Data Processing Agreement

Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into between Social Intents and Customer (jointly “the Parties”), and forms a part of the Services Agreement between the Parties, and reflects the Parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of the Data Protection Laws.

By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Social Intents Processes Personal Data for which such Authorized Affiliates qualify as the Controller (or for the purposes of the CCPA - as defined below - as a Business). For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.

This DPA is effective on the date that it has been duly executed by both Parties (“Effective Date”), and amends, supersedes and replaces any prior data processing agreements that the Parties may have entered into. Any modifications to the terms of this DPA (whether handwritten or otherwise) will render this DPA ineffective unless Social Intents has separately agreed to those modifications in writing.

1. Definitions

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Authorized Affiliate” means Customer's Affiliate(s) which are subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. Customer shall be responsible for the acts and omissions of its Authorized Affiliates under this Agreement to the same extent Customer would be responsible for its own acts and omissions under the same.
1.3. “CCPA” means the California Consumer Privacy Act and any implementing, derivative, or related legislation, rule, regulation, or regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.
1.4. “Covered Services” or “Services” means the services that are ordered by the Customer from Social Intents involving the Processing of Personal Data on behalf of the Customer.
1.5. “Customer” means the entity that signed the Services Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the “Controller” of the Personal Data provided pursuant to this DPA.
1.6. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Data transmitted, stored or otherwise Processed.
1.7. “Data Protection Laws” means any applicable law, statute, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of the Service Agreement, including the laws of the UK Data Protection Act 2018, the EU General Data Protection Regulation (“GDPR”), and the CCPA, as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Service Agreement.
1.8. “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person (‘Data Subject’) that is subject to the Data Protection Laws, which is provided by or on behalf of Customer and Processed by Social Intents pursuant to the Services Agreement.
1.9. “Regulator” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.10. “Services Agreement” means any agreement between Social Intents and Customer under which Covered Services are provided by Social Intents to Customer.
1.11. “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Customer Personal Data to Data Processors Established In Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010, and any amendments to same by the European Commission.
1.12. “Subprocessor” means any Processor engaged by Social Intents to Process Personal Data on behalf of Social Intents.

2. Services Agreement

2.1. This DPA supplements the Services Agreement and in the event of any conflict between the terms of this DPA and the terms of the Services Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA.

3. Data Protection Laws

3.1. Roles of the Parties. The Parties acknowledge and agree that Social Intents will Process the Personal Data in the capacity of a Processor (or, for the purposes of the CCPA, as a Service Provider) and that Customer will be the Controller of the Personal Data (or, for purposes of the CCPA, will be a Business).
3.2. DPO. To the extent required by the GDPR, the Parties will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party where required by the Data Protection Laws.

4. Obligations of the Controller

4.1. Instructions. Customer warrants that the instructions it provides to Social Intents pursuant to this DPA will comply with Data Protection Laws.
4.2. Data Subject and Regulator Requests. Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require Social Intents' assistance, Customer shall immediately notify Social Intents in writing of the Data Subject’s or Regulator’s request.
4.3. Notice, Consent and Other Authorizations. Customer agrees that the Personal Data will be collected in compliance with Data Protection Laws, including all legally required consents, approvals and authorizations. Upon Social Intents' request, Customer shall provide adequate proof of having properly obtained all such necessary consents, authorizations and required permissions. Customer shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which Customer acquired the Personal Data.
4.4. CCPA. The parties acknowledge and agree that the Personal Information it discloses to Social Intents for Processing pursuant to the Services Agreement is for a Business Purpose.

5. Details of Processing Activities

5.1. The following table sets out the details of Processing:
Purposes for which the Personal Data shall be processed
  • Social Intents will Process Personal Data for the purpose of providing the Covered Services described in the Services Agreement.
  • Customer may submit Personal Data to the Services, and may request for its customers (“End Users”) to submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion
Description of the categories of the data subjects
  • Natural persons who submit personal data to Customer via use of the Services
  • Natural persons who are employees, representatives, or other business contacts of Customer
Description of the categories of Personal Data
  • Personal Data processed includes: name, email address, phone number, and/or other personal information;
  • Personal Data about End Users that Customer provides to the Service or through your End User’s interaction with the Services;
  • Personal Data from Add-ons and other third-party services you use in conjunction with our Services;
  • Data about Customers and End Users' use of the Services, such as but not limited to interactions with the user interface to the Services, and the Internet Protocol Address for the computers with which you use to connect to the Service.

