Data Protection and Information Security is core to everything we do at Driftrock.
This DPA is effective upon its incorporation, which incorporation may be specified in the ToS, an Order or the Main Contract (as applicable).
We periodically update these terms. We will let you know when we do via an email or in-app notification.
The following definitions and rules of interpretation apply in this DPA.
Audience Management Service means the Driftrock audience management service.
Customer Data means all End User data and data relating to your customers or to the customers of your clients and which is provided by you or on your behalf to us for the purposes of providing the Services.
Customer Personal Data has the meaning set out in clause 2.4.
CRM and CRM Data has the meaning set out in the Data Protection Appendix.
Data Controller shall have the same meaning as in the Data Protection Laws.
Data Processor shall have the same meaning as in the Data Protection Laws.
Data Protection Appendix means the data protection appendix attached to this DPA.
Data Protection Laws means prior to and including 24 May 2018, the Data Protection Act 1998; and from and including 25 May 2018, (i) unless and until the General Data Protection Regulation ((EU) 2016/679) (“GDPR”)) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
Data Subject shall have the same meaning as in the Data Protection Laws.
Driftrock Apps means Driftrock’s marketing and other applications.
EEA means the European Economic Area.
End User means any employee, contractor or other individual appointed by or permitted by you to use the Software Services.
End User Data means any data relating to the End Users’ use of the Software Services, such as login and user ID credentials.
Fees means the sums payable under this DPA specified in the DPA Summary.
Key Mapping Store has the meaning set out in the Data Protection Appendix.
Lead IDs has the meaning set out in the Data Protection Appendix.
Lead Generation Data has the meaning set out in the Data Protection Appendix.
Lead Generation Form has the meaning set out in the Data Protection Appendix.
Main Contract means main agreement executed by the Parties.
Market Acquisition Service means the Driftrock market acquisition service.
Minimum Term means the minimum term of DPA as specified by the Parties in the Main Contract, Order or otherwise.
Order means Driftrock work order template.
Personal Data shall have the same meaning as in the Data Protection Laws.
Software Services means the Driftrock Apps and associated services (the Market Acquisition Service and/or Audience Management Service) to be supplied to you pursuant to this DPA or as may be agreed by the parties in writing from time to time.
ToS means Driftrock Terms of Service as available at Driftrock’s website: https://www.driftrock.com/terms-of-service/.
Website means Driftrock’s website at www.driftrock.com.
2.2. You agree that you will comply with the Data Protection Laws in respect of any personal data of individuals processed through, or as a consequence of your use of, any Driftrock App (“End Users”). You must as a minimum provide a legally adequate privacy notice and protection for End Users. If End Users provide you with user names, passwords, or other login information or personal data, you must make the users aware that the information may be available to your application and to Driftrock and will be held on third party servers on behalf of Driftrock, including servers located outside the European Union.
2.3. Both parties will comply with all applicable requirements of the Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
2.4. The parties acknowledge that for the purposes of the Data Protection Laws, you are the Data Controller and we are the Data Processor in respect of any Personal Data in the Customer Data (“Customer Personal Data”).
2.5. The scope, nature and purpose of our processing of the Customer Personal Data depends on the type of Software Service to be supplied by us to you under this DPA, and is set out in the Data Protection Appendix.
2.6. Without prejudice to the generality of clause 2.1, you shall ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to us so that we can use such Customer Personal Data for the purposes and duration of this DPA. In particular, where we are providing you with the Market Acquisition Service, you undertake that you will present valid notices to Data Subjects on each Lead Generation Form.
2.7. Without prejudice to the generality of clause 2.1, and to the extent that we process Customer Personal Data on your behalf in providing the Software Services, we will:
a) process the Customer Personal Data only for the purpose of providing the Software Services;
b) process the Customer Personal Data only on your written instructions unless otherwise required by law;
c) take appropriate technical and organisational security measures to protect against unauthorised or unlawful processing and accidental loss or destruction of, or damage to, such personal data:
d) ensure that all personnel who have access to and/or process Customer Personal Data are obliged to keep it confidential;
e) not transfer any Customer Personal Data outside of the EEA unless we have obtained your consent;
f) assist you in responding to any request from a Data Subject and in ensuring compliance with your obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
g) notify you without undue delay on becoming aware of a data breach affecting the Customer Personal Data; and
h) to the extent that we store any Customer Personal Data, at your written request, delete and/or return to you the Customer Personal Data and copies of it on the termination of this DPA, unless we are required by applicable laws to store specific Customer Personal Data beyond the termination of this DPA (in which case we shall delete such Customer Personal Data as soon as we are permitted by applicable laws).
2.8 We will maintain complete and accurate records and information to demonstrate our compliance with this clause 2 and allow for reasonable audits, including inspection of our premises by you or your designated auditor, on reasonable notice, in order to verify compliance with the Data Protection Laws and this clause 2.
2.9 You are responsible for obtaining (at your own cost) all necessary equipment and telecommunications services required to access the Software Services. You are also responsible for ensuring that no person uses your equipment to access the Software Services without your permission. We will be entitled to assume that anyone who accesses the Software Services using your equipment has your permission to do so and you will be responsible for any charges, costs or liabilities that may be incurred by any such persons. You agree that you shall indemnify us against any loss, liability, claim, damage or expense incurred by us arising out of any breach by you of this clause 2.8.
3.1. Nothing in this DPA limits or excludes our liability for: (a) death or personal injury caused by our proven negligence; (b) any loss suffered by you as a result of your reliance on any fraudulent misrepresentation made by us to you; or (c) any other liability which may not by law be limited or excluded.
3.2. Subject to clause 3.1, you agree that we shall not be liable for: (a) any indirect loss, claim or damage, or any punitive, special, incidental or consequential damages of any kind ); or (b) loss or corruption of data (whether direct or indirect) or (c) any loss of profit, loss of opportunity or anticipated savings (whether direct or indirect), in each case whether based in contract, tort (including negligence), strict liability, or otherwise, which arises out of or is in any way connected with (i) any use of the Software Services; (ii) any failure or delay in the use of any component of the Software Services including, without limitation, any unavailability of the Software Services irrespective of duration of any period of unavailability; or (iii) any use of or reliance upon any information, material, software, products, services and related graphics obtained through the Software Services, in all cases even if we have been forewarned of the possibility of such loss or damage.
3.3. Subject to clauses 3.1 and 3.2, Driftrock's total liability arising out of or relating to this DPA whether based on contract, tort (including negligence), strict liability, or otherwise, which arises out of or is in any way connected with (i) any use of the Software Services; (ii) any failure or delay in the use of any component of the Software Services including, without limitation, any unavailability of the Software Services irrespective of duration of any period of unavailability; or (iii) any use of or reliance upon any information, material, software, products, services and related graphics obtained through the Software Services, in all cases even if we have been forewarned of the possibility of such loss or damage shall be limited in respect of all claims in respect of any Contract Year, to the amounts payable by you under or in connection with this DPA in respect of that Contract Year. "Contract Year" means a twelve-month period beginning on the Effective Date or the relevant anniversary thereof.
3.4. Without limiting the effect of clause 3.2 or 3.3 above, due to the inherent risks of using the internet, we cannot be liable for any damage to, or viruses that may infect, your computer equipment or any other property when you are using the Software Services or browsing the Website. The downloading or other acquisition of any materials or information through the Website is done at your own discretion and risk and with your DPA that you will be solely responsible for any damage to your computer system or loss of data that results from the downloading or acquisition of any such materials.
3.5. You agree to indemnify us against any claims or legal proceedings that may arise through your use of the Software Services or from any breach of this DPA by you.
3.6. We will notify you of any such claims or proceedings and keep you informed as to the progress of such claims or proceedings.
4.1. This Agreement shall continue in full force and effect for so long as we are processing Customer Personal Data on behalf of you. The Minimum Term of this DPA is the term of the Main Contract, term of execution of the Order or any other term as agreed by Parties in writing. Termination of the Main Contract, Order will automatically result in the termination of this DPA.
4.2. Without affecting any other right or remedy available to it either party may terminate this DPA with immediate effect by giving written notice to the other party if
a) the other party commits a material breach of any other term of this DPA which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so; or
b) the other party repeatedly breaches any of the terms of this DPA in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this DPA.
4.3. On termination of this DPA for whatever reason, all sums payable to us shall become due immediately without prejudice to any right to claim for interest under the law, or any such right under this DPA.
4.4 On termination of this DPA you must immediately cease use of the Software Services and destroy any materials downloaded or printed from the Website or otherwise in connection with the provision of the Software Services.
4.5. Termination of this DPA for whatever reason shall not affect the accrued rights and liabilities of either you or us as at the time of such termination.
5.1. Any failure or delay by us to enforce any of our rights under this DPA is not to be taken as or deemed to be a waiver of that or any other right unless we acknowledge and agree to such a waiver in writing.
5.2. A person who is not a party to this DPA shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA.
5.3. If any clause or part of a clause of this DPA is, or becomes, invalid, illegal or unenforceable, the remainder of the DPA shall remain valid and enforceable.
5.4. Subject to clause 5.1, you shall have no remedy in respect of any untrue statement made to you upon which you relied in entering into this DPA other than any remedy you may have for breach of the express terms of this DPA. In addition, you acknowledge that, in entering into this DPA, you have not relied on any statement, representation or misrepresentation not expressly set out herein.
5.5. This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with English law and the parties irrevocably agree to submit to the exclusive jurisdiction of the English courts.
5.6. Driftrock may assign the benefit of this DPA without giving notice to you and is entitled to subcontract any of its rights or obligations hereunder.
The following sets out the scope, nature, purpose and duration of our processing of the Customer Personal Data by us, and the relevant categories of Personal Data and Data Subject: