This Data Processing Agreement (this “DPA”) is entered into by and between, on one hand, Customer and/or Developer (as applicable) and, on the other hand, TapResearch. This DPA and shall be effective as of the Effective Date of the Agreement. In the case of conflict between this DPA and the Master Terms, the Customer Terms, and/or the Developer Terms (as applicable), or between this DPA and any Ordering Document, this DPA shall control. This DPA is incorporated into and forms a part of the Agreement.
1.1. “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 as implemented in any applicable territory (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act (“CCPA”), or any other privacy or data protection laws or regulations in any other applicable territory, in each case as amended, replaced or supplemented and in force from time to time, and all subordinate legislation made under them, together with any codes of practice or other guidance issued by the data protection regulator in the relevant applicable territory;
1.2. “Personal Data” and “Personal Information” mean any information relating to an identified or identifiable natural person or household within the TapResearch Materials and shall, further, have whatever additional meaning is given to such terms under applicable Data Protection Laws, including without limitation GDPR, UK GDPR, and CCPA;``
1.3. "Personnel" means all officers, directors and employees (including of its affiliates), independent contractors or service providers of either Customer, Developer, or TapResearch;
1.4. “Process(ing)” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
1.5. “Services” means any services set out in any agreement between TapResearch, on one hand, and Customer and/or Developer on the other.
2.1. The parties agree that for purposes of this DPA their respective designations as “controller” and/or “processor” shall be as provided in Section 4 of the Customer Terms and Section 6 of the Developer Terms, as applicable.
2.2. Customer and/or Developer and its Personnel shall process the Personal Data only to the extent, and in such a manner, as is necessary perform its obligations under the Agreement and in accordance with TapResearch’s written instructions from time to time; Customer and/or Developer shall not Process Personal Data for any other purpose.
2.3. Customer and/or Developer shall immediately notify TapResearch if, in its opinion, any instruction made pursuant to this DPA infringes applicable Data Protection Laws.
2.4. Upon TapResearch’s request, Customer and/or Developer shall, and shall procure that its Personnel and any sub-processors shall, immediately cease using the Personal Data and promptly deliver in a manner acceptable to TapResearch all documents and materials containing Personal Data or any other data or information disclosed or supplied by TapResearch under or in connection with this DPA or, at TapResearch’s written request and option, destroy them and provide evidence of their destruction to TapResearch unless applicable Data Protection Laws requires the storage of Personal Data.
2.5. Notwithstanding anything to the contrary, the obligations in this DPA will remain in effect until deletion of all Personal Data by Customer and/or Developer as described in this DPA.
3.1. Customer and/or Developer shall ensure that any Personnel with access to Personal Data do not process Personal Data except in accordance with this DPA and agree in writing to comply with the provisions set out in this DPA.
3.2. Customer and/or Developer shall take all such steps as are necessary to ensure the reliability of Personnel who have access to Personal Data.
3.3. Customer and/or Developer shall ensure that access to the Personal Data is limited to: (a) Personnel who need access for the purpose of exercising Customer and/or Developer’s rights or performing Customer and/or Developer’s obligations under this DPA; and (b) in the case of access by any Personnel, such part or parts of the Personal Data as is strictly necessary for performance of such Personnel's duties.
3.4. Customer and/or Developer shall ensure that Personnel: (a) are informed of and maintain the confidential nature of the Personal Data; (b) have undertaken training in the Data Protection Laws relating to handling of Personal Data; and (c) are aware of TapResearch’s duties and obligations under the Data Protection Laws and this DPA.
4.1. Customer and/or Developer shall not appoint a sub-processor without the prior written consent of TapResearch.
4.2. Customer and/or Developer shall ensure that each of its sub-processors are: (a) aware of this DPA; and (b) bound by contractual obligations with respect to the Personal Data which are the same as, or no lesser than, those contained in this DPA.
4.3. Customer and/or Developer shall be liable for the acts and omissions of its sub-processors to the same extent that Customer and/or Developer would be if performing the Processing directly under this DPA.
5. DATA SUBJECT RIGHTS
5.1. To the extent that TapResearch, in its provision of the Services, does not have the ability to report the content of, correct, amend, block, or delete Personal Data as required by the Data Protection Laws, Customer and/or Developer shall, and shall ensure that its sub-processors shall, promptly comply within five (5) calendar days with a request from TapResearch to facilitate such actions at no additional cost to TapResearch.
5.2. If Customer and/or Developer receives a complaint, notice or communication which relates directly or indirectly to the Processing of Personal Data, it shall immediately, and in any event within five (5) calendar days, notify TapResearch and shall provide full co-operation and assistance to enable TapResearch to address the request. TapResearch shall not respond to any such complaint, notice or communication without the prior written consent of TapResearch.
5.3. If TapResearch receives any complaint, notice or communication from a third party which relates directly or indirectly to the Processing of Personal Data by Customer and/or Developer and/or it sub-processors, Customer and/or Developer shall, at its expense, provide, or shall procure the provision of, full co-operation and assistance to TapResearch in relation to any such request.
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Customer and/or Developer shall implement appropriate technical and organizational measures and perform regular security backups of Personal Data to ensure a level of security and integrity appropriate to the risk of unauthorized, accidental or unlawful Processing, access, loss, disclosure or destruction of Personal Data (a “Security Breach”). Without limiting the foregoing, Customer and/or Developer acknowledges and agrees that, with respect to California residents, the 20 controls set forth by the Center for Internet Security’s Critical Security Controls constitute the minimum level of information security requirements as established by the California Attorney General.
6.2. Customer and/or Developer shall promptly and in any event within twenty-four (24) hours inform TapResearch of any actual or suspected Security Breach and any breach of its security obligations contained in paragraph 6.1.
6.3. To the extent that a Security Breach is caused, or is otherwise suffered, by Customer and/or Developer or its sub-processor(s), Customer and/or Developer shall, at its expense, investigate, identify and remediate the Security Breach as soon as possible, and within five (5) business days.
6.4. Customer and/or Developer shall, at its expense, provide full co-operation and assistance and all information as may be reasonably requested by TapResearch in relation to the Security Breach.
6.5. Customer and/or Developer shall consult with TapResearch in advance regarding any public statements to be made relating to the Security Breach which directly references TapResearch. Unless required to do so by law, Customer and/or Developer shall not make any public statement relating to the Security Breach which directly references TapResearch without the prior written consent of TapResearch.
6.6. Customer and/or Developer shall record and retain, for a minimum of two (2) years after the expiration or termination of this Agreement, records of any notice to, and consent or request from, individuals regarding the collection, disclosure, retention and use of personal information that is exclusive to the Services under this Agreement. Upon the other party’s request, each party shall make all records, appropriate personnel, and/or any location from which personal information can be accessed available for inspection to demonstrate compliance hereunder, provided that such inspection shall be carried out with reasonable notice during regular business hours and under a duty of confidentiality.
7.1. Customer and/or Developer shall maintain a record of the Processing activities carried out on behalf of TapResearch which shall, at a minimum, contain the following information: (a) a description of the Personal Data Processed by Customer and/or Developer, including the types of Personal Data, the categories of data subjects and the Processing activities carried out on behalf of TapResearch; (b) details of any transfers of Personal Data to a third country and the legal basis for the legitimate transfer of the same under the Data Protection Laws; (c) a general description of the technical and organization security measures used to protect Personal Data in accordance with paragraph 5.1; and (d) the name and contact details of the Customer and/or Developer’s Data Protection Officer, Chief Privacy Officer, Chief Information Security Officer or similarly qualified TapResearch Personnel.
7.2. Customer and/or Developer shall promptly provide such records on request from TapResearch.
Personal Data shall only be transferred to locations as may be required or approved by TapResearch from time to time; in any event, Personal Data shall not be transferred outside of the United States without TapResearch’s prior written consent. If such transfers are required, Customer and/or Developer shall give TapResearch notice pursuant to paragraph 13 of this DPA. Transfers of Personal Data originating from or relating to data subjects in the European Economic Area and/or Switzerland are subject to the updated Standard Contractual Clauses (the “Clauses”), which are available at the foregoing link and incorporated herein by this reference. Transfers of Personal Data originating from or relating to data subjects in the United Kingdom are subject to the previous iteration of the Clauses, which are available at the foregoing link and incorporated herein by this reference. In such cases, for purposes of the Clauses, and notwithstanding anything else in this Agreement, Customer and/or Developer is the “data exporter” and TapResearch is the “data importer.” TapResearch and Customer agree that, with respect to transfers of Personal Data originating from or relating to data subjects in the European Economic Area and/or Switzerland (collectively, the “EEA”), Module Two of the updated Clauses shall govern transfers of personal Data contained in the Survey Data (as defined in Section 3.2 of the Customer Terms), and Module Four shall govern transfers of Personal Data contained in the TapResearch Materials (as defined in Section 4.1 of the Master Terms). TapResearch and Developer agree that, with respect to transfers of Personal Data originating from or relating to data subjects in the EEA, Module Four of the updated Clauses shall govern such transfers.
9.1. On reasonable notice, Customer and/or Developer shall allow TapResearch and any auditors of or other advisers to TapResearch to access any Customer and/or Developer premises, systems, Personnel and relevant records as may be reasonably required in order to undertake verifications of compliance with the provisions of this DPA.
9.2. Customer and/or Developer shall provide TapResearch (and its auditors and other advisers) with all reasonable co-operation, access and assistance in relation to each audit.
10. APPLICABLE LAW
10.1. Customer and/or Developer shall Process the Personal Data in compliance with the Data Protection Laws.
10.2. Without limiting the foregoing, Customer and/or Developer represents, warrants, and covenants that it is and shall at all times remain in compliance with CCPA. If Customer and/or Developer is collecting personal information of California residents, Customer and/or Developer shall provide consumers with all notices required under CCPA, including without limitation the appropriate collection notice and, as necessary, a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” with the appropriate disclosures required by CCPA. Customer and/or Developer shall not collect categories of personal information, and shall not use a consumer’s personal information for any purpose, other than those disclosed in the appropriate notices.
11. ENTIRE AGREEMENT
11.1. This DPA constitutes the entire agreement between the parties with respect to the subject matter contained herein and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
11.2. Each party agrees that it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this DPA.
12. JURSIDCTION AND GOVERNING LAW
12.1. The validity, construction and performance of this DPA (and any claim, dispute or matter arising under or in connection with it or its enforceability) and any non-contractual obligations (including negligence) arising out of or in connection with it, shall be governed and construed in accordance with the laws as stated in the Master Terms.
12.2. Each party irrevocably submits to the dispute resolution mechanism set forth in the Master Terms between the parties over any claim, dispute or matter arising under or in connection with this DPA or its enforceability or the legal relationships established by this DPA (including non-contractual disputes or claims).
All notice to TapResearch under this DPA (except the Security Breach notice described in paragraph 6) shall be made in accordance with the Master Terms.
Customer and/or Developer shall defend, indemnify and hold harmless TapResearch and its affiliates and each of their respective managers, officers, directors, employees and agents (the “Indemnified Parties”
) from and against all third party claims, demands or causes of action, losses, damages or liabilities including reasonable attorney’s fees and court costs incurred by the Indemnified Parties to the extent arising out of any alleged or actual violation of this DPA.