Data Processing Agreement
Last Updated: July 28, 2022
This Data Processing Agreement (“DPA”) is entered into as of the last date executed below by and between Playbook Software Inc., a Delaware corporation having its principal place of business at 1321 Upland Dr. PMB 16562 Houston, Texas 77043 (“Company” or “Rollout”), and Counterparty (defined below).
Rollout provides its proprietary, Software-as-a-Service solution for integrating and automating workflows between third party apps and partner apps (“Service(s)”) to Partner and Users (each as defined below). The provision of the Service involves the Processing of Personal Data subject to the Data Protection Laws, and the purpose of this DPA is to set forth the terms under which Rollout Processes the Personal Data.
THIS DPA APPLIES BETWEEN THE PARTIES WHERE COUNTERPARTY CLICKS A BOX INDICATING ACCEPTANCE, TRANSFERS PERSONAL DATA TO ROLLOUT FOR PROCESSING BY MEANS OF SERVICE, OR OTHERWISE AFFIRMATIVELY INDICATES ACCEPTANCE OF THIS DPA. BY DOING SO, YOU: (A) AGREE TO THIS DPA ON BEHALF OF THE ORGANIZATION, COMPANY, OR OTHER LEGAL ENTITY FOR WHICH YOU ACT (“COUNTERPARTY”); AND (B) REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND COUNTERPARTY AND ITS AFFILIATES TO THIS DPA. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THIS DPA, YOU MAY NOT DIRECTLY OR INDIRECTLY TRANSFER PERSONAL DATA TO ROLLOUT. ROLLOUT RESERVES THE RIGHT TO MODIFY OR UPDATE THE TERMS OF THIS DPA IN ITS DISCRETION, THE EFFECTIVE DATE OF WHICH WILL BE THE EARLIER OF (I) 30 DAYS FROM THE DATE OF SUCH UPDATE OR MODIFICATION AND (II) COUNTERPARTY’S CONTINUED TRANSFER OF PERSONAL DATA.
If Partner and Rollout have executed a written data processing agreement governing the processing of personal data (including Partner Data and/or User Data as applicable) by means of the Service, then the terms of such signed data processing agreement between the parties will govern and will supersede this DPA.
In the provision of services by Rollout involving Counterparty, the following roles (“Roles”) apply among the parties:
| Counterparty | Description | Data Processing Function(s) |
|---|---|---|
| Partner | Party that purchases a Subscription to the Service or individually purchases Services | For Partner Personal Data Processed by Rollout, Partner is the Controller and Rollout is a Processor; for User Personal Data Processed by Rollout, Partner is a Processor and Rollout is a Processor and/or Subprocessor |
| User | The Partner’s customer or user that enables integration between the Service and Partner’s platform or a Third Party App in order for Rollout to Process the User’s Personal Data for their benefit | For User Personal Data Processed by Rollout, User is the Controller; Partner is a Processor; and Rollout is a Processor and/or Subprocessor |
| Third Party App | Provider of a SaaS solution used by User (e.g., Slack, Dropbox, Google Suite) | User is the Controller; Third Party App is the Processor; Rollout is the Processor to User |
1. Definitions
All capitalized terms used in this DPA will have the meanings given to them herein or as set forth in the applicable Agreement between Rollout and the Counterparty.
“Agreement” means the applicable terms between Rollout and Counterparty regarding use of or integration with the Service.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this DPA is as set forth in the Roles table above.
“CCPA Personal Information” means “personal information” (as defined in the CCPA) that Rollout Processes on behalf of Counterparty in connection with Rollout’s provision of the Service.
“Data Protection Laws” means the following laws to the extent applicable, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together, “ANZ Privacy Law”); and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Rollout Processes on behalf of Counterparty in connection with Rollout’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Rollout Processes on behalf of Counterparty as described in Section 4 of this DPA, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Rollout on behalf of Counterparty.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this DPA is as set forth in the Roles table above.
“Standard Contractual Clauses” or “SCCs” or “Clauses” means (i) where the GDPR applies, the terms available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council 4 June including Modules 2 and 3, as applicable in accordance with the Roles; and (ii) where the UK GDPR applies, the terms available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and issued pursuant to Section 119A of the Data Protection Act 2018.
2. Compliance With Laws
Each party will comply with the Data Protection Laws as applicable to it, including with respect to the Processing of Personal Data.
3. Personal Data Obligations
Counterparty undertakes that all instructions for the Processing of Personal Data under the Agreement or this DPA or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not cause Rollout to be in breach of any Data Protection Laws. Counterparty, to the extent that it provides its Personal Data to Rollout, is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Rollout including the means by which the Personal Data was acquired.
4. Data Obligations
Rollout will Process the Personal Data for the purposes set forth in the Agreement. Rollout will Process the Personal Data in accordance with Counterparty’s instructions as documented in the Agreement and this DPA for the term of the Agreement. Rollout will not access, use or otherwise Process such Personal Data, except as specified in the Agreement, including to provide and/or make available the Service.
