Data Processing Addendum

Last Updated: August 30, 2019

INTRODUCTION

This Data Processing Addendum (this “DPA”) together with the Yapp, Inc. (“we” “our” “us” or “Yapp”) Terms of Service and Privacy Policy, form a single, binding agreement (this “Agreement”) between you and Yapp (each, a “Party” and together the “Parties”). Capitalized terms that are used, but not defined in this DPA have the meanings set forth in our Terms of Service, unless indicated otherwise.

DEFINITIONS

The terms “controller,” “data subject,” “personal data,” “process,” “processing,” and “processor” will have the meanings given to these terms in the EU Data Protection Law.

“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.

“Content” means any Customer Content or End User Content (as defined in Yapp’s Terms of Service), that you make available to the Services, including, without limitation, text, photos, images, audio, video, code and any other materials.

“Customer” means a person or organization that has contacted us regarding the Services, created a the Customer account or otherwise contacted us through the Services (including by using or accessing the Yapp Apps)

“Customer App” means a mobile or web application built by a Customer while using our Services.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of personal data under this Agreement, including, where applicable, EU Data Protection Law.

“Data Privacy Directive” means Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

“EEA” means the European Economic Area.

“End User” means anyone who uses or accesses a Customer App (for instance, to register for or obtain information about an event).

“EU Data Protection Law” means, to the extent applicable to Customer Controlled Data, any data protection or data privacy law or regulation of Switzerland or any country in the European Economic Area, including (i) prior to 25 May 2018, the Data Privacy Directive and, on and after 25 May 2018, the GDPR; and (ii) the e-Privacy Directive.

“e-Privacy Directive” means Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which is commonly called the General Data Protection Regulation.

“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016) 4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).

“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Controlled Data.

“Services” means any product or service provided by Yapp to the Customer pursuant to this Agreement.

“Subprocessors” means the other processors that are used by Yapp to process personal data.

“Customer Controlled Data” means the personal data in the Content that Yapp processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Customer Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to Your Site) with respect to your End Users’ interactions with Your Site through their browser and technologies like cookies.

“You” means the Customer, as defined in Yapp’s Terms of Service, to whom this Agreement applies.

RELATIONSHIP TO OTHER PARTS OF THIS AGREEMENT

Conflicting Provisions

Except for the changes made by this DPA, the other parts of this Agreement remain unchanged and in full force and effect. If there is any conflict between this DPA and other parts of this Agreement, this DPA shall prevail to the extent of that conflict.

Claims

Any claims brought under or in connection with this DPA shall be subject to the Terms of Service, including but not limited to, the exclusions and limitations set forth in therein.

Total Liability

The Customer further agrees that any regulatory penalties incurred by Yapp in relation to the Customer Controlled Data that arise as a result of, or in connection with, the Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count towards and reduce Yapp’s liability under this Agreement pursuant to the limitations on liability set forth in the other parts of this Agreement.

Enforcing Parties

No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

Governing Law

This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions of this Agreement, unless required otherwise by applicable Data Protection Laws.

SCOPE AND APPLICABILITY

This DPA applies where, and only to the extent that, Yapp processes Customer Controlled Data that (1) originates from the EEA or Switzerland or (2) that is otherwise subject to EU Data Protection Law and where Yapp conducts such processing on behalf of the Customer as a processor in the course of providing Services pursuant to this Agreement.

PROCESSING ROLES AND ACTIVITIES

Customer as Controller

As between Yapp and the Customer, the Customer is controller of Customer Controlled Data, and Yapp shall process Customer Controlled Data only as a processor acting on behalf of the Customer.

Customer Processing

The Customer agrees that (1) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Customer Controlled Data and any processing instructions it issues to Yapp; and (2) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Yapp to process Customer Controlled Data and provide the Services pursuant to this Agreement.

Yapp Processing of Customer Controlled Data

Yapp shall process Customer Controlled Data only for the purposes described in this Agreement and only in accordance with the Customer’s documented, lawful instructions. The parties agree that this DPA together with the rest of this Agreement set out the the Customer’s complete and final instructions to Yapp in relation to the processing of Customer Controlled Data, and that processing outside the scope of these instructions (if any) shall require prior written agreement between the Customer and Yapp.

Yapp as Controller

Yapp may also be an independent controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about the personal data that we control. For clarity, any such data does not fall under the definition of Customer Controlled Data. We decide how to use and process such personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in access to data regarding your End Users’ interactions with your Customer App, you will receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.

Details of Data Processing

1. Subject matter. The subject matter of the data processing under this DPA is the Customer Controlled Data.
2. Duration. As between Yapp and the Customer, the duration of the data processing under this DPA is until the termination of this Agreement in accordance with its terms.
3. Purpose. The purpose of the data processing under this DPA is the provision of the Services to the the Customer and the performance of Yapp's obligations under this Agreement (including this DPA) or as otherwise agreed by the parties.
4. Nature of the Processing. Yapp provides email messaging, analytics technology and other related services, as described in this Agreement.
5. Categories of Data Subjects. Customers and End Users are the data subjects contemplated by this DPA.
6. Types of Customer Controlled Data. Customers may control multiple types of personal data, including, without limitation: identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).

Data Used for Yapp’s Legitimate Business Purposes

Notwithstanding anything to the contrary in this Agreement (including this DPA), the Customer acknowledges that Yapp shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Yapp is the controller of such data and accordingly shall process such data in accordance with the Yapp Privacy Policy and Data Protection Laws.

Tracking Technologies

The Customer acknowledges that in connection with the performance of the Services, Yapp employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). The Customer shall maintain appropriate notice, consent, opt -in and opt-out mechanisms as are required by Data Protection Laws to enable Yapp to deploy Tracking Technologies lawfully on, and collect data from, the devices of End Users (defined below) in accordance with and as described in the Privacy Policy.