6. Obligations of the Processor

6.1. Scope of Processing. Social Intents will Process the Personal Data on documented instructions from Customer in such manner as is necessary for the provision of Services under the Service Agreement, except as may be required to comply with any legal obligation to which Social Intents is subject. Social Intents may make reasonable effort to inform Customer if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe on any Data Protection Laws based on Social Intents' actual knowledge of Customer’s Processing of Personal Data. In the event Social Intents must Process or cease Processing Personal Data for the purpose of complying with a legal obligation, Social Intents will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
6.2. Data Subject and Regulator Requests. Social Intents will promptly notify Customer in writing of any complaints, questions or requests received from Data Subjects or Regulators regarding the Personal Data. Taking into account the nature of the Processing and to the extent reasonably possible, Social Intents will assist Customer in fulfilling Customer’s obligations in relation to Articles 13 and 14 of the GDPR, and Data Subject requests, under applicable Data Protection Laws.
6.3. Retention. Upon Customer’s written request, Social Intents will destroy all Personal Data in its possession or return the Personal Data to Customer, as requested. Notwithstanding the foregoing, any return or destruction shall be subject to all applicable laws (including, without limitation, Data Protection Laws), regulations and Social Intents' compliance policies.
6.4. Disclosure to Third Parties. Except as expressly provided in this DPA, Social Intents will not disclose Personal Data to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Personal Data, to the extent legally permissible and practicable, Social Intents will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
6.5. Confidentiality. Social Intents will restrict access to the Personal Data to its personnel (and the personnel of its Affiliates) and to its Subprocessors who need access to meet Social Intents' obligations under the Services Agreement. Further, Social Intents will ensure that all such personnel and Subprocessors are informed of the confidential nature of the Personal Data and have undertaken training on how to handle such data. Social Intents will ensure that personnel authorized to Process the Personal Data are subject to binding confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
6.6. GDPR Articles 32-36. Taking into account the nature of the Processing and the information available to Social Intents, Social Intents will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
6.7. Use of Personal Information. For purposes of the CCPA, Social Intents shall not retain, use, or disclose the Personal Information for any purpose other than to perform the Services or otherwise as permitted by the CCPA. The restrictions of this Section do not apply to Deidentified or Aggregate Consumer Information.
6.8. Information Security. Taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, Social Intents will take appropriate steps to implement and maintain adequate organizational and technical measures designed to protect the confidentiality, integrity and availability of the Personal Data it Processes on Customer’s behalf (the “Security Measures”). All of the Personal Data Social Intents Processes is stored in the cloud. Social Intents uses only top-tier cloud providers that have confirmed they have implemented and maintain Security Measures in compliance with Article 32 of the GDPR, in storing and keeping secure Personal Data.

7. Audit

7.1. Scope. Social Intents will maintain records of its Processing activities as required by the Data Protection Laws and will make available to Customer information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Customer’s inspection rights under this DPA do not extend to Social Intents' employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.
7.2. Process. Subject to reasonable written notice from Customer and at the Customer's additional expense, Social Intents will permit audits conducted by an independent third-party auditor that is not a competitor to Social Intents acting on Customer’s behalf to enable Customer to verify that Social Intents is in compliance with material obligations under this DPA. Audits and inspections will be carried out at mutually agreed times during regular business hours and no more than once annually.
7.3. Confidentiality. All information obtained during any such request for information or audit will be considered Social Intents' confidential information under the Services Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Social Intents' confidential information. The third party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.

8. Contracting with Subprocessors

Customer hereby consents generally to Social Intents' engagement of Subprocessors in connection with the processing of the Personal Data. Upon written request from Customer, Social Intents will make the list of applicable Subprocessors available to Customer. Customer may reasonably object to any such Subprocessor within 15 days of receiving such list, in which case Social Intents will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid Processing by such Subprocessor. If Social Intents is unable to provide an alternative, Customer may terminate the Services.

9. Information Obligations and Incident Management

9.1. Data Breach. Social Intents will notify Customer of any Data Breach of which it becomes aware without undue delay consistent with measures necessary to determine the scope of the breach and to restore the integrity of Social Intents' systems. Social Intents will use reasonable efforts to investigate the Data Breach and take any actions that are reasonably necessary to mitigate damage, as required by law and as appropriate under the circumstances.
9.2. Notification. Social Intents' notification of a Data Breach, to the extent known, will include: (a) the nature of the Data Breach; (b) the date and time upon which the Data Breach took place and was discovered; (c) the number of Data Subjects affected by the incident; (d) the categories of Personal Data involved; (e) the measures – such as encryption, or other technical or organizational measures – that were taken to address the incident, including measures to mitigate the possible adverse effects; (f) the name and contact details of the data protection officer or other contact; and (g) a description of the likely consequences of the Data Breach.
9.3. Coordination. Social Intents will reasonably assist Customer in fulfilling its obligations to notify Data Subjects and the relevant authorities in relation to a Data Breach, provided that nothing in this section shall prevent either Party from complying with its obligations under Data Protection Laws. The Parties agree to coordinate in good faith on developing the content of any related public statements.

10. Obligations Post Termination

Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.

11. Liability and Indemnity

Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Services Agreement.

12. Severability

Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.

13. Mutual Notice

Any notice, consent, instruction or communication related to this DPA will be provided in writing to the Company email address specified in the signature block below. All notices to Social Intents must be provided via email to service@socialintents.com.

Signed for and on behalf of the Customer

Print name:
Company email address:
Company name:
Title:
Date:

Signed for and on behalf of Social Intents

Print name:
Company email address:
Company name:
Title:
Date: