Master Service Agreement - Data Processing Agreement
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement (“MSA”) between Client (“Client”) and Tambourine (“Tambourine”), which was executed by the Parties for the purpose of having Tambourine provide its Services to Client. Together, this DPA and the MSA form the “Agreement.”
As demonstrated by their respective signatures, both Client and Tambourine agree that if there is a conflict between the terms and/or clauses of this DPA and the MSA, the terms and clauses of this DPA will take precedence over, control, and supersede any term or clause to the contrary in the MSA. Client and Tambourine are each referred to as a “Party” and collectively referred to as the “Parties” in this Agreement.
WHEREAS:
- Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1 “Applicable Data Security and Privacy Law(s)” shall mean US Data Protection Laws, EU Data Protection Laws, and UK Data Protection Laws, together with any other EU, UK, or United States privacy or data security law that may be applicable to the provision of the Services and/or this Agreement.
1.2 “Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data outside the EEA as may be permitted under EU Data Protection Laws;
1.3 “Business Purpose” shall have the same meaning as the term is defined in the CCPA (Cal. Civ. Code § 1798.140(e)).
1.4 “Collect”, including any variation of that word and any equivalent term where the term “collect” is not specifically used in Applicable Data Security and Privacy Laws, shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws.
1.5 “Commercial Purposes”, and any variation of that term, shall have the same meaning as the term is defined in the CCPA (Cal. Civ. Code § 1798.140(f)).
1.6 “Complaint” means a complaint or request relating to either Party’s obligations under Applicable Data Security and Privacy Laws relevant to the Agreement, including any complaint by a Data Subject or any notice, investigation, or other action by a Supervisory Authority or U.S. regulatory body, such as but not limited to the California Privacy Protection Agency (“CPPA”);
1.7 “Consumer”, and any variation of that word, shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws.
1.8 “Controller” shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws, and in this Agreement means Client.
1.9 “Data Breach Reporting Statute(s)” means any applicable U.S. state or territory law that mandates the reporting of a Personal Data Breach to affected natural persons.
1.10 “Data Subject”, including any variation of that term, shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws, and shall also include Consumers.
1.11 “Data Subject Request” means a request made by a Data Subject to exercise any of the rights of Data Subjects under the Applicable Data Security and Privacy Laws.
1.12 “EEA” means the European Economic Area.
1.13 “EU Data Protection Laws” means the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and laws or regulations implementing or supplementing the GDPR in individual Member States, including any updates to the same;
1.14 “Personal Data” means Personal Information and Sensitive Personal Information.
1.15 “Personal Information” shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws.
1.16 “Personal Data Breach” has the meaning given to that term in Applicable Data Security and Privacy Laws and includes any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Protected Data on systems managed by or otherwise controlled by Processor or any Sub-Processor, excluding unsuccessful attempts or activities that do not compromise the security of Protected Data;
1.17 “Processor” shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws, shall include Service Providers, and in this Agreement means Tambourine.
1.18 “Processing” has the meaning given to that term in Applicable Data Security and Privacy Laws (and related terms such as “process” have corresponding meanings);
1.19 “Protected Data” means any Personal Data received by Tambourine from or on behalf of the Client and processed by Tambourine in connection with the provision of the Services and/or performance of Tambourine’s obligations under the Agreement;
1.20 “Sensitive Personal Information”, and any version or variation of that term, shall have the same meaning as the term is defined in the Applicable Data Security and Privacy Laws.
1.21 “Service Provider” shall have the same meaning as the term is defined in the CCPA (Cal. Civ. Code § 1798.140(ag)).
1.22 “Sub-Processor” means a third party processor engaged by Processor to carry out processing activities in respect of the Protected Data on behalf of the Controller;
1.23 “Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Applicable Data Security and Privacy Laws, including but not limited to the Information Commissioner’s Office, the European Data Protection Board, Data Protection Authorities, and the California Privacy Protection Agency.
1.24 “UK Data Protection Laws” means the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and any implementing or supplementary regulations and laws enacted to support or enhance the same, including any amendments thereto;
1.25 “US Data Protection Laws” means any applicable and relevant US law that governs the privacy rights of Data Subjects and the security of Protected Data, including but not limited to the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100–1798.199.100), as amended by the California Privacy Rights Act of 2020, and its implementing regulations (Cal. Code Regs. tit. 11, §§ 7000 et seq.), including any subsequent updates and amendments thereto (“CCPA”); the Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 to 59.1-584) and any implementing regulations (“VCDPA”); the Utah Consumer Privacy Act (Utah Code Ann. § 13-61-101 et seq.) and any implementing regulations (“UCPA”); the Colorado Privacy Act (C.R.S. §§ 6-1-1301 to 6-1-1313) and its implementing regulations (“CPA”); and the Connecticut Data Privacy Act (Public Act 22-15) and its implementing regulations (“CTDPA”).
- DATA PROCESSOR AND DATA CONTROLLER
2.1 Processor shall only process Protected Data:
- 2.1.1 in compliance with the obligations of Processors and Service Providers under Applicable Data Security and Privacy Laws;
- 2.1.2 as directed by Controller in this DPA; and
- 2.1.3 to provide its Services to the Controller as per the terms of this Agreement.
2.2 Processor shall notify Controller as soon as possible:
- 2.2.1 if it determines that it can no longer meet the obligations contained in this DPA or pursuant to the requirements of Applicable Data Security and Privacy Laws; and
- 2.2.2 if it learns or determines that any processing instructions contained in this DPA or otherwise provided, are not in compliance with Applicable Data Security and Privacy Laws. In such a situation, Controller shall have the right to correct any such processing instructions and re-issue the same to Processor.
2.3 Processor shall not:
- 2.3.1 share or sell the Protected Data that has been shared with the Processor, except to share it with Sub-Processors who are necessary to provide the Services to Controller;
- 2.3.2 use or disclose any Protected Data for any Commercial Purpose, except for the Processor’s Business Purpose of providing the Services as outlined in this Agreement; and
- 2.3.3 retain any Protected Data after the expiration of this Agreement, and it shall either securely destroy the Protected Data or, if requested, return it to Controller;
2.4 Controller shall comply with:
- 2.4.1 all Applicable Data Security and Privacy Laws in connection with the collection and processing of Protected Data and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications and paying all fees required of Controllers under Applicable Data Security and Privacy Laws; and
- 2.4.2 the terms of this Agreement.
2.5 Controller warrants that:
- 2.5.1 all Protected Data sourced by the Controller and/or provided by or on behalf of the Controller to Processor for use in connection with the Services shall comply in all respects, including in terms of its collection, storage, and processing (which shall include, if applicable, the Controller providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Applicable Data Security and Privacy Laws;
- 2.5.2 all of its processing instructions to Processor in respect of Personal Data shall at all times be in accordance with Applicable Data Security and Privacy Laws; and
- 2.5.3 it has undertaken due diligence in relation to Processor’s processing operations, and it is satisfied that:
- 2.5.3.1 Processor’s processing operations are suitable for the purposes for the Processing activities which the Controller has engaged the Processor for; and
- 2.5.3.2 Processor has sufficient expertise, reliability, and resources to implement technical and organizational measures that meet the requirements of Applicable Data Security and Privacy Laws.
2.6 Controller shall not unreasonably withhold, delay, or condition its agreement to any change in the Processor’s Services which may be requested by Processor and which is made in order to ensure that the Processor’s Services and Processor (and each Sub-Processor) can comply with Applicable Data Security and Privacy Laws.
- INSTRUCTIONS AND DETAILS OF PROCESSING
3.1 When Processor processes Protected Data on behalf of the Controller, it:
- 3.1.1 unless required to do so otherwise by applicable law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Controller’s documented instructions as set out in this clause III and Annex 1 (“Data processing details”), as may be updated from time to time by written agreement between the Parties and/or as further specified via the Controller’s use of the Processor’s Services (“Processing Instructions”); and
- 3.1.2 if applicable law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Controller of any such requirement before processing the Protected Data (unless applicable law prohibits such information on important grounds of public interest).
3.2 If the Controller uses any third party applications or other processors in connection with or alongside the Processor’s Services, this DPA does not apply to the processing of any Protected Data in connection with the provision of that third party application and any responsibility for the processing of such Protected Data is between the Controller and the relevant third party provider.
- TECHNICAL AND ORGANIZATIONAL MEASURES
4.1 Processor shall implement and maintain, at its cost and expense, reasonably appropriate technical and organizational measures to:
- 4.1.1 reasonably ensure the security, integrity, availability, and confidentiality of the Protected Data and protect against accidental, malicious, or unauthorized, loss or destruction of, or damage to Protected Data, with such measures to be appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction, or damage and the nature of the Protected Data having regard to the state of technological development and the cost of implementing any measures; and
- 4.1.2 taking into account the nature of the processing, assist the Controller as needed to respond to Data Subject Requests relating to Protected Data (but subject to clause VI below).
- USING STAFF AND OTHER PROCESSORS
5.1 The Processor acknowledges and agrees that:
- 5.1.1 it engages and will use some or all of those Sub-Processors whose details are published in Appendix I to support the provision of Processor’s Services. Controller consents to Processor engaging such Sub-Processors;
- 5.1.2 it will notify Controller in advance of any changes or additions to the list of Sub-Processors used for the processing under this Agreement, and Controller may object to the same, provided that it has reasonable grounds for doing so; and
- 5.1.3 if Controller objects to any change or addition to the list of Sub-Processors, then Processor shall be entitled to address the objection through one of the following options, to be exercised in Processor’s sole discretion:
- 5.1.3.1 cease to use the relevant Sub-Processor;
- 5.1.3.2 take steps suggested by the Controller to address the objection; or
- 5.1.3.3 with Controller’s consent, which shall not be unreasonably withheld, cease to provide the particular Services which involve the relevant Sub-Processor.
5.2 Processor shall, prior to allowing any approved Sub-Processor to perform processing activities or receive Protected Data:
- 5.2.1 ensure that such Sub-Processor has signed a written contract containing obligations which offer materially the same level of protection for the Protected Data as those set out in this DPA and meet the requirements of Applicable Data Security and Privacy Laws.
- 5.2.2 Controller acknowledges and agrees that it has no right to audit or inspect a Sub-Processor’s facilities and premises, and that Processor shall not be obliged to include such rights in the written contract with its Sub-Processors, but that Processor remains liable for the acts and omissions of its Sub-Processors.
5.3 Processor shall ensure that all persons authorized by it (or by any Sub-Processor) to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with applicable law, in which case Processor shall, where practicable and legally permissible, notify the Controller of any such requirement before such disclosure).
- ASSISTANCE WITH THE CONTROLLER’S COMPLIANCE AND DATA SUBJECT RIGHTS
6.1 Processor shall promptly refer all Data Subject Requests it receives to the Controller upon receipt of the request, and shall to the extent necessary, reasonably assist the Controller with Data Subject Requests.
6.2 Processor shall provide such reasonable assistance as the Controller reasonably requires (taking into account the nature of processing and the information available to the Processor) to assist Controller in complying with the Controller’s obligations under Applicable Data Security and Privacy Laws with respect to:
- 6.2.1 security of processing;
- 6.2.2 if applicable, data protection impact assessments (as such term is defined in EU Data Protection Laws);
- 6.2.3 if applicable, prior consultation with a Supervisory Authority regarding high risk processing; and
- 6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Controller in response to any Personal Data Breach, and any remedial action required for a Personal Data Breach.
- INTERNATIONAL DATA TRANSFERS
Processor agrees that if the Protected Data contains the Personal Data of Data Subjects located in the EU or UK, then it will only transfer Protected Data outside of the EEA or, if relevant, the UK pursuant to a contractual mechanism that satisfies the requirements of Commission Implementing Decision (EU) 2021/914 (the EU standard contractual clauses), the International Data Transfer Agreement and the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, and any other relevant Applicable Data Security and Privacy Laws related to such international data transfers.
- RECORDS, INFORMATION AND AUDIT
8.1 Processor shall maintain, in accordance with Applicable Data Security and Privacy Laws, written records of all categories of processing activities carried out on behalf of the Controller.
8.2 Processor shall, in accordance with Applicable Data Security and Privacy Laws, make available to the Controller such information as is reasonably necessary to demonstrate Processor's compliance with the obligations of processors under Applicable Data Security and Privacy Laws and its compliance with this DPA, and allow for and contribute to audits, including inspections, by the Controller (or an auditor mandated by the Controller) for this purpose, subject to clause 5.2.2 and also subject to the Controller:
- 8.2.1 giving Processor reasonable prior notice of such information request, audit, and/or inspection;
- 8.2.2 carrying out no more than one audit or inspection in any calendar year, except where the Controller reasonably believes it necessary due to genuine concerns as to Processor’s compliance with this DPA or where the Controller is required or requested to carry out such an audit or inspection by Applicable Data Security and Privacy Laws and/or a Supervisory Authority;
- 8.2.3 ensuring that all information obtained or generated by the Controller or its auditor(s) in connection with such information requests, inspections, and audits is kept strictly confidential (save for disclosure to the Supervisory Authority if required or as otherwise required by applicable law);
- 8.2.4 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Processor's business;
- 8.2.5 ensuring that, if it is using an auditor, such auditor is not a direct competitor of Processor; and
- 8.2.6 paying Processor’s reasonable costs for assisting with the provision of information and allowing for and contributing to such inspections and audits.
8.3 Information and audit rights under this Section VIII only arise to the extent that the Agreement does not otherwise give the Controller information and audit rights meeting the relevant requirements of Applicable Data Security and Privacy Laws.
- PERSONAL DATA BREACH NOTIFICATION
9.1 In respect of any Personal Data Breach involving Protected Data, Processor shall, without undue delay, notify the Controller of the Personal Data Breach and provide the Controller with details of the Personal Data Breach.
9.2 In the event that the Controller becomes aware of a Personal Data Breach related to Processor’s systems or otherwise in connection with the Services, it shall, without undue delay, notify Processor of the Personal Data Breach and provide Processor with details of the Personal Data Breach.
9.3 Processor will assist Controller in meeting its obligations to provide notification of a Personal Data Breach to both the Supervisory Authorities and Data Subjects (when and where legally required under Applicable Data Security and Privacy Laws).
9.4 Controller is solely responsible for complying with notification obligations for Personal Data Breaches under Applicable Data Security and Privacy Laws, including providing notification to the relevant Supervisory Authorities and Data Subjects (where required).
- DELETION OR RETURN OF PROTECTED DATA AND COPIES
Processor shall, at the Controller’s written request, either delete or return all the Protected Data to the Controller in such form as the Controller reasonably requests within a reasonable time after the termination of this Agreement, and delete any other existing copies, except for the Protected Data that must be kept under applicable laws and regulations. For any Protected Data that must be kept after the termination of this Agreement, Processor agrees to securely delete the same as soon as the legal obligation to keep it has expired.
Appendix I / Sub-Processors
- Mailchimp: Email marketing and communications platform
- Meta (and all related entities): Digital advertising and marketing
- Google: Analytics and advertising services
- Google BigQuery: Data warehouse and analytics services
- Adara: Online marketing platform
- Sojern: Digital marketing platform
- Microsoft Advertising: Digital advertising and marketing platform
- Triptease: Personalization and digital advertising platform
- DerbySoft: Digital advertising and marketing platform
Last Update June 3, 2025