Data Processing Addendum

Effective Date: May 30, 2023
This Data Processing Addendum ("DPA") forms part of and is subject to the Terms of Master Subscription Agreement ("Agreement") between OAPPS LLC. ("OAPPS") and Subscriber.

1. Definitions

  1. "Subscriber" means the legal entity or individual who accepted OAPPS's Agreement, which includes this DPA.

  2. "Subscriber Data" means any personal data that is processed by OAPPS on behalf of the Subscriber to perform the Services under the Agreement.

  3. "Applicable Data Protection Laws" means all laws applicable to the collection, storage, processing, and use of Subscriber Data as amended, replaced, or superseded from time to time, including the GDPR, the UK GDPR, the Swiss DPA, the Canadian Personal Information Protection and Electronic Documents Act, the Quebec Act respecting the Protection of Personal Information in the Private Sector, the Privacy Act 1988 of Australia, the California Consumer Privacy Act of 2018 and its implementing regulations (collectively CCPA), other United States federal or state privacy, data security, and data breach notification laws and regulations and the Brazilian General Data Protection Law.

  4. "GDPR" means EU General Data Protection Regulation 2016/679.

  5. "Services" means the use of the OAPPS applications and related services provided to Subscriber pursuant to the Agreement.

  6. "Standard Contractual Clauses" means the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).

  7. "Swiss DPA" means the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance.

  8. "UK Addendum" means the latest version of the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf

  9. "UK GDPR" means the GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

  10. The terms "consent", "controller", "data subject", "member state", "personal data", "personal data breach", "processor", "sub-processor", "processing", "supervisory authority", and "third party" shall have the meanings ascribed to them under Applicable Data Protection Laws or, if not defined thereunder, under Article 4 of the GDPR, and may be lowercase or capitalized herein.

  11. "Helpdesk" means Zendesk, Freshdesk, LiveChat or any further system depending on OAPPS service used by a Subscriber.

  12. "Social networks and messengers" means Instagram, WhatsApp, Telegram, Viber, or any further system depending on the OAPPS service used by a Subscriber.

2. Roles and Purpose

  1. Subscriber authorizes OAPPS to process Subscriber Data as needed to perform the Services for which Subscriber is contracting with OAPPS in the Agreement, as described in Annex 1.

  2. The parties agree that Subscriber is the controller, and OAPPS is the processor acting on behalf of Subscriber.

  3. The parties shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws with respect to the processing of Subscriber Data.

  4. The parties agree that Subscriber Data shall remain the property of Subscriber.

  5. For the avoidance of doubt, this DPA shall not apply to personal data for which OAPPS is a controller.

3. Obligations of OAPPS

  1. OAPPS shall only process Subscriber Data for the specific purpose of providing the Services to Subscriber and in accordance with Subscriber's instructions. Such Subscriber's instructions shall be documented in the applicable services description, support request, other written communication, or as directed by Subscriber using the self-service application interfaces.

  2. OAPPS shall not retain, use, or disclose Subscriber Data for any purpose other than for the specific purpose of providing the Services to Subscriber as set out in the Agreement and this DPA.

  3. OAPPS shall at all times have in place a Data Protection Officer who is responsible for ensuring compliance with this DPA and who is the primary contact for Subscriber when seeking assistance in meeting its obligations under Applicable Data Protection Laws.

  4. OAPPS shall immediately inform Subscriber if, in its opinion, Subscriber's processing instructions infringe Applicable Data Protection Laws. In such an event, OAPPS is entitled to defer the performance of the relevant instruction until it has been amended by Subscriber or is mutually agreed by both Subscriber and OAPPS.

4. Obligations of Subscriber

  1. Subscriber is and shall remain responsible for compliance with all requirements imposed on controllers, including but not limited to confirming the lawful basis for all processing activities conducted by OAPPS on Subscriber's behalf and obtaining consent from data subjects, where required. Subscriber shall have sole responsibility for the accuracy, quality, and legality of Subscriber Data and the means by which Subscriber acquired Subscriber Data.

  2. Subscriber agrees to limit any Subscriber Data it transfers to OAPPS or to which OAPPS is otherwise given access for processing to only Subscriber Data needed by OAPPS in order to perform the Services.

  3. Subscriber shall ensure that OAPPS's processing of Subscriber Data in accordance with Subscriber's instructions will not cause OAPPS to violate any applicable law, regulation, or rule, including, without limitation, Applicable Data Protection Laws.

5. Sub-processing

  1. Subscriber agrees that OAPPS may engage sub-processors to process Subscriber Data on Subscriber's behalf. The sub-processors currently engaged by OAPPS and authorized by Subscriber are listed in Annex 3. OAPPS shall notify Subscriber if it adds or removes sub-processors at least 10 days prior to any such changes if Subscriber opts in to receive such notifications by emailing privacy@oapps.io.

  2. If within 5 days of receipt of that notice, Subscriber notifies OAPPS in writing of any objections to the proposed appointment on reasonable grounds relating to data protection, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, either party shall have the right to terminate the Agreement for cause.

  3. OAPPS shall be responsible to Subscriber for the acts and omissions of any sub-processors to the same extent as it is responsible for its own acts and omissions in relation to the matters provided in this DPA.

6. Security

  1. OAPPS shall implement and maintain appropriate technical and organizational measures to protect Subscriber Data against personal data breaches, as described under Annex 2. Notwithstanding any provision to the contrary, OAPPS may modify or update the technical and organizational measures at its discretion provided that such modification or update does not result in a material degradation of the overall security of the Services.

  2. OAPPS shall ensure that any person who is authorized by OAPPS to process Subscriber Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

  3. OAPPS shall notify Subscriber in accordance with Applicable Data Protection Laws, without undue delay, but in any event within forty-eight (48) hours, in the event of a confirmed personal data breach affecting Subscriber Data and shall take appropriate measures to mitigate its possible adverse effects. Upon written request, OAPPS shall promptly provide Subscriber with such reasonable assistance as necessary to enable Subscriber to notify relevant personal data breaches to competent authorities and/or affected data subjects, if it is required to do so under Applicable Data Protection Laws.

  4. Subscriber is responsible for reviewing the information made available by OAPPS relating to data security and making an independent determination as to whether the Services meet Subscriber's requirements and legal obligations under Applicable Data Protection Laws.

  5. Subscriber is responsible for its secure use of the Services, including securing its user authentication credentials, protecting the security of Subscriber Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Subscriber Data uploaded to the Services.

7. Security Reports and Audit

  1. OAPPS audits its compliance against recognised data protection and information security standards on a regular basis. Such audits are conducted by independent, experienced personnel, and may include OAPPS's internal audit team and/or third party auditors engaged by OAPPS. Upon request, OAPPS shall supply (on a confidential basis) a summary copy of its then-current audit report(s) ("Report") to Subscriber, so that Subscriber can verify OAPPS's compliance with this DPA. OAPPS shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Subscriber related to its processing of Subscriber Data, including responses to information security and audit questionnaires that are necessary to confirm OAPPS's compliance with this DPA, and allow for and contribute to audits at a mutually agreeable time following reasonable written notice, provided that Subscriber shall not exercise this right more than once per year, except that this right may also be exercised in the event Subscriber is expressly requested or required to provide this information to a data protection authority, or OAPPS has experienced a personal data breach, or on another reasonably similar basis.

8. Data Subject Requests

  1. As part of the Services, OAPPS provides specific tools in order to assist Subscribers in replying to requests received from data subjects exercising their rights under Applicable Data Protection Laws. OAPPS shall (considering the nature of the processing) provide reasonable additional assistance to Subscriber to the extent possible to enable Subscriber to comply with its obligations with respect to data subject rights under Applicable Data Protection Laws.

  2. In the event that OAPPS receives any such requests directly from a data subject, it shall, unless prohibited by law, direct the data subject to contact Subscriber (to the extent OAPPS is able to associate the data subject with Subscriber). In the event Subscriber is unable to address the data subject request, OAPPS shall, on Subscriber's request, address the data subject directly, as required under Applicable Data Protection Laws.

9. Data Protection Impact Assessment

  1. To the extent required under Applicable Data Protection Laws, OAPPS shall (considering the nature of the processing and the information available to OAPPS) provide all reasonably requested information regarding the Services to enable Subscriber to carry out data protection impact assessments or prior consultations with data protection authorities as required by Applicable Data Protection Laws. OAPPS shall comply with the foregoing by: (i) complying with Section 7 above; (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-Sections (i) and (ii) are insufficient for Subscriber to comply with such obligations, upon request, providing additional reasonable assistance. Subscriber shall be responsible for all costs relating to such additional assistance, including for any time OAPPS spends on such assistance at OAPPS's then-current professional service rates.

10. Return or Destruction of Data

  1. Subscriber may, by written notice to OAPPS, request the return of all copies of Subscriber Data in the control or possession of OAPPS and sub-processors. OAPPS shall promptly provide a copy of Subscriber Data in a form that can be read and processed further.

  2. Subscriber may, by written notice to OAPPS, request the certificate of deletion of all copies of the Subscriber Data in the control or possession of OAPPS and sub-processors. Within 30 days of receipt of that notice, OAPPS shall delete all Subscriber Data processed pursuant to this DPA and provide Subscriber with a certificate of deletion.

  3. Within 15 days following termination of Subscriber's account, OAPPS shall delete all Subscriber Data processed pursuant to this DPA.

  4. These provisions shall not apply to the extent OAPPS is required by applicable law to retain some or all of Subscriber Data.

  5. Subscriber acknowledges and agrees that the certification of deletion of Subscriber Data described in the Standard Contractual Clauses or any Applicable Data Protection Laws shall be provided by OAPPS to Subscriber only upon Subscriber's written request.

11. International Transfers

  1. Subscriber authorizes the transfer, processing and storage of Subscriber Data to and in any location in the world where OAPPS and its sub-processors maintain data processing operations in order to fulfill the purpose of the Services. OAPPS shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.

12. Limitation of Liability

  1. Each party's liability arising out of or related to this DPA (including the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

  2. Any claims made against OAPPS under or in connection with this DPA (including the Standard Contractual Clauses) shall be brought solely by the Subscriber entity that is a party to the Agreement.

  3. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.

13. General Provisions

  1. This DPA shall remain in effect for as long as OAPPS processes Subscriber Data or until termination of the Agreement (and all Subscriber Data has been returned or deleted in accordance with Section 10 above).

  2. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.

  3. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail.

  4. If any provision of this DPA is found by a court of competent jurisdiction to be invalid, it is agreed that such a court should endeavor to give full effect to the parties' intentions as reflected in such provision, and it is agreed that other provisions of this DPA remain in full effect.

  5. Governing law and jurisdiction shall be as set forth in the Agreement, unless otherwise stated herein. Any and all disputes concerning the construction and interpretation of this DPA and/or the parties' obligations under this DPA will be handled in accordance with the pertinent provisions governing disputes or claims that are set forth in the Agreement.

Annex 1

A. LIST OF PARTIES

Data Exporter: Provided in the Agreement signature block
Address: Provided in the Agreement signature block
Contact Person: Subscriber's Data Protection Officer or another legal representative. Subscriber shall make these details available upon OAPPS's request.
Activities Relevant to the Transfer: Consuming the Services as further specified in the Services documentation.
Role: Controller

Data Importer: OAPPS LLC
Address: 1717 Pennsylvania Avenue NW, Suite 1025, Washington DC, 20006, United States of America
Contact Person: Data Protection Officer, privacy@oapps.io
Activities Relevant to the Transfer: Providing the Services as further specified in the Services documentation.
Role: Processor

B. Data Processing Details

"If applicable" means that not every particular OAPPS application uses all of the data listed.

"Integration" means a specific link between a Helpdesk and a Social network or messenger configured using an OAPPS application. Some OAPPS applications support several integrations configured simultaneously within one installation.

Categories of Data Subjects

  1. Helpdesk account information (if applicable).
  2. Social network or messenger users' info (if applicable).
  3. Messages.
  4. Logs.

Categories of data

1. Helpdesk account information:
  1. IDs of Social Network or messenger accounts.
  2. Integration name.
  3. Social Network or messenger username.
  4. Encrypted password (if applicable).
  5. Helpdesk subdomain.
  6. Helpdesk access tokens.
  7. Subscriber Account locale (if applicable).
  8. Subscriber contact e-mail (if applicable).

2. Data Subject info:
  1. Username and/or IDs.
  2. Avatar (if applicable).
  3. Contact information (if applicable).
  4. Helpdesk-specific personal information (if applicable).

3. Messages (if applicable):
  1. Message texts.
  2. Attachments.

4. Logs:
  1. All or some of the information above can be present in log files.

Processing Operations

  1. Helpdesk account information – storage.
  2. Social Network or messenger users' info – storage and delivery.
  3. Messages – storage and delivery.
  4. Logs – storage.

Location of Processing Operations

Data is stored and processed in the following Amazon data centers:

  1. eu-west-1 (Ireland) – Instagramer Suite and other apps' core services.
  2. Local proxy servers for the Instagramer app:
    • us-west-1 (USA).
    • ap-southeast-1 (Singapore).
    • sa-east-1 (São Paulo, Brazil).
    • me-south-1 (Bahrain).
    • eu-north-1 (Stockholm, Sweden).
    • eu-central-1 (Frankfurt, Germany).
    • ap-southeast-2 (Sydney, Australia).

