Data Processing Agreement

1. Scope, Order of Precedence, and Term

1.1 This Data Processing Agreement ("DPA") is an addendum to the Customer Terms of Service ("Agreement") between Bamboozle Web Services Inc. ("Bamboozle") and the Customer. Bamboozle and Customer are individually a "party" and, collectively, the "parties."

1.2 This DPA applies where and only to the extent that Bamboozle processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

1.3 The duration of the Processing covered by this DPA shall be in accordance with the duration of the Agreement.

2. Definitions

2.1 The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

• Controller means the entity that determines the purposes and means of the Processing of Personal Data.
• Data Protection Law means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the GDPR (Regulation 2016/679) and the California Consumer Privacy Act (CCPA).
• Data Subject means an identified or identifiable natural person.
• De-identified Data means a data set that does not contain any Personal Data. Aggregated data is De-identified Data.
• EEA means the European Economic Area.
• Standard Contractual Clauses means the European Union standard contractual clauses for international transfers, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• Personal Data means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject.
• Personal Data Breach means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
• Process or Processing means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
• Processor means an entity that processes Personal Data on behalf of another entity.
• Sensitive Data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health; data concerning a natural person's sex life or sexual orientation; government identification numbers; payment card information; and precise geolocation.
• Subprocessor means a Processor engaged by a party who is acting as a Processor.

3. Description of Personal Data Processing Activities

3.1 The schedules attached to this DPA describe the purposes of the parties' Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.

3.2 The schedules list the parties' statuses under relevant Data Protection Law.

4. International Data Transfer

4.1 With respect to Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom that Customer transfers to Bamboozle or permits Bamboozle to access, the parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA.

5. Data Protection Generally

5.1 Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy notices.

5.2 Customer Processing of Personal Data. Customer represents and warrants that it has the consent or other lawful basis necessary to collect Personal Data in connection with the Services.

5.3 Cooperation.

• Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to Data Subjects' requests to exercise rights under Data Protection Law.
• Governmental and Investigatory Requests. Customer will promptly notify Bamboozle if Customer receives a complaint or inquiry from a regulatory authority indicating that Bamboozle has or is violating Data Protection Law.
• Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations to conduct data protection impact assessments or prior consultations with data protection authorities.

5.4 Confidentiality. The parties will ensure that their employees, independent contractors, agents, and representatives are subject to an obligation to keep Personal Data confidential and have received training on data privacy and security commensurate with their responsibilities.

5.5 De-identified Data. The parties may create De-identified Data from Personal Data and Process the De-identified Data for any purpose.

6. Data Security

6.1 Each party will maintain a written information security policy that defines security controls based on the party's assessment of risk to Personal Data that the party processes and the party's information systems.

7. Bamboozle's Obligations as a Processor or Service Provider

7.1 Bamboozle will have the obligations set forth in this Section 7 if it processes Personal Data in its capacity as Customer's Processor or Service Provider. These obligations do not apply to Bamboozle in its capacity as a Controller, Business, or Third Party.

7.2 Scope of Processing. Bamboozle will Process Personal Data to provide Services to Customer under the Agreement and comply with applicable law. Bamboozle will notify Customer if the law changes and those changes cause Bamboozle not to be able to comply with the Agreement.

7.3 Data Subjects' Requests. Bamboozle will promptly inform Customer if Bamboozle receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. Customer will be responsible for responding to such requests. Bamboozle will provide Customer with commercially reasonable assistance upon request to help Customer respond to a Data Subject's request.

7.4 Bamboozle's Subprocessors.

• Existing Subprocessors. Customer agrees that Bamboozle may use the Subprocessors listed in the relevant Schedule.
• Use of Subprocessors. Customer grants Bamboozle general authorization to engage Subprocessors if Bamboozle and a Subprocessor enter into an agreement that requires the Subprocessor to meet obligations that are no less protective than this DPA.
• Notification of Changes. Bamboozle will notify Customer of any additions to or replacements of its Subprocessors via email and will provide Customer with at least 30 days to object to the addition or replacement of Subprocessors.
• Liability for Subprocessors. Bamboozle will be liable for the acts or omissions of its Subprocessors to the same extent as Bamboozle would be liable if performing the services of the Subprocessor directly under the DPA.

7.5 Personal Data Breach. Bamboozle will notify Customer without undue delay of a Personal Data Breach affecting Personal Data Bamboozle processes in connection with the Services. Upon request, Bamboozle will provide information about the Personal Data Breach to the extent necessary for Customer to fulfill any obligations to investigate or notify authorities.

7.6 Deletion and Return of Personal Data. Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent Bamboozle is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems.

7.7 Audits. Bamboozle shall maintain records of its security standards. Upon Customer's written request, Bamboozle shall provide copies of relevant external ISMS certifications, audit report summaries and other documentation reasonably required by Customer to verify Bamboozle's compliance with this DPA. Bamboozle shall provide written responses to all reasonable requests for information made by Customer, provided that Customer shall not exercise this right more than once per year.

Contact Us

If you have any questions about this Data Processing Agreement, please contact us at [email protected].