Unless prohibited by applicable law, Rollout will notify Counterparty if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Rollout will be entitled to suspend performance of such instruction, until Counterparty confirms in writing that such instruction is valid under the Data Protection Laws. Any additional instructions regarding the manner in which Rollout Processes the Personal Data will require prior written agreement between Rollout and Counterparty.
Rollout will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Rollout receives a binding order from a law enforcement agency for Personal Data, Rollout will notify Counterparty of the request it has received so long as Rollout is not legally prohibited from doing so.
Rollout will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
5. GDPR, UK GDPR and Third Countries; SCCs
This Section 5 applies to Rollout’s Processing of GDPR Personal Data or UK GDPR Personal Data, as the case may be, but solely as permitted by this DPA and the Agreement. This DPA, together with the Agreement, including the applicable SCCs, serves as the binding contract referred to in Article 28(3) of the GDPR and Section 59 of the UK GDPR that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects, as well as the obligations and rights of the Controller. Rollout may process Personal Data in connection with its provision of the Service in countries that have different data protection regulations than the GDPR and the UK GDPR (“Third Countries”). In such event, subject to the terms of this DPA, the GDPR Standard Contractual Clauses will govern the transfer of Personal Data to such Third Countries, including to Subprocessors in such Third Countries, unless the transfer of Personal Data occurs via an alternative means permitted by relevant Data Protection Laws.
6. Requirements for CCPA Personal Information.
This Section 6 shall only apply to Rollout’s Processing of CCPA Personal Information as permitted by the Agreement. For the purposes of the CCPA, Rollout and Counterparty acknowledge and agree that Rollout will act as a “service provider” (as defined in the CCPA) in its provision of the Service. Rollout shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purposes of providing the Service, or as otherwise permitted by the CCPA. Rollout acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Service. Rollout will not “sell” (as defined in the CCPA) any CCPA Personal Information.
7. Technical and organizational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Rollout will in relation to the Personal Data implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risk, as further described in Annex II hereto.
In assessing the appropriate level of security, Rollout will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
8. Data Subjects rights.
Rollout will assist Counterparty in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Rollout will (a) to the extent permitted by applicable law, promptly notify Counterparty of any request received directly from Data Subjects to access, correct or delete their Personal Data, without responding to that request, and (b) upon written request from Counterparty, provide Counterparty with information that Rollout has available to reasonably assist Counterparty in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
9. Data Protection Impact Assessments
If Counterparty is required under the Data Protection Laws to conduct a Data Protection Impact Assessment, then upon written request from Counterparty, Rollout will assist where reasonably possible in the fulfilment of the Counterparty’s obligation as related to its use of the Service, to the extent Counterparty does not otherwise have access to the relevant information. If required under Data Protection Laws, Rollout will provide reasonable assistance to Counterparty in the cooperation or prior consultation with the Data Protection Authorities in relation to any applicable Data Protection Impact Assessment.
10. Audit of Technical and Organizational Measures.
Rollout agrees to make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Counterparty may, at its sole cost and expense, verify Rollout’s compliance with its data protection obligations as specified in this DPA by: (i) submitting a security assessment questionnaire to Rollout; and (ii) if Counterparty is not satisfied with Rollout’s responses to the questionnaire, then Counterparty may conduct an audit in the form of meetings with Rollout’s information security experts upon a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Rollout’s normal business operations and subject always to Rollout’s agreement on scope and timings. The Counterparty may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Counterparty or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Counterparty will be responsible for any actions taken by its authorized auditor. All information disclosed by Rollout under this Section 10 will be deemed Rollout Confidential Information, and Counterparty will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Rollout will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 10 within a mutually agreeable timeframe.
11. Breach notification.
If Rollout becomes aware of a Personal Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, which is likely to cause a risk to the fundamental rights and freedoms of the Data Subjects, then Rollout will notify the Counterparty without undue delay after becoming aware of such Personal Data Breach and will co-operate with the Counterparty and take such reasonable commercial steps as agreed with the Counterparty to assist in the investigation, mitigation and remediation of such Personal Data Breach. Rollout will provide all reasonably required support and cooperation necessary to enable Counterparty to comply with its legal obligations in case of a Personal Data Breach pursuant to Articles 33 and 34 of the GDPR and Sections 67 and 68 of the UK GDPR.
12. Sub-processing.
Counterparty agrees that Rollout may engage either Rollout affiliated companies or third-party providers as “Subprocessors” and hereby authorizes Rollout to engage such Subprocessors in the provision of the Service. Rollout will restrict the Processing activities performed by Subprocessors to only what is strictly necessary to accomplish the purposes of the Agreement and this DPA. Rollout will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this DPA, and Rollout will remain responsible for the Subprocessors’ compliance with the obligations under this DPA.
Rollout maintains a list of all Subprocessors available through its website. Rollout may amend the list of Subprocessors by adding or replacing Subprocessors at any time. Controller will be entitled to object to a new Subprocessor by notifying Rollout in writing of the reasons for its objection. Rollout will work in good faith to address Controller’s objections. If Rollout is unable or unwilling to adequately address Controller’s objections to its reasonable satisfaction, then Controller may terminate this DPA and the Agreement, as specified in the Agreement.
13. Return or Deletion of Personal Data.
Rollout will delete or return, in Counterparty’s discretion and upon Counterparty’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.
