Data Processing Agreement

Data Protection and Information Security is core to everything we do at Driftrock.

This Driftrock Data Processing DPA (“DPA”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Driftrock Terms of Service (the “ToS”). This DPA, ToS and the Privacy Policy set out the full extent of our obligations and liabilities concerning the Website and the Software Services and replace any previous DPAs, representations and understandings between us and you.

This DPA is effective upon its incorporation, which incorporation may be specified in the ToS, an Order or the Main Contract (as applicable).

We periodically update these terms. We will let you know when we do via an email or in-app notification.

1. DEFINITIONS

The following definitions and rules of interpretation apply in this DPA.

Audience Management Service means the Driftrock audience management service.

Customer Data means all End User data and data relating to your customers or to the customers of your clients and which is provided by you or on your behalf to us for the purposes of providing the Services.  

Customer Personal Data has the meaning set out in clause 2.4.

CRM and CRM Data has the meaning set out in the Data Protection Appendix.

Data Controller shall have the same meaning as in the Data Protection Laws.

Data Processor shall have the same meaning as in the Data Protection Laws.

Data Protection Appendix means the data protection appendix attached to this DPA.

Data Protection Laws means prior to and including 24 May 2018, the Data Protection Act 1998; and from and including 25 May 2018, (i) unless and until the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.

Data Subject shall have the same meaning as in the Data Protection Laws.

Driftrock Apps means Driftrock’s marketing and other applications.  

EEA means the European Economic Area.

End User means any employee, contractor or other individual appointed by or permitted by you to use the Software Services.

End User Data means any data relating to the End Users’ use of the Software Services, such as login and user ID credentials.  

Fees means the sums payable under this DPA specified in the DPA Summary.

Key Mapping Store has the meaning set out in the Data Protection Appendix.

Lead IDs has the meaning set out in the Data Protection Appendix.

Lead Generation Data has the meaning set out in the Data Protection Appendix.

Lead Generation Form has the meaning set out in the Data Protection Appendix.

Main Contract means the main agreement executed by the Parties.

Market Acquisition Service means the Driftrock market acquisition service.

Minimum Term means the minimum term of this DPA as specified by the Parties in the Main Contract, Order or otherwise.

Order means the Driftrock work order template.

Personal Data shall have the same meaning as in the Data Protection Laws.

Software Services means the Driftrock Apps and associated services (the Market Acquisition Service and/or Audience Management Service) to be supplied to you pursuant to this DPA or as may be agreed by the parties in writing from time to time.

ToS means Driftrock Terms of Service as available at Driftrock’s website: https://www.driftrock.com/terms-of-service/.

Website means Driftrock’s website at www.driftrock.com.

2. PRIVACY AND DATA PROTECTION

2.1. Driftrock’s privacy policy which can be found at www.driftrock.com/privacy_policy and Driftrock’s ToS which can be found at https://www.driftrock.com/terms-of-service/ are expressly incorporated into this DPA.  

2.2. You agree that you will comply with the Data Protection Laws in respect of any personal data of individuals processed through, or as a consequence of your use of, any Driftrock App (“End Users”). You must as a minimum provide a legally adequate privacy notice and protection for End Users. If End Users provide you with user names, passwords, or other login information or personal data, you must make the users aware that the information may be available to your application and to Driftrock and will be held on third party servers on behalf of Driftrock, including servers located outside the European Union.

2.3. Both parties will comply with all applicable requirements of the Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.

2.4. The parties acknowledge that for the purposes of the Data Protection Laws, you are the Data Controller and we are the Data Processor in respect of any Personal Data in the Customer Data (“Customer Personal Data”).

2.5. The scope, nature and purpose of our processing of the Customer Personal Data depends on the type of Software Service to be supplied by us to you under this DPA, and is set out in the Data Protection Appendix.  

2.6. Without prejudice to the generality of clause 2.1, you shall ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to us so that we can use such Customer Personal Data for the purposes and duration of this DPA. In particular, where we are providing you with the Market Acquisition Service, you undertake that you will present valid notices to Data Subjects on each Lead Generation Form.  

2.7. Without prejudice to the generality of clause 2.1, and to the extent that we process Customer Personal Data on your behalf in providing the Software Services, we will:

a) process the Customer Personal Data only for the purpose of providing the Software Services;

b) process the Customer Personal Data only on your written instructions unless otherwise required by law;

c) take appropriate technical and organisational security measures to protect against unauthorised or unlawful processing and accidental loss or destruction of, or damage to, such personal data:

  • which is appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Customer Personal Data to be protected; and
  • having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by us);

d) ensure that all personnel who have access to and/or process Customer Personal Data are obliged to keep it confidential;

e) not transfer any Customer Personal Data outside of the EEA unless we have obtained your consent;

f) assist you in responding to any request from a Data Subject and in ensuring compliance with your obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

g) notify you without undue delay on becoming aware of a data breach affecting the Customer Personal Data; and

h) to the extent that we store any Customer Personal Data, at your written request, delete and/or return to you the Customer Personal Data and copies of it on the termination of this DPA, unless we are required by applicable laws to store specific Customer Personal Data beyond the termination of this DPA (in which case we shall delete such Customer Personal Data as soon as we are permitted by applicable laws).

2.8. We will maintain complete and accurate records and information to demonstrate our compliance with this clause 2 and allow for reasonable audits, including inspection of our premises by you or your designated auditor, on reasonable notice, in order to verify compliance with the Data Protection Laws and this clause 2.

2.9. You are responsible for obtaining (at your own cost) all necessary equipment and telecommunications services required to access the Software Services. You are also responsible for ensuring that no person uses your equipment to access the Software Services without your permission. We will be entitled to assume that anyone who accesses the Software Services using your equipment has your permission to do so and you will be responsible for any charges, costs or liabilities that may be incurred by any such persons. You agree that you shall indemnify us against any loss, liability, claim, damage or expense incurred by us arising out of any breach by you of this clause 2.8.

3. LIMITATION OF LIABILITY

3.1. Nothing in this DPA limits or excludes our liability for: (a) death or personal injury caused by our proven negligence; (b) any loss suffered by you as a result of your reliance on any fraudulent misrepresentation made by us to you; or (c) any other liability which may not by law be limited or excluded.

3.2. Subject to clause 3.1, you agree that we shall not be liable for: (a) any indirect loss, claim or damage, or any punitive, special, incidental or consequential damages of any kind; or (b) loss or corruption of data (whether direct or indirect); or (c) any loss of profit, loss of opportunity or anticipated savings (whether direct or indirect), in each case whether based in contract, tort (including negligence), strict liability, or otherwise, which arises out of or is in any way connected with (i) any use of the Software Services; (ii) any failure or delay in the use of any component of the Software Services including, without limitation, any unavailability of the Software Services irrespective of duration of any period of unavailability; or (iii) any use of or reliance upon any information, material, software, products, services and related graphics obtained through the Software Services, in all cases even if we have been forewarned of the possibility of such loss or damage.

3.3. Subject to clauses 3.1 and 3.2, Driftrock's total liability arising out of or relating to this DPA whether based on contract, tort (including negligence), strict liability, or otherwise, which arises out of or is in any way connected with (i) any use of the Software Services; (ii) any failure or delay in the use of any component of the Software Services including, without limitation, any unavailability of the Software Services irrespective of duration of any period of unavailability; or (iii) any use of or reliance upon any information, material, software, products, services and related graphics obtained through the Software Services, in all cases even if we have been forewarned of the possibility of such loss or damage shall be limited in respect of all claims in respect of any Contract Year, to the amounts payable by you under or in connection with this DPA in respect of that Contract Year. "Contract Year" means a twelve-month period beginning on the Effective Date or the relevant anniversary thereof.  

3.4. Without limiting the effect of clause 3.2 or 3.3 above, due to the inherent risks of using the internet, we cannot be liable for any damage to, or viruses that may infect, your computer equipment or any other property when you are using the Software Services or browsing the Website. The downloading or other acquisition of any materials or information through the Website is done at your own discretion and risk and with your agreement that you will be solely responsible for any damage to your computer system or loss of data that results from the downloading or acquisition of any such materials.

3.5. You agree to indemnify us against any claims or legal proceedings that may arise through your use of the Software Services or from any breach of this DPA by you.

3.6. We will notify you of any such claims or proceedings and keep you informed as to the progress of such claims or proceedings.

4. TERMINATION

4.1. This Agreement shall continue in full force and effect for so long as we are processing Customer Personal Data on behalf of you. The Minimum Term of this DPA is the term of the Main Contract, term of execution of the Order or any other term as agreed by Parties in writing. Termination of the Main Contract, Order will automatically result in the termination of this DPA.

4.2. Without affecting any other right or remedy available to it, either party may terminate this DPA with immediate effect by giving written notice to the other party if:

a) the other party commits a material breach of any other term of this DPA which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so; or

b) the other party repeatedly breaches any of the terms of this DPA in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this DPA.

