Legal
GLOBAL DATA PROCESSING ADDENDUM
Where referenced by an applicable product or services agreement, statement of work, memorandum of understanding or attachment or other applicable additional terms (the “Agreement”) entered into between you and Glui Inc. (“Glui”) (collectively, the “Parties”), this Data Processing Addendum (“DPA”), including its Schedules, forms a part of and is incorporated by reference into the Agreement and sets forth the terms and conditions relating to compliance with Privacy Laws (as defined below) in connection with the products and services rendered by Glui to you pursuant to the Agreement. In the event of a conflict between the terms of the Agreement as they relate to the Processing (as defined below) of Personal Data (as defined below) and this DPA, the DPA shall prevail. Capitalized terms not specifically defined herein shall have the meaning set forth elsewhere in the Agreement.
If you are accessing or using the Glui service or products on behalf of an organization (e.g., your employer or other entity), you are agreeing to this DPA for that organization (in which event, “you” and “your” will refer to that organization).
The Parties agree as follows:
1. Definitions.
1.1. “Data Subject” means an identified or identifiable natural person to which the Personal Data pertains.
1.2. “European Data Protection Laws” means, collectively, all applicable European Union (“EU”) or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and EU Member State laws supplementing the GDPR; the GDPR as incorporated into United Kingdom (“UK”) law (the “UK GDPR”) and the Data Protection Act 2018; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications.
1.3. “Instructions” means this DPA, including Attachment 1 hereto, and any further documentation through which you instruct Glui to perform specific Processing of Personal Data.
1.4. “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, that may be Processed by Glui in connection with the performance of the Agreement.
1.5. “Privacy Laws” means, collectively, European Data Protection Laws; the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), Cal. Civil Code § 1798.100 et seq., and its implementing regulations, including any amendments thereto (collectively, the “CCPA/CPRA”); the Colorado Privacy Act, C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments thereto (the “CPA”); Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto (the “CTDPA”); the Utah Consumer Privacy Act, Utah Code § 13-61-101 et seq. (SB 0227), including any implementing regulations and amendments thereto (the “UCPA”); the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq. (SB 1392), including any implementing regulations and amendments thereto (the “VCDPA”); and any similar U.S. state laws.
1.6. “Process” (and its derivatives) means any operation or set of operations performed, whether or not by automated means, on Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.
1.7. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.8. “Security Measures” means technical and organizational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against Information Security Incidents, including measures to ensure the confidentiality of Personal Data.
1.9. “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration.
1.10. “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing or by electronic or other means, Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
1.11. “Standard Contractual Clauses” means the EU Standard Contractual Clauses for Controller to Processor data transfers and the UK Addendum to the EU Standard Contractual Clauses 3.
1.12. “Sub-Processor” means the entity engaged by Glui or any further Sub-Processor to Process Personal Data on your behalf and under your authority.
1.13. The terms “Aggregate,” “Business,” “Business Purpose,” “Controller,” “De-identify,” “Processor,” and “Service Provider” shall have the meanings ascribed to them in applicable Privacy Laws.
2. Roles and Responsibilities of the Parties.
2.1. The Parties acknowledge and agree that (1) you are acting as a Controller and have the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data, and Glui is acting as a Processor and Service Provider with respect to Personal Data; and (2) the Personal Data that you disclose to Glui is provided to Glui for limited and specified Business Purposes.
2.2. You represent and warrant that you have complied in all material respects with Privacy Laws in relation to all Personal Data disclosed to Glui or otherwise Processed by Glui on your behalf in connection with the products and services. You acknowledge and agree that, in connection with your use of the products and services, you are solely responsible for complying with Privacy Laws and other applicable laws, including without limitation (i) ensuring the accuracy, quality and legality of Personal Data, and (ii) providing any notices and obtaining any consents necessary to enable Glui to Process Personal Data pursuant to the Agreement and this DPA. You shall ensure that the instructions you provide to Glui in relation to the Processing of Personal Data do not (i) violate Privacy Laws or any other applicable laws, or (ii) put Glui in breach of its obligations under applicable law. You acknowledge and agree that your use of the products and services will not violate the rights of any Data Subject.
3. Obligations of Glui
3.1. Subject to applicable Privacy Laws, Glui shall Process Personal Data only on behalf of and in accordance with your instructions, unless otherwise required by applicable law, in which case Glui shall inform you of that legal requirement before Processing the Personal Data, unless informing you is prohibited by law on important grounds of public interest. Glui shall immediately inform you if, in Glui’s opinion, an Instruction infringes applicable Privacy Laws.
3.2. Except as described in Section 3.8 below, Glui shall not (1) Sell or Share Personal Data, (2) retain, use or disclose Personal Data (i) for any purpose other than for the Business Purposes specified in the Agreement, or (ii) outside of the direct business relationship between you and Glui, or (3) combine Personal Data received pursuant to the Agreement with Personal Data received from or on behalf of another person(s), or collected from Glui’s own interaction with individuals, unless permitted by applicable Privacy Laws. Glui certifies that it understands and will comply with the requirements and restrictions set forth in this Section 3.2. For the avoidance of doubt, Glui may, as part of providing the products and services, De-identify or Aggregate Personal Data in accordance with the standards for such activity set forth in applicable Privacy Laws.
3.3. Glui shall comply with relevant obligations as a Service Provider and Processor under applicable Privacy Laws and provide the level of privacy protection for Personal Data as is required by applicable Privacy Laws. To the extent required by applicable Privacy Laws, Glui shall notify you if Glui makes a determination that it can no longer meet its obligations under this DPA or applicable Privacy Laws.
3.4. Glui shall ensure that any person authorized by Glui to Process Personal Data in the context of the products and services is subject to a duly enforceable contractual or statutory confidentiality obligation.
3.5. Taking into account the nature of the Processing of Personal Data, Glui shall reasonably assist you in fulfilling your obligations to respond to a Data Subject’s request.
3.6. Glui shall provide commercially reasonable assistance to you in complying with your obligations under Privacy Laws, in particular your obligation, as applicable, to implement appropriate Security Measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority.
3.7. To the extent permitted by applicable Privacy Laws, you may (1) take reasonable and appropriate steps to ensure that Glui uses Personal Data in a manner consistent with your obligations under applicable Privacy Laws; and (2) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
3.8. To the extent permitted by applicable Privacy Laws, Glui may retain, use, or disclose Personal Data obtained in the course of providing the products and services: (1) to retain and employ another Service Provider as a Sub-Processor, where the Sub-Processor meets the requirements for a Service Provider under applicable Privacy Laws; (2) for internal use by Glui to build or improve the quality of its products and services, provided that the use does not include building or modifying household or consumer profiles to use in providing products and services to another business, or correcting or augmenting data acquired from another source; (3) to detect data security incidents, or protect against fraudulent or illegal activity; (4) to comply with federal, state, or local laws; (5) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that Glui reasonably and in good faith believes may violate federal, state, or local law; or (7) to exercise or defend legal claims.
4. Data Transfers
4.1. To the extent Personal Data is subject to European Data Protection Laws, the Parties agree to comply with the Standard Contractual Clauses.
5. Sub-Processing
5.1. You consent to Glui engaging Sub-Processors for the Processing of Personal Data in accordance with the Agreement and this DPA. Glui shall ensure that Sub-Processors are bound by written agreements that impose obligations on the Sub-Processors that are the same in all material respects as those imposed on Glui under this DPA. A list of Glui’s Sub-Processors is available upon request. Glui shall provide you with at least ten (10) days’ notice of the appointment of a new Sub-Processor and, to the extent required by applicable Privacy Law, give you an opportunity to object before Personal Data is provided to the Sub-Processor. If you do not object to the appointment of such Sub-Processor on reasonable grounds within ten (10) days of notification, the appointment will be deemed accepted.
6. Data Security
6.1. Glui shall implement appropriate Security Measures to protect Personal Data.
6.2. At your direction, Glui will delete or return Personal Data at the end of the provision of products and services, unless retention of the Personal Data is required by applicable Privacy Laws.
7. Data Breach Notification
7.1. Glui shall promptly inform you of any Security Incident of which Glui becomes aware and shall reasonably cooperate with you in all reasonable and lawful efforts to prevent, mitigate or rectify such Security Incident. Glui shall provide such assistance as reasonably required to enable you to satisfy your obligations under applicable Privacy Laws.
8. Audit
8.1. Glui shall make available to you information in Glui’s possession reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum, provided Glui shall have no obligation to provide commercially confidential information.
8.2. To the extent required by applicable Privacy Laws, at no cost to Glui and no more than once per calendar year, Glui shall allow for and contribute to a reasonable inspection conducted by you (or another independent auditor mandated by you, approved by Glui, and subject to appropriate statutory or contractual confidentiality obligations). You shall provide Glui at least 60 days’ prior written notice of its intention to carry out any such inspection. Such an inspection shall take place at a time mutually agreed upon by the Parties during normal working hours and on business days, and such inspection shall not unreasonably interfere with the normal conduct of Glui’s business. The scope of any such inspection, including timing, proportionality and conditions of confidentiality, shall be mutually agreed upon by the Parties prior to initiation. In lieu of the foregoing inspection, at Glui’s sole discretion and expense, Glui may arrange for a reasonable assessment, by a qualified independent assessor of Glui’s choosing, of Glui’s policies and technical and organizational measures in support of relevant obligations under this DPA and applicable Privacy Laws, and, in such event. Glui shall provide a report of such assessment to you.
9. Liability
9.1. Neither Party’s total liability to the other party under this DPA shall exceed the amount paid by you to Glui under the Agreement during the 12 months prior to the date the cause of action arose.
Attachment 1
Scope of the Personal Data Processing
This Attachment forms part of the Data Processing Addendum (“DPA”) between you and Glui.
Nature and Duration of the Processing of Personal Data:
Glui Processes Personal Data for the purpose of providing the Glui products and services, including advertising campaigns on behalf of brands, agencies, publishers and others (each a “Partner” and collectively, “Partners”). The provision of products and services by Glui to Partners includes providing access to Personal Data provided by users.
The duration of the Processing is for the length of the Agreement.
The Processing concerns the following categories of Personal Data:
Personal Data may include transaction/sales data, online behavioral data (clicks, downloads, views), or other consented first party user Personal Data entered by users into Glui enabled advertisements, including but not limited to first name, last name, email address, telephone number, delivery address, transaction details, donation amounts, and ticketing requests.
Glui shall Process Personal Data for the following purposes, in accordance with the Agreement:
Glui uses this Personal Data to create and deliver reports, assess the effectiveness of campaign performance, including attribution and analytics, and transfer the Personal Data related to a specific advertising campaign to the Partner for which the campaign was created either through a direct connection with the Partner’s CRM, encrypted file or other secure delivery method, as set forth in the Agreement.