Data Processing Agreement (DPA)
Processing personal data in a secure, fair, and transparent way is extremely important to us at Equals One Ventures, the company of the creators of Howuku. To better protect individuals’ personal data, we are providing this agreement to govern Equals One Ventures’s and your handling of personal data (the “Data Processing Agreement” or “DPA”).
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA
- “You” or “Customer” refers to the company or organization that signs up to use the Equals One Ventures Service to analyse the online behavior of your website’s visitors or your app’s users;
- In the course of providing the Howuku (“Service”) to Customer pursuant to the Agreement, Equals One Ventures may process personal data on behalf of Customer.
- In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction;
- “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
- The parties agree that Customer is the data controller and that Equals One Ventures is its data processor in relation to personal data that is processed in the course of providing the Service.
Processing of Customer Personal Data
- Depending on how the controller chooses to use the Service, the subject matter of processing of personal data may cover the following types/categories of data:
- IP address (by default the IP address is stored anonymized)
- City, Region, Country, Longitude/Latitude (Latitude and Longitude are often near the center of population. These values are not precise and cannot be used to identify a particular address or household.)
- Browser, Browser version, Device type, Operating system, the User-Agent
- Date, time, timezone
- Pages visited (Page URLs and Page Titles)
- Screens visited
- Referrer URL
- Marketing campaign URL parameters
- Files clicked and downloaded
- Links to an outside domain that were clicked
- Screen resolution
- Session recording storing the HTML page, and all mouse events (movements, scrolls, locations and clicks), and keypresses
- Search terms used on your internal mobile’s and web properties’ search engine
- Custom dimensions and custom variables (any personal or non personal data the controller wishes to process)
- Custom events
- Content pieces
- User ID
- Ecommerce Order ID, Order Date
- Ecommerce Abandoned carts
- Media titles and URLs
- Participation in A/B tests
- The group of data subjects affected by the processing of their personal data under this Agreement includes end-users of the Controller’s websites and apps which make use of the Service provided by the Processor.
Processor’s obligations with respect to the controller
- Equals One Ventures will process Customer Personal Data only in accordance with Instructions from Customer through the settings of the Service, i.e. (a) to operate, maintain and support the infrastructure used to provide the Service; (b) to comply with Customer’s instructions and processing instructions in their use, management and administration of the Service; (c) as otherwise instructed through settings of the Service. Equals One Ventures will only process Customer Personal Data in accordance with the Agreement.
- Equals One Ventures shall notify Customer without undue delay if, in Equals One Ventures’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
- Equals One Ventures shall guarantee the confidentiality of personal data processed hereunder.
- Equals One Ventures shall ensure that all Equals One Ventures personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Agreement.
- Equals One Ventures shall implement and maintain appropriate technical and organisational security measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
- If Equals One Ventures becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by Equals One Ventures in the course of providing the Service (an “Incident”), it shall without undue delay (not later than 48 hours after having become aware of it), notify Customer by email notification and provide Customer with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer content. Equals One Ventures shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
- Equals One Ventures shall not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the Controller and in accordance to the data retention rules associated to the Controller subscription plan.
- Upon termination of your account, Equals One Ventures shall delete Customer data within 30 days in accordance with our standard backup and retention policy per the Terms of Service.
- Equals One Ventures has designated a representative within the European Union who can be contacted by email [email protected]
Customer undertakings and Equals One Ventures’s assistance
- Customer warrants that it has all necessary rights to provide to Equals One Ventures the personal data for processing in connection with the provision of the Equals One Ventures Services.
- Customer shall comply at all times with Data Protection Legislations in respect of all personal data it provided to Equals One Ventures pursuant to the Agreement.
- Customer understands, as a controller, that it is responsible (as between customer and Equals One Ventures) for:
- determining the lawfulness of any processing, performing any required data protection impact assessments, and accounting to regulators and individuals, as may be needed;
- making reasonable efforts to verify parental consent when data is collected on a data subject under 16 years of age;
- providing relevant privacy notices to data subjects as may be required in your jurisdiction, including notice of their rights and provide the mechanisms for individuals to exercise those rights;
- responding to requests from individuals about their data and the processing of the same, including requests to have personal data altered or erased, and providing copies of the actual data processed;
- implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA;
- notifying individuals and any relevant regulators or authorities of any incident as may be required by law in your jurisdiction.
- Equals One Ventures shall assist the customer by implementing appropriate technical and organizational measures, insofar as this is reasonably and commercially possible (in Equals One Ventures’s sole determination and discretion), in fulfilling customer’s obligations to respond to individuals’ requests to exercise rights under the GDPR.
- Equals One Ventures shall make available to the customer information reasonably necessary to demonstrate compliance with Equals One Ventures’s obligations under this DPA. Such audit shall consist solely of: (i) the provision by Equals One Ventures of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Equals One Ventures’s IT personnel. Such audit may be carried out by Customer or a national privacy supervisory authority composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality (such as the ICO or the CNIL). For the avoidance of doubt no access to any part of Equals One Ventures’s IT system, data hosting sites or centers, or infrastructure will be permitted.
Liability and Indemnity
- Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.
Duration and Termination
- This DPA shall come into effect on May 25, 2018 and shall continue until it is changed or terminated in accordance with the Howuku Terms of Service.
- Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.
Email: [email protected]
Contact form: howuku.org/contact