14. Entire Agreement; Conflict.
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
15. Appendix & Annexes.
The Appendix and Annexes to the SCCs, attached to this DPA hereafter, are incorporated into, and apply to, the DPA.
APPENDIX
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
the Partner as defined above
Role (controller/processor): Controller and/or Processor as specified in the DPA
Data importer(s):
Name: Playbook Software Inc.
Address: 1321 Upland Dr. PMB 16562, Houston, Texas 77043
Contact person’s name, position and contact details: [email protected]
Name: Alkarim Lalani
Position: Chief Executive Officer
Address: 1321 Upland Dr. PMB 16562, Houston, Texas 77043
Role: Processor (or Subprocessor as the case may be)
Activities relevant to the data transferred under these Clauses: Processing of personal data for the Services pursuant to the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Partner and its users, third-party apps and their users (e.g., account holders, partners, users, employees, contractors, suppliers and users of the data exporter and the data exporter’s customers, vendors and partners).
Categories of personal data transferred
Categories of personal data chosen by a controller and issued to the processor or subprocessor, as the case may be, via the Service: such as name, address, email, phone number, authentication information, transactional and account information, and third-party-application-specific data that depends on the type of third-party application being integrated by the controller.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive data transferred to processor by a controller, or on its behalf as permitted under the DPA, via the Services (e.g., demographic, financial, etc.)
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis as determined by a controller or on its behalf as permitted under the Agreement
Nature of the processing
Integration services between joint systems that a controller chooses, made available by the processor or subprocessor as the case may be
Purpose(s) of the data transfer and further processing
For processor/subprocessor to provide the Services to a controller (or on their behalf) as required under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the term of the Agreement and until notified by a controller, or controller deletion (via Service API)
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
For the term of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority/ies under the DPA are as follows: (a) for the EEA and GDPR, any applicable Member State; and (b) for the UK GDPR, the UK.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Rollout processes all personal data received from Controller, or on its behalf under this DPA in conformity with the following technical and organizational measures:
Information Security Organization
- Rollout’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
- The Chief Technology Officer is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of Rollout’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
- The Chief Technology Officer also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The CTO maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
- The Security team is responsible for identifying and tracking incidents and creating a ‘lessons learned’ document and sharing it with the engineering team. The Engineering team is responsible for Software development and deployment.
Personnel Security
- Rollout has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Internal personnel acknowledge all codes and procedures within 30 days of hire.
- Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
- Internal personnel complete annual training programs for information security to help them understand their obligations and responsibilities related to security.
Access Controls and Asset Management
- Internal users are provisioned access to systems based on role as defined in the access matrix, which is reviewed and approved annually by the Chief Technology Officer. The CTO approves any additional access required outside the access matrix.
- The Chief Technology Officer conducts quarterly user access reviews of production servers, databases, and applications to validate that internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
- Access to production machines, network devices, and support tools requires a unique ID.
- Internal user access to systems and applications with service data requires two-factor authentication in the form of a user ID/password and a one-time passcode.
- Rollout has formal policies for password strength and use of authentication mechanisms.
- Production infrastructure is restricted to users with a valid SSH key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
- Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
- Internal use of the internal admin tool is logged. These logs are reviewed monthly for appropriateness.
- Firewall configurations help ensure available networking ports and protocols are restricted to approved business rules.
- The Engineering team maintains a list of the company’s system components, owners, and their business function, and the Chief Technology Officer reviews this list annually.
Incident Management and Business Continuity
- Rollout’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
- The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
- The Chief Technology Officer maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.
Change Controls
- Rollout’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
- System changes are tested via automated test scripts prior to being deployed into production.
- Code merge requests are independently peer reviewed prior to integrating the code change into the master branch.
- System users who make changes to the development system are unable to deploy their changes to production without independent approval.
- The Engineering team uses a tool to enforce standard production images for production servers.
- Configuration changes are tested (if applicable) and approved prior to being deployed into production.
- The production and testing environments are segregated; production data is not used in the development and testing environments.
Data and Availability Controls
- Rollout’s Data Protection Policy details the security and handling protocols for service data.
- Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data to a non-production environment at least annually to validate the integrity of backups.
- Access to erase or destroy customer data is limited to the Chief Technology Officer and back-end engineers.
- The Chief Technology Officer and the Engineering team manually delete data that is no longer needed from databases and other file stores in accordance with agreed-upon customer requirements.
- Rollout’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
- Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
- The Engineering team encrypts hard drives for portable devices with full disk encryption.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- The Platform is configured to operate across availability zones to support continuous availability.
Vendor and Vulnerability Management
- Rollout’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The Chief Technology Officer assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
- Rollout’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
- Vulnerability scans are executed on production systems. The Chief Technology Officer and the Engineering team track critical or high-risk vulnerabilities through resolution. Management has implemented intrusion prevention and detection tools to provide monitoring of network traffic to the production environment.
- The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
- The Engineering team uses alerting software to notify impacted teams of potential security and availability events.
ANNEX III#
LIST OF SUB-PROCESSORS#
The controller has authorised the use of the Subprocessors listed at the following website: