Data Processing Addendum
Last Updated: May 16, 2023
This Data Processing Addendum ("DPA") forms part of the Terms of Service available at https://embrace.io/docs/terms-of-service/ or such other location as the Terms of Service may be posted from time to time (as applicable, the "Agreement"), entered into by and between the Customer and Embrace Mobile, Inc. ("Embrace"), pursuant to which Customer has accessed Embrace's Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
If the Customer entity entering into this DPA has executed an order form or statement of work with Embrace pursuant to the Agreement (an "Ordering Document"), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.
This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Application Services to Customer pursuant to the Agreement, Embrace may process personal data on behalf of Customer. The parties agree to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
In this DPA,
- "CCPA" means California Consumer Privacy Act of 2018, including any regulations and amendments, including as amended by the California Privacy Rights Act.
- "Data Protection Legislation" means applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including GDPR and CCPA.
- "Data Controller" means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable, a Data Controller as defined by GDPR and a Business as defined by CCPA.
- "Data Processor" means the entity that Processes Personal Data on behalf of a Controller, including a "Data Processor" as defined by GDPR and a "Service Provider" as defined by CCPA.
- "Data Subject" means the individual whose Personal Data is Processed, including a "Data Subject" as defined by GDPR and a "Consumer" as defined by CCPA.
- "GDPR" means the a) General Data Protection Regulation (Regulation (EU) 2016/279) and b) the General Data Protection Regulation 2016/679 as amended and incorporated into United Kingdom law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
- "Personal Data" means any "Personal Data", "Personal Information", or similar term as defined under Data Protection Legislation, or, where undefined, information that relates, directly or indirectly, to an identified or identifiable Individual, processed by Embrace on behalf of Customer under the Agreement.
- "Processing" means any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "appropriate technical and organizational measures" shall be interpreted in accordance with applicable Data Protection Legislation.
- "Standard Contractual Clauses" means the relevant standard contractual clauses approved under applicable Data Protection Legislation to enable the cross-border transfer of Personal Data, including any approved amendments, updates or replacements thereof that may be issued by the relevant authority (e.g., European Commission in the EEA). Specifically, it refers to the Standard Contractual Clauses approved by the European Commission in decision 2021/914, with the following modifications to each Module as applicable: 1) Clause 7 shall not apply; 2) Option B shall be selected for Clause 9; 3) The optional language of Clause 11 shall be removed; 4) For any blank sections where an EAA member state must be specified, Ireland shall be selected. Annex 1 of this DPA shall serve as Annex I; Annex 2 shall serve as Annex II. In addition, where applicable for transfers from the United Kingdom, the Standard Contractual Clauses will include the mandatory clauses of addendum required for data transfers governed by United Kingdom's Data Protection Legislation ("UK Addendum"). For purposes of the UK Addendum, the information required for Tables 1 to 3 of Part 1 is set forth in Annex A of this DPA, as applicable, and for Table 4 of Part 1 of the UK Addendum, "neither party" is selected.
- "Business", "Consumer", "Sale", "Sell" and "Share" have the meaning set forth in the CCPA.
The parties agree that Customer is the Data Controller and that Embrace is its Data Processor in relation to Personal Data that is Processed in the course of providing the Application Services. Customer (a) shall comply at all times with Data Protection Legislation in respect of all Personal Data it provided to Embrace pursuant to the Agreement; (b) has provided notice and obtained all consents and rights necessary for Embrace to process Personal Data pursuant to the Agreement and this DPA; (c) will not provide Embrace with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA (e.g., Sensitive Personal Information, Special Categories of Personal Data, health information, credit card or financial account information or social security number or government identification numbers); and (d) shall limit Embrace's access to Personal Data to the minimum amount necessary for Embrace to perform under the Agreement.
The subject-matter of the Processing covered by this DPA is the Application Services ordered by Customer either through Embrace's website or through an Ordering Document, or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Customer's ordering of the Application Services ceases, including any transition services and as required by law or Embrace's data retention policies. For clarity, Application Services do not collect Personal Data about End Users by default. The Application Services will collect session data that is not linked to a person or device (i.e., not personal data). The Customer has the option to send Personal Data to Embrace to link session data with an End User's device or person, but is not required. This DPA applies to the extent Personal Data is Processed by Embrace. Further details of the data processing are set out in Annex 1 hereto.
In respect of Personal Data processed in the course of providing the Application Services, Embrace:
-
shall Process the Personal Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement) or as otherwise notified by Customer to Embrace from time to time. If Embrace is required to process the Personal Data for any other purpose provided by applicable law to which it is subject, Embrace will inform Customer of such requirement prior to the Processing unless that law prohibits this on important grounds of public interest. Embrace shall not (a) retain, use or disclose Personal Data for any purpose, including a commercial purpose, other than to provide the Application Services; (b) "Sell or Share" Personal Data; or (c) combine Personal Data with personal information (as defined by the CCPA) that it receives from or on behalf of any person or that it collects from its own interaction with a Consumer; in each case except where and to the extent permitted to do so by the CCPA. Embrace certifies that it understands the restrictions set forth in this section;
-
shall notify Customer without undue delay if, in Embrace's opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation or it can no longer meet its obligations under Data Protection Legislation;
-
shall implement and will apply the technical and organizational measures set forth in Annex 2. Customer has reviewed such measures and agrees that as to the Service the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the Processing of Customer Data. Embrace may change the measures set out in Annex 2 at any time without notice so long as it maintains a comparable or better level of security overall;
-
shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR, at the Customer's request and cost;
-
may hire other companies to provide limited services on its behalf, provided that Embrace complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Embrace has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Embrace remains responsible for its subcontractors' compliance with the obligations of this DPA. Any subcontractors to whom Embrace transfers personal data will have entered into written agreements with Embrace requiring that the subcontractor abide by terms substantially similar to this DPA. If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing support@embrace.io. Embrace will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that time frame. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor's non-compliance with applicable Data Protection Legislation. If, in Embrace's reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Embrace, terminate the Agreement;
-
shall ensure that all Embrace personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this DPA;
-
at the Customer's request and cost (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organizational measures to assist with the Customer's obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Embrace reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
-
shall promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of such data subject's personal data; provided that Embrace shall not respond to any such request without Customer's prior written consent except to confirm that the request relates to Customer and Customer shall be solely responsible to respond to such Data Subject requests;
-
shall take reasonable steps at the Customer's request and cost to assist Customer in meeting Customer's obligations under Article 32 to 36 of the GDPR taking into account the nature of the processing under this DPA, provided that Embrace reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
-
at the end of the applicable term of the Application Services, upon Customer's request, shall securely destroy or return such Personal Data to Customer in accordance with Embrace's data retention policies and except as required to comply with applicable law;
-
shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Embrace in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Embrace is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Embrace of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Embrace IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt, no access to any part of Embrace's IT system, data hosting sites or centers, or infrastructure will be permitted;
-
notify Customer without undue delay if it becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data that is processed by Embrace in the course of providing the Application Services to Customer (an "Incident") under the Agreement, and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Embrace shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
In the event of a restricted transfer of Personal Data via the Application Services from the European Economic Area, the United Kingdom, or Switzerland to another territory not recognized by the applicable competent regulatory authority or governmental body as providing an adequate level of protection for Personal Data, the parties will agree to Standard Contractual Clauses. Any transfer of Personal Data from Embrace to a subprocessor shall be done in compliance with a permitted legal mechanism or agreement as required under Data Protection Law, including, as applicable, the Standard Contractual Clauses, which Customer authorizes Embrace to enter into with a subprocessor on Customer's behalf.
This DPA is effective upon the Effective Date of the Agreement and will continue in effect for as long as Embrace's processes Personal Data. No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Legislation. Any limitations of liability set forth under the Agreement shall also apply to this DPA. Embrace may modify this DPA from time-to-time upon written notice to Customer; provided that such modifications will not diminish the overall level of Embrace's data protection and privacy compliance during the then current term of the Agreement.
Annex 1
Details of the Data Processing
Part A
Data exporter:
Contact details shall be found in the Customer's Agreement, account, and/or Order Form. The signature and date shall be the date of the Agreement incorporating this DPA.
