This Data Processing Agreement (“DPA”) is an integral part of the Start.io Data License Agreement between Start.io Inc. and/or its affiliates and the Partner (“Data License Agreement”), available at: https://www.start.io/startio-data-license-dpa/. Each of Start.io and Partner may be referred to as a “Party”, and together as the “Parties”.
- Definitions
“Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law), as may be amended from time to time.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.
“Start.io Data” means data collected by Start.io (including, without limitation, IDs) and shared with the Company subject to the Company Agreement and for the purpose of providing the Services.
“Start.io Privacy Policy” means Start.io End User Privacy Policy available at: https://www.start.io/policy/privacy-policy/, as may be amended by Start.io from time to time.
“EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
“ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other Party. For the avoidance of doubt, any Personal Data Breach affecting the other Party’s Personal Data constitutes a Security Incident.
- Applicability
This DPA applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Agreement, including if: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party. Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistics information a party may collect from end users or provide to the other party.
- Relationship of The Parties
The parties acknowledge that they are each a separate and independent Controller of the Personal Data Processed under the Agreement. In no event will the parties Process the Personal Data as joint controllers. Each party shall be individually and separately responsible for complying with the applicable Data Protection Law, including EU Data Protection Law.
- Processing of Personal Data and Compliance with Data Protection Law
(a) Each party shall identify and provide contact details for the contact point within its organization authorized to respond to enquiries concerning Processing of the Personal Data, or for its Data Protection Officer (“DPO”), as applicable. Each party will cooperate in good faith with the other party, the Data Subject and the Supervisory Authority concerning all such enquiries within a reasonable time; (b) a description of the Personal Data Processed is attached as Annex 1A to this DPA; (c) Special Categories of Personal Data shall not be Processed or shared in connection with the performance of each party’s obligations under the Agreement; (d) unless otherwise agreed to in writing by the parties, a party shall not share with the other party any Personal Data relating to children under 16 years old; (e) each Party shall maintain a publicly accessible privacy policy, available via a prominent link, that satisfies the transparency disclosure requirements of Data Protection Law, specifically in compliance with Articles 13 and 14 of the GDPR.
- Rights of Data Subject and Parties Cooperation Obligations
It is agreed that where either party receives a request from a Data Subject in respect of Personal Data Processed by the other party, the receiving party will, where relevant, direct the Data Subject to the other party so that the other party can respond directly to the Data Subject’s request. Both parties shall provide each other with commercially reasonable cooperation and assistance in handling a Data Subject’s request, to the extent permitted under Data Protection Law. In addition, the parties shall cooperate reasonably and in good faith in responding to any correspondence or request from the Commission or a Supervisory Authority in accordance with applicable Data Protection Law.
- Notification of Security Incident
The Company will notify Start.io without undue delay, and in any event within forty-eight (48) hours, upon becoming aware that a Security Incident has occurred. The Company will, as soon as possible, provide Start.io with at least the following information with respect to the Security Incident: (a) a description of the cause and nature of the Security Incident, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the measures being taken to contain, investigate and remediate the Security Incident; (c) the likely consequences and risks for Start.io and its Data Subjects as a result of the Security Incident; and (d) any mitigating actions taken and a proposed plan to mitigate any risks for Data Subjects as a result of the Security Incident. Further, the Company shall (i) immediately and without delay take the steps necessary to contain and remediate the Security Incident, minimize its effects and identify its cause; (ii) cooperate with Start.io and provide Start.io with such assistance and information as it may reasonably require in connection with the mitigation of the Security Incident; and (iii) immediately notify Start.io in writing of any request, inspection, audit or investigation by a Supervisory Authority.
- Technical and Organizational Measures
Start.io has implemented appropriate technical and organizational measures to protect the Personal Data, as detailed at: https://www.start.io/start-io-computer-policy/. The Company shall implement and maintain the technical and organizational measures, and take all other measures, required pursuant to Article 32 of the GDPR, including all organizational and technical security measures necessary to protect Start.io Data against unauthorized or accidental access, loss, alteration, disclosure or destruction (in particular where the Processing involves the transmission of data over a network) and against all other unlawful forms of Processing. In any event, the security measures the Company implements with respect to Start.io Data shall be at least as strict as Start.io’s own.
- Third Party Processor
Each Party acknowledges that, in performing its engagement hereunder, it may transfer Personal Data to and otherwise interact with third-party data Processors. Each party agrees that if and to the extent such transfers occur, the transferring party is responsible for entering into separate contractual arrangements with such third-party Processors binding them to comply with obligations in accordance with Data Protection Law and this DPA.
- Audit
Upon reasonable request of Start.io, the Company will make available its data processing facilities, data files and documentation, as reasonably needed by Start.io, for the purpose of auditing or inspecting the Company to verify compliance with the warranties and undertakings under this DPA (“Audit”). The Audit will be conducted (i) by Start.io or by independent and impartial inspection agents or auditors agreed between the parties; and (ii) on reasonable notice and during regular business hours. Any such request is subject to, and limited by, applicable law.
- Conflict
During the performance of the Agreement, Start.io may share with or transfer Personal Data to the Company. The Parties acknowledge that the Personal Data has been, or is, Processed by Start.io for the Purpose only and pursuant to the Start.io End User Privacy Policy, available at: https://www.start.io/policy/privacy-policy/ (“Start.io Privacy Policy”). The Company is fully responsible (i) for its data collection and Processing practices and its compliance with all applicable laws; and (ii) for analyzing and verifying its rights or lawful basis to Process the Personal Data in light of the consents, authorizations or permissions granted by or obtained from End Users within the scope of the Start.io Privacy Policy or otherwise.
In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of the Start.io Privacy Policy, the Start.io Privacy Policy shall prevail. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail.
* * *
ANNEX 1A OF ANNEX A
DESCRIPTION OF THE TRANSFER
(CONTROLLER TO CONTROLLER)
Data subjects
The Personal Data transferred concerns the Data Subjects in the EEA.
Categories of data
The Personal Data transferred is the Personal Data provided by the data exporter to the data importer in connection with its use of the Services.
Special categories of data
N/A
Purposes of the transfer(s)
The transfer is intended to enable the data importer to determine the purposes and means of the processing of Personal Data obtained through data exporter’s products to facilitate the services provided by Start.io and for advertising to Data Subjects.
Recipients
The Personal Data may be disclosed only to the following recipients or categories of recipients, depending on the Services: (i) third parties that have, or may have, a commercial relationship with the data exporter (e.g., buyers, sellers, advertisers), that have a legitimate business purpose for the processing of such Personal Data and that have been bound to comply with Data Protection Laws and other data protection obligations at least as strict as those found in this DPA; (ii) personnel of the data importer who are involved in sales, business operations or other activities (e.g., a partner’s business email address may be provided to the team to enable them to contact him or her), provided they have been bound to comply with applicable Data Protection Laws and other data protection obligations at least as strict as those found in this DPA with regard to the type of data involved; (iii) third-party service providers (such as CRM database administrators and IT systems and hosting service providers) that have been bound to comply with applicable Data Protection Laws and other data protection terms at least as strict as those found in this DPA, including all technical security, data integrity and audit obligations; (iv) law enforcement or government authorities where necessary to comply with applicable law; and (v) legal counsel or other advisors subject to appropriate non-disclosure agreements or obligations.
Data Transfer
Where EU Data Protection Law applies, neither party shall transfer, or permit to be transferred, any Personal Data shared by the other party to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer complies with EU Data Protection Law.

Last update: January 5, 2021