Data Processing Agreement

Last updated: January 15, 2024

1. Definitions and Interpretation

In this Data Processing Agreement ("DPA"):

  • "Controller" means the entity which determines the purposes and means of processing Personal Data
  • "Processor" means BrandPassPro, which processes Personal Data on behalf of the Controller
  • "Data Subject" means the individual to whom Personal Data relates
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Data Protection Laws" means GDPR, CCPA, and other applicable data protection regulations

2. Processing of Personal Data

2.1 Processor's Role

BrandPassPro shall process Personal Data only as a Processor on behalf of and in accordance with the Controller's documented instructions.

2.2 Purpose of Processing

Personal Data shall be processed solely for the purpose of:

  • Creating and managing digital passes
  • Distributing passes to designated recipients
  • Providing analytics and reporting services
  • Maintaining platform security and functionality
  • Fulfilling legal obligations

2.3 Controller's Instructions

The Controller's instructions for processing are:

  • As specified in the Terms of Service
  • As initiated through the Service interface
  • As otherwise agreed in writing

3. Processor's Obligations

BrandPassPro shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure security
  • Not engage Sub-processors other than those authorized under Section 5 of this DPA
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data at the end of the service relationship
  • Make available all information necessary to demonstrate compliance
  • Notify the Controller if instructions infringe Data Protection Laws

4. Security Measures

4.1 Technical Measures

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (AES-256)
  • Regular security patches and updates
  • Firewalls and intrusion detection systems
  • Regular security vulnerability assessments
  • Secure development practices

4.2 Organizational Measures

  • Access controls based on least privilege principle
  • Regular security training for personnel
  • Background checks for employees with data access
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Regular security audits

5. Sub-processors

5.1 Authorized Sub-processors

The Controller consents to the following Sub-processors:

  Sub-processor          Service                Location
  Amazon Web Services    Cloud Infrastructure   United States
  Stripe, Inc.           Payment Processing     United States
  SendGrid               Email Delivery         United States
  Twilio                 SMS Delivery           United States

5.2 New Sub-processors

BrandPassPro shall notify the Controller of any intended changes concerning Sub-processors, giving the Controller the opportunity to object to such changes.

6. International Data Transfers

6.1 Transfer Mechanisms

For transfers of Personal Data outside the EEA, BrandPassPro shall ensure:

  • Standard Contractual Clauses are in place
  • Adequate level of protection as required by GDPR
  • Compliance with Chapter V of GDPR
  • Additional safeguards where required by law

6.2 Data Localization

Upon request and subject to technical feasibility, data may be stored in specific geographic regions.

7. Data Subject Rights

7.1 Assistance with Requests

BrandPassPro shall assist the Controller in fulfilling Data Subject requests for:

  • Access to Personal Data
  • Rectification of Personal Data
  • Erasure of Personal Data
  • Data portability
  • Restriction of processing
  • Objection to processing

7.2 Response Timeline

Assistance shall be provided within reasonable timeframes to enable the Controller to meet the statutory deadlines that apply to it.

8. Personal Data Breach

8.1 Notification

BrandPassPro shall notify the Controller without undue delay upon becoming aware of a Personal Data breach, providing:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8.2 Cooperation

BrandPassPro shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.

9. Audits and Compliance

9.1 Right to Audit

The Controller may conduct audits to verify compliance with this DPA:

  • Upon reasonable notice
  • During regular business hours
  • No more than once per year unless required by law
  • Subject to confidentiality agreements

9.2 Compliance Certifications

BrandPassPro maintains the following certification:

  • PCI DSS compliance for payment processing

The following certifications are planned but not yet obtained:

  • SOC 2 Type II
  • ISO 27001

10. Data Retention and Deletion

10.1 Retention Period

Personal Data shall be retained only for the duration necessary to provide the Services, unless:

  • Otherwise instructed by the Controller
  • Required by applicable law
  • Necessary for legal claims

10.2 Deletion or Return

Upon termination, BrandPassPro shall, at the Controller's choice:

  • Delete all Personal Data, or
  • Return all Personal Data in a commonly used format and then delete remaining copies

In either case, BrandPassPro shall provide written certification of deletion upon the Controller's request.

11. Liability and Indemnification

11.1 Limitation of Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations set forth in the Terms of Service.

11.2 Indemnification

Each party shall indemnify the other against claims resulting from its breach of Data Protection Laws or this DPA.

12. Term and Termination

12.1 Duration

This DPA shall remain in effect for the duration of the Service agreement between the parties.

12.2 Survival

Obligations relating to security, confidentiality, and data deletion shall survive termination.

13. General Provisions

13.1 Governing Law

This DPA shall be governed by the laws specified in the Terms of Service.

13.2 Order of Precedence

In case of conflict, this DPA shall take precedence over the Terms of Service with respect to data processing matters.

13.3 Amendments

Amendments to this DPA must be in writing and agreed by both parties.

14. Contact Information

For matters related to this DPA:

Data Protection Officer: dpo@brandpasspro.com

Security Team: security@brandpasspro.com

Legal Department: legal@brandpasspro.com

Address: BrandPassPro, Inc.
123 Main Street
San Francisco, CA 94105
United States

Appendix A: Technical and Organizational Measures

Detailed security measures are available upon request and subject to NDA.

Appendix B: Standard Contractual Clauses

The EU Standard Contractual Clauses for Controller-to-Processor transfers are incorporated by reference and available upon request.

© 2024 BrandPassPro by Asan Digital LLC. All rights reserved.