LAST UPDATED: Sept 2024

Data Processing Agreement

This Data Processing Agreement (hereinafter referred to as “DPA”) has been executed by and between “Tappa Operations Inc.” providing the Services under the Terms of Service (“TOS” or “Terms”) and the Client.

In this DPA, Tappa Operations Inc. (“Tappa”) and the Client (“you”) shall be referred to as “Party” individually and “Parties” jointly.

Regarding the processing activities undertaken by the Parties, Tappa will act as a Processor, and the Client will act as a Controller.

1. Where Tappa will process personal data (“Personal Data”) on behalf of the Client, it shall act as a Processor for the Client and undertakes to comply with the GDPR and these Clauses in accordance with and for the purposes of Article 28 of the GDPR.

2. Tappa undertakes to carry out the Personal Data processing operations in accordance with the obligations imposed by the GDPR, these Clauses and the instructions subsequently issued by the Client. The Processor undertakes to immediately inform the Controller when, in its opinion, it considers that an instruction issued by the Controller violates the GDPR or other legal provisions of national or Union law on data protection.

3. The Controller's instructions are reflected in these clauses. Subsequent instructions may also be issued by the Controller during the processing of personal data, but they must always be documented and kept in writing, including in electronic form, and communicated in advance.

4. The instructions shall include the following details of the processing:

• subject-matter: Performance by the Processor of the services covered by the Terms of Use;

• duration of the processing: Personal Data will be processed only as long as necessary for the performance of the services under the TOS, unless there are deletion or return instructions from the Controller prior to termination of the services;

• nature and purpose of processing: Carrying out the necessary processing operations with regard to Personal Data in order to achieve the purposes pursued by the execution of the services under the Terms of Use;

• type of personal data: Depending on the actual service provided under the Contract, they may cover data in the following categories: general biographical data, and other categories of data specific to the services provided under the Terms of Use;

• categories of data subjects: Depending on the actual service provided under the Terms of Use, they may target the following categories of data subjects: respondents.

5. The Processor and any person acting under his/her authority who has access to personal data shall process them exclusively in accordance with the instructions received from the Controller, solely to perform the Services and not for any other purpose or in any other way, unless they are bound to do so on the basis of a legal provision.

6. If the Processor is required by a legal obligation to process personal data to which he has access in his capacity as a processor of the Controller, he shall notify the Controller of this legal obligation without delay prior to the processing, unless such notification is prohibited by law for important reasons relating to the public interest.

7. The Processor declares that it has designated its employees or contractors who are authorized to carry out any operation relating to the processing of Personal Data only on a need-to-know basis for the purpose of the Service and in accordance with these clauses and the TOS. In this respect, the Processor must ensure that these authorized persons are subject to confidentiality undertakings or professional or legal obligations of confidentiality and that they are duly trained on the principles and measures relating to the protection of Personal Data.

8. The Processor shall take and maintain all security measures referred to in Article 32 of the GDPR, as well as any other appropriate preventive measure to avoid data processing that is not permitted or that is not in accordance with the purposes of providing the Services and the provisions of the GDPR. In the event of a personal data security breach affecting the data processed by the Processor for or on behalf of the Controller, the Processor shall take all necessary and appropriate corrective measures, immediately inform and cooperate with the Controller.

9. The Processor shall assist the Controller in complying with the Controller's obligations relating to the handling of requests to exercise data subjects' rights, the security of personal data, namely those relating to data protection impact assessment and prior consultation, the handling of requests received from public authorities, including the supervisory authority, taking into account the nature of the processing and the information to which the Processor has access.

10. The Processor will return all original documents and will delete or destroy all materials in any medium containing personal data, unless there is a legal obligation for the Processor to store that data. The Processor may continue to retain documents containing personal data where applicable law requires the storage of such personal data (for example, including, but not limited to, legal, tax, financial and accounting, and archiving obligations).

11. The Processor shall provide the Controller with all materials, documents or other information reasonably necessary to enable the Controller to confirm that the Processor has acted in accordance with its data protection obligations under these Clauses.

12. Only by way of exception and only to the extent that the materials, documents and information provided by the Processor to the Controller in accordance with the previous clause would not be sufficient to assess the compliance of the Processor with the data protection obligations under these Clauses, the Controller shall have the right to conduct an inspection at the premises of the Processor. The request for such inspection shall be communicated to the Processor by the Controller at least 5 days in advance.

13. The Controller shall grant the Processor a general written authorization to engage subcontractors. The list of sub-processors, as well as any subsequent changes to the list, shall be communicated by the Processor to the Data Controller. The Data Controller shall have the right to object to the amendment of the list within 30 days of the communication by the Processor, stating the reasons.

14. Where the Controller grants the Processor written consent to disclose personal data to its sub-processors, the Processor shall, prior to such disclosure, enter into a valid and enforceable written contract with such sub-processors, which contract shall include terms that (i) are substantially identical to the obligations applicable to personal data as set out in these clauses, and (ii) require that such sub-processors comply with the terms and conditions of these clauses with respect to the processing of personal data.

15. The Processor hereby declares that the sub-processors will process personal data in Member States of the European Union and the European Economic Area or in countries that ensure adequate protection of personal data in accordance with the European Commission's adequacy decisions in force at the date of signing this Agreement. If the sub-processors intend to process personal data in countries that are not considered adequate by the European Commission, the Processor shall ensure that the sub-processor signs the standard contractual clauses as defined by the ICO/European Commission's decision in force and as applicable at the date of signing this Contract.

US Processing Terms

The following terms apply where Tappa processes personal data subject to the US State Privacy Laws:

1. To the extent Personal Data includes personal information protected under US State Privacy Laws that Tappa processes on behalf of the Controller, Tappa will process such personal data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with the Controller's written instructions, as necessary for the limited and specified purposes identified in this DPA.

2. Tappa will not:

(a) retain, use, disclose or otherwise process such personal data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement or as otherwise permitted under US State Privacy Laws;

(b) “sell” or “share” such personal data within the meaning of the US State Privacy Laws; and

(c) retain, use, disclose or otherwise process such personal data outside the direct business relationship with the Controller and not combine such personal data with personal information that it receives from other sources, except as permitted under US State Privacy Laws.

3. Tappa will inform the Controller if it determines that it can no longer meet its obligations under US State Privacy Laws within the timeframe specified by such laws, in which case the Controller may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of such personal data.

4. To the extent the Controller discloses or otherwise makes available deidentified data to Tappa, or to the extent Tappa creates deidentified data from personal data, in each case Tappa will:

(a) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household;

(b) commit to maintain and use such deidentified data in a de-identified form and to not attempt to re-identify the deidentified data, except that Tappa may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and

(c) before sharing deidentified data with any other party, including Sub-processors, contractors, or any other persons, contractually obligate any such recipients to comply with all requirements of this “US Processing Terms” Section.