Data Processing Agreement
v.10.03.2024
This Data Processing Agreement (“DPA”) constitutes an amendment to the SAAS Agreement between Client and i2H, LLC dba Ambassador Software “Ambassador”, (the “Agreement”) pursuant to which Ambassador provides the Services (as defined in the Agreement) to Client.
The parties agree to comply with the following provisions with respect to any Personal Data Processed by Ambassador for Client in connection with the provision of the Services. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.
1. DEFINITIONS
- “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
- “CCPA” means the California Consumer Privacy Act as well as any associated regulations promulgated by the California Attorney General’s office.
- “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland); (c) the Data Protection Act 2018 (United Kingdom); (d) the General Law for the Protection of Personal Data, Law 13.709 of Brazil; and/or (e) CCPA (California), in each case as applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the individual to whom Personal Data relates.
- “Effective Date” shall have the meaning ascribed to such term in Section 11.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. For purposes of clarity, references to the GDPR shall include the Federal Data Protection Act of 19 June 1992 (Switzerland) and the Data Protection Act 2018 (United Kingdom).
- “Personal Data” means any information relating to an identified or identifiable person that is subject to the Data Protection Laws as specified in Appendix 1, including but not limited to any personal information as defined by the CCPA. The types of Personal Data and categories of Data Subjects Processed under this DPA include but are not limited to the following: names, email addresses, mobile advertising IDs, IP addresses and cookie IDs received from Client.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
- “Security Breach” has the meaning set forth in Section 7 of this DPA.
- “Sub-processor” means any sub-processor engaged by Ambassador for the Processing of Personal Data.
- “Term” means the period from the Effective Date to the date the DPA is terminated in accordance with Section 10.1.
- “Third Party Partner” means any entity engaged by Client for the Processing of Personal Data.
2. PROCESSING OF PERSONAL DATA
- To the extent the Services involve the Processing of Personal Data governed under Data Protection Laws, the parties agree that Client is the Data Controller and Ambassador is a Data Processor and that the subject matter and details of the processing of such Personal Data are described in Appendix 1. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Ambassador shall keep a record of all processing activities with respect to Client’s Personal Data as required under GDPR.
- Each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Personal Data, including but not limited to providing the other party contact details for each party’s Data Protection Officer which are accurate and up to date. Client shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and Client will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If Ambassador believes or becomes aware that any of Client’s instructions conflict with any Data Protection Laws, Ambassador shall inform Client. As between the parties, Client shall have sole responsibility for determining the legal basis for processing of Personal Data and (to the extent legally required) obtaining all consents from Data Subjects necessary for collection, storage (e.g., via HTTP cookies) and Processing of Personal Data in the scope of the Services. With respect to any cookies placed in connection with https://www.getambassador.com/, Ambassador is responsible for obtaining consents from Data Subjects where required by Data Protection Laws.
- The objective of Processing of Personal Data by Ambassador is the performance of the Services pursuant to the Agreement. During the Term of the Agreement, Ambassador shall only Process Personal Data on behalf of and in accordance with the Agreement and Client’s instructions and shall treat Personal Data as Confidential Information. Client instructs Ambassador to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Client where such instructions are acknowledged by Ambassador as consistent with the terms of the Agreement. Ambassador may Process Personal Data other than on the instructions of the Client if it is mandatory under applicable law to which Ambassador is subject. In this situation Ambassador shall inform the Client of such a requirement unless the law prohibits such notice. Both parties agree that Client instructions may include Client directing Ambassador to send data to one or more Third Party Partner(s) for further processing.
3. RIGHTS OF DATA SUBJECTS; DATA DELETION
- Ambassador shall provide reasonable and timely assistance to the Client (at the Client’s expense) to enable the Client to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to the Ambassador (a “Direct Access Request”), Ambassador shall to the extent legally permitted, promptly inform the Client providing full details of the same and, upon request, provide the Client with contact details of the Data Subject(s). If Client fails to respond to a Direct Access Request within 30 days, Ambassador reserves the right to take appropriate steps in its reasonable judgement to respond to such request(s).
4. AMBASSADOR PERSONNEL
- Ambassador shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
- Ambassador will take appropriate steps to ensure compliance with the Security Measures outlined in Appendix 2 by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Ambassador.
- Ambassador shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
5. SUB-PROCESSORS
- Client acknowledges and agrees that (i) Ambassador Affiliates may be retained as Sub-processors; and (ii) Ambassador may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Ambassador has retained them to provide, and are prohibited from using Personal Data for any other purpose. Ambassador will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
- A list of Sub-processors is available in the Ambassador user interface and/or in Appendix 3. Ambassador may change the list of such other Sub-processors by no less than 5 business days’ notice. If Client objects to Ambassador’s change in such Sub-processors on reasonable data protection grounds, Ambassador may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Client. In the event of such termination, the parties shall negotiate in good faith regarding a pro-rata refund for Client.
- Ambassador shall be liable for the acts and omissions of its Sub-processors to the same extent Ambassador would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
- Client acknowledges and agrees that Third Party Partners are not Sub-processors and Ambassador assumes no responsibility or liability for the acts or omissions of such Third Party Partners.
6. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
- Ambassador shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Client’s Personal Data. Ambassador will implement and maintain technical and organizational measures to protect Client Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to protect Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Ambassador’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Ambassador may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Ambassador will (taking into account the nature of the processing of Client Personal Data and the information available to Ambassador) assist Client in ensuring compliance with any of Client’s obligations with respect to the security of Personal Data and Personal Data breaches applicable to GDPR, including (if applicable) Client’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Appendix 2; and (b) complying with the terms of Section 7 of this DPA.
- No more than once per year, Client may engage a mutually agreed upon third party to audit Ambassador solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”). To request an audit, Client must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to [email protected]. The auditor must execute a written confidentiality agreement acceptable to Ambassador before conducting the audit. The audit must be conducted during regular business hours, subject to Ambassador’s policies, and may not unreasonably interfere with Ambassador’s business activities. Any audits are at Client’s expense.
- Any request for Ambassador to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Client shall reimburse Ambassador for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Client and Ambassador shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Ambassador.
- Client shall promptly notify Ambassador with information regarding any non-compliance discovered during the course of an audit.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
- If Ambassador becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Client Personal Data transmitted, stored or otherwise Processed on Ambassador’s equipment or facilities (“Security Breach”) which, in the reasonable opinion of Ambassador’s Data Protection Officer, requires such notification, Ambassador will promptly notify Client of the Security Breach. Notifications made pursuant to this section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps Ambassador recommends Client take to address the Security Breach.
- Client agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Client Personal Data or to any of Ambassador’s equipment or facilities storing Client Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
- Notification(s) of Security Breaches, if any, will be delivered to one or more of Client’s business, technical or administrative contacts by any means Ambassador selects, including via email. It is Client’s sole responsibility to ensure it maintains accurate contact information on Ambassador’s support systems at all times.
- Ambassador’s notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by Ambassador of any fault or liability with respect to the Security Breach.
- Ambassador shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Client Personal Data. As technical and organizational measures are subject to technological development, Ambassador is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Law.
- Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Client Personal Data as well as the risks to individuals) the Security Measures provide a level of security appropriate to the risk in respect to the Client Personal Data.
8. RETURN AND DELETION OF CLIENT DATA
- Ambassador will enable Client to delete Client Data during the Term in a manner consistent with the functionality of the Services. If Client uses the Services to delete any Client Data during the Term and that Client Data cannot be recovered by Client, this use will constitute an instruction to Ambassador to delete the relevant Client Data from Ambassador’s systems in accordance with Data Protection Laws. Ambassador will comply with instructions from the Client to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
- On expiry of the Agreement, Client instructs Ambassador to delete all Client Data (including existing copies) from Ambassador’s systems and discontinue processing of such Client Data in accordance with Data Protection Law. Ambassador will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that Ambassador has archived Client Data on back-up systems so long as Ambassador securely isolates and protects such data from any further processing except to the extent required by applicable law. Without prejudice to this Section, Client acknowledges and agrees that Client will be responsible for exporting, before the Agreement expires, any Client Data it wishes to retain afterwards. Notwithstanding the foregoing, the provisions of this DPA will survive the termination of this Agreement for as long as Ambassador retains any of the Client Personal Data.
9. CROSS-BORDER DATA TRANSFERS
- Ambassador may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area, Switzerland, the United Kingdom and the United States.
- If the Services involve the storage and/or Processing of Client’s Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the parties agree that the EU Commission Implementing Decision (EU) 2021/914, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as amended or updated from time to time) (“Standard Contractual Clauses”), will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Client and Ambassador, the parties agree that: (a) Roles of the Parties: Client is a Data Controller and “data exporter” and Ambassador is the Data Processor and “data importer” under the Standard Contractual Clauses; (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of an EU Member State that does allow for third-party beneficiary rights. In such case, the Parties agree that this shall be the laws of Ireland; (c) Sub-Processors: the parties select general written authorization for Sub-processors; (d) Redress: The parties elect to omit the optional text; and (e) Annexes I, II and III are provided at the end of this DPA as Appendix A and to the extent that there is a conflict between the DPA and Appendix A, Appendix A shall govern.
- The parties further agree that if Transferred Personal Data includes Personal Data from Data Subjects located in the United Kingdom, the parties will safeguard such data using mechanisms which are equivalent to those of the Standard Contractual Clauses until such time as the United Kingdom formally approves a set of UK Standard Contractual Clauses, at which point the parties shall execute the UK Standard Contractual Clauses.
- At Client’s written request, or if the Services involve the storage and/or processing of Client’s Personal Data collected from persons located in Argentina, Brazil or another jurisdiction not described above but which restricts the transfer of such Personal Data (each a “Restricted Transfer Country”) outside of each Restricted Transfer Country to a place that does not have adequate data protection laws, the parties agree to execute each applicable Restricted Transfer Country’s model clause agreement to ensure that such transfers are conducted in accordance with Data Protection Laws.
- To the extent Client is the recipient of Personal Data from Ambassador pursuant to this DPA, Client agrees that Client will provide at least the same level of protection for the information as Ambassador has agreed to provide herein.
- If the Standard Contractual Clauses or any other model clause transfer agreement are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified transfer mechanism.
- Both parties agree that their respective liability under this DPA shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by each respective party.
- Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
- This DPA will take effect on the date it is executed by Client and Ambassador at the bottom of this Agreement (the “Effective Date”) and will remain in effect until, and automatically expire upon, the deletion of all Client Data by Ambassador as described in this DPA.
- Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
- Where Client’s Affiliates are Data Controllers of the Personal Data, they may enforce the terms of this DPA against Ambassador directly.
- This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Agreement.
APPENDIX A
ANNEX I
Data exporter
The data exporter is CLIENT
Data importer
The data importer is i2H, LLC dba Ambassador Software, a company focused on marketing automation, analytics and CRM software.
Purpose of Processing
As described in the Agreement.
Data subjects
The personal data transferred concern the following category of data subjects: Client’s Ambassadors as described in the Agreement, as well as Client personnel to the extent necessary to provide the Services.
Categories of data
The personal data transferred concern the following categories of personal data:
- Tracking of audience traffic and their conversions. Personal details, including payment details. Mobile Advertising ID and/or cookie ID;
- Age;
- IP-address;
- Purchase history;
- Banking details (from Client only).
- In order to manage the Agreement, Ambassador will process Personal Data from Client’s employees and other personnel such as name, title, email address, telephone number and (for billing purposes) Client’s payment details.
Special categories of data (if appropriate)
None.
Processing operations
The personal data transferred will be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached)
INFORMATION SECURITY AND CONFIDENTIALITY
The Data Processor shall, in order to assist the Data Controller to fulfil its legal obligations including but not limited to; security measures and privacy risk assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data which is processed and shall thereby follow any written information security requirements or policies communicated by the Data Controller from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:
- (i) existing technical possibilities;
- (ii) the costs for carrying out the measures;
- (iii) the particular risks associated with the processing of Personal Data; and
- (iv) the sensitivity of the Personal Data which is processed.
The Data Processor shall maintain adequate security for the Personal Data. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by Data Processor shall include as appropriate:
- (i) the pseudonymisation and encryption of Personal Data;
- (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
- (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Further to the technical and organizational measures mentioned in section 0, the Data Processor shall implement the following measures:
- (i) physical access protection whereby computer equipment and removable data containing personal information at the Data Processor’s premises shall be locked up when not under supervision in order to protect against unauthorized use, impact and theft.
- (ii) a process for testing read back after Personal Data has been restored from backup copies.
- (iii) authorization control whereby access to the Personal Data is managed through a technical system from authorization control. Authorization shall be restricted to those who need the Personal Data for their work. User IDs and passwords shall be personal and may not be transferred to anyone else. There shall be procedures for allocating and removing authorizations.
- (v) secure communication whereby external data communication connections shall be protected using technical functions ensuring that the connection is authorized as well as content encryption for data in transit in communication channels outside systems controlled by the Data Processor.
- (vi) a process for ensuring secure data destruction when fixed or removable storage media shall no longer be used for their purpose.
- (vii) routines for entering into confidentiality agreements with suppliers providing repair and service of equipment used to store Personal Data.
- (viii) routines for supervising the service performed by suppliers at the premises of the Data Processor. Storage media containing the Personal Data shall be removed if supervision is not possible.
- (ix) any additional measures as instructed by the Data Controller in Appendix 1.
All technical and organizational security measures required by this DPA are being taken by Ambassador. Details of all security measures can be found in the attached document “Ambassador Information Security Program”.
Supplemental Measures implemented pursuant to the European Data Protection Board (EDPB) Recommendations 01/2020 on measures which supplement mParticle’s transfer tools to ensure compliance with the EU level of protection of personal data (Version 2.0, adopted on 18 June 2021) are available upon request.
ANNEX III
LIST OF SUB-PROCESSORS
Ambassador publishes and maintains a public list of sub-processors at https://trust.getambassador.com/subprocessors. Users may subscribe to email notifications regarding changes to the list via the Ambassador Trust Center.