer pursuant to Clause 4(d) and Clause 5(c).
Measure | Description |
---|---|
Measures of pseudonymization and encryption of personal data | All personal data at rest is encrypted with AES-256 CBC. All personal data in transit is encrypted with TLS v1.2+. |
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services | Endpoint protection on APIs. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner | Personal data backed up on AWS and Google Cloud with 5-minute granularity to enable Processor to restore personal data in case of an incident. |
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services | Encrypted signed tokens and role-based authorizations; password protection. |
Measures for the protection of data during transmission | SSL certificates and HTTPS during personal data transmission. Protected with TLS v1.2+. |
Measures for the protection of data during storage | Personal data is encrypted at rest with AES-256 CBC encryption. |
Measures for ensuring physical security of locations at which personal data are processed | Managed services to ensure physical security of server locations. All personal data stored on AWS and Google Cloud, with physical security described in AWS and Google Cloud Ts&Cs, respectively. |
Measures for ensuring events logging | Logging for all user actions and audit logs. Use of Google Cloud ops for application and infrastructure monitoring. Use of AWS’s CloudWatch. |
Measures for ensuring system configuration, including default configuration | Configurations stored in version control. Containers created from standardized images hosted by AWS and Google Cloud. Updates and upgrades performed automatically and managed by Google Cloud. Patching managed by Google Cloud. |
Measures for internal IT and IT security governance and management | Use of a third-party vendor (iWerk) for internal IT and IT security. |
Measures for certification/assurance of processes and products | Issuance of a HIPAA Seal of Compliance Certificate by the Compliancy Group. |
Measures for ensuring data minimization | Minimum data requirement set by Processor. Users can decide not to enter personal data into optional fields. |
Measures for ensuring data quality | Enablement of customers to update relevant personal data to the latest date, and use of two-factor authentication. Application monitoring conducted by Google Cloud and custom monitors. |
Measures for ensuring accountability | Restricted Processor access to personal data based on rules. |
Measures for allowing data portability and ensuring erasure | Customers can download their personal data from within the Service. Customers can request a copy or deletion of their personal data upon separation. Processor uses support tickets to ensure the foregoing. |
Describe the specific technical and organizational measures to be taken by the Data Importer to provide assistance to the Data Exporter:
- Self-Service: Personal data can be downloaded by customers from within the Service. Customer admins can set data retention for terminated personnel.
- Customer and Product Support: FAQs, support tickets for specific queries not addressed by collateral on Processor customer/product support website.
ANNEX C – Sub-processors
RewardLion Affiliate Sub-processors
Name of Authorized Subcontractor | Address | Contact Information | Description of Processing | Country of Sub-processing |
---|---|---|---|---|
HighLevel India | HighLevel India Private Limited C/O 91 Springboard Business Hub Private Limited, B1/H3, Mohan Co-operative, Mathura Road, Industrial Area, Block B, Pul Pahladpur, New Delhi - 110044, India | | Data storage; support for performance of this Agreement | India |
LeadConnector LLC | 400 North Saint Paul St. Suite 920, Dallas, TX 75201 | | Data storage; support for performance of this Agreement | US |
Third-party Sub-processors
Name of Authorized Subcontractor | Address | Contact Information | Description of Processing | Country in which Sub-processing will take place |
---|---|---|---|---|
Google LLC/Google Cloud Services | 1600 Amphitheatre Parkway, Mountain View, California 94043, United States | | Data storage; support for performance of this Agreement | US |
Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109-5210, United States | 206.266.7010 | Data storage; support for performance of this Agreement | US |
Twilio | 101 Spear Street | 1-903-500-7655 | Support for performance of this Agreement | US |
Mailgun | 112 E Pecan Street | (888) 571-8972 | Support for performance of this Agreement | US |
Chargebacks911 | 18167 US Hwy 19 North | | Data storage; support for performance of this Agreement | US |
Pendo | 301 Hillsborough Street | (877) 320-8484 | Data storage; support for performance of this Agreement | US |
ChartMogul | ChartMogul GmbH & Co. KG | | Data storage; support for performance of this Agreement | Germany, Ireland, UK, Italy, France, Spain, Sweden, Switzerland |
Freshworks | 2950 S. Delaware Street | | Data storage; support for performance of this Agreement | Germany, Ireland, UK, Italy, France, Spain, Sweden, Switzerland, US |
Yext | 61 Ninth Avenue | | Data transfer; support for performance of this Agreement | US |
Zapier | 548 Market Street | | Data storage; support for performance of this Agreement | Germany, Ireland, UK, Italy, France, Spain, Sweden, Switzerland |
Stripe | Corporation Trust Center | | Data storage and transfer of payment information | US |
Zoom | 55 Almaden Blvd. | | Support for performance of this Agreement | US |
Authorize.net | 900 Metro Center Boulevard | | Payment processing | US |
FirstPromoter | Igil Webs SRL, Str. | | Data storage and transfer to run the affiliate program | US |
ClickUp | 350 Tenth Ave | | Data storage for project management | US |
Loom | 5214F Diamond Heights Blvd | | Data storage and transfer for customer support | US |
Open AI | 3180 18th Street | [email protected] | Data storage and transfer of payment information | US |
Meta (for WhatsApp) | Meta Platforms, Inc. | | Data storage and transfer for communications | US |
Mozart Data | 250 King Street | | Data storage; support for performance of this Agreement | US |
Accredible | 800 West El Camino Real | 16282142701 | Data storage; support for performance of this Agreement | US |