Data Processing Addendum
This Data Processing Addendum (“DPA”) between Concentric Sky, Inc. (“CSky,” “we,” “us,” or “our”) and you or the entity you represent (“you” or “your”) applies to the services provided by us through our websites (www.badgr.io, www.badgr.com, www.badgr.org, and www.badgerank.org) and our mobile Badgr application (collectively “Badgr”). This DPA forms part of, and is subject to, the Terms of Service (“Terms”) between CSky and you, or such other agreement between you and CSky governing your use of Badgr. Any capitalized terms not defined in this DPA shall have the meaning given in the Terms.
The following definitions apply solely to this DPA:
- 1.1 The terms “Controller,” “Data Subject,” “Personal Data,” “Processor,” “Process,” and “Processing” have the meanings given to such terms in the GDPR.
- 1.2 “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 (as amended or replaced by subsequent legislation).
- 1.3 “Security Measures” means technical and organizational security measures.
- 1.4 “Sub-Processor” means an entity engaged by us to process your Registered User Data.
- 1.5 “Your Controlled Data” means Personal Data that is shared with us for processing on your behalf and pursuant to your instructions, e.g. identifying an Earner, but only to the extent that such Personal Data pertains to Data Subjects located within the European Economic Area.
This DPA only applies to the extent that you provide us with Your Controlled Data and, in such instances, the rights and obligations set forth herein apply only to Your Controlled Data.
3. PROCESSING ROLES AND ACTIVITIES.
- 3.1 CSky as the Processor and You as the Controller. With respect to Your Controlled Data, you are the Controller and we are the Processor.
- 3.3 Processing Activities. We process Your Controlled Data for the purpose of providing you with Badgr and other purposes described in the Terms (the “Purpose”) and CSky is hereby instructed to Process Your Controlled Data for the Purpose in accordance with the Terms. For example, where instructed by you we will process Your Controlled Data in order to issue a Badge to an Earner.
- 3.4 Compliance with Laws. You acknowledge and agree that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You agree that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations, including GDPR. You are responsible for reviewing the information available from us relating to data security pursuant to the Terms and making an independent determination as to whether Badgr meets your requirements and legal obligations. CSky will not access or use Your Controlled Data except as provided in the Terms.
- 3.5 Processing Details.
- a. The purpose of our Processing under this DPA is to provide you with Badgr functionality as initiated by you from time to time.
- b. The subject matter of our Processing under this DPA is Your Controlled Data.
- c. The duration of our Processing under this DPA is determined by you, unless earlier suspended or terminated by us as described in the Terms.
- d. The nature of our Processing under this DPA is described in the Terms and as initiated by you from time to time.
- e. The categories of Personal Data that we Process under this DPA include Your Controlled Data about you and other individuals whose information we process in accordance with instructions given to us through your Registered User account, e.g. the email address of an Earner given to us to process the award of a Badge.
- f. The categories of Data Subjects that we Process under this DPA include you and other individuals whose Personal Data is included in Your Controlled Data.
4. OUR PROCESSING OBLIGATIONS.
- 4.1 Our Role in Processing. We will process Your Controlled Data for the Purpose and in accordance with the Terms or instructions you give us through your Registered User account. You agree that the Terms and the instructions given through your Account are your complete and final documented instructions with respect to Your Controlled Data.
- 4.2 Reasonable Assistance. To the extent that you cannot reasonably do so through Badgr, your Registered User account, or otherwise, we will provide reasonable assistance to you in respect of your obligations as Controller with respect to requests by Data Subjects, taking into account the nature of Badgr and information available to us. You may be responsible for our reasonable costs arising from our provision of such assistance.
- 4.3 Security Measures. We will implement Security Measures. We may change these Security Measures but will not do so in a way that unreasonably affects the security of Your Controlled Data.
- 4.4 Breach Notification. We will provide you notice after becoming aware of and confirming the occurrence of a breach for which notification to you is required under the GDPR. To assist you in complying with your notification obligations under the GDPR, we will assist you to the extent we are reasonably able to, taking into account the information available to us and any restrictions on disclosing such information. Our obligation to report or respond to a breach is not and will not be construed as an acknowledgement by us of any fault or liability of CSky with respect to such breach. This section does not apply to incidents that are caused by you.
- 4.5 Notification of Inquiry or Complaint. If required by applicable law, we will provide you notice upon receiving an inquiry or complaint from an individual whose Personal Data is included in Your Controlled Data.
- 4.6 Audits Initiated by Us. We may, but are not required to, use external or internal auditors to verify the adequacy of our Security Measures.
- 4.7 Audits Initiated by You. You agree to exercise any right you may have to conduct an audit or inspection, including under GDPR, by instructing CSky to carry out the audit described in Section 4.6. Before the results of any audit are shared with you, you agree that you may be required to agree to a non-disclosure agreement with us before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If you wish to change this instruction regarding the audit, then you have the right to request a change to this instruction by sending us a written notice as provided for in the Terms. If we decline to follow any instruction requested by you regarding audits, you are entitled to terminate this DPA and the Terms. Electing to terminate will result in loss of access to the Site. This section is intended to clarify the procedures with respect to any audit initiated by you and shall not modify or limit your audit rights under applicable law.
You acknowledge and agree that the delivery of Badgr may require us to share Your Controlled Data with Sub-Processors. We will agree to contractual obligations with our Sub-Processors as required by applicable law, including GDPR. A list of our current Sub-Processors is available upon request by sending an email to firstname.lastname@example.org. If you object to any Sub-Processor, you may cancel or terminate your Registered User account or, if possible, cease using Badgr functionality that involves use of such Sub-Processor.
6. DATA TRANSFERS.
You acknowledge and agree that we may transfer Your Controlled Data away from the country in which such personal data was originally collected, including to the United States. Transfers to the United States shall be made pursuant to the EU-U.S. Privacy Shield Framework, Swiss-U.S. Privacy Shield Framework, or any other lawful transfer mechanism that is recognized under the GDPR.
The liability of each party under this DPA is subject to the exclusions and limitations set out in the Terms. Notwithstanding the foregoing, you agree that any regulatory penalties or claims by Data Subjects or others incurred by CSky in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this DPA or GDPR shall reduce our maximum aggregate liability to you in the same amount as such fine and/or liability incurred by us.