Data Processing Agreement
LAST UPDATED: April 23rd, 2024
This Data Processing Agreement, including its Exhibits, (“DPA”) forms part of and is subject to the terms and conditions of the Growth FullStack Software-as-a-Service License Agreement available at https://www.growthfullstack.com/terms/ (the “Agreement”) by and between the customer named in such Agreement or identified within Tenjin systems upon creating a Growth FullStack Account (“Customer”) and Tenjin, Inc. and its Affiliates (“Tenjin”).
- Subject Matter and Duration.
a) Subject Matter. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Tenjin’s execution of the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its Exhibit conflicts with the Agreement, this DPA shall control.
b) Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this DPA if it is completed after the effective date of the Agreement. Tenjin will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
- Definitions.
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply. All capitalized terms not defined herein shall have the meaning set forth in the Agreement and in the applicable data protection law.
a) “Ad Network Terms” means all terms, conditions, and/or policies applicable to any advertising activities on or in connection with any third-party advertising network through which Customer intends to place advertisements or has otherwise integrated.
b) “Affiliate” means, with respect to a Party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party. For purposes of this DPA, “control” means an economic or voting interest of at least fifty percent (50%) or, in the absence of such economic or voting interest, the power to direct or cause the direction of the management and set the policies of such an entity.
c) “Authorized User” means Customer’s employees that Customer has expressly authorized to use and access the Services through Customer’s Tenjin account.
d) “Customer Personal Data” means Personal Data made available to Tenjin or the Services by or on behalf of Customer or any Authorized User or via Customer’s use of the Services including, but not limited to, advertising campaign data.
e) “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
f) “Sources and Destinations” means companies and services added to the Tenjin account on this page: https://app.growthfullstack.com/dashboard.
g) “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
h) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
i) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Tenjin.
j) “Services” means the services that Tenjin performs under the Agreement.
k) “Subprocessor(s)” means Tenjin’s authorized vendors and third-party service providers that Process Customer Personal Data.
- Processing Terms for Customer Personal Data.
a) Documented Instructions. Tenjin shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this DPA, any applicable Statement of Work, and any instructions agreed upon by the parties. Tenjin will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
b) Authorization to Use Subprocessors. To the extent necessary to fulfill Tenjin’s contractual obligations under the Agreement, Customer hereby authorizes Tenjin to engage Subprocessors.
c) Tenjin and Subprocessor Compliance. Tenjin shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for Tenjin’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
d) Right to Object to Subprocessors. Where required by Data Protection Laws, Tenjin will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
e) Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
f) Personal Data Inquiries and Requests. Where required by Data Protection Laws, Tenjin agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
g) Sale of Customer Personal Data Prohibited. Tenjin shall not sell Customer Personal Data as the term “sell” is defined by the CCPA.
h) Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Tenjin agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgment, the type of Processing performed by Tenjin requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
i) Demonstrable Compliance. Tenjin agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Customer’s reasonable request.
j) Service Optimization. Where permitted by Data Protection Laws, Tenjin may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
k) Aggregation and De-Identification. Tenjin may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
- Information Security Program.
a) Security Measures. Tenjin shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. You can review the latest technical and organizational measures implemented by Tenjin by visiting our Trust Center.
- Security Incidents.
a) Notice. Upon becoming aware of a Security Incident, Tenjin agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
- Cross-Border Transfers of Customer Personal Data.
a) Cross-Border Transfers of Customer Personal Data. Customer authorizes Tenjin and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
b) Data Transfer Impact Assessment Questionnaire. Tenjin agrees that it has provided true, complete, and accurate responses to the Data Transfer Impact Assessment Questionnaire attached hereto as Exhibit A.
c) EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Tenjin in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Standard Contractual Clauses attached hereto as Exhibit B. The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses will be provided upon Customer’s written request; (ii) the measures Tenjin is required to take under Clause 8.6(c) of the Standard Contractual Clauses will only cover Tenjin’s impacted systems; (iii) the audit described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of this DPA; (iv) Tenjin may engage Subprocessors using European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors or any other adequacy mechanism provided that such adequacy mechanism complies with applicable Data Protection Laws and such use of Subprocessors shall not be deemed to comply with Clause 9 of the Standard Contractual Clauses; (v) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Standard Contractual Clauses will be limited to the termination of the Standard Contractual Clauses, in which case, the corresponding Processing of Customer Personal Data affected by such termination shall be discontinued unless otherwise agreed by the parties; (vi) unless otherwise stated by Tenjin, Customer will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Standard Contractual Clauses; (vii) the information required under Clause 15.1(c) will be provided upon Customer’s written request; and (viii) notwithstanding anything to the contrary, Customer will reimburse Tenjin for all costs and expenses incurred by Tenjin in connection with the performance of Tenjin’s obligations under Clause 15.1(b) and Clause 15.2 of the Standard Contractual Clauses without regard for any limitation of liability set forth in the Agreement. Customer’s acceptance of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
d) Data Transfer Impact Assessment Outcome. Taking into account the information and obligations set forth in this DPA and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the attached Standard Contractual Clauses to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable Data Protection Laws.
