DATA PROCESSING AGREEMENT

Last Updated: May 24th, 2018

This Data Processing Agreement (DPA) is a supplement to and made a part of the Customer Terms of Service (“Agreement”) between you, our Customer (hereinafter referred to as “Client”, or “Controller”), and us ManageByStats LLC (referred to as “Processor”).

1. DEFINITIONS

All capitalized terms used in this DPA shall have the meanings given to them below:

1.1 Applicable Data Protection Law: means all applicable international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the DPA (including, where applicable, European Data Protection Law).

1.2 Controller: means the entity that determines the purposes and means of the processing of Personal Data, and for the purposes of this DPA means Client.

1.3 European Data Protection Law: means: (i) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, and any applicable national implementation of it; and (ii) on and after 25 May 2018, the EU General Data Protection Regulation 2016/679 (“GDPR”) and any applicable national laws made under the GDPR.

1.4 Personal Data (“Data”): means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.5 Processor: means an entity that processes Personal Data on behalf of the Controller, and for the purposes of this DPA means ManageByStats LLC.

1.6 Service (“Services”): means any product or service provided by the Processor to the Client pursuant to the DPA and the Agreement.

The definitions not present have the same meaning as in the General Data Protection Regulation of 2016/679.

2. GENERAL DATA PROTECTION OBLIGATIONS

2.1 Relationship of the Parties:  As between the Parties, Client is the Controller and appoints ManageByStats LLC as a Processor to process the Personal Data described in section 1.4.

2.2 Purpose limitation:  Processor shall process the Data as a Processor only for the purposes described in Annex 1 and strictly in accordance with the documented instructions of the Client (the “Permitted Purpose”) and processing outside the scope of these instructions (if any) shall require prior written agreement between Client and ManageByStats LLC.

Notwithstanding anything to the contrary in the Agreement (including this DPA), Client acknowledges that ManageByStats LLC shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, ManageByStats LLC is the Data Controller of such data and accordingly shall process such data in accordance with the ManageByStats LLC  Privacy Policy and Data Protection Laws.

2.3 International transfers of Data:  Processor shall, at all times provide, an adequate level of protection for the Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law. Processor shall not process or transfer any Data originating from the European Economic Area (EEA) in or to a territory which has not been designated by the European Commission as providing an adequate level of data protection unless it has first obtained Client’s prior written consent.

2.4 Confidentiality of processing:  The Processor shall keep strictly confidential all Personal Data that it processes on behalf of Client. The Processor shall ensure that any person that it authorises to process the Data (including the Processor’s staff, agents and subcontractors) (each an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that only Authorised Persons will have access to, and process, the Data, and that such access and processing shall be limited to the extent strictly necessary to achieve the Permitted Purpose.  Processor accepts responsibility for any breach of this DPA caused by the act, error or omission of an Authorised Person.

2.5 Security:  Processor shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, unauthorized alteration, unauthorised disclosure of, or unauthorized access to the Data.  At a minimum, such measures shall include the security measures identified in Annex 2 to this DPA.

Client acknowledges that the Service is not intended or designed for the Processing of Sensitive Information, and the Client agrees not to provide any Sensitive Information through the Service.

2.6 Subcontracting:  Controller consents to Processor engaging third party sub-Processors, including Certified Partners of Processor, to process the Data provided that:

1. Processor will provide to Client an up-to-date list of its then-current sub-Processors upon request;
2. Processor provides at least thirty (30) days’ prior written notice of the addition or removal of any sub-Processor (including the categories of Data processed, details of the processing it performs or will perform, and the location of such processing).

In all cases, Processor shall impose the data protection terms on any sub-Processor it appoints that at a minimum meets the requirements provided for by this DPA.

2.7 Cooperation and individuals’ rights:  To the extent permitted by Applicable Law, Processor shall provide reasonable and timely assistance to Client to enable Client to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from an individual, regulator, court or other third party in connection with the processing of the Data.  In the event that any such communication is made directly to Processor, Processor shall instruct such individual to contact Client directly.

2.8 Data Protection Impact Assessment:  If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of individuals, it shall promptly inform Client of the same. Processor shall provide Client with all such reasonable and timely assistance as Client may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.

2.9 Security incidents:  Upon becoming aware of a Security Incident, Processor shall inform Client without undue delay (and, in any event, within 32 hours) and shall provide such timely information and cooperation as Client may require in order for Client to fulfil its data breach reporting obligations under (and in accordance with the timeliness required by) Applicable Data Protection Law and relevant contractual obligations owed by Client to its subscribers.  Processor shall cooperate with Client in taking all appropriate measures and actions as are necessary to remedy or mitigate the effects of the Security Incident, shall manage and modify its systems to remedy or mitigate such Security Incident and the likelihood of future similar Security Incidents, and shall keep Client informed of all developments in connection with the Security Incident. Processor shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Client has agreed to such notification, and/or (b) notification is required to be made by Processor under Applicable Data Protection Laws. For the avoidance of doubt, Processor shall have the right to comply with the terms of its contracts with other customers with respect to their data.

2.10 Deletion or return of Data:  Upon termination or expiry of the DPA, Processor shall (at Client’s request) destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing); provided, however, that customer data (including Data) may be retained on backup for a period of up to eighteen (18) months for legal and compliance purposes.  Notwithstanding the foregoing, Processor shall not reduce the security measures at any time until such Data is permanently deleted.

2.11 Audit:  Processor shall permit Client (or its appointed third-party auditors) to audit Processor’s compliance with this DPA, and shall make available to Client all information, systems and staff necessary for Client (or its third-party auditors) to conduct such audit. Processor acknowledges that Client (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Client gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Processor’s operations.  Client will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Client believes a further audit is necessary due to a Security Incident suffered by Processor. Processor shall also respond to any written audit questions submitted to it by Client.

2.12 General cooperation to remediate: In the event that Applicable Data Protection Law, or a data protection authority or regulator, provides that the transfer or processing of Personal Data under this DPA is no longer lawful or otherwise permitted, then the Parties shall agree to remediate the processing (by amendment to this DPA or otherwise) to the extent practical in order to meet the necessary standards or requirements. If Processor is unable to remediate the processing, then Client will be entitled to terminate the DPA (and any other agreement between the Parties relating to the provision of services by Processor to Client) without penalty.

3. TERM

3.1 The obligations placed upon the Processor under this DPA shall survive so long as Processor and/or its sub-Processors Process Personal Data on behalf of Client.

ANNEX 1

DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Controller Personal Data

The subject matter and duration of the Processing of the Controller Personal Data are set out in the Agreement and this DPA.

The nature and purpose of the Processing of Controller Personal Data

ManageByStats LLC will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Service Documentation, and as further instructed by Client in its use of the Services.

The types of Controller Personal Data to be Processed

Client may submit Personal Data to the ManageByStats LLC services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

• Profile data
  • First and last name
  • Email
  • Phone number
  • Address
  • Title
  • Birth date
  • Age
  • Gender
  • Company
  • Identification data
• Authentication data
  • WiFi MAC Address
  • IP Address
  • Username
  • Password
• Activity data
  • Identifier of a Data Subject
  • Type of activity
  • Content of the activity (for example email)
  • Timestamp of the activity
• Location data
  • Device identifier (such as WiFi or BLE MAC address
  • Timestamps
  • Position data (X,Y of a map or distance indicator for a point of interest)

Client may also upload content to Client’s Service account which may include Personal data and special categories of data, the extent of which is determined and controlled by the Client in its sole discretion.

The categories of Data Subject to whom the Controller Personal Data relates

Customer may collect Personal Data with the Service, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following category of data subjects:

• Any individual: (i) whose personal data is included in the Client’s Account; (ii) whose information is stored on or collected via the Services.

ANNEX 2

DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Annex 2 includes the description of the technical and organizational security measures implemented by the Data Processor.

ManageByStats LLC currently observes the security practices described in this Annex 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, ManageByStats LLC may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in this DPA.

Outsourced processing: ManageByStats LLC hosts its Service with outsourced cloud infrastructure providers. Additionally, ManageByStats LLC maintains contractual relationships with vendors in order to provide the Service in accordance with this DPA. ManageByStats LLC relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: ManageByStats LLC hosts its product infrastructure with multi-tenant, outsourced infrastructure providers.

Authentication: ManageByStats LLC  implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of ManageByStats LLC’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key

1. ii) Preventing Unauthorized Product Use

ManageByStats LLC implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: ManageByStats LLC is using an industry standard Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Security reviews of code stored in ManageByStats LLC’s source code repositories is performed, checking for coding best practices and identifiable software flaws.

iii)    Limitations of Privilege & Authorization Requirements

Product access: A subset of ManageByStats LLC’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are performed periodically. Employee roles are reviewed at least once every six months.

All ManageByStats LLC are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

1. b) Transmission Control

In-transit: ManageByStats LLC makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for every Splash Page hosted on ManageByStats LLC’s  products. ManageByStats LLC HTTPS implementation uses industry standard algorithms and certificates.

At-rest: ManageByStats LLC stores user passwords following policies that follow industry standard practices for security.

1. c) Input Control

Detection: ManageByStats LLC designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities.

Response and tracking: ManageByStats LLC maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, ManageByStats LLC  will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Communication: If ManageByStats LLC becomes aware of unlawful access to Customer data stored within its products, ManageByStats LLC will: 1) notify the affected Customers of the incident; 2) provide a description of the steps ManageByStats LLC is taking to resolve the incident; and 3) provide status updates to the Customer contact, as ManageByStats LLC deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form ManageByStats LLC selects, which may include via email or telephone.

1. d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power and network.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

ManageByStats LLC’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists ManageByStats LLC operations in maintaining and updating the product applications and backend while limiting downtime.