This Data Processing Agreement (“DPA”) is entered by and between Feedzai (“Feedzai” or “Controller”) and the Services Provider (“Services Provider” or “Processor”), as identified in the signatures section, and reflects the Parties’ Agreement with respect to the terms governing the Processing of Personal Data by the Services Provider on behalf of Feedzai under the applicable Services Agreement signed between the parties or even, if necessary, before its signature, which is governed by the following clauses:
Definitions.
1.1. “Controller” means the natural or legal person who determines the purposes and means of the Processing of Personal Data, who in this DPA is Feedzai. “Data Subject” means the identified or identifiable natural person whose Personal Data is Processed.
1.2. “Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.3. “Data Protection Laws” means all data protection, privacy or similar laws and regulations anywhere in the world, including but not limited to laws and regulations of the EU, the EEA and their member states, Switzerland, the United Kingdom, which applies to the Processing of Personal Data under this DPA.
1.4. “Effective Date” means the date in which this DPA is executed and corresponds to the date of the last signature below or the date of the first disclosure of Personal Data in the event that any Personal Data has been previously disclosed.
1.5. “EU” means European Union.
1.6. “EEA” means European Economic Area.
1.7. “Feedzai’s Personal Data” means any Personal Data Processed by the Services Provider or another Subprocessor on behalf of Feedzai, pursuant to or in connection with the Services Agreement.
1.8. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). References to “articles” or “chapters” of the GDPR shall be construed accordingly.
1.9. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as well as the categories of data referred to in Exhibit A which may be supplied to and Processed by the Services Provider on behalf of the Controller pursuant to or in connection with the Services Agreement.
1.10. “Personnel” means the Services Provider’s employees or other individuals with a contractual relationship with Services Provider.
1.11. “Processor” means the Services Provider as the natural or legal person which processes Personal Data on behalf of the Controller.
1.12. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.13. “Restricted Transfers” means the transfer of Personal Data to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations, to the extent such transfers are subject to such Data Protection Laws and regulations.
Includes transfers of Feedzai’s Personal Data from Feedzai to the Services Provider and onward transfers of Personal Data, including from a Subprocessor to another Subprocessor or between two establishments of a Subprocessor.
1.14. “Services” means the Services provided by the Services Provider to Feedzai as defined on the applicable Services Agreement.
1.15. “Standard Contractual Clauses” means the Standard Contractual Clauses approved by Commission Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and (ii) the International Data Transfer Addendum to the EU SCC’s issued by the Information Commissioner’s Office (“UK SCCs”) as included in Exhibit B.
1.16. “Subprocessor” means an entity engaged by the Processor, exclusively for the Processing activities to be carried out pursuant to or in connection with the Services Agreement on behalf of Feedzai and in accordance with its instructions, as transmitted by Feedzai.
Duration of the DPA.
Unless otherwise agreed in writing, this DPA will take effect on the date of the Services Agreement Effective Date. Notwithstanding expiry of the Term, this DPA will remain in effect until, and automatically expire upon, deletion of all Feedzai’s Data by the Services Provider as described in this DPA.
Scope of Processing.
The subject-matter of Processing of Personal Data by the Services Provider is the performance of the Services pursuant to the Services Agreement. For that purpose, by entering into this DPA, the Services Provider acts as a Processor and shall Process Feedzai’s Personal Data as confidential information. The Services Provider shall only Process Personal Data, on behalf of Feedzai in accordance with i) the requirements of the applicable Data Protection Laws, ii) Feedzai’s documented instructions in accordance with the terms of this DPA, including the details of the Processing stated on Exhibit A attached hereto. Services Provider must inform Feedzai immediately in case it believes that its instructions provided i) infringe Data Protection Laws, ii) to be insufficient.
Data Security.
4.1. Security Schedule. All data security measures, including how to handle Security Incidents shall be governed by the Security Schedule as included in Exhibit C.
4.2. Audits of Compliance.
4.2.1 Reviews of Security Documentation. In addition to the information contained in this DPA and respective Agreement, Services Provider shall and shall procure that any Subprocessor on request, makes available to Feedzai information necessary to demonstrate compliance with this DPA.
4.2.2 Feedzai’s and Controller’s Audit rights. Services Provider shall procure that any Subprocessor allows Feedzai and/or Controller to perform any audits in relation to the Processing of Personal Data under the Agreement which might include access to its premises by Feedzai, Controller or an auditor mandated for this purpose. Feedzai shall give Services Provider reasonable notice of any audit or inspection to be conducted under this Section and ensure that each of its mandated auditors use its best efforts to avoid causing any damage, injury or disruption to the Services Provider premises, equipment, Personnel, data, and business while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on-premise inspection.
4.3. Supervisory Authority. Services Provider shall fully cooperate with and assist Feedzai in relation to the response to any notifications from a supervisory authority, in connection with the Personal Data, including without limitation, the preparation of supporting documentation to be submitted to the relevant supervisory authority and provision of supporting documentation sufficient to evidence that Services Provider is legally bound by the terms of this DPA.
4.4. Impact Assessment.
4.4.1. Disclosure.
Where requested to do so, Services Provider shall disclose the information reasonably required by Feedzai to demonstrate compliance with the applicable Data Protection Laws without undue delay but no later than within 5 days after the request.
4.4.2. Mitigation actions. Services Provider shall assist Feedzai to carry out a privacy impact assessment of the Services and work with Feedzai to implement agreed mitigation actions to address privacy risks identified.
Data Subject Rights.
5.1. Data Subject Requests.
5.1.1. Notification. Services Provider shall notify Feedzai if it receives a request from a Data Subject to exercise any of the Data Subject’s rights, such as the right of access, to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or the right not to be subject to an automated individual decision making (“Data Subject Request”) without undue delay but no later than within 5 days from such request.
5.1.2. Processor’s Data Subject Assistance. Considering the nature of the Processing, Services Provider shall assist Feedzai by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Feedzai’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, if Feedzai does not have the ability to address a Data Subject Request, the Services Provider shall upon Feedzai’s request provide all the necessary assistance to Feedzai in responding to such Data Subject Request without undue delay but no later than within 5 days after Feedzai request.
5.2. Data Deletion.
Unless otherwise stipulated by the applicable Data Protection Laws, the Services Agreement or this DPA, notwithstanding any failure of Feedzai to provide written instructions, Services Provider shall and shall procure that the Subprocessors shall delete or destroy all Personal Data stored, collected or Processed on behalf of Feedzai, upon termination of the Services Agreement. Following expiry or termination of the Services Agreement, and at any other time upon Feedzai’s written request, the Services Provider shall and shall procure that all Subprocessors shall immediately and permanently delete all electronic copies of the Personal Data from its/their computer systems (including without limitation servers, hardware and mobile devices) and from digital media in its/their possession or control; and in respect of hard copies of the Personal Data, securely destroy all originals and copies of Personal Data in its, or its Subprocessors, possession, custody, or control. Upon Feedzai’s request, the Services Provider shall provide a certification confirming that all Personal Data Processed under the Services Agreement has been securely destroyed.
5.3. Consent for Marketing Purposes (if applicable).
If the Services under the applicable Services Agreement involve the generation of leads in which the Services Provider makes the direct contact with the data subject, Services Provider warrants and represents that it is responsible for collecting the necessary consent from each data subject whose Personal Data the Services Provider provides Feedzai so that Feedzai and its Partners may lawfully send direct marketing.
Data Transfers.
6.1. Restricted Transfers. The Services Provider agrees that no Personal Data Processed on behalf of Feedzai shall be Processed by any Subprocessor outside the EU/EEA without Feedzai’s previous written consent and otherwise than in accordance with adequate transfer mechanisms, namely the Standard Contractual Clauses.
6.2. Standard Contractual Clauses. The Parties hereby enter into the Standard Contractual Clauses (Exhibit B) in respect of any Restricted Transfers from Feedzai to the Services Provider. The Standard Contractual Clauses shall come into effect on commencement of the relevant Restricted Transfers.
Subprocessors.
7.1. Subprocessor Engagement. The present clause applies whenever the Services Provider engages a Subprocessor for Processing Personal Data pursuant to this DPA. Services Provider must choose Subprocessors that provide sufficient guarantees in respect of the technical security measures and organizational measures governing the Processing. The Subprocessors engaged must ensure compliance with the requirements and/or obligations foreseen in the Data Protection Laws and this DPA. Before the Subprocessor first Processes Personal Data on behalf of Feedzai, Services Provider must carry out due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by this DPA and Data Protection Laws.
7.2. Requirements for Subprocessor Engagement. With respect to each Subprocessor, the Services Provider shall ensure that the arrangement between the Services Provider and any prospective Subprocessor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this DPA, and that the Subprocessors act in accordance with Feedzai’s instructions. Services Provider shall notify and keep Feedzai updated regarding the names of its Subprocessors Processing the Personal Data of Feedzai.
7.3. Cooperation. Services Provider shall procure that the Subprocessors shall promptly provide Feedzai with necessary assistance and all the information in Subprocessor’s possession or control in relation to the Processing of the Personal Data under this DPA as may reasonably be required for Feedzai to assess whether the Processing of the Personal Data is in accordance with this DPA.
7.4. Control of Subprocessors. Services Provider shall conduct periodic audits of the Subprocessors appointed that shall be documented and made available to Feedzai also upon request.
7.5. Opportunity to Object to Subprocessor. For security reasons, Feedzai will have the opportunity to object to any Subprocessor identified. If the Services Provider has chosen an unsuitable Subprocessor, that causes Feedzai to terminate this DPA as well as the applicable Services Agreement, then Feedzai is entitled to be indemnified for any damages caused, as referred to in section 8 (“Liability”). In addition, where a Subprocessor fails to fulfill its data protection obligations, Services Provider will remain liable to Feedzai for the performance of such Subprocessor’s obligations.
Liability.
Services Provider will indemnify and keep indemnified Feedzai against all and any loss, liability, damage and expenses (including reasonable legal fees) incurred by it as a result of any breach by Services Provider of its obligations under this DPA. Nothing contained herein shall be considered as prohibiting or limiting Feedzai from pursuing any other remedies available to it.
Costs.
Services Provider shall not charge any additional costs in order to comply with its cooperation duties set forth in this DPA. For the avoidance of doubt, the actions referred to in section 4.4. shall be undertaken at the expense of the Services Provider, without prejudice to Feedzai seeking any legal remedy as a result of the Data Incident. In addition, Services Provider shall reimburse Feedzai for all costs, losses and expenses related to the management of a Data Incident.
Data Enricher (if applicable).
10.1. Scope. For the avoidance of any doubts, the present clause applies exclusively to cases in which the Services Provider is a Data Enricher engaged to provide data enrichment services in accordance with the Services Agreement. A Data Enricher means the Services Provider that provides data enrichment services by managing databases, updating outdated data as well as by enriching incomplete and inaccurate data. For that purpose, Feedzai shares its Personal Data with the Services Provider and the Services Provider shares Personal Data with Feedzai or provides access to that data.
10.2. Services Provider Personal Data. The parties acknowledge and agree that, with regard to all Personal Data held within Services Provider’s databases that are accessible to or shared with Feedzai through use of the enrichment services, Services Provider is a separate Controller, instead of a Processor. Services Provider’s purpose and means of Processing are independent from Feedzai’s (or any of its Affiliates) Processing of the same Personal Data. The Services Provider is independently responsible for compliance with the applicable Data Protection Laws, namely responsible for identifying a lawful basis of Processing, for complying with all necessary transparency and lawfulness obligations for the collection, Processing and use of the Personal Data as well as responding to data subjects’ requests to exercise their rights.
10.3. Feedzai’s Personal Data. In turn, with regard to the Processing of Personal Data belonging to or provided by Feedzai to the Services Provider, Feedzai is the Controller and the Services Provider is the Processor and the Processing activities remain subject to all the provisions of this DPA, with the exception of clause 10.2.