Data Processing Agreement

This Data Processing Agreement (“DPA”), by and between You and Us  is entered into pursuant to the Terms of Service governing Your use of Our Services (the “Agreement”) and is intended to address legal requirements under any national law of an EU member state adopted pursuant to Regulation (EU) 2016/679 (“GDPR”). The terms “personal data,” “processing”, “processor”, “controller”, and “data subject” will have the meaning defined in the GDPR. “Controller” refers to You, and “Processor” refers to Us. The term “subprocessor” refers to any entity appointed by or on behalf of Processor to process personal data on behalf of Processor in connection with this DPA.  Capitalized terms not defined in this DPA have the meanings given to such terms in the Agreement between You and Us.

1. Controller hereby instructs Processor to process the personal data provided to Processor by and on behalf of Controller to provide the Services in accordance with the Agreement.
2. Processor will not engage any subprocessor without written authorization from Controller.  Processor currently utlizes subprocessors to provide Services in accordance with the Agreement.
   1. Payment Processing Service Providers such as CardConnect and Democracy in Action.
   2. Fraud Dection Service Providers such as Sift Science.
   3. Data Append and Data Validation Service Providers such as Smarty Streets and Melissa Data.
   4. Hosting Service Providers such as CoreSite.
   5. Cloud Computing Service Providers such as AWS (Amazon Web Services)
3. In its performance of the Services, Processor will, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.
4. Processor will:
   1. process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by law to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
   2. require that persons authorized to process personal data under the Agreement are subject to appropriate confidentiality obligations;
   3. in the event that Processor engages a subprocessor for carrying out specific processing activities on behalf of the Controller, Processor will impose the same data protection obligations as set out in the Agreement and this DPA on such subprocessor by way of a written contract, which written contract will provide sufficient guarantees that the subprocessor will implement appropriate technical and organizational measures in such a manner that the processing by such subprocessor will meet the requirements of GDPR;
   4. taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject’s rights under the GDPR or applicable national data protection laws;
   5. assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor;
   6. at the choice of the Controller and within the period specified in the Agreement, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless applicable EU or national data protection laws require storage of the personal data; and
   7. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller; provided, that any audit and inspection: (i) may be limited in scope by Processor to the extent reasonably necessary to prevent the violation of Processor’s and its subprocessors’ confidentiality obligations related to the information of Processor’s and its subprocessors’ other clients; and (ii) shall at all times be supervised by and performed in the presence of Processor security personnel and in accordance with Processor’s security policy and procedures. Independent third party audit reports provided by Processor’s subprocessors shall fulfill the foregoing requirements with respect to the applicable subprocessor to which the report relates. Each auditor who is not subject to rules of professional conduct requiring confidentiality must enter into a written agreement with Processor protecting the confidentiality of any information gathered during the conduct of such audit. The results of such audit, as well as any documentation prepared by the auditor or Controller as a result of the conduct of such audit, shall be shared with Processor and be deemed the Confidential Information of both Processor and Controller.
5. Processor will immediately inform the Controller if, in its opinion, an instruction from Controller to Processor infringes the GDPR or applicable national data protection laws that apply to Processor in its performance of the Services.
6. Processor will without undue delay, and within forty-eight (48) hours of Processor’s discovery of any loss or breach of security of the personal data, inform the Controller of such loss or breach. Processor shall report on the nature of the breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
7. This DPA will remain effective as long as Processor provides Services for Controller or processes personal data received from Controller or in the context of providing Services for Controller.
8. All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.