Data Processing Agreement

1. Introduction

‍

1.1 This Data Processing Agreement (“DPA”, “Terms”, or “Agreement”) pertain to Gameball’s Services which govern the use of Gameball’s Services by the Customer, between Gameball (“Gameball”, “Processor”, We, or us) and the subscribed Customer or Customer whether an individual or a legally formed entity (the “Customer” or “you” refers to party subscriber to the Services provided by Gameball). Gameball and Customer are collectively referred to as “Parties” If you are entering into this Agreement on behalf of Gameball or another legal entity you hereby represent that you have the authority to bind such entity to the terms of this Agreement, and Customer shall mean such entity. If you do not have such authority or you or such entity do not agree to this Agreement, you must not accept this Agreement and neither you nor such entity may use the services.

‍

1.2 These Terms constitute a legal agreement between You and Gameball which are made available at our website https://www.gameball.co/ (“Website”), (Website definition shall include for this Agreement, any of the mobile applications that are related and relevant to Gameball and/or any software solution of Gameball). If you use the Service, you represent that you can be bound by these Terms. You agree that you are not using the Service for any illegal purpose. And by using the Gameball Services, you agree to be bound by these Terms, and all conditions established by Gameball in connection with the Service. If you do not agree to the Terms in their entirety, you are not authorized to subscribe to any of the Gameball Services or use the Gameball solutions or products in any manner. You agree that we may send you communications regarding the Services, consistent with our Privacy Policy. We reserve the right to make changes to the Terms at any time. Your continued usage of the Gameball Services after any such modification and notification thereof shall constitute your consent to such modification.

‍

1.3 In this Agreement the Customer acts as a Data Controller and the Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.

‍

1.4 This Agreement seeks to implement data processing terms that comply with the requirements of the current legal framework concerning data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

‍

1.5 We update these terms from time to time according to enhancement and changes in data processing and protection we do to Gameball to serve you better. If you have an active Gameball subscription, we will let you know when we do via email (if you have subscribed to receive email notifications via the link in our General Terms)or via in-app notification.

‍

2. Definitions, Interpretation, and Mechanisms

‍

2.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

‍

• "Agreement" means this Data Processing Agreement and all Schedules;
• "Customer Personal Data" means any information relating to an identified or identifiable natural person. They include particularly all information making it possible to conclude your identity, for instance, your and your customer's name, telephone number, address, or e-mail address. Statistical data, which we collect for example when someone visits our website, do not fall under the meaning of personal data.;
• "Contracted Processor" means a Sub-processor;
• "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
• "EEA" means the European Economic Area;
• "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
• "GDPR" means EU General Data Protection Regulation 2016/679;
• "Data Transfer" means:

• a transfer of Customer Personal Data from the Customer to a Contracted Processor; or
• an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,
• in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
• "Services" means the loyalty and engagement services the Customer provides.
• "Sub-processor" means any person appointed by or on behalf of a Processor concerning Data on behalf of the Customer in connection with the Agreement.
  
  
• The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

‍

3. Data processing mechanism:

‍

3.1 Gameball is a SaaS solution for providing loyalty, referrals, and customer engagement solutions by integrating with the Client’s platform such as a mobile app, website, or retail POS, Gameball processes data that are sent by the Client’s platform based on the integration implemented between Client’s platform and Gameball to personalize the experience, reward customers, track their behavior, control program logic; which can include customer profile data like email, name, phone, etc. and behavioral data and events like orders, logins, page views, etc.; all based on the nature and data synced through APIs integration.

‍

4.Data protection measures:

‍

4.1 Gameball maintains up-to-date technical measures to ensure data security, privacy, and confidentiality during data transmissions and against cognizance by third parties. Gameball follows all best practices to maintain the solution's availability, integrity, and resiliency. These are amended in each case to reflect the current state of technology.

• Gameball is hosted on state-of-the-art servers within the AWS cloud multi-zone infrastructure.
• To add an additional layer of security to the Customer’s Gameball account, Gameball APIs are authenticated using API Keys. The provided API Keys are namely, API Key and Secret Key (also defined as transaction key). The API Key can be used for regular non-sensitive endpoints (creating a player for instance) while the Secret Key is used along with the API Key when performing sensitive operations. Sensitive API endpoints that require a Secret (transaction) key are:

• Order API
• Transactions APIs
• Batches APIs

4.2 API requests executed without authentication will fail; for more information (the Customer can check this technical documentation: developer.gameball.co/api-reference/authentication)

• Gameball performs monthly assessments to identify any vulnerabilities in its system, immediately applying security patches to our underlying infrastructure and software.
• All our logs are considered highly valuable sensitive records that have a permanent policy to protect against modification, deletion, and inappropriate access.
• Gameball maintains a publicly available system-status webpage that includes scheduled maintenance, service incident, and event history (which at any time the Client can check through this link: gameball.statuspage.io )where the Client can get updates on how Gameball systems are doing. If there are interruptions to service, the Gameball team will post a note on this page.
• Gameball has a tight release management process; any code changes must be presented via a pull request which is reviewed for ensuring code quality and secure code practices. This PR is deployed to a staging environment where it undergoes testing cycles by the QA team.
• Gameball uses Datadog as Gameball’s monitoring and logging platform for covering all monitoring requirements.
• Gameball uses tools like Snyk and Sonarqube to ensure secure code.
• As part of data encryption and hashing Gameball applies to secure data in transiting sensitive requests payloads are hashed using SHA1 and salt keys while being sent over HTTPs, At rest, sensitive data are encrypted while stored in the database.
• Gameball performs daily database backups with two weeks of retention to avoid any disastrous consequences of losing data.
• Gameball services run over container cluster served via load balancer to ensure availability

4.3 Gameball uses HTTP response status codes to indicate the success or failure of the Customer’s API requests. If the Customer’s request fails, Gameball returns an error using the appropriate status code.

