Data Processing Agreement
This Data Processing Agreement (the “DPA”) constitutes an integral part of all agreements, including the GT Full Stack Terms of Service (the “Master Agreements”), by and between GT Full Stack GmbH (“Full Stack”) and you (together with your affiliates and subsidiaries, “You” or “Your”). In the event of any conflict between the DPA and the Master Agreements, this DPA shall prevail to the extent of such conflict.
IT IS AGREED:
1. Definitions and interpretation
Definitions: In this DPA, the following terms shall have the following meanings:
i. “Applicable Data Protection Law” means all applicable laws and regulations, including without limitation international, federal, national and state privacy, data security, and data protection laws and regulations, and industry-tested and accepted methods for protecting data, that apply to the Processing of Personal Data that is the subject matter of the Master Agreements (including, where applicable, European Data Protection Law and the California Consumer Privacy Act).
ii. “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
iii. “Destroy” means to burn, pulverize, or shred papers, or to destroy or erase electronic files or media, so that all such information cannot be read or reconstructed.
iv. “European Data Protection Law” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and any applicable national laws made under the GDPR.
v. “Personal Data” means any information relating to an identified or identifiable natural person. Within the scope of this DPA, the term Personal Data shall refer to data processed by Full Stack on Your behalf within the meaning of Art. 4 no. 8 GDPR and includes (but is not limited to) advertising identifiers, IP addresses and any other information which is deemed “personal” under Applicable Data Protection Law.
vi. “Process” means to perform any operation or set of operations upon Personal Data, whether manually or by automatic means, including but not limited to collection, recording, sorting or organization, structuring, accessing, storage, adaptation or alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
vii. “Processor” means an entity that Processes Personal Data on behalf of the Controller.
2. Data Protection
b. Purpose limitation: Full Stack shall Process the Data as a Processor as necessary to perform its obligations under the Master Agreements, and strictly in accordance with Your documented instructions (the “Permitted Purpose”). Should Full Stack consider any of Your instructions to be in breach of applicable statutory provisions, it shall abstain from performing such instruction and inform You accordingly. No claim whatsoever may be exercised against Full Stack due to its failure to execute an instruction it deems in breach of statutory law.
c. International transfers of Data: Full Stack may process Data outside of the EU, in particular when cooperating with sub-Processors (see sec. f) below) based in third countries. Any such transfer of data to a third country shall be based on an appropriate legal basis according to art. 44 et seq. GDPR. Transfers of data to Full Stack affiliates based in third countries – if any – shall in particular be based on standard contractual clauses approved by the European Commission and be subject to further security measures.
d. Confidentiality of Processing: Full Stack shall keep strictly confidential all Personal Data that it Processes on behalf of You in accordance with the confidentiality provisions of the Master Agreements. Full Stack shall ensure that any person that it authorizes to Process the Data (including Full Stack’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process the Data who is not under such a duty of confidentiality. Full Stack shall ensure that only Authorized Persons will have access to, and Process, the Data, and that such access and Processing shall be limited to the extent strictly necessary to achieve the Permitted Purpose.
e. Security: Full Stack shall implement and maintain reasonable and appropriate physical, technical and organizational measures to ensure the ongoing integrity, confidentiality and availability of Data, and the resilience of systems and services Processing Data, as appropriate to the nature and scope of Full Stack’s activities and services, and in accordance with Applicable Data Protection Law. Such measures will include, without limitation, protecting the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorized disclosure or access (a “Security Incident”). Full Stack will implement and maintain comprehensive and written privacy and information security policies and procedures and provide such documents in ten business days upon written request to You. You shall have the right to have Full Stack audited as necessary for GDPR compliance by a recognized third-party data protection auditor.
f. Subcontracting: You consent to Full Stack engaging third party sub-Processors to Process the Data, provided that Full Stack imposes data protection terms on any sub-Processor it appoints that protect the Data to the same standard provided for by this DPA. Full Stack reserves the right to appoint and/or replace sub-Processors by giving notice to You in good time. Unless You object to such changes of sub-Processors, the change shall be deemed as accepted. In case of any objection, the parties will exert their best efforts to find an amicable solution.
g. Cooperation and individuals’ rights: Full Stack shall provide all reasonable and timely assistance to You to enable You to respond to: (i) any request from an individual to exercise any rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from an individual, regulator, court or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Full Stack, Full Stack shall promptly inform any Data Subjects that they should contact You with those requests.
h. Security Incidents: Upon becoming aware, or if there is a reasonable belief, of a Security Incident, Full Stack shall inform You without undue delay and shall provide all such timely information and cooperation as You may require in order for You to fulfill any data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.
i. Deletion or Return of Data: Upon termination or expiration of the Master Agreements, Full Stack shall Destroy all Data in its possession or control within 180 calendar days. This provision shall not apply to the extent that Full Stack or You are required by any applicable law to retain some or all of the Data, in which event Full Stack shall isolate and protect the Data from any further Processing except to the extent required by such law.
3. Your Responsibilities
b. Compliance with Applicable Data Protection Law: You shall comply with all Applicable Data Protection Laws, including any relevant privacy laws applicable to minors, and shall only send Full Stack such Data that Full Stack can lawfully process.
c. Compliance with all relevant Ad Network Terms of Service: You are responsible for understanding Your obligations under Your agreements with Your ad network partners and taking appropriate steps to comply.
d. Implement Necessary Consents and Opt-Outs: Where required by law, You must ask the user before collecting any Data and sending that Data to Full Stack for processing. You are responsible for determining where and when these consents are necessary and only sending Data to Full Stack when the necessary consents have been obtained (or the consents are unnecessary). Where required by law, You must also ask the user if they would like to opt out and should delete data and stop processing data accordingly (or clearly direct Full Stack to delete data or stop processing data).
e. Comply with all applicable data retention requirements: You are responsible for deleting data when required by law or as required by Your agreements with other data owners, such as ad networks. Full Stack deletes data from DataVault after 90 days. Only under exceptional circumstances can data be kept up to 180 days, subject to the agreement of both Parties. If You copy data from DataVault, You are responsible for deleting the Data as necessary.