- Audits.
a) Customer Audit. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may carry out an audit of Tenjin’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit must be: (i) conducted during Tenjin’s regular business hours; (ii) with reasonable advance notice to Tenjin; (iii) carried out in a manner that prevents unnecessary disruption to Tenjin’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
- Customer Personal Data Deletion.
a) Data Deletion. At the expiry or termination of the Agreement, Tenjin will delete all Customer Personal Data, except where Tenjin is required to retain copies under applicable laws, in which case Tenjin will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
- Customer’s Obligations.
a) Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that allows for the Processing of Customer Personal Data as contemplated herein and complies with all Ad Network Terms; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) the Processing of Customer Personal Data as contemplated by the Agreement will not violate Data Protection Laws, the right of any third party (including, without limitation, any intellectual property right or right of privacy), or cause a breach of any agreement or obligations between Customer and any third party (including, without limitation, any Ad Network Terms).
b) No Selling of Customer Personal Data. Customer may not use the Services or DataVault to facilitate the sale of Customer Personal Data (unless the data subjects to whom Customer Personal Data relates have given Customer specific consent to sell their Customer Personal Data).
c) Additional Terms for DataVault. If Customer uses Tenjin’s DataVault, Customer represents and warrants that any Customer Personal Data was obtained, and is being stored, with the informed consent of the data subject. Customer also represents and warrants that it will not use DataVault and the Customer Personal Data contained therein for any purpose that violates any Data Protection Laws.
- Miscellaneous.
a) Customer Data. Customer acknowledges and agrees that Tenjin may Process Personal Data about Customer’s Authorized Users (“Account Data”) in accordance with its privacy notice available at: https://www.tenjin.com/privacy. Account Data is not Customer Personal Data.
b) Third-Party Services. Certain features and functionalities within the Services may allow Customer or its Authorized Users to interface or interact with, access, use, and/or disclose Customer Personal Data to compatible third-party services, products, technology, content, and Sources and Destinations (collectively, “Third-Party Services”) through the Services. For clarity, Tenjin may send Customer Personal Data including, but not limited to, device information such as advertising ID and IP address, to certain Sources and Destinations that Customer adds to Customer’s Tenjin account for the purposes of install attribution and other aspects of the Service. Tenjin will do so via Customer’s agreement with the Sources and Destinations and according to the applicable Terms of Service. Customer represents and warrants that all Sources and Destinations that Customer adds to Customer’s account are compliant with all Data Protection Laws and there is a legally valid basis for the transfer of Customer Personal Data. Tenjin does not provide any aspect of the Third-Party Services and is not responsible for any compatibility issues, errors or bugs in the Services or Third-Party Services caused in whole or in part by the Third-Party Services or any update or upgrade thereto. Customer is solely responsible for maintaining the Third-Party Services and obtaining any associated licenses and consents necessary for Customer to use the Third-Party Services in connection with the Services.
- Processing Details.
a) Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
b) Duration. The Processing will continue until the expiration or termination of the Agreement.
c) Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.
d) Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Tenjin is the performance of the Services.
e) Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.
- Contact Information.
a) Customer and Tenjin agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for both parties are:
Customer Designated POC: Customer POC named in the Agreement or identified within Tenjin systems upon creating a Growth FullStack Account.
Tenjin Designated POC: Francesco Perrone, Director of Data Security and Compliance, privacy@tenjin.com
EXHIBIT A TO THE DATA PROCESSING AGREEMENT
DATA TRANSFER IMPACT ASSESSMENT QUESTIONNAIRE
This Exhibit A forms part of the DPA. Capitalized terms not defined in this Exhibit A have the meaning set forth in the DPA.
- What countries will Customer Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from? If this varies by region, please specify each country for each region.
- Answer: U.S.A.
- What are the categories of data subjects whose Customer Personal Data will be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: End users of Customer’s mobile app and viewers of Customer’s online advertisements
- What are the categories of Customer Personal Data transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: Customer Personal Data that is Processed under the Agreement including, but not limited to, advertising ID, vendor ID, IP address, device type, device model, device locale, device country, OS platform, bundle ID, and Apple search attribution as well as information about an end user’s use of Customer’s mobile app.
- Will any Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom? If so, are there any restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures?
- Answer: Not to Tenjin’s knowledge.
- What business sector is Tenjin involved in?
- Answer: Software as a Service for online advertisers.
- Broadly speaking, what are the services to be provided and the corresponding purposes for which Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: Tenjin provides advertising and analytics services. Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom in order to provide the Services.
- What is the frequency of the transfer of Customer Personal Data outside of outside of the European Economic Area, Switzerland, and/or the United Kingdom? E.g., is Customer Personal Data transferred on a one-off or continuous basis?
- Answer: Customer will determine the frequency by which it transfers Customer Personal Data to Tenjin.
- When Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to Tenjin, how is it transmitted to Tenjin? Is the Customer Personal Data in plain text, pseudonymized, and/or encrypted?
- Answer: Data collected via Tenjin’s SDK and API integrations. Data is encrypted in transit and at rest.
- What is the period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period?
- Answer: Customer Personal Data will be retained in accordance with the Agreement.
- Please list the Subprocessors that will have access to Customer Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom:
Name of Subprocessor | Subject matter, nature, and duration of processing | Location (Country) | Adequacy Mechanism Supporting Transfer |
AWS | Cloud IAAS, on a continuous basis | U.S.A. | SCCs |
GCP | Cloud IAAS, on a continuous basis | U.S.A. | SCCs |
DataDog | performance metrics and event monitoring | U.S.A. | SCCs |
- Is Tenjin subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Customer Personal Data is stored or accessed from that would interfere with Tenjin fulfilling its obligations under the attached Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws.
- Answer: As of the effective date of the Agreement, no court has found Tenjin to be eligible to receive process issued under the laws contemplated by Question 11, including FISA Section 702 and no such court action is pending.
- Has Tenjin ever received a request from public authorities for information pursuant to the laws contemplated by Question 11 above (if any)? If yes, please explain.
- Answer: No.
- Has Tenjin ever received a request from public authorities for Personal Data of individuals located in the European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.
- Answer: No.
EXHIBIT B TO THE DATA PROCESSING AGREEMENT
This Exhibit B forms part of the Agreement.
STANDARD CONTRACTUAL CLAUSES
Module 2: Controller To Processor