4.3. On termination of this DPA for whatever reason, all sums payable to us shall become due immediately without prejudice to any right to claim for interest under the law, or any such right under this DPA.

4.4. On termination of this DPA you must immediately cease use of the Software Services and destroy any materials downloaded or printed from the Website or otherwise in connection with the provision of the Software Services.

4.5. Termination of this DPA for whatever reason shall not affect the accrued rights and liabilities of either you or us as at the time of such termination.

5. GENERAL

5.1. Any failure or delay by us to enforce any of our rights under this DPA is not to be taken as or deemed to be a waiver of that or any other right unless we acknowledge and agree to such a waiver in writing.

5.2. A person who is not a party to this DPA shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA.

5.3. If any clause or part of a clause of this DPA is, or becomes, invalid, illegal or unenforceable, the remainder of the DPA shall remain valid and enforceable.

5.4. Subject to clause 5.1, you shall have no remedy in respect of any untrue statement made to you upon which you relied in entering into this DPA other than any remedy you may have for breach of the express terms of this DPA.  In addition, you acknowledge that, in entering into this DPA, you have not relied on any statement, representation or misrepresentation not expressly set out herein.

5.5. This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with English law and the parties irrevocably agree to submit to the exclusive jurisdiction of the English courts.

5.6. Driftrock may assign the benefit of this DPA without giving notice to you and is entitled to subcontract any of its rights or obligations hereunder.

DATA PROTECTION APPENDIX

The following sets out the scope, nature, purpose and duration of our processing of the Customer Personal Data by us, and the relevant categories of Personal Data and Data Subject:


Scope and nature of processing

Market Acquisition Service: Where your social media account(s) are linked to the Driftrock Apps, we will process lead generation information provided to us from the social media platform on which your social media accounts are hosted (“Lead Generation Data”). The Lead Generation Data will consist of unstructured data submitted by an individual via a lead generation form linked to your social media account(s) (“Lead Generation Form”), and will include Customer Personal Data. On receipt of the Lead Generation Data, we retain the anonymous ID numbers provided to us by the relevant social media platform, for example, the lead ID, Facebook ID, campaign ID and advert ID (“Lead IDs”). We also create a unique Driftrock ID for each lead. Further, we store any Lead Generation Data (including Customer Personal Data) that you have permitted us to retain by updating the settings for the key mapping store, being the component of the Driftrock Apps that stores such data (“Key Mapping Store”).

Customer Audience Syncing: We process Customer Personal Data provided by you to us from your CRM system or other customer data store (“CRM”) by an API or other method of electronic data transmission. On receipt of the Customer Personal Data (“CRM Data”), we identify and anonymise the email addresses using a secure hash algorithm (currently SHA-256). We do not use the original email address or any other data within the CRM Data. Such data is stored briefly within temporary memory before being discarded. We compare the hashed email addresses against the previous list of hashed email addresses held by us from the last transfer of CRM Data from your CRM to us. Any updates to the list of hashed email addresses are notified by us to your nominated social media platform.

Purpose of processing

Market Acquisition Service: We process the Customer Personal Data in order to provide you with the Software Services.

Customer Audience Syncing: The processing of CRM Data (not including email addresses) by us is ancillary to the provision of the Software Services. We only process such CRM Data in order to identify and capture the email addresses. We process the email addresses to create hashed email addresses.

Categories of Customer Personal Data

Market Acquisition Service: The Lead Generation Data is unstructured, therefore the categories will depend on the fields in each lead generation form. However it is likely to include names, email addresses, contact details and other Customer Personal Data such as age and gender.

Customer Audience Syncing: The CRM Data includes email addresses and any other Customer Personal Data captured by your CRM, such as names and contact details.

Categories of Data Subject

Market Acquisition Service: Individuals that submit information via Lead Generation Forms.

Customer Audience Syncing: Individuals with Customer Personal Data included in your CRM.

Duration of the processing

Market Acquisition Service: By default, the Lead Generation Data is processed momentarily before being discarded. If you have instructed us to retain Lead Generation Data (including Customer Personal Data) within the Key Mapping Store, we will process the Customer Personal Data for as long as required to provide the Software Services to you. Lead IDs and Driftrock IDs are retained indefinitely.

Customer Audience Syncing: CRM Data, including email addresses, are processed momentarily before being discarded. Hashed email addresses are stored for the duration of the DPA.