Master Service Agreement - Data Processing Agreement
Client Data Processing Addendum for Tambourine
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement between (“Client”) and Tambourine (“Tambourine”) (“MSA”) which was executed on the date of the signed Service Agreement by the Parties for the purpose of having Tambourine provide its Services to Client. Together, this DPA and the MSA form the “Agreement.”
As demonstrated by their respective signatures, both Client and Tambourine agree that if there is a conflict between the terms and/or clauses of this DPA and the MSA, the terms and clauses of this DPA will take precedence over, control, and supersede any term or clause to the contrary in the MSA. Client and Tambourine are each referred to as a “Party” and collectively referred to as “Parties” in this Agreement.
THE PARTIES AGREE AS FOLLOWS:
1. Definitions.
Unless otherwise defined below, all capitalized terms in this DPA shall have the meaning given to them in the Agreement:
“Adequate Country” means a country that The European Commission, the United Kingdom’s (“UK”) Information Commissioner’s Office or the Swiss Federal Data Protection and Information Commissioner (as applicable based on respective area of competence) has determined as ensuring an adequate level of data protection for data transfers.
“Applicable Data Protection Law(s)” means all laws, statutes, rules, regulations, or ordinances relating to data protection, privacy, data security, security breach notification, and the collection, use, processing, sharing, selling and storage of Personal Data under the Agreement in any jurisdiction in the United States and the District of Columbia, European Union, United Kingdom or Switzerland, including any and all future amendments thereto or applicable laws.
“Controller” shall have the meanings given in Applicable Data Protection Law, and includes a “Business” under U.S. laws, and in this DPA means Client.
“Data Subject” or “Consumer” shall have the meaning as the terms are defined in the Applicable Data Protection Law.
“Data Privacy Framework” means the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework, set forth by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration.
“EEA” means the European Economic Area.
“Personal Data” means any information that is linked or reasonably linked to an identified or identifiable natural person (Data Subject), household, including via a device, that is a consumer or business to business customer of Client and that is protected as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
“Processing”, “Processed”, and “Process” means any operation or sets of operations performed upon the Personal Data by automated means or otherwise, including the collection, sell or share, combination, retention, use, or disclosure of such Personal Data.
“Processor” shall have the meanings given in Applicable Data Protection Law and includes a “Service Provider” and “Contractor” under US law, and in this DPA means Tambourine.
“Security Breach” means any incident, resulting in unintentional or illegal destruction, misplacement, modification, or unauthorized theft, sharing or access to Personal Data that is computerized data and that is Processed by Tambourine under this DPA.
“Special Categories of Personal Data” or “Sensitive Data” shall have the meanings given in Applicable Data Protection Law.
“Third Country” means a country outside of the EEA, the UK or Switzerland (as applicable) which is not an Adequate Country.
The terms “Business”, “Cross-Contextual Advertising”, “Profiling”, “Sale”, “Share” and “Targeted Advertising” shall have the meanings as set forth in Applicable Data Protection Law.
2. Relationship and Roles of the Parties.
2.1. Client appoints Tambourine as a Processor to Process the Personal Data described in Appendix 1 for the purposes of providing the Services to Client and complying with Tambourine’s obligations under the Agreement as further described in Appendix 1 (or as reasonably instructed in writing by Client, to the extent consistent with the terms of the Agreement) (the “Permitted Purpose”). Client shall ensure that its instructions comply with Applicable Data Protection Law and that the Personal Data submitted to Tambourine is limited to what is necessary for the purpose for which it is Processed. Notwithstanding the foregoing, Tambourine may use the Personal Data to improve its Services for all of its customers, to prevent fraud, for aggregated or deidentified analytics, or for other purposes permitted under Applicable Data Protection Laws.
2.2. Tambourine shall not Process the Personal Data outside the direct business relationship between the Parties and for any purpose (including any commercial purpose) other than the Permitted Purpose and as otherwise permitted by Applicable Data Protection Law and this DPA. Tambourine shall not: (a) Sell or Share to third parties Personal Data; (b) Process Personal Data for the commercial benefit of Tambourine or any of Tambourine’s other clients; (c) use, Sell, or Share Personal Data for Cross-Context Advertising, Targeted Advertising, or Profiling; (d) combine or update Personal Data with Personal Data where the Data Subject has opted out or requested that their Personal Data be deleted or erased; and (e) to the extent aggregated or deidentified, re-identify, or attempt to do so with, any Personal Data or any portions thereof.
2.3. Tambourine shall promptly notify Client if it determines that: (a) a Client instruction infringes Applicable Data Protection Law, or (b) it can no longer meet its obligations under Applicable Data Protection Law. Tambourine shall promptly notify Client in writing before Processing Personal Data other than in accordance with its instructions.
2.4. Each Party shall comply with its respective obligations under Applicable Data Protection Law.
2.5 Client shall ensure that its privacy policy and/or related privacy or data protection notices will disclose to consumers in a clear and transparent manner Client’s collection, use, sharing, disclosure, sale, storage and security of Personal Data, in accordance with Applicable Data Protection Laws as defined in this Addendum, including without limitation, Tambourine’s processing. Client is solely responsible and liable for its privacy, data protection and data security compliance with respect to the Tambourine Services, including any and all third party technology.
3. Data Transfer.
3.1 Tambourine shall not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to a Third Country or outside of where the Personal Data is collected, without prior written consent of Client. Client acknowledges that Tambourine has offices in both Mexico and Columbia that will process the Personal Data.
3.2 Prior to transferring Personal Data to any other Third Country, Tambourine shall review the adequacy of data protection laws in the Third Country and shall apply (where necessary) the appropriate measures to ensure that the transferred Personal Data is subject to an essentially equivalent protection as that is required in its original jurisdiction.
3.4. Client acknowledges that Tambourine has self-certified its adherence to the Data Privacy Framework, as operated by the United States Department of Commerce. In the event that Tambourine withdraws from the Data Privacy Framework or if the Data Privacy Framework is otherwise invalidated in any of its parts, (a) Tambourine will inform Client, and (b) any affected transfers of Personal Data will be subject to such measures as are necessary to ensure their compliance with Applicable Data Protection Law. For the avoidance of doubt, a transfer of Personal Data to a Tambourine entity in the United States certified under the Data Privacy Framework shall be deemed a transfer to an Adequate Country, to the extent that the framework is based on an adequacy decision by the relevant authority.
4. Security & Confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Tambourine shall implement reasonable administrative, technical and organizational measures, insofar as this is possible, to provide a level of security appropriate to the risk (in accordance with Applicable Data Protection Law) to protect the Personal Data from (a) accidental or unlawful destruction, and (b) a Security Breach. All data security practices shall be appropriate to the volume and nature of the Personal Data at use, collected, and stored.
4.2 Tambourine shall process the Personal Data as Confidential Information and shall only share it with authorized persons who need access to the Personal Data for the Permitted Purpose and are subject to a statutory or contractual duty of confidentiality or as explicitly permitted under the Agreement.
5. Subprocessing. Client grants Tambourine the general authorization to engage subprocessors provided that Tambourine: (a) enters into written contractual agreements imposing data protection obligations not less protective than the ones set forth herein; and (b) remains liable for each subprocessor’s compliance with the obligations under this DPA. Tambourine shall conduct due diligence on each subprocessor in accordance with its standard practices and ensure that each subprocessor complies with the Principles of the Data Privacy Framework if such principles apply to the transfer. Tambourine shall maintain a disciplinary process to address any unauthorized access, use, or disclosure of Personal Data by any Subprocessors.
6. Data Subject Rights. Client shall have the sole discretion and responsibility in response to a Data Subject Rights Request, as defined below. Taking into account the nature of the Processing, Tambourine shall assist the Client to respond to: (a) any request from a Data Subject to exercise its rights under Applicable Data Protection Law related to Client’s use of the Services; and (b) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data under the Agreement (each, a “Data Subject Request”). To the extent Client cannot address a Data Subject Request through its use of the Services, Client will be responsible for the costs of any additional assistance provided by Tambourine to respond to such Data Subject Request. If Tambourine directly receives a Data Subject Request, Tambourine will, to the extent legally permitted, promptly provide Client with details of the request, and will not respond to the request unless required by Applicable Data Protection Laws.
7. Security Breach. If Tambourine becomes aware of a Security Breach, Tambourine shall inform Client as soon as is practicable and shall provide reasonable information and cooperation to Client so that Client can fulfill any data breach reporting obligations it may have under Applicable Data Protection Laws. Tambourine shall further take such reasonably necessary measures and actions to mitigate the effects of the Security Breach and shall keep Client informed of all material developments in connection with the Security Breach.
8. Deletion or Return of Data. Tambourine shall, at the Client’s written request, either delete or return all the Personal Data to the Client in such form as the Client reasonably requests within a reasonable time after the termination of this Agreement and delete any other existing copies, except for the Data that must be kept under applicable laws and regulations. For any Personal Data that must be kept after the termination of this Agreement, Tambourine agrees to securely delete the same in a reasonable time period after the legal obligation to keep the same has expired.
9. Review, Assessment and Audit.
9.1 Tambourine shall permit the Client, or an independent auditor appointed by the Client, to conduct one audit per year (unless there is a Security Breach, in which case during such year a second audit is permitted). Audits must occur during Tambourine’s business hours, and without interrupting Tambourine’s business operations and shall include access to the written records of Tambourine to show its compliance with this DPA. Remote audits shall be utilized where possible, with on-site audits occurring only where a walk-through of the premises is required where required by a competent supervisory authority. The Parties shall make available any information provided pursuant to an audit to such supervisory authority. Audits shall not include financial records of Tambourine or any records concerning Tambourine’s other clients.
9.2 Upon reasonable notice to Tambourine, Client may take reasonable and appropriate steps to stop and remediate Client’s unauthorized use of Personal Data received in connection with the Agreement to the extent required under Applicable Data Protection Law.
9.3 Tambourine shall provide the necessary information to Client to enable Client to conduct and document data protection assessments.
10. Transparency Reports.
10.1 Tambourine will not disclose or allow any public authorities to access any Personal Data unless required by law or a judicial or governmental subpoena.
11. Changes to DPA. Tambourine may change this DPA if such change is required to comply with Applicable Data Protection Law, a court order or regulatory guidance. In the event of such change, Tambourine shall notify Client of such change.
The parties have caused this DPA to be executed by their duly authorized representatives on the date(s) shown below.
APPENDIX 1 - PERSONAL DATA PROCESSING
List of Parties
Client: As defined in the MSA
Processor: Tambourine
Address: 100 West Cypress Creek Road, Fort Lauderdale 33309
Role: Processor
Contact Person: Stephen Rosen
Email: s@tambourine.com
Nature and purpose of processing
The purpose of the processing of Personal Data by Tambourine is the performance of the following Services pursuant to the Agreement: website development and hosting and related Services. In addition, the purpose of the Processing of Personal Data by Tambourine includes the following business purposes: improving services, fraud and aggregated analytics.
Duration of Processing
The duration of the Agreement. Or include a shorter period if applicable
Categories of Consumers
Consumers whose Personal Data is subject to processing may include customers, business partners, and employees
Categories of Personal Information
Client may transfer and Tambourine may Process Client Personal Data in order for Tambourine to provide the Services, the extent of which is determined and controlled by Client, which may include, but is not limited to, Client Personal Information concerning the following categories of data:
Last Update June 3, 2025