logo
logo
  • Home
  • Pricing
  • About
  • Support
  • Contact us
  • Start 14-Day Free Trial
  • Login

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("Agreement") is entered into between Molecule Data, UAB ("Data Processor") and you ("Data Controller"), collectively referred to as the "Parties".

DEFINITIONS

  1. Definitions:

    1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

    2. “Authorized Affiliate” means any of Customer's Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and Triple Whale but has not signed its own agreement with Triple Whale and is not a "Customer" as defined under the Agreement.

    3. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq., as amended by the California Privacy Rights Act of 2020.

    4. The terms, "Controller", "Member State", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.

    5. For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.

    6. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel, Australia and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, the FADP, the CCPA, and the VCDPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.

    7. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.

    8. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992, and as revised as of 25 September 2020, the “Revised FADP”.

    9. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    10. “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person, which is processed by Triple Whale solely on behalf of Customer, under this DPA and the Agreement between Customer and Triple Whale.

    11. “Services” means the services provided to Customer by Triple Whale in accordance with the Agreement.

    12. “Security Documentation” means the Security Documentation applicable to the Services purchased by Customer, as updated from time to time, and made reasonably available to Customer by Triple Whale.

    13. “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following:

      • social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof);
      • credit or debit card number;
      • financial, credit, genetic, biometric or health information;
      • information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or
      • account passwords in unhashed form.

    14. “Standard Contractual Clauses” means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or any subsequent final version thereof which shall automatically apply. To avoid doubt, Module 2 shall apply, which governs data transfers from a controller (the data exporter) to a processor (the data importer).

    15. “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Triple Whale.

    16. "UK GDPR" means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

    17. VCDPA means the Virginia Consumer Data Protection Act, Code of Virginia §§ 59.1-589 through 59.1-592.

PURPOSE AND SCOPE

  1. This Agreement sets forth the terms and conditions under which the Data Processor will process Personal Data on behalf of the Data Controller. The parties agree to abide by all applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

PROCESSING OF PERSONAL DATA

  1. The Data Processor shall only process Personal Data on behalf of and in accordance with the Data Controller's written instructions. The Data Controller shall ensure that its instructions comply with all laws, rules, and regulations applicable to the Personal Data, and that the processing of the Personal Data in accordance with its instructions will not violate any laws, rules, and regulations.

PERSONAL DATA PROTECTION

  1. The Data Processor shall implement and maintain appropriate technical and organizational measures designed to protect the Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.

SUBPROCESSORS

  1. Appointment of Sub-processors: The Customer acknowledges and agrees that

    • Processor may engage Subprocessors to Process Personal Data on behalf of Customer;
    • Processor's Affiliates may be engaged as Subprocessors; and
    • Processor and Processor's Affiliates may each engage third-party Subprocessors in connection with the provision of the Services.

  2. Agreements with Sub-processors: Processor has entered into written agreements with each Subprocessor containing data protection obligations that offer a level of protection appropriate to their processing activities.

  3. Notification and Objection to New Sub-processors: Processor may engage with a new Subprocessor to Process Personal Data on Customer's behalf and shall give notice of the planned appointment of any new Subprocessor(s).

DATA SUBJECT RIGHTS

  1. Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.

DATA STORAGE AND TRANSFER

  1. Data Processor acknowledges that all Personal Data under this Agreement will be stored on Amazon Web Services (AWS) data centers located within the European Union (EU). The Data Processor shall not, without prior written consent of the Data Controller, process or permit the processing of the Personal Data outside these data centers.

  2. In line with GDPR's Article 46, any proposed change by the Data Processor to the processing conditions, including but not limited to transferring the Personal Data to a third country or an international organization outside the EU, will require the Data Controller's prior written consent and assurance that appropriate safeguards are in place to protect the Personal Data.

SECURITY AND AUDITS

  1. Controls for the Protection of Personal Data. Molecule Data, UAB shall maintain industry-standard technical and organizational measures for the protection of Personal Data processed under this Agreement, including protection against unauthorized or unlawful processing, accidental destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data. Molecule Data, UAB will, upon reasonable request and at Customer’s expense, assist Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, considering the nature of the Processing and the information available to Molecule Data, UAB.

  2. Audits and Inspections. Upon Customer’s written request given 14 days in advance at reasonable intervals (not more than once every 12 months), and subject to strict confidentiality agreements, Processor shall provide to Customer information necessary to demonstrate compliance with this Agreement.

RETURN AND DELETION OF PERSONAL DATA

  1. Within 60 days following the termination of the Agreement, Molecule Data, UAB, agrees to delete all Personal Data it has been processing solely on behalf of the Customer, in accordance with the terms set forth in the Agreement. Existing copies of such Personal Data will also be deleted unless otherwise required by Data Protection Laws.

CATEGORIES OF DATA SUBJECTS

  1. The Customer may submit Personal Data to the Services, which may include but is not limited to, Personal Data relating to the following categories of Data Subjects: Customers’ online visitors and shoppers who interact with the Customer and/or purchase products and/or services from the Customer online.

TERM AND TERMINATION

  1. This Agreement shall remain in force for as long as the Data Processor is processing Personal Data on behalf of the Data Controller.

AUDIT AND INSPECTION

  1. Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller, as per Article 28(3)(h) of GDPR.

GOVERNING LAW AND JURISDICTION

  1. This Agreement shall be governed by and construed in accordance with the laws of [Jurisdiction]. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of [Jurisdiction].

CONFIDENTIALITY

  1. The Data Processor shall ensure that any person authorized to process the Personal Data on its behalf is subject to appropriate confidentiality obligations.

PERSONAL DATA BREACH NOTIFICATION

  1. The Data Processor shall notify the Data Controller promptly in the event of a personal data breach.

Molecule Data

Streamlining Success: Turning Data Streams into Golden Insights, valuing joy with productivity, and focusing on what truly matters.

About

  • Home
  • Pricing
  • About
  • Contact us

Follow Us

  • LinkedIn
  • Facebook

Privacy Policy

Terms & Conditions

Data Processing Agreement

© 2023 Molecule Data. All rights reserved.