.svg){kind=logo}
This Data Processing Agreement ("DPA") forms part of the Terms of Service available at www.joinsocialcard.com/terms or, if applicable, any other separate written agreement (the "Agreement" or "Services Agreement"), by and between Social Card, LLC, a Delaware LLC ("Social Card") and the Customer named in the Agreement, pursuant to which Customer has purchased a subscription to access and use the Service (as defined in the Agreement). The parties intend this DPA to be an extension of the Agreement that outlines certain requirements for Social Card's processing of personal data provided or made available by Customer, or collected or otherwise obtained by Social Card, in the course of providing services to Customer.
1.1. "GDPR" means the General Data Protection Regulation (EU) 2016/679.
1.2. "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR.
1.3. "Processing" means any operation or set of operations performed on Personal Data as defined in Article 4 of the GDPR.
1.4. "Sub-processor" means any third party appointed by Social Card to process Personal Data on behalf of the Controller.
1.5. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission.
1.6. "UK GDPR" means the GDPR as amended and incorporated into UK law under the UK’s European Union (Withdrawal) Act 2018, and the UK Data Protection Act 2018.
2.1. This DPA applies to the processing of Personal Data by Social Card on behalf of the Customer in the course of providing the services under the Agreement.
2.2. The subject matter, nature, and purpose of the processing, the types of Personal Data, and categories of data subjects are described in Appendix 1 to this DPA.
3.1. Social Card shall process Personal Data in accordance with the functionalities and settings provided by the Service, which are configured by the Controller (the admin or user), unless required to do so by Union or Member State law.
3.2. Social Card shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Social Card shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to measures described in Appendix 2.
3.4. Social Card shall assist the Controller in ensuring compliance with the Controller's obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Social Card.
3.5. Social Card shall, at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
3.6. Social Card shall maintain documentation of its data processing activities and security measures and shall make this information available to the Controller upon request to demonstrate compliance with this DPA. Social Card shall cooperate with audits and inspections conducted by the Controller or another auditor mandated by the Controller, provided such audits are reasonable and do not disproportionately disrupt Social Card's business operations.
4.1. The Controller authorizes the use of Sub-processors by Social Card.
4.2. Social Card shall maintain an up-to-date list of its Sub-processors, which shall be made available to the Controller upon request or accessible at www.joinsocialcard.com/subprocessors. Social Card will notify the Controller of any intended changes concerning the addition or replacement of Sub-processors by updating this list at least 30 days prior to any such changes. The Controller may object to such changes within 30 days of the update. If the Controller objects to a new Sub-processor, Social Card will work with the Controller in good faith to address the Controller's reasonable concerns. If the Controller cannot reach an agreement with Social Card, the Controller may terminate the Agreement by providing written notice to Social Card.
4.3. Social Card shall impose on any Sub-processor the same data protection obligations as set out in this DPA by way of a contract or other legal act.
5.1. Taking into account the nature of the processing, Social Card shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.
6.1. Social Card shall not transfer Personal Data to a third country or international organization without the Controller's prior written consent, unless such transfer is required by Union or Member State law.
6.2. In the event of such transfers, Social Card shall ensure that the transfer is carried out in compliance with the GDPR, including, where applicable, by entering into Standard Contractual Clauses.
7.1. Social Card shall notify the Controller without undue delay after becoming aware of a Personal Data breach.
7.2. Such notification shall include a detailed description of the breach, the type of data involved, and the measures being taken to address and mitigate the breach.
8.1. This DPA shall remain in effect for the duration of the Agreement between the parties, unless terminated in accordance with its terms.
8.2. Upon termination of this DPA for any reason, Social Card shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, unless Union or Member State law requires the storage of such data.
1. Policies and Procedures:
2. Access Control:
3. Data Encryption:
4. Network Security:
5. Incident Response:
6. Data Minimization and Retention: