SaintsArk EU Data Processing Addendum

Last updated: Aug 02, 2018


This Data Processing Addendum ("DPA") forms part of the Agreement between ChrisTcradle Charity Foundation, Inc. ("SA") and you, an Admin of a Network. It is effective on July 28, 2018 ("Effective Date").

1. Definitions

All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. Terms used but not defined in this DPA, such as “controller,” “data subject,” “personal data,” “processing,” and “processor” will have the same meaning as set forth in the EU Data Protection Law.

"Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.

"Agreement" means SaintsArk’s Terms of Use, which govern the provision of the Services to, as such terms may be updated by SA from time to time.

"Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including, where applicable, EU Data Protection Law.

"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

"EEA" means the European Economic Area, United Kingdom and Switzerland.

"Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Host Data.

"Services" means any product or service provided by SA to Host pursuant to the Agreement.

“Subprocessors” means the other processors that are used by SA to process Personal Data.

"Host" means any Admin owning or operating a church or group on the SA Network.

"Host Data" means any personal data that SA processes on behalf of Host as a processor in the course of providing Services, as more particularly described in this DPA. Host Data means all personal data provided directly by Host to SA, and all personal data that Members of Host’s Networks provide when they register for and participate in Host’s Networks.

2. Relationship with the Agreement

  • 2.1 The parties agree that the DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
  • 2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
  • 2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
  • 2.4 Host further agrees that any regulatory penalties incurred by SA in relation to the Host Data that arise as a result of, or in connection with, Host’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall reduce SA’s liability under the Agreement.
  • 2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
  • 2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

3. Scope and Applicability of this DPA

  • 3.1 This DPA applies where and only to the extent that SA processes Host Data that originates from the EEA or that is otherwise subject to EU Data Protection Law on behalf of Host as a processor in the course of providing Services pursuant to the Agreement.

4. Roles and Scope of Processing

  • 4.1 Role of the Parties. As between SA and Host, Host is the controller of Host Data, and SA shall process Host Data only as a processor acting on behalf of Host.
  • 4.2 Host Processing of Host Data. Host agrees that (i) it shall comply with its obligations as a controller under Data Protection Laws in respect of its processing of Host Data and any processing instructions it issues to SA; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for SA to process Host Data and provide the Services pursuant to the Agreement and this DPA.
  • 4.3 SaintsArk Processing of Host Data. SA shall process Host Data only for the purposes described in this DPA and only in accordance with Host’s documented, lawful instructions. The parties agree that this DPA and the Agreement set out the Host’s complete and final instructions to SA in relation to the processing of Host Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Host and SA.
  • 4.4 Details of Data Processing
    1. Subject matter: The subject matter of the data processing under this DPA is the Host Data.
    2. Duration: As between SA and Host, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
    3. Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Host and the performance of SA’s obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
    4. Nature of the processing: SA provides a platform for Hosts to create and manage communities dedicated to an individual, identity, or interest. Hosts invite people (“Members”) to connect with each other, to message, and to exchange information and content. Hosts tailor their SA by the Members they invite, the conversations they organize, what they call their SA, and additional branding they may choose to use.
    5. Categories of data subjects: Any individual accessing and/or using the Services through the Host’s account ("Users"); and any individual who joins one of Host’s Networks (collectively, "End Users" or Members).
    6. Types of Host Data:
      1. Host and Users: Identification and contact data (name, email address, title, contact details, username); employment details (employer, job title, geographic location, area of responsibility); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information);
      2. End Users: Identification and contact data (name, gender, occupation, email address, title), personal interests or preferences (including marketing preferences and, if End User chooses to integrate Network account with social media profile, social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data (depending on End User’s settings) and browser data); financial information if End User must pay to join Network (credit card details, account details, payment information); and all other information provided by End User to Network.
  • 4.5 Notwithstanding anything to the contrary in the Agreement (including this DPA), Host acknowledges that SA shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
  • 4.6 Tracking Technologies. Host acknowledges that in connection with the performance of the Services, SA and its service providers employ the use of cookies, unique identifiers, and similar tracking technologies ("Tracking Technologies"). SA shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable it and its service providers to deploy Tracking Technologies lawfully on, and collect data from, the devices of Users and End Users in accordance with and as described in the SA Cookie Policy.

5. Subprocessing

  • 5.1 Authorized Subprocessors. Host agrees that SA may engage Subprocessors to process Host Data on Host's behalf. The Subprocessors currently engaged by SA and authorized by Host are listed in Exhibit A.
  • 5.2 Subprocessor Obligations. SA shall: (i) enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Host Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause SA to breach any of its obligations under this DPA.
  • 5.3 The list of Subprocessors as of the Effective Date is at Exhibit A. SA shall provide an up-to-date list of the Subprocessors it has appointed upon written request from Host.
  • 5.4 SA shall give Host prior written notice of the appointment of any new Subprocessor. Host may object in writing to SA’s appointment of additional Subprocessors, provided that such objection is based on reasonable grounds relating to data protection. If, within five (5) business days of receipt of that notice, Host notifies SA in writing of any objections (on reasonable grounds) to the proposed appointment, SA shall not appoint that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Host and the Host has been provided with a reasonable written explanation of the steps taken. If Host and SA are not able to resolve the appointment of a Subprocessor within a reasonable period, Host shall have the right to terminate the Agreement (without prejudice to any fees incurred by Host prior to suspension or termination).

6. Security

  • 6.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights of data subjects, without prejudice to any other security standards agreed upon by the parties, SA shall implement and maintain appropriate technical and organizational security measures to protect Host Data from Security Incidents and to preserve the security and confidentiality of the Host Data, in accordance with SA’s security standards described in this DPA and at Section XI of SA’s Privacy Policy ("Security of Your Personal Data").
  • 6.2 Updates to Security Measures. Host is responsible for reviewing the information made available by SA relating to data security and making an independent determination as to whether the Services meet Host’s requirements and legal obligations under Data Protection Laws. Host acknowledges that the Security Measures are subject to technical progress and development and that SA may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
  • 6.3 Host Responsibilities. Notwithstanding the above, Host agrees that except as provided by this DPA, Host is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of User Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any User Data uploaded to the Services.
  • 6.4 Confidentiality of processing. SA shall ensure that any person who is authorized by SA to process Host Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
  • 6.5 Security Incident Response. Upon becoming aware of a Security Incident, SA shall notify Host without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Host.

7. Security

  • 7.1 Upon reasonable request, SA will verify its compliance with this DPA, provided that Host shall not exercise this right more than once per year.

8. International Transfers

  • 8.1 Data center locations. SA may transfer and process Host Data anywhere in the world where SA, its Affiliates or its Subprocessors maintain data processing operations. SA shall at all times provide an adequate level of protection for the Host Data collected, transferred, processed, or retained in accordance with the requirements of Data Protection Laws.
  • 8.2 Privacy Shield. SA will not process Host Data related to personal data of data subjects located in the EEA in a location outside of the EEA, except pursuant to the EU-US Privacy Shield, provided that SA obtains and maintains its certification under the EU-US Privacy Shield. SA will provide Host with reasonable prior written notice if it can no longer meet its obligations under the Privacy Shield or if it plans not to renew its certification, at which time, as the parties’ sole remedy, the parties will negotiate entry into an alternative data transfer solution, including entering into the European Commission Standard Contractual Clauses for Data Processors (2010/87/EU) or any replacement thereof. The foregoing will not entitle Host to any termination or cancellation right with respect to the Agreement.
  • 8.3 Changes in the Law. To the extent that Host or SA is relying on a specific statutory mechanism to normalize international data transfers (namely, Privacy Shield) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, SA and Host agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.

9. Return or Deletion of Data

  • 9.1 Upon termination or expiration of the Agreement, SA shall (at Host's election) delete or return to Host all Host Data (including copies) in its possession or control, save that this requirement shall not apply to the extent SA is required by applicable law to retain copies of some or all of the Host Data, or to Host Data it has archived on back-up systems, which Host Data SA shall securely isolate and protect from any further processing, except to the extent required by applicable law.

10. Cooperation

  • 10.1 The Services provide Hosts and Members with controls that Hosts and Members may use to retrieve, correct, delete or restrict Host Data, which Host may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Host is unable to independently access the relevant Host Data within the Services, SA shall (at Host's expense) provide reasonable cooperation to assist Host to respond to any requests from individuals or applicable data protection authorities relating to the processing of personal data under the Agreement. In the event that any such request is made directly to SA, SA shall not respond to such communication directly without Host's prior authorization, unless legally compelled to do so. If SA is required to respond to such a request, SA shall promptly notify Host and provide it with a copy of the request unless legally prohibited from doing so.
  • 10.2 If a law enforcement agency sends SA a demand for Host Data (for example, through a subpoena or court order), SA shall attempt to redirect the law enforcement agency to request that data directly from Host. As part of this effort, SA may provide Host’s basic contact information to the law enforcement agency. If compelled to disclose Host Data to a law enforcement agency, then SA shall give Host reasonable notice of the demand to allow Host to seek a protective order or other appropriate remedy unless SA is legally prohibited from doing so.
  • 10.3 To the extent SA is required under EU Data Protection Law, SA shall (at Host's expense) provide reasonably requested information regarding the Services to enable the Host to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

11. Changes in Data Protection Laws

  • 11.1 SA may modify or supplement this Addendum, with reasonable notice to the Host: (i) If required to do so by a supervisory authority or other government or regulatory entity; (ii) If necessary to comply with applicable law; (iii) To implement new or updated Standard Contractual Clauses approved by the European Commission; or (iv) To adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 GDPR.

Exhibit A

List of SaintsArk Subprocessors

The Subprocessors set out below provide cloud hosting and storage services; content delivery services; analytics; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.

| Subprocessor | Location | Function |
| --- | --- | --- |
| Facebook | California, USA | Allows sign-in, marketing |
| Google | California, USA | Delivers Android mobile app, notifications and analytics; tracks web and mobile traffic |
| Mailgun | California, USA | Content Delivery |
| Stripe | California, USA | Payment processing |