social.plus Data Processing Agreement
RECITALS
- This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the Master Subscription Agreement and any applicable Order Form governing the Customer's use of the social.plus services ("Agreement").
- This DPA applies to the processing of Personal Data by Social Plus Holdings Ltd with its registered office at C/O Kreston Reeves Llp Innovation House, Ramsgate Road, Sandwich, Kent, United Kingdom, CT13 9FF ("Processor"), on behalf of the Customer identified in the applicable Order Form ("Controller"), in connection with the Controller's use of the social.plus product and services.
- The Processor shall process Personal Data on behalf of the Controller solely as necessary for the performance of the services and in accordance with this DPA, the applicable Order Form, and the Agreement.
- The categories of Personal Data and Data Subjects are further described in Annex I.
- Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws require that processing activities carried out by a processor on behalf of a controller be governed by a binding legal act providing specific instructions regarding the processing of personal data.
- The Processor provides sufficient guarantees to implement appropriate technical and organisational measures to ensure that processing will meet the requirements of applicable Data Protection Law and ensure the protection of the rights of Data Subjects.
- With this DPA, the Controller and the Processor intend to regulate the processing of Personal Data necessary to execute the Agreement in accordance with applicable Data Protection Law.
Now therefore, the Controller and the Processor agree as follows.
1. Purpose of the Regulation
The purpose of this Data Processing Agreement is to govern the processing activities that the Processor will carry out on behalf of the Controller to execute the Agreement and to establish the conditions under which the Processor may process Personal Data relating to Data Subjects.
2. Obligations of the Controller
The Controller shall:
- ensure that it has a lawful basis for the processing of Personal Data and that it has provided appropriate notices to Data Subjects as required under applicable Data Protection Law;
- ensure that its instructions to the Processor comply with applicable Data Protection Law;
- be responsible for the accuracy, quality and legality of the Personal Data and the means by which the Personal Data was obtained.
3. Obligations of the Processor
The Processor undertakes to:
- process the Personal Data only on behalf of the Controller and solely as necessary to perform the services under the Agreement, in accordance with this DPA, the Controller's documented instructions, and applicable Data Protection Law;
- ensure that persons authorised to process Personal Data, including employees, contractors and consultants, are bound by appropriate confidentiality obligations and have received appropriate training regarding data protection;
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing of Personal Data, taking into account the nature, scope, context and purposes of the processing;
- maintain appropriate internal records of processing activities where required under applicable Data Protection Law;
- appoint a Data Protection Officer where required under applicable Data Protection Law and communicate its contact details to the Controller.
4. Sub-processors
The Controller authorises the Processor to engage Sub-processors for the performance of the services under the Agreement.
The Processor shall:
- ensure that Sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures in accordance with applicable Data Protection Law;
- impose on Sub-processors contractual obligations that are no less protective than those set out in this DPA;
- remain responsible for the performance of the Sub-processors' obligations.
The list of authorised Sub-processors is set out in Annex I and may be updated from time to time.
5. Data Subject Requests
The Processor shall notify the Controller without undue delay if it receives a request from a Data Subject relating to Personal Data processed under this DPA.
The Processor shall assist the Controller, taking into account the nature of the processing, in responding to such requests where reasonably necessary.
6. Personal Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
The Processor shall provide reasonable assistance to the Controller in: i) investigating the breach; ii) complying with notification obligations to supervisory authorities; and iii) notifying affected Data Subjects where required by applicable Data Protection Law.
7. Audits
Upon reasonable request, the Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA.
Where required by applicable Data Protection Law, the Controller may conduct an audit of the Processor's compliance with this DPA, either directly or through an independent auditor, subject to:
- at least ten (10) days' prior written notice;
- confidentiality obligations;
- audits occurring during normal business hours;
- audits being limited to what is reasonably necessary to verify compliance; and
- the Controller bearing all costs associated with such audits.
The Processor can satisfy audit obligations by providing SOC2 Type 2, ISO or other relevant certifications, reports, or other documentation demonstrating compliance.
8. Assistance to the Controller
Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in fulfilling its obligations under applicable Data Protection Law, including in relation to:
- data protection impact assessments;
- consultations with supervisory authorities; and
- implementation of appropriate technical and organisational measures.
9. International Data Transfers
The Processor may process Personal Data in the countries specified in Annex I.
Where Personal Data is transferred outside the European Economic Area or another jurisdiction requiring a transfer mechanism under applicable Data Protection Law, such transfers shall be carried out in accordance with applicable Data Protection Law.
Where required, the Parties agree that the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR shall apply and form part of this DPA.
10. Return or Deletion of Personal Data
Upon termination or expiration of the Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller, unless retention of such Personal Data is required under applicable law.
11. Liability
Each Party's liability arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the Agreement.
12. Changes to Data Protection Law
If changes in applicable Data Protection Law require modifications to this DPA, the Parties agree to discuss and implement appropriate amendments in good faith.
13. Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
14. Order of Precedence
In the event of any conflict between this DPA and the Agreement with respect to data protection matters, this DPA shall prevail.
15. Applicable Law and Jurisdiction
This Data Processing Agreement shall be governed by the laws of England and Wales.
Any disputes arising from or in connection with this DPA shall be brought before the competent courts of England and Wales.
* * * * *
ANNEX I
Description of the Processing
Purpose of Processing
The Personal Data transferred is processed by the Processor for the following purposes:
- to provide the services pursuant to the Master Subscription Agreement and the Order Form;
- to ensure the functionality, effectiveness and maintenance of the Product;
- to provide analytics and usage insights to the Controller through the Product dashboard;
- to provide the technical support and consulting services requested by the Controller in relation to product performance and/or user engagement.
Duration of Processing
The duration of the Agreement and any applicable data retention period.
Categories of Data Subjects
Users of the Controller's application or digital services.
Categories of Personal Data
- user identifiers;
- profile information (such as name, position, organization);
- user activity and interaction data within the Product;
- user-generated content.
Special Categories of Data
Not applicable.
Data Storage and Processing Locations
Personal Data shall be stored and processed in the data centers located in the region selected by the Customer for the relevant application environment.
The available regions are:
- United States (US Region): data will be stored and processed in the United States;
- ASEAN Region: data will be stored and processed in Singapore;
- EMEA Region: data will be stored and processed in the European Union.
The Company may use the following infrastructure subprocessors for hosting and related services:
- Amazon Web Services (AWS);
- Google Cloud Platform (GCP); and
- Cloudflare.
Each subprocessor maintains infrastructure in the United States, the European Union, and Singapore, and Personal Data will be stored and processed within the region selected by the Customer, utilizing the subprocessor's facilities in that region.
The Company implements appropriate technical and organizational measures to ensure that the Personal Data remains stored and processed in accordance with the selected region, except where temporary access from another location is necessary for maintenance, support, or security purposes.
ANNEX II
Standard Contractual Clauses
Where required under applicable Data Protection Law, the Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 shall apply.
For the purposes of the SCCs:
- Module Two (Controller to Processor) shall apply;
- Clause 7 (Docking Clause) shall not apply;
- Clause 9(a) Option 2 (general written authorisation of sub-processors) shall apply;
- Clause 11 optional dispute resolution shall not apply;
- Clause 17 governing law shall be the law of the Netherlands;
- Clause 18 jurisdiction shall be the courts of the Netherlands.