SUBPROCESSING

Authorized Subprocessors

The Customer agrees that Yapp may engage Subprocessors to process Customer Controlled Data on the Customer's behalf. The Subprocessors currently engaged by Yapp and authorized by the Customer are listed in Exhibit A.

Subprocessor Obligations

Yapp shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Controlled Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Yapp to breach any of its obligations under this DPA.

Changes to Subprocessors

Yapp shall (i) provide an up-to-date list of the Subprocessors it has appointed upon written request from the Customer; and (ii) notify the Customer (for which email shall suffice) if it adds Subprocessors at least ten (10) days prior to any such changes.

The Customer may object in writing to Yapp’s appointment of a new Subprocessor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may suspend or terminate this Agreement (without prejudice to any fees incurred by the Customer prior to suspension or termination).

DATA SECURITY

Security Measures

Yapp shall implement and maintain appropriate technical and organizational security measures to protect Customer Controlled Data from Security Incidents and to preserve the security and confidentiality of the Customer Controlled Data, in accordance with Yapp's security standards described in this DPA and in the Privacy Policy.

Updates to Security Measures

The Customer is responsible for reviewing the information made available by Yapp relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under Data Protection Laws. The Customer acknowledges that the Security Measures are subject to technical progress and development and that Yapp may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the the Customer.

Confidentiality of Processing

Yapp shall ensure that any person who is authorized by Yapp to process Customer Controlled Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Incident Response

Upon becoming aware of, and confirming the occurrence of, a Security Incident for which notification is required under applicable Data Protection Laws, Yapp shall notify the Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the Customer. In order to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, We will provide you with such information about the Security as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as any conflicting confidentiality obligations. Our obligation to report or respond to a Security Incident under this paragraph is not and will not be construed as an acknowledgement by Yapp of any fault or liability of Yapp with respect to the Security Incident. Despite the foregoing, Yapp’s obligations under this paragraph do not apply to incidents that are caused by you or any activity on your Account or which are caused by Third Party Services.

Assistance with Customer Responsibilities

1. Basic Customer Responsibilities. Notwithstanding the above, the Customer agrees that except as provided by this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Controlled Data when in transit to and from the Services and taking any appropriate steps to securely encrypt and backup any Customer Controlled Data uploaded to the Services.
2. Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of your Customer Controlled Data that we process on your behalf and instructions.
3. Cooperation with Customer Response Efforts. The Services provide the Customer with a number of controls that the Customer may use to retrieve, correct, delete or restrict Customer Controlled Data, which the Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that the Customer is unable to independently access the relevant Customer Controlled Data within the Services, Yapp shall (at the Customer's expense) provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under this Agreement. In the event that any such request is made directly to Yapp, Yapp shall not respond to such communication directly without the Customer's prior authorization, unless legally compelled to do so. If Yapp is required to respond to such a request, Yapp shall promptly notify the Customer and provide it with a copy of the request unless legally prohibited from doing so.
4. Government Requests for Customer Controlled Data. If a law enforcement agency sends Yapp a demand for Customer Controlled Data (for example, through a subpoena or court order), Yapp shall attempt to redirect the law enforcement agency to request that data directly from the Customer. As part of this effort, Yapp may provide the Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Controlled Data to a law enforcement agency, then Yapp shall give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy unless Yapp is legally prohibited from doing so.
5. Impact Assessments. To the extent Yapp is required under EU Data Protection Law, Yapp shall (at the Customer's expense) provide reasonably requested information regarding the Services to enable the the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

COMPLIANCE VERIFICATION

Upon reasonable request, Yapp will verify its compliance with this DPA, provided that the Customer shall not exercise this right more than once per year.

INTERNATIONAL TRANSFERS

You authorize us to transfer your Customer Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer your Customer Controlled Data to the United States. We will transfer Customer Controlled Data outside of the Switzerland and the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.

RETURN OR DELETION OF DATA

Upon termination or expiration of this Agreement, Yapp shall (at the Customer's election) delete or return to the Customer all Customer Controlled Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Yapp is required by applicable law to retain some or all of the Customer Controlled Data, which Customer Controlled Data Yapp shall securely isolate and protect from any further processing, except to the extent required by applicable law.

Exhibit A

List of Yapp Subprocessors

The Subprocessors set out below provide cloud hosting and storage services; content delivery and review services; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.

Analytics Providers

• Google Analytics - provides generalized analytics, including web page views
• Keen.io - powers our customer-facing analytics dashboard, by reporting on usage data in customers’ apps
• Kissmetrics - activity analytics across our dashboard, editor, and mobile environments
• Segment.io - helps us manage our various analytics partners
• Slack - provides an activity stream to help us maintain awareness of new customers and potential customer needs
• FullStory - allows us to more clearly see editor and dashboard behavior to improve our service

Customer Communications

• Calendly - helps us easily schedule demos and phone calls with prospects and users
• Customer.io - platform we use to send behavioral, transactional and marketing emails
• HubSpot - we use this to keep track of customer renewals, and needs and questions of prospective customers, and to communicate accordingly
• Intercom - customer support, help docs, automated on-site messages
• Sendgrid - transactional email platform so customers can send app download instructions to their users

Infrastructure

• Amazon Web Services - web & API hosting
• Heroku - web & API hosting
• imgix - image resizing, cropping, and global image content delivery
• Redis to Go - Data cache for faster performance
• Stripe - payment processing

Performance Monitoring

• Librato - API server activity visualizations and alerting
• NewRelic - performance monitoring
• PaperTrail - log analysis

Marketing

• Google AdWords - to help us promote Yapp on Google’s ad networks
• Facebook Pixel - to help us promote Yapp on Facebook’s ad network