Data importer:
Contact details: support@embrace.io, 1901 Avenue of the Stars, Suite 200, Los Angeles, CA 90067
Signature and date: The signature and date shall be the date of the Agreement incorporating this DPA.
Part B
Categories of Data Subjects whose Personal Data is processed: Customer and Authorized Users, End Users of Customer's websites and apps
Categories of Personal Data Processed:
From Customer's End Users:
- Email (optional)
- Name (optional)
- Username (optional)
- User ID (optional)
- Any other Personal Data that Customer wishes to provide to Embrace (optional)
- Data collected by Embrace and linked to the above, such as city, region, country, time zone, browser, browser version, device version, operating system, screen size, search engine, search engine keyword, views and interactions with the Customer's app, app sessions
- Any other information that Customer wishes to provide to Embrace and link to Personal Data (optional)
From Customer:
- Login information
- Information relating to usage of the Embrace's platform
Sensitive data Processed: Any sensitive data included in custom information about End Users provided to Customer.
Nature of the Processing: To provide the Application Services as described in the agreement
Purpose(s) for which the Personal Data is Processed on behalf of the Data Controller:
Duration of the Processing: For the duration of the Agreement and until Customer requests deletion of Personal Data.
Part C
Annex 2
Security Measures
Embrace maintains a security program that includes the following security measures:
Measure | Applicable Details |
---|---|
Measures of pseudonymization and encryption of personal data | Data transmitted to Embrace is encrypted in-transit and at-rest using industry-standard algorithms. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Access to internal systems is provided only to authorized personnel on a need-to-have basis. Embrace has designed its systems to provide high-availability and has necessary monitoring in place to verify integrity and availability. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Embrace uses redundantly-provisioned components at all steps of its data processing infrastructure. Embrace has procedures in place to ensure ability to restore access to impacted systems, within timelines agreed upon as part of each customer agreement. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Embrace utilizes industry-standard tools to perform external, regularly-scheduled, vulnerability testing. A “penetration test” is performed annually by an external vendor and results of such tests can be provided on request. |
Measures for user identification and authorization | Embrace uses off-the-shelf frameworks to manage our authentication and credentials storage, with user passwords hashed with a strong one-way hash. In addition, we support Single Sign On (SSO) functionality that integrates credential management with external services. As part of such SSO integration, our customers can enforce 2FA for their users when accessing the Embrace dashboard. |
Measures for the protection of data during transmission | Data transmitted to Embrace over industry-standard encrypted TLS protocols. |
Measures for the protection of data during storage | Data is encrypted at-rest using industry-standard AES-256 encryption. |
Measures for ensuring physical security of locations at which personal data are processed | Embrace exclusively relies on its infrastructure provider (Amazon Web Services) to ensure physical security of its facilities. |
Measures for ensuring events logging | Embrace has centralized log aggregation in place. |
Measures for ensuring system configuration, including default configuration | Embrace utilizes “infrastructure as code” methodology, that ensures that all system configuration undergoes peer review, testing and deployment process. |
Measures for internal IT and IT security governance and management | Embrace has procedures in place to ensure secure management of internal tools and applications (such as strict onboarding/offboarding checklists and periodic access reviews). |
Measures for certification/assurance of processes and products | Embrace develops its software under industry-standard agile methodologies, with all changes undergoing peer-review, testing and releases processes. |
Measures for ensuring data minimization | Embrace SDK does not automatically collect any personally identifiable information. As part of customer onboarding, Embrace works with the customer to review any data collected and transmitted by the SDK. |
Measures for ensuring data quality | Embrace built resilience and monitoring in its data processing infrastructure to ensure data quality and completeness. |
Measures for ensuring limited data retention | Embrace's core functionality automatically expires and permanently deletes all data in accordance with retention periods agreed upon as part of each customer agreement. |
Measures for ensuring accountability | Embrace's policies cover accountability of Embrace's employees with company's policies and procedures. |
Measures for allowing data portability and ensuring erasure | Embrace uses industry-standard data formats (such as JSON). Embrace's core functionality automatically expires and permanently deletes all data in accordance with retention periods agreed upon as part of each customer agreement. |
Assistance to be provided to respond to data subject right requests including the scope and extent of such assistance | This DPA covers the rights and responsibilities to ensure full compliance with privacy-related regulations. |