Data Processing Agreement

  1. Operative Provisions.

(a) Definitions.

  1. In this Agreement:


European Data Protection Laws means European Data Protection Laws of the EU (including the United Kingdom), including the GDPR;

Controller has the meaning given in applicable Data Protection Laws from time to time;

Customer means the Subscriber to Supplier;

Data Protection Laws means, as binding on either party or the services, all applicable worldwide data protection legislation which applies to the respective party in their role as a Data Processor, including but not limited to the European Data Protection Laws, the CCPA and similar such laws; in each case as amended, repealed, consolidated, or replaced from time to time;

Data Subject has the meaning given in applicable Data Protection Laws from time to time;

GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679;

International Organization has the meaning in the GDPR;

Personal Data has the meaning given in applicable Data Protection Laws from time to time;

Personal Data Breach has the meaning given in applicable Data Protection Laws from time to time;

Processing has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly);

Processor has the meaning given in applicable Data Protection Laws from time to time;

Protected Data means personal data received from or on behalf of the Customer in connection with the performance of the Supplier’s obligations under this Agreement;

Sub-Processor means any Processor engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data on behalf of the Customer;

Supplier means Stacker Solutions, LLC.


(b) Customer’s Compliance with Data Protection Laws.


The parties agree that the Customer is a controller and that the Supplier is a processor for the purposes of processing protected data pursuant to this Agreement. The Customer shall at all times comply with all Data Protection Laws in connection with the processing of protected data. The Customer shall ensure all instructions given by it to the Supplier in respect of protected data (including the terms of this Agreement) shall at all times be in accordance with all Data Protection Laws.


(c) Supplier's Compliance with Data Protection Laws.



The Supplier shall process protected data in compliance with the obligations placed on it under Data Protection Laws and the terms of this Agreement.


(d) Indemnity


The Customer shall indemnify and keep indemnified the Supplier against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands, and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Customer of its obligations under this Agreement.


(e) Instructions.


  1. The Supplier shall only process (and shall ensure Supplier personnel only process) the protected data in accordance with Section (a) of Part 2 of this Agreement and this Agreement (including with regard to any transfer to which the section on International Transfers relates), except to the extent:
  2. that alternative processing instructions are agreed between the parties in writing; or
  3. otherwise required by Data Protection Laws (and shall inform the Customer of that legal requirement before processing, unless Data Protection Laws prevent it doing so on important grounds of public interest).
  4. Without prejudice to paragraph (ii) of this Part 1, if the Supplier believes that any instruction received by it from the Customer is likely to infringe the Data Protection Laws it shall promptly inform the Customer and be entitled to cease to provide the relevant services until the parties have agreed appropriate amended instructions which are not infringing. The Charges payable to the Supplier shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this paragraph 5.2.


(f) Security.


The Supplier shall implement and maintain the technical and organizational measures set out in Section (b) of Part 2 of this Agreement to protect the protected data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.


(g) Sub-Processing and Personnel.


  1. The Supplier shall:
  2. not permit any processing of Protected Data by any Sub-Processor without the authorization of the Customer;
  3. prior to Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure such Sub-Processor is appointed under a binding written contract containing materially the same obligations as under this Agreement (including those relating to sufficient guarantees to implement appropriate technical and organizational measures) and ensure such Sub-Processor complies with all such obligations;
  4. remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor as if they were its own; and
  5. ensure that all persons authorized by the Supplier or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
  6. For the purposes of this section, a publicly available Data Processing Agreement is considered an authorized Agreement.


(h) List of Authorized Sub-Processors and Further Sub-Processors.


The Customer authorizes the appointment of the Sub-Processors listed here: AWS, Google Maps, Google Geocoding, Places API, Google Calendar, Google Captcha, Google Time Zones, Google People API, Google Workspace, Stream, Firebase, Twilio, SendGrid, PayPal, Stripe, Auth0, Quickbooks, Currency Converter, Outscrapper, Bitly, Microsoft Azure, Microsoft 365, Email Engine, Frola.


The Customer shall reply to any communication from the Supplier requesting any further prior specific authorization of a Sub-Processor promptly and in any event within 10 Business Days of request from time to time. The Customer shall not unreasonably withhold, delay or condition any such authorization. An email with an update to this Agreement that is not protested by the Customer will assume the Customer has accepted the new terms of this Agreement.


(i) Assistance.


  1. The Supplier shall (at the Customer’s cost and expense) assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to the Supplier.
  2. The Supplier shall (at the Customer’s cost and expense) and taking into account the nature of the processing, assist the Customer (by appropriate technical and organizational measures), insofar as this is possible, for the fulfillment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR in respect of any Protected Data.
  3. The Supplier shall at the Customer’s cost and expense refer to the Customer all requests it receives for exercising any Data Subjects’ rights under Chapter III of the GDPR which relate to any Protected Data. It shall be the Customer’s responsibility to reply to all such requests as required by Data Protection Laws.


(j) International Transfers.


The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to any country or territory outside the United States or to any International Organization without the prior written authorization of the Customer, except where required by Data Protection Laws (in which case the provisions of paragraph (f) of this Part 1 shall apply).


(k) Audits and Processing.


The Supplier shall, in accordance with Data Protection Laws, make available to the Customer on request such information that is in its possession or control as is necessary to demonstrate the Supplier’s compliance with the obligations placed on it under this Agreement and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of one audit request in any 12 month period under this paragraph (k)). To the extent consistent with the foregoing, the Supplier shall, however, be entitled to withhold information where it is commercially sensitive or confidential to it or its other Customers.


(l) Breach.


The Supplier shall notify the Customer without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.


(m) Deletion/Return.

  1. On the end of the provision of the services relating to the processing of Protected Data (the Processing End Date), at the Customer’s cost and expense and the Customer’s option, the Supplier shall either return all of the Protected Data to the Customer or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any Data Protection Laws require the Supplier to store such Protected Data. To the extent the Customer has not notified the Supplier within 30 days of the Processing End Date that it requires the return of any Protected Data, the Supplier may delete all of the Customer’s Protected Data to maintain compliance.
  2. On request from the Customer the Supplier shall confirm in writing whether or not it has complied with its obligations to dispose of the Protected Data under paragraph (n)(i) of this Part 1.


(n) Survival.


This section shall survive termination or expiry of this Agreement:

  • indefinitely in the case of paragraphs (d) and (n) of this Part 1; and 
  • in the case of all other paragraphs and provisions of this Agreement, until the later of:
  • the termination or expiry of this Agreement; or
  • return or secure deletion or disposal of the last of the Protected Data in the Supplier’s (or any of its Sub-Processor’s) possession or control in accordance with this Agreement.


2. Data Processing and Security Details.


a. Data Processing Details.

i. Subject-matter of Processing:

Customers may submit Personal Data, the extent of which is fully governed by the Customer and controlled by the Customer at their sole discretion.

This Personal Data may include:

a) Contact Information

b) Any other personal data uploaded, sent, received or submitted by Customer or Customer’s end users 


ii. Duration of the Processing:

Continuous


iii. Nature and purpose of the Processing:

Personal Data will be Processed in accordance with the Privacy Policy and this Agreement and may be subject to the following Processing activities:

  1. Storage and other Processing necessary to provide and maintain the Services provided to the Customer
  2. Disclosure in accordance with the Terms of Service, Privacy Policy and this Agreement as compelled by applicable laws.


iv. Type of Personal Data:

The Parties do not anticipate the transfer of sensitive data


b. Minimum Technical and Organizational Security Measures.


The Supplier shall implement and maintain the following technical and organizational security measures to protect the protected data: 


  • We maintain contractual agreements with all outside vendors in order to protect data processed.
  • All non-public customer data requires authentication to access via our password policy. 
  • Customers cannot directly access the underlying application infrastructure. We use proper authorization techniques to limit access to the exact relevant features, views and customization options.
  • We maintain an active web application firewall to avoid any potential intrusion.
  • All code is tested in source code repositories for software flaws.
  • All access to company accounts requires two-factor identification and all employees and contractors are limited on what data they have access to. Access is only given on a need-to-access basis. All access by employees is logged and tracked.
  • We maintain and test on a regular cadence all disaster recovery plans.
  • Server architecture and backups are designed to use reasonably commercial efforts to help increase security and uptime.
  • Any security incidents are investigated internally and appropriately dealt with. Should an incident occur, notification will be in accordance with this Agreement.
  • We follow industry standards with respect to login interfaces and passwords. Stored data is encrypted.