4.4 Each party shall take appropriate technical and organizational measures to safeguard the confidentiality and integrity of the personal data and prevent unauthorized access or disclosure.

‍

‍

5. Duration of storage:

‍

5.1 Gameball’s Customers always have the right to erase their data and by default Gameball stores data only for as long as is necessary to fulfill contractual or statutory duties for which the data were collected. Gameball erases the data immediately afterward, unless the Parties agree to freeze the data in case of rejoining, or any other agreements, or still need this data until the expiry of the statutory period of limitation for purposes of evidence in civil claims or due to statutory duties of storage.

‍

‍

6. Processing of Customer Personal Data

‍

6.1 Processor shall:

6.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and

6.1.2 not Process Customer Personal Data other than on the relevant Customer’s documented instructions the Customer instructs Processor to process Customer Personal Data.

‍

‍

7. Processor Personnel

‍

7.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

‍

‍

8. Security

‍

8.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

8.2 In assessing the appropriate level of security, the Processor shall take into account, in particular, the risks that are presented by Processing, in particular from a Personal Data Breach.

9. Sub-processing

‍

9.1 You agree we may engage Sub-Processors to Process Personal Data on your behalf, and we do so in three ways. First, we may engage Sub-Processors to assist us with hosting and infrastructure. Second, we may engage with Sub-Processors to support product features and integrations. Third, we may engage with Gameball Affiliates as Sub-Processors for service and support. Some Sub-Processors will apply to you as default, and some Sub-Processors will apply only if you opt-in based on your agreement and plan. We have currently appointed, as sub-processors listed in Annex 1 to this DPA.

9.2 We will allow you to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination). 

9.3 Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

9.4 Due to the nature of our global business and our ongoing efforts to delight our customers, our business needs and services providers may change from time to time. For example, we may deprecate a service provider to consolidate and minimize our use of service providers. Similarly, we may add a service provider if we believe that doing so will enhance our ability to deliver our Subscription Service, we will notify you at least 30 days prior to any such change.

‍

10. Data Subject Rights

‍

10.1 Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

‍

10.2 Processor shall:

‍

10.2.1 promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

10.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Customer of that legal requirement before the Contracted Processor responds to the request.

‍

10.3 Each party shall cooperate with the other in responding to data subject requests and regulatory inquiries related to the processed data.

‍

‍

11. Personal Data Breach

‍

11.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

11.2 Processor shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

11.3 Any transfer of personal data between the parties shall be done under the DPA and applicable data protection laws. In the event of a data breach, the affected party shall immediately inform the other party and take all necessary actions to mitigate the impact of such breach.

‍

‍

12. Data Protection Impact Assessment and Prior Consultation

12.1 Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely concerning Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

‍

‍

13. Deletion or return of Customer Personal Data

‍

13.1 Subject to this section 13 Processor shall promptly and in any event within 10 business days from the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data.

13.2 The Processor shall provide written certification to Customer that it has fully complied with this section 13 within 10 business days of the Cessation Date.

‍

‍

14. Audit rights

‍

14.1 Subject to this section 14, upon the Customer’s request and the Processor’s written approval and sole discretion, the Customer can access the information necessary to demonstrate compliance with this Agreement.

14.2 Information and audit rights of the Customer only arise under section 14.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

‍

‍

15. Data Transfer

‍

15.1 The Processor may transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

‍

‍

16. General Terms

‍

16.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

• disclosure is required by law;
• The relevant information is already in the public domain.

‍

16.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by mail to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.

‍

16.3 Agreements. In case of signed Order Forms or Master Services Agreement, the purpose, scope, and duration of data processing shall be limited to what is necessary for fulfilling the obligations under this Agreement.

‍

‍

17. Governing Law and Jurisdiction

‍

17.1 This Agreement is governed by the laws of Delaware, United States of America.

17.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Delaware, subject to Delaware’s regulations.

‍

‍

18. Miscellaneous

‍

18.1 Unless explicitly stated otherwise in this Agreement, the failure of any Party to exercise any right or remedy under this Agreement shall not constitute a waiver of such right or remedy, and the waiver of any violation or breach of the Agreement by a Party shall not constitute a waiver of any prior or subsequent violation or breach.

18.2 Neither the performance by the Parties of their duties and obligations under this Agreement nor anything herein shall create or imply an agency relationship between the Parties, nor shall this Agreement be deemed to constitute a joint venture between the Parties.

18.3 If any provision of this Agreement is determined by a court or other competent authority to be invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability shall not affect the validity, legality or enforceability of any other provision of this Agreement.

18.4The Customer is obliged to comply with the applicable data protection laws when using the Gameball Services.

‍

19. Contact Information

‍

19.1 Gameball’s nominated Privacy Officer can be contacted at 2035 Sunset Lake Road, Suite B-2, the city of Newark, Delaware State, United States, or by email at: partner@gameball.co

19.2If you have any questions or concerns about Gameball’s Data Protection Terms or if you would like to make a complaint about a possible breach of local privacy laws, please do so by sending an email or submitting a request through the “Contact Us” form on our websites.