Purposes

All processed data is required for the main application activity.

Retention periods

  1. Helpdesk account information: retained until the integration is deleted.
  2. Social Network or messenger users' info: retained until the integration is deleted.
  3. Passwords and access tokens: retained until the integration is deleted (if applicable) or the whole application is uninstalled.
  4. Messages: up to 30 days.
  5. Attachments: up to 180 days.
  6. Logs: no more than ten days.

Annex 2

INFORMATION SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES

OAPPS implements the following measures to protect Subscriber Data.

Physical Access Control

To prevent unauthorized persons from gaining physical access to data processing systems:

  • OAPPS leverages industry-leading cloud infrastructure providers. Access to their data centers is strictly controlled. All data centers are equipped with surveillance and access control systems. Additionally, all providers have industry-standard certifications.
  • OAPPS's corporate headquarters is equipped with surveillance, intruder alarm, and access control systems. Guests and visitors must be accompanied by authorized OAPPS personnel.

System Access Control

To prevent data processing systems from being used without authorization:

  • OAPPS personnel are granted system access to internal and externally hosted systems on a need-to-know basis based on job role, and reviews of access are performed quarterly. Onboarding and offboarding processes are documented to ensure access is properly managed.
  • Unique identifiers are utilized and are not permitted to be shared or re-assigned to another person. Where possible, third-party services leverage single sign-on (SSO) functionality which allows for centralized management and enforces two-factor authentication (2FA).
  • OAPPS personnel utilize a password management system that enforces minimum password length and complexity, and stores passwords in encrypted form.
  • OAPPS applications enforce minimum password length and complexity for Subscriber users. Subscribers who interact with the applications must authenticate before accessing non-public Subscriber Data.
  • Workstations automatically lock after a prolonged period of inactivity. OAPPS applications log out users after a prolonged period of inactivity.
  • Firewalls with strict traffic rules are used to limit unwanted ingress and egress traffic to and from OAPPS infrastructure. These firewalls include intrusion detection systems (IDS) used to detect and prevent potential unauthorized access.
  • OAPPS applications are protected by a web application firewall (WAF) to identify and prevent attacks.
  • Network access is protected by a virtual private network (VPN) and two-factor authentication (2FA).
  • Security patch management and routine vulnerability scanning occur on all workstations and servers to provide regular deployment of relevant security updates and an expedited response to the disclosure of critical vulnerabilities.
  • Up-to-date antivirus software is utilized to ensure workstations and servers are protected against known viruses.

Data Access Control

To ensure authorized users entitled to use data processing systems have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing, use, and storage:

  • Subscriber environments are logically separated at all times. Subscribers have access only to their own data.
  • Subscribers access their data via self-service application interfaces. Subscribers are not allowed direct access to the underlying application infrastructure. The user permissions model is designed to ensure that only the appropriately assigned individuals can access relevant features and data.
  • OAPPS personnel require access to Subscriber Data in order to deliver the Services, provide effective Subscriber support, conduct product development and research, and troubleshoot potential problems. Personnel are granted data access on a need-to-know basis based on job role, and reviews of permissions are performed quarterly.

Transmission Control

To ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport:

  • Subscriber Data is encrypted in transit to and from OAPPS systems over public networks. TLS 1.2 with industry-standard cipher suites is used to protect against current and future encryption attacks.
  • OAPPS is alerted to encryption issues through periodic internal risk assessments.

Input Control

To ensure that it is possible to check and establish whether and by whom personal data have been entered, modified, or removed from data processing systems:

  • OAPPS infrastructure is designed to log extensive information about the system behavior, traffic received, system authentication, and other technical events. A log aggregation system centrally stores and indexes system log events and alerts appropriate personnel of malicious, unintended, or anomalous activities.

Availability Control

To ensure personal data is protected from accidental or unauthorized destruction or loss:

  • Data centers are equipped with at least N+1 redundancy for power, networking, and cooling infrastructure.
  • Network protections have been deployed to mitigate the impact of distributed denial of service (DDoS) attacks.
  • OAPPS infrastructure is designed to have redundancy and avoid single points of failure.
  • All data is backed up every 24 hours, and point-in-time recovery is available.
  • Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Subscriber Data is backed up offsite and replicated across multiple geographic regions.
  • OAPPS maintains and regularly tests a disaster recovery plan to help ensure the availability of information following interruption to, or failure of, critical infrastructure.

Annex 3

AUTHORIZED SUB-PROCESSORS AS OF THE DPA EFFECTIVE DATE