Data Processing Agreement
Date: January 20, 2021
The Swrve Service collects certain End User Personal Data regarding the behavior and usage patterns of End Users of Customer App(s). This DPA applies to the processing of End User Personal Data on the Swrve Platform (“Platform Personal Data”) pursuant to the Agreement and subject to Data Protection Laws. You are the controller of End User Personal Data. This DPA governs Swrve’s processing of Platform Personal Data on your behalf.
The documents identified as the “Agreement” in the Terms of Service between Customer and Swrve.
The employees, agents or contractors of Customer or, if permitted under the TOS, Customer’s affiliates, that have been issued with usernames and passwords by Customer, Customer’s affiliates or Swrve.
Means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
The person who, either alone or with others, determines the purpose and means of the processing of Personal Data.
The party identified as “Customer” or “you” in the Agreement.
Means Customer’s online and mobile application(s) using the Swrve Service.
Data Protection Laws
The data protection laws of the EEA, UK and the State of California, USA applicable to processing of Personal Data contemplated by this agreement including, without limitation, the European Union General Data Protection Regulation (“GDPR”), European Union Directive 2002/58/EC (the “EPrivacy Directive”), the UK Data Protection Act 2018, the California Consumer Privacy Act (“CCPA”) and all privacy, security, and data protection laws, rules, and regulations of the EEA, UK or the State of California, USA.
An identified or identifiable natural person about whom the Personal Data relates.
The European Economic Area.
Means an end user of Customer App(s).
Means any data relating to living individuals who are or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, our possession.
Personal Data Breach
Means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Platform Personal Data;
Platform Personal Data
End User Personal Data processed on the Swrve Platform.
- Processing and process: has the meaning given to that term in the GDPR.
- Processor: a person who processes Personal Data on behalf of the controller.
The standard contractual clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU attached at Schedule 4.
New Games Technologies Ltd (t/a Swrve New Media UK) or the party identified as “us” or “Swrve” in the Agreement.
Employees, agents and independent contractors of Swrve or of a Swrve affiliate.
Third Party Services
Means the applications and platforms of third parties that may be integrated at the direction of Customer using Swrve Amplify or otherwise.
Capitalised terms not defined in the DPA are as defined in the Agreement.
3. PLATFORM PERSONAL DATA
- 3.1 Customer may choose to operate the Swrve Platform so that (i) the minimum categories of Personal Data required to operate the Swrve Service are processed; or (ii) customize the Swrve Platform to Customer’s requirements and process additional categories of Personal Data. See Schedule 1 for a description of the minimum categories of Personal Data processed in using the Swrve Service.
- 3.2 If Customer intends to process any Personal Data through the Swrve Service other than as described in Schedule 1, Customer must provide Swrve with advance notice detailing the proposed additional processing (an “Additional Processing Notice”). This may be in the form of a notice attaching an amended Schedule 1 showing the additional Personal Data processed.
- 3.3 Customer is not permitted to use the Swrve Platform to process Sensitive Personal Information (as defined in the Terms of Service) without Swrve’s prior written agreement. Additional terms may apply to the processing of Sensitive Personal Information.
- 3.4 Customer must immediately notify Swrve if it is processing any of the categories of data referred to in clause 3.3. Swrve will review the Services and either:
i) require Customer to sign additional terms as a condition of continuing to process Sensitive Personal Information, or
ii) require Customer to delete the Sensitive Personal Information from the Swrve Service.
- 3.5 Swrve may provide notice of change to Schedule 1, or to the remainder of this DPA, where an update is required due to changes to the Swrve Platform or Swrve Service or changes required due to applicable Data Protection Laws, including their interpretation.
4. PROCESSING OF PERSONAL DATA
Swrve’s obligations as processor
- 4.1 As the processor with respect to Personal Data, Swrve acknowledges and agrees that:
- 4.1.1 Swrve must, and shall procure that its sub-processors shall, process Platform Personal Data only for the purposes of fulfilling its obligations under the Agreement and in accordance with relevant documented instructions from Customer (unless required to do so by a law to which Swrve is subject; in such a case Swrve shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest).
- 4.1.2 Customer agrees to provide Swrve with documented instructions relating to Personal Data under the Agreement. Where the Services are also to be provided to the Customer’s affiliates, Swrve can rely on the instructions provided by Customer as being the instructions of the controller. Swrve can rely on the instructions provided by Customer personnel or Customer representatives in relation to Platform Personal Data.
- 4.1.3 Swrve agrees to make reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR or equivalent obligations under Data Protection Laws taking into account the nature of the processing and the information available to Swrve.
- 4.1.4 Other than to the sub-processors listed at Schedule 2, Swrve will not disclose any Platform Personal Data to a third party, except at Customer’s specific request or where obliged to do so under any statutory or other legal requirement (in which case Swrve will use reasonable endeavors to advise Customer in advance of such disclosure and in any event immediately thereafter); and
- 4.1.5 Swrve will only transfer Platform Personal Data outside the European Economic Area (“EEA”), under the terms of clause 11.
Customer’s obligations as controller
- 4.2 In addition to Customer’s other responsibilities set out elsewhere in the Agreement, Customer acknowledges and agrees that Customer shall, at all times, comply with Customer’s obligations as controller and shall procure that Customer’s subcontractors or agents and all Authorised Users comply with their obligations under applicable Data Protection Laws in relation to Platform Personal Data processed on Customer’s behalf under this DPA.
- 4.3 Customer warrants, represents and undertakes, that:
- 4.3.1 All instructions given by it to Swrve in respect of Platform Personal Data shall at all times be in accordance with Data Protection Laws; and
- 4.3.2 Customer is satisfied that:
- (a) Swrve’s processing operations are suitable for the purposes for which Customer proposes to use the Swrve Platform and engage Swrve to process the Personal Data; and
- (b) Swrve has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
- 4.3.3 Customer shall not withhold, delay or condition Customer’s agreement to any reasonable change to this DPA requested by Swrve in order to enable the Services and Swrve (and each sub-processor) to comply with Data Protection Laws.
5. SECURITY MEASURES
- 5.1 Each party agrees to take appropriate and industry standard technical and organizational measures against unauthorized or unlawful access or processing of Platform Personal Data and against its accidental loss, destruction or damage, such as appropriate Swrve Platform and network access controls, intrusion detection and prevention, network segmentation and encryption.
- 5.2 Swrve shall, and shall procure that its sub-processors shall, take all reasonable steps to ensure that Platform Personal Data is processed in compliance with the obligations under Article 32 of the GDPR relating to security of processing.
6. PERSONAL DATA BREACH NOTIFICATIONS
- 6.1 Swrve will promptly notify Customer of any known or reasonably suspected breach of security leading to a Personal Data Breach.
- 6.2 In respect of any Personal Data Breach, Swrve will:
- 6.2.1 notify the Customer of the Personal Data Breach without undue delay; and
- 6.2.2 provide the Customer with such details as the Customer reasonably requires regarding:
- (a) the nature of the Personal Data Breach (including the categories and approximate numbers of data subjects and Personal Data records concerned);
- (b) any investigations into such Personal Data Breach;
- 6.2.3 the likely consequences of the Personal Data Breach; and
- 6.2.4 any measures taken, or that Swrve recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects, provided that, (without prejudice to the above obligations) if Swrve cannot provide all these details within the timeframes set out in this clause 6.2, it shall (before the end of such timeframes) provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.
- 6.3 Customer acknowledges and agrees that AWS, a sub-processor of Swrve, will only provide notification of Personal Data Breaches if AWS becomes aware of such breach “at Director level (compliance)” at which point AWS will inform Swrve “without undue delay”.
- 6.4 If a Personal Data Breach occurs Swrve shall:
- 6.4.1 take such reasonable steps and do all acts and things as the Customer reasonably requires in order to mitigate the effects of the Personal Data Breach; and
- 6.4.2 restore to the last available backup any Personal Data that has been lost, damaged or destroyed by the Personal Data Breach.
Swrve will make available to Customer all information necessary to demonstrate compliance with the data processing obligations laid down in this DPA including by allowing for and contributing to reasonable audits to determine Swrve’s compliance with its obligations under this DPA. These audits (of frequency of no more than once per year, except where there is reason to suspect a breach of the obligations may have occurred) may be conducted by Customer, auditors mandated by Customer, or public authorities in competent jurisdictions, subject to Customer and Customer’s auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations.
Swrve shall procure that the Customer is similarly entitled to conduct audits in respect to the Sub-processors save that in the specific case of the Sub-processor Amazon Web Services (AWS) there shall be no equivalent right of audit and inspection that includes a physical onsite inspection and instead AWS has obtained third party certifications and audits, and these certifications can be accessed directly by controller on request from AWS.
Swrve shall, and shall procure that its sub-processors shall, ensure that any persons to whom Swrve discloses Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.
9. TRANSFER OF PLATFORM PERSONAL DATA TO THIRD PARTY PROVIDERS
Sub-processors appointed by Swrve:
- 9.1 The Swrve Platform is provided on a software-as-a-service, hosted basis. As such, Swrve uses third party providers, affiliates and contractors to provide certain services, including hosting. These are listed at Schedule 2.
- 9.2 These sub-processors will have access to certain data, including relevant Platform Personal Data, however such sub-processors are only permitted to process Platform Personal Data, for the purposes of providing their specifically contracted services to Swrve.
- 9.3 Swrve will use commercially reasonable efforts to ensure that such sub-processors utilize reasonable industry recognized security measures to protect against loss, misuse and unauthorized viewing of the information Customer provides to Swrve.
10. PROCESSING OF PLATFORM PERSONAL DATA BY SUB-PROCESSORS OF SWRVE
- 10.1 Swrve may only authorise a sub-processor to process Platform Personal Data provided that Swrve has entered into a written agreement with such sub-processor on terms which are substantially the same as those set out in this DPA. Where a sub-processor fails to fulfil its data protection obligations, Swrve shall remain liable to Customer for the performance of the data protection obligations of the relevant sub-processor.
- 10.2 Customer provides a general authorisation to Swrve to engage the sub-processors as are appointed on the date this DPA comes into force as listed at Schedule 2.
- 10.3 Swrve will with thirty (30) days’ notice inform Customer of any intended change in the sub-processors list and Customer shall be entitled to make any objections thereto. If no objections have been received within ten (10) days, the proposed sub-processor shall be deemed accepted. If Customer does not agree to the sub-processor, the parties shall attempt to settle the disagreement and if the parties cannot agree on the use of a sub-processor, Swrve may terminate this agreement by providing written notice, such termination to take effect on the later of (i) the date on which Swrve will commence using the services of the relevant sub-processor in relation to the Swrve Platform provided to Customer or (ii) one (1) month after the date of Customer’s written notice.
11. TRANSFERS OF PLATFORM PERSONAL DATA OUTSIDE THE EEA:
- 11.1 Platform Personal Data may be transferred or stored outside the country where Customer or Customer’s Authorised Users are located in order to carry out the Swrve Service and our other obligations under the Agreement.
- 11.2 Some of the sub-processors listed at Schedule 2 provide their services from outside the EEA. Where this is the case, the adequacy mechanism is as described in Schedule 2. Where a Customer has requested that their Platform Personal Data be processed within the EEA, the data will be processed within the EEA. Customers must not subscribe to optional services that process data outside the EEA if they wish to process Platform Personal Data within the EEA.
- 11.3 Other than with respect to the transfer of Platform Personal Data to the sub-processors listed at Schedule 2, Swrve will only transfer Platform Personal Data outside the EEA on Customer’s specific request. Examples of why Customer may make such a request are transfers of such data to Customer or Customer’s affiliates, where Customer or Customer’s affiliate is based outside the EEA; a transfer to a third party outside of the EEA for further processing of the data; a specific request by Customer that Swrve use a third party hosting provider or where Customer opts to integrate with a Third Party Service outside of the EEA.
- 11.4 Customer agrees to enter into a SCC agreement with Swrve’s affiliates or contractors, relating to the provision of support services where reasonably required for the provision of the Swrve Service. In the event that the United Kingdom leaves the European Union and where the United Kingdom has not been deemed to provide an “adequate level of protection” for the protection of personal data as such term is understood under the GDPR, the SCCs shall apply to any transfers to the United Kingdom during the term of this Agreement from the date of such exit until such time as the United Kingdom obtains an adequacy determination or the SCC Agreement is superseded by another agreement between the parties. The SCC Agreement shall not apply to transfers to the United Kingdom where an adequacy determination is obtained by the United Kingdom.
- 11.5 All Customer requests to transfer Platform Personal Data outside the EEA, must be made to Swrve via email or in writing.
- 11.6 Where Customer opts to send Platform Personal Data to providers of Third Party Services, Customer agrees that providers of Third Party Services are not sub-processors of Swrve for data protection purposes and such providers are Customer’s directly-contracted data processors acting under Customer’s instructions.
- 11.7 In making a request for Swrve to transfer Platform Personal Data, subject to GDPR and related privacy regulations outside of the EEA, Customer confirms that there is “an adequate level of protection” in place for such transfer as such term is understood under GDPR.
- 11.8 The parties agree to cooperate where, due to changes in law or practice, an alternate data transfer mechanism is required to be put into operation to ensure an “adequate level of protection” is in place for transfer of data outside the EEA under GDPR.
12. SUBJECT ACCESS REQUESTS
- 12.1 Swrve will promptly assist Customer with all notices, requests or other enquiries relating to the data protection rights which may be received by Customer or Swrve, at Customer’s reasonable expense.
- 12.2 Swrve will not respond to any subject access request without the Customer’s prior written approval unless required to do so by law or direction of a relevant regulator.
13. RETURN OR DELETION OF PERSONAL DATA
Within 30 days of termination or expiry of the Agreement (or such other timeframe as specified in the Agreement), Swrve must and shall procure that its sub-processors shall:
- 13.1 Return all Platform Personal Data to Customer; or
- 13.2 Destroy all the Platform Personal Data, in a manner agreed to by Customer; at Customer’s election, unless a law binding on Swrve or its sub-processors prevents it from doing as requested or unless otherwise agreed in the Agreement (for example, where the Customer has requested Swrve continue to store Platform Personal Data in order to ensure compliance with a legal obligation).
14. CCPA TERMS – CALIFORNIA
- 14.1 This clause 14 will apply only with respect to Platform Personal Data that is subject to the protection of the CCPA.
- 14.2 Swrve shall not retain, use or disclose the Personal Data for any purpose (including a commercial purpose) other than to perform the services specified in the Agreement. All uses of the Personal Data by Swrve shall be at the direction of Customer and only as reasonably necessary to provide Customer the Services in furtherance of Customer’s business purposes. Without limiting the generality of the foregoing, Swrve is prohibited from selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, or in writing, or by electronic or other means Platform Personal Data in order to derive a commercial or other benefit to Swrve or to any third party (whether affiliated or not) directly or indirectly other than to receive monetary compensation from Customer in payment of the services, or as expressly permitted by this Agreement. Swrve hereby certifies that it understands the foregoing restrictions on the use of the Personal Data and shall comply with them.
- 14.3 Customer and Swrve agree that (i) any transfer of “Personal Information” (as defined under the CCPA) which occurs in connection with the Agreement does not constitute a “Sale” (as defined under the CCPA) of Personal Information under the CCPA; and (ii) Swrve and the sub-processors as listed at Schedule 2 are deemed to be “Service Providers” as defined by the CCPA.
15. ADDITIONAL MEASURES
Measures and assurances with respect to United States government intelligence activities (“Additional Measures”).
- 15.1 As of the date of this DPA, Swrve has not received any national security orders of the type described in Paragraphs 150-202 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.
- 15.2 No court has found Swrve to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- 15.3 Swrve will notify Customer if Swrve can no longer comply with the Standard Contractual Clauses or these Additional Measures, without being required to identify the specific provision with which it can no longer comply.
16. OBLIGATIONS INDEPENDENT OF OTHER PROVISIONS
The obligations contained in this DPA are without prejudice to Swrve's other obligations under this Agreement and apply notwithstanding any permitted use or disclosure of confidential information in this Agreement.
- 17.1 Subject to clauses 17.2 and 17.3, the costs of Swrve and its sub-processors to comply with their respective obligations as data processors under Data Protection Laws shall be borne by Swrve and its sub-processors to the extent compliance with such obligations is necessary for Swrve and/or its sub-processors’ compliance with applicable Data Protection Laws in their role as data processors.
- 17.2 Notwithstanding clause 17.1, if Customer requests Swrve to take on compliance activities which go beyond the activities that Swrve is required to do as a processor under applicable Data Protection Laws, Swrve shall be entitled to its reasonable costs and the above shall be notified to Swrve and agreed pursuant to an SOW.
- 17.3 Should changes to applicable Data Protection Laws, including the interpretation thereof, entail increased costs for Swrve or its sub-processors, Swrve may, subject to providing written notice to Customer, increase the rates charged to Customer to reflect the increased costs. The increase to Customer should be fair and reasonable and should be proportional to what other similar customers are being asked to pay.
18. WARRANTY AND SWRVE LIABILITY
- 18.1 In using the Swrve Platform to process Platform Personal Data, Customer warrants and represents, that Customer’s collection and processing of Platform Personal Data does not breach the rights of any person or entity, including rights of publicity, privacy or under applicable Data Protection Laws, that Customer is entitled to transfer the relevant Platform Personal Data to Swrve, and that Swrve is entitled to transfer Platform Personal Data to its sub-processors and all third party providers (as directed) so that they each respectively may lawfully use, process and transfer such Platform Personal Data in accordance with this DPA and the Agreement.
- 18.2 The liability of Swrve relating to Platform Personal Data processed in connection with the Swrve Service is limited to direct losses related to:
- 18.2.1 any breach by Swrve of any of its Personal Data obligations under this DPA; or
- 18.2.2 Swrve (or any person acting on its behalf) acting outside or contrary to the lawful processing Instructions of the Customer in respect of the processing of Platform Personal Data.
- 18.3 To the fullest extent permitted by applicable law, in no event will Swrve’s aggregate liability to Customer or anyone claiming by or through Customer, arising out of or in connection with this DPA for any damages, losses, claims and/or causes of actions, whether in contract, tort (including negligence, product liability or other theory) warranty or otherwise, exceed the fees actually paid to Swrve by Customer in respect of the Swrve Service for the previous twelve (12) months.
- 19.1 The parties agree that this DPA shall replace any existing data protection terms the parties may have previously entered into in connection with the Swrve Service relating to Platform Personal Data.
- 19.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
Schedule 1 – Details of the Processing
- 1. The subject matter of the processing is: communications and interactions between Customers, Customer App(s) and End Users that are processed through the Services.
- 2. The duration of the processing is: The below details how we store Platform Personal Data and for how long that Platform Personal Data is maintained within the Platform. Note that these retention policies apply to Customer Apps that are being actively processed by Swrve during the term of the Agreement. Our retention policies that apply on termination of the Agreement are detailed in clause
- Event Log Data:
Swrve records all events received from Customer App(s) in our event warehouse. Swrve retains all event log data for a period of 1 year. After this point, event log data will expire.
- KPI and Report Metrics Data:
All KPI data and metrics for reports are retained for a period of 15 months. This does not contain any End User Personal Data.
- End User Data:
End User Data (the live record of a user and their associated properties and state used for targeting and segmentation) is maintained for a period of 1 year after the last activity of the End User. An activity is any event received for that End User. If an End User is entirely inactive for more than 1 year that End User is removed from our active targeting system. If the End User subsequently sends an event, the End User is deemed to be new and is allocated a new ID.
- User DB Export Data:
Swrve builds a full database of all Customer’s End Users on a regular or on-demand basis. These exports are made available to Customer in a number of formats, through our UserDB, export API and via download links in the dashboard. Swrve does not provide historical snapshot access to these database exports.
- 3. Nature and purpose of the processing is: processing of events and End User actions from the Customer’s App(s); segmentation of End Users into message audiences; provision of personalized and localized “push” messages to devices; provision of personalized and localized graphical and interactive messaging to devices; delivery of data based on End User actions to other Customer systems and Third Party Services; and anonymising Personal Data to analyse for optimum delivery method and time for messages.
- 4. The type of Personal Data is:
Identifying devices and End Users in Swrve
Screen parameters, used to decide what graphic rendering to send to End Users
swrve.android_device_xdpi swrve.android_device_ydpi swrve.device_dpi swrve.device_height swrve.device_name swrve.device_width
Data acquired to configure push messages and their display
swrve.can_receive_authenticated_push swrve.gcm_token swrve.ios_token swrve.support_rich_attachment swrve.support_rich_buttons swrve.support_rich_gif swrve.support.rich_gif
Permissions status of device to ensure conformance to End User choices
swrve.permission.android.location.background swrve.permission.android.location.fine Swrve.permission.ios.camera Swrve.permission.ios.contacts Swrve.permission.ios.location.always Swrve.permission.ios.location.when_in_use Swrve.permission.ios.photos Swrve.permission.ios.push_bg_refresh Swrve.permission.ios.push_notifications swrve.permission.notifications_enabled swrve.permission.notifications_importance swrve.permission.web.push_notifications
Data used for localization of languages and timezone to establish correct scheduling of messages
swrve.sim_operator.code swrve.sim_operator.iso_country_code swrve.sim_operator.name swrve.timezone_name swrve.utc_offset_seconds swrve.language swrve.device_region
Items used for internal accounting for capabilities of devices and in-app purchases
swrve.app_store swrve.browser_name swrve.browser_version swrve.conversation_version swrve.device_name swrve.install_date swrve.ios_min_version swrve.os swrve.os_version swrve.sdk_flavour swrve.sdk_init_mode swrve.sdk_version
Geoplace detection related properties – Customers that have enabled Geoplace detection only
swrve.geo_config.android.fg_notification_enabled swrve.geo_config.android.max_display_window_enabled swrve.geo_config.android.post_prompt_enabled swrve.geo_config.android.pre_prompt_enabled swrve.geo_config.custom_filter_enabled swrve.geo_provider_version swrve.geo_sdk_version swrve.geo_state swrve.setting.android.location.ble_scan_enabled swrve.setting.android.location.wifi_scan_enabled swrve.setting.location.service_enabled
Additional Customer-provided Personal Data as described in the Customer’s Additional Processing document.
- 5. The categories of Data Subjects are: End Users.
- 6. The obligations and rights of the controller are as detailed in this DPA.
Schedule 2 – Sub-processor List
| # | Name | Purpose | Relevant Customers | Location | Adequacy Mechanism |
|---|---|---|---|---|---|
| 1. | AWS | Hosting | All Customers | EEA or United States other than those that have requested EEA processing. | SCC Agreement |
| 4. | Swrve Ireland Affiliate | Support Services | All Customers | Ireland | N/A |
| 5. | Swrve UK Affiliate | Support Services | All Customers | UK | SCC Agreement (as required) |
| 6. | Swrve US Affiliate | Support Services | | USA | SCC Agreement |
| 7. | Swrve Contractors | Support Services | All Customers | EEA | N/A |
Schedule 3 – Technical and Organisational Measures
The Swrve Platform uses cloud deployment, with regular backups, DDoS mitigation and machine level redundancy to maximise availability of the service. Real-time metrics provide the basis for instant alerting to an on-call operations team if issues arise. Our development process includes rigorous testing to minimize the number of potential defects.
Swrve deploys host- and network-based intrusion detection systems to quickly spot and remediate anomalies. The Swrve Service is hosted in a virtual private cloud, accessible through VPN only. Customer’s User Data are logically separated. Only Swrve staff that are operating the live service are permitted access to the production systems, and all access is logged.
All data sent to the Swrve Service is encrypted by default. Platform Personal Data are kept in encrypted storage. Only Swrve staff that are operating the live service are permitted access to the production systems, and all accesses are logged.
Processing details are provided to the controller as part of a Data Processing Agreement. The result of processing may be observed in the Swrve Service dashboard.
We will provide a DPO contact address and a support portal email@example.com as entry points for the registration of Subject Access Requests.
Data portability is implemented by the use of well-known data structures that are both human and machine legible (CSV files).
Access to the Swrve Service production system is logged, with monitoring including the nature of access, time information and the relevant Swrve staff member.
Data retention and deletion
Platform Personal Data will be stored while the End User is active on the Customer App. All event data from the Customer App is stored for 3 years by default or until the end of the period the Customer can request return or deletion of the Platform Personal Data at the termination of the Agreement. If the Customer App is deleted by an End User, the event data, including Platform Personal Data, is deleted at the next deletion event, which occurs once per quarter.
Physical security of the datacentre is provided by Amazon Web Services and is detailed in their whitepaper here: https://aws.amazon.com/whitepapers/overview-of-security-processes/
Schedule 4 – SCC Agreement
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation: Customer name as detailed in the Commercial Terms.
Address: Customer address as detailed in the Commercial Terms
Tel.: Customer contact information as detailed in the Commercial Terms
(the data exporter)
Data importer 1: Swrve New Media Inc.
Address: 703 Market St, 13th Floor, San Francisco, CA 94103, USA
Other information needed to identify the organisation: N/A
Data Importer 2: New Game Technologies t/a Swrve New Media UK
Address: Suite 10.16, Working From _ Southwark, 70 Colombo Street, South Bank, London, SE18DP, UK
Other information needed to identify the organisation: N/A
(each a data importer, together the data importers)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
- (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- (b) 'the data exporter' means the controller who transfers the personal data;
- (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- 1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- 2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- 3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- 4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
- (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
- (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- (e) that it will ensure compliance with the security measures;
- (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- (j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer 1
The data importer agrees and warrants:
- (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- (d) that it will promptly notify the data exporter about:
- (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- (ii) any accidental or unauthorised access, and
- (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
- (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
- (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
- 1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- 2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- 3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- 1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- 2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- 3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- 1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses 2. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
- 2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- 3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- 4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
2. This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.
Obligation after the termination of personal data processing services
- 1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- 2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Signature: Deemed signed upon Customer signature of the Agreement or the Commercial Terms unless Customer has requested only EEA-based processing of Platform Personal Data.
On behalf of data importer 1 and data importer 2
Signature: Deemed signed upon Swrve signature of the Agreement or the Commercial Terms unless Customer has requested only EEA-based processing of Platform Personal Data.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is engaged in activities relating to sale of their services.
The data importer is engaged in activities relating to marketing campaign management and communications for the data exporter.
The personal data transferred concerns the following categories of data subjects (please specify):
- End Users
Categories of data
The personal data transferred concern the following categories of data (please specify):
- See Schedule 1 to the DPA
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
None, unless specified in an Additional Processing Document.
The personal data transferred will be subject to the following basic processing activities (please specify):
- The provision of support services relating to Customer’s use of the Swrve Service and Swrve Platform
Signature: Deemed signed upon Customer signature of the Agreement or the Commercial Terms unless Customer has requested only EEA-based processing of Platform Personal Data.
On behalf of the data importer 1 and data importer 2:
Signature: Deemed signed upon Swrve signature of the Agreement or the Commercial Terms unless Customer has requested only EEA-ba