DATA PROCESSING AGREEMENT

Last Revised: 17 February, 2024

BETWEEN:
ON THE ONE HAND
Brand Bowl's customer, who has entered into a service agreement governed by Brand Bowl's Terms and Conditions (the "Principal Agreement") concerning the provision of Brand Bowl's services.
Hereinafter referred to as the "CONTROLLER" or "CUSTOMER".

AND:
ON THE OTHER HAND
Brand Bowl (Sidefort OÜ), a company registered under Estonian law, with its principal place of business at Tornimäe tn 5, 10145, Tallinn, Estonia, duly registered under company number 17061164, represented by Jimmy Barranco, in his capacity of Founder.
Hereinafter referred to as the "PROCESSOR" or "BRAND BOWL".

The CONTROLLER and the PROCESSOR shall collectively be referred to as the "Parties" and individually as a "Party".

1. INTRODUCTION

1.1 The CONTROLLER is a company that utilizes Brand Bowl's services, which enable the management, analysis and sharing of brand-related data.

1.2 The Parties have entered into the Principal Agreement, governed by Brand Bowl's Terms and Conditions, for the provision of services by the PROCESSOR, including data processing activities.

1.3 This Agreement is established to define the terms under which Brand Bowl processes Personal Data on behalf of the CONTROLLER, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

1.4 This Agreement outlines the respective rights and obligations of the CONTROLLER and the PROCESSOR in relation to data protection and compliance with GDPR requirements.

2. DEFINITIONS

For the purpose of this Agreement, the following definitions apply:

2.1 "Personal Data" refers to any information relating to an identified or identifiable natural person processed under this Agreement.

2.2 "Processing" means any operation performed on Personal Data, such as collection, recording, storage, alteration, retrieval, disclosure, or deletion.

2.3 "Data Subject" means any individual whose Personal Data is processed under this Agreement.

2.4 "Subprocessor" means any third party engaged by the PROCESSOR to process Personal Data on behalf of the CONTROLLER.

2.5 "Security Measures" refer to the technical and organizational safeguards implemented to protect Personal Data.

3. SUBJECT MATTER OF THE AGREEMENT

3.1 The CONTROLLER entrusts the PROCESSOR with the processing of Personal Data as necessary to provide Brand Bowl's services.

3.2 The PROCESSOR shall process Personal Data strictly in accordance with the documented instructions of the CONTROLLER, as required to fulfill the services outlined in the Principal Agreement.

3.3 Both Parties agree to comply with GDPR and any other applicable data protection laws.

4. PROCESSING ACTIVITIES

4.1 Nature of Processing. The PROCESSOR processes Personal Data to facilitate brand performance analytics, feedback functionality and customer insights.

4.2 Categories of Personal Data. The PROCESSOR may process the following types of Personal Data:

  • Electronic identification data (e.g., IP addresses, user session data)
  • Brand engagement data
  • Customer feedback and responses

4.3 Categories of Data Subjects:

  • Individuals interacting with Brand Bowl's services
  • Customers providing feedback or engaging with analytics tools

4.4 Purpose of Processing: The PROCESSOR shall only process Personal Data to deliver the agreed-upon services and ensure operational efficiency.

5. DURATION AND TERMINATION

5.1 This Agreement remains in effect as long as the PROCESSOR processes Personal Data on behalf of the CONTROLLER.

5.2 Upon termination of the Principal Agreement, the PROCESSOR shall delete or return all Personal Data to the CONTROLLER unless retention is required by law.

5.3 If instructed by the CONTROLLER, the PROCESSOR shall cease further processing of Personal Data immediately upon contract termination.

6. SECURITY MEASURES

6.1 The PROCESSOR shall implement appropriate technical and organizational measures to ensure the security of Personal Data.

6.2 The PROCESSOR shall regularly evaluate and update its security practices to prevent unauthorized access, disclosure, or loss of Personal Data.

6.3 In the event of a Personal Data Breach, the PROCESSOR shall notify the CONTROLLER without undue delay, providing necessary details about the breach and proposed remediation measures.

7. CONTROLLER'S RIGHTS AND OBLIGATIONS

7.1 The CONTROLLER has the right to request information on the PROCESSOR's data protection practices and compliance with this Agreement.

7.2 The CONTROLLER shall ensure that Personal Data shared with the PROCESSOR is collected and processed lawfully.

7.3 The CONTROLLER shall notify the PROCESSOR of any requests received from Data Subjects concerning their rights under GDPR.

8. USE OF SUBPROCESSORS

8.1 The CONTROLLER authorizes the PROCESSOR to engage Subprocessors for service provision, provided they comply with the same data protection obligations outlined in this Agreement.

8.2 The PROCESSOR shall notify the CONTROLLER of any intended changes to Subprocessors, allowing the CONTROLLER to raise objections where necessary.

8.3 As part of this Agreement the PROCESSOR makes use of the following categories of Subprocessors in order to ensure the performance of the Services to the Data Subjects:

  • Hosting and storage service providers
  • Payment service providers
  • Communication service providers
  • AI service providers

8.4 A list of the PROCESSOR's subprocessors, including their functions and locations, is available at https://www.getbrandbowl.com/gdpr#subprocessors.

8.5 As stated in the subprocessor list, customer data (such as personally identifiable information, or PII) remains strictly within the EU region and is stored on AWS and MongoDB Atlas servers located in Dublin, Ireland.

8.6 The only exception pertains to authentication data, which is processed by Clerk, a subprocessor located outside of Europe. However, appropriate safeguards and contractual agreements are in place to ensure compliance with GDPR, including the implementation of Standard Contractual Clauses (SCCs) and other legally recognized transfer mechanisms.

8.7 The PROCESSOR remains responsible for ensuring that any such subprocessors, including Clerk, comply with the obligations outlined in this Agreement, maintaining the same level of data protection as required under applicable data protection laws.

9. INTERNATIONAL DATA TRANSFERS

9.1 Personal Data may only be transferred outside the European Economic Area (EEA) if adequate safeguards are in place, in compliance with GDPR.

9.2 Where applicable, data transfers shall be subject to Standard Contractual Clauses (SCCs) or other recognized data transfer mechanisms.

10. LIABILITY

10.1 The PROCESSOR shall be liable for any damages resulting from its failure to comply with GDPR obligations specific to data processors.

10.2 The CONTROLLER shall be liable for ensuring compliance with data protection laws concerning data collection and usage.

10.3 Neither Party shall be liable for indirect damages, such as loss of profits or business opportunities, arising from data processing under this Agreement.

11. GOVERNING LAW AND JURISDICTION

11.1 This Agreement shall be governed by and construed in accordance with the laws of Estonia.

11.2 Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Estonia.

12. FINAL PROVISIONS

12.1 If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.2 This Agreement constitutes the entire agreement between the Parties concerning data processing and supersedes any prior arrangements or understandings.

12.3 Brand Bowl may update this Agreement to reflect changes in regulatory requirements, notifying the CONTROLLER at least 30 days in advance of any modifications. Following this period, the CUSTOMER will be considered to have tacitly accepted the changes.


Schedule 1: Technical and Organizational Measures

Governance and Compliance

  • BRAND BOWL has established security practices and ensures compliance with applicable requirements.
  • A designated individual is responsible for enforcing technical and organizational security controls per regulations, contracts, and internal policies.

Continuity

  • BRAND BOWL ensures measures are in place to mitigate risks and enable timely recovery of IT systems supporting the Services in case of an incident or disaster.
  • BRAND BOWL ensures information integrity and availability are maintained through regular backups of data, code, and software.

Media Handling

  • BRAND BOWL applies strict security practices to prevent unauthorized access, disclosure or misuse of information.
  • BRAND BOWL ensures that obsolete media is securely disposed of.
  • BRAND BOWL ensures that system documentation is protected against unauthorized access.

Exchange of Information

  • BRAND BOWL enforces security measures for exchanging information and software, both internally and with third parties, covering exchange agreements, physical media, electronic messaging, and the protection of information associated with the interconnection of business information systems.

Access Control

  • BRAND BOWL has established and implemented access controls to ensure that only authorized users have access and to prevent unauthorized access, in particular to sensitive personal data.
  • BRAND BOWL ensures that key resources that support the Services are protected by multi-factor authentication.
  • BRAND BOWL has processes in place to manage access rights according to the least-privilege principle, with timely adjustments for staff changes.
  • BRAND BOWL regularly reviews user access rights to ensure that the allocation and use of privileges are controlled and restricted where necessary.

Cryptographic Control

  • BRAND BOWL has implemented encryption solutions to protect data at rest and in transit for higher risk situations.
  • Higher risk situations include (but are not limited to):
    • Data processed on behalf of the CUSTOMER
    • Access to sensitive personal data
    • Access to key resources supporting the Services
    • Access to systems supporting the Services

Network Control

  • BRAND BOWL ensures that networks and network controls under its scope of responsibility are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including data in transit.

Security Training and Awareness

  • BRAND BOWL ensures that all employees, contractors and third-party users are trained on security risks, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their work.
  • BRAND BOWL ensures that its employees, contractors and third-party users that handle personal data (including pseudonymized personal data) are aware of the definition of personal data and special categories of personal data as defined under GDPR.
  • BRAND BOWL ensures that where relevant, all employees, contractors and third-party users receive appropriate awareness training.
  • BRAND BOWL ensures that its employees use institutional e-mail addresses and other institutional pre-authorized collaboration tools when communicating or transferring data and/or personal data.

Physical and Environmental Security

  • BRAND BOWL ensures that the appropriate security perimeters and access controls are in place to prevent unauthorized physical access, damage and/or interference to BRAND BOWL's premises and devices.
  • BRAND BOWL ensures that equipment is correctly maintained to ensure continued availability and operational integrity.

Protection of Organizational Records

  • BRAND BOWL enforces data retention and destruction policies aligned with security standards.
  • BRAND BOWL ensures all data is securely deleted, anonymized or otherwise disposed of at the end of its retention period.
  • BRAND BOWL ensures appropriate controls are implemented to prevent records from loss, destruction or falsification during their retention period.

Technical Vulnerability Management

  • BRAND BOWL monitors system vulnerabilities periodically, and takes appropriate action to reduce risks resulting from exploitation of published technical vulnerabilities.
  • BRAND BOWL embeds the necessary security vulnerability testing practices in its development process.

Information Security Incident Management

  • BRAND BOWL has practices in place to ensure a structured and effective response to security incidents, including reporting and mitigation measures.

Monitoring

  • BRAND BOWL has security practices in place to monitor security events to detect and prevent unauthorized information processing activities.

Malware Prevention

  • BRAND BOWL employs anti-malware defenses to protect against threats.

Third Party Management

  • BRAND BOWL ensures it engages only with reputable third parties, especially when they act as (sub)processors of personal data.