{"id":77496,"date":"2024-05-13T16:34:30","date_gmt":"2024-05-13T22:34:30","guid":{"rendered":"https:\/\/inmoment.com\/?page_id=77496"},"modified":"2024-05-13T16:34:33","modified_gmt":"2024-05-13T22:34:33","slug":"dpa","status":"publish","type":"page","link":"https:\/\/inmoment.com\/dpa\/","title":{"rendered":"Data Processing Agreement"},"content":{"rendered":"\n

This Data Processing Agreement (\u201cDPA\u201d) is between your company (\u201cClient\u201d or \u201cController\u201d) and the Pearl-Plaza company (\u201cPearl-Plaza\u201d, \u201cService Provider\u201d, or \u201cProcessor\u201d) identified in the Agreement. This DPA applies to the Processing of Personal Data by Pearl-Plaza while providing Services to the Client as outlined in the Agreement. <\/p>\n\n\n\n

1. Definitions<\/strong><\/p>\n\n\n\n

All capitalized terms not defined below will have the meanings given to them in the Agreement. <\/p>\n\n\n\n

\n

a. \u201cAgreement\u201d means the master agreement, order form, statement of work, or schedule pursuant to which Pearl-Plaza provides and the Client uses the Services.<\/p>\n\n\n\n

b. \u201cData Protection Laws\u201d means the applicable privacy and data protection laws, rules, and regulations.<\/p>\n\n\n\n

c. \u201cPersonal Data\u201d is given the meaning under the Data Protection Laws relating to this term or any similar term including personal information or personally identifiable information. If no laws apply, then Personal Data means any information that by itself or when combined with other information can be used to identify a specific natural person (e.g., name, telephone number, address, etc.). <\/p>\n\n\n\n

d. \u201cProcess\u201d or \u201cProcessing\u201d is given the meaning under the Data Protection Laws. If no laws apply, then Process or Processing means any operation performed on Personal Data such as collecting, storing, altering, analyzing, accessing, using, disclosing, making available, erasing, or destroying. <\/p>\n\n\n\n

e. \u201cSecurity Incident\u201d means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.<\/p>\n\n\n\n

f. \u201cServices\u201d means the Pearl-Plaza products and services outlined in the Agreement.<\/p>\n<\/div><\/div>\n\n\n\n

2. Details of Processing<\/strong><\/strong><\/p>\n\n\n\n

The subject matter, nature, purpose, details of Processing, and the types of Personal Data Processed are outlined in the Agreement and determined by the Client through the Client\u2019s use of the Services. Personal Data may include, without limitation, name, phone number, email address, postal address, IP address, customer loyalty number, employee number, and any other Personal Data the Client chooses to send to Pearl-Plaza regarding its employees, customers, and\/or end users. The duration of Processing will be for the term of the Agreement. <\/p>\n\n\n\n

3. Pearl-Plaza\u2019s Obligations<\/strong><\/p>\n\n\n\n

\n

a. Pearl-Plaza shall comply with the Data Protections Laws (including any such obligations that relate to Pearl-Plaza\u2019s use of sub-processors).<\/p>\n\n\n\n

b. Pearl-Plaza shall only Process Personal Data within the scope of the Client\u2019s documented instructions and as permitted in the Agreement or this DPA.<\/p>\n\n\n\n

c. Pearl-Plaza shall inform the Client if Pearl-Plaza believes, in good faith, that the Client\u2019s instructions violate the Data Protection Laws or any other confidentiality obligations. Pearl-Plaza shall be entitled to postpone action on such an instruction until the Client has addressed Pearl-Plaza\u00b4s concerns.  <\/p>\n\n\n\n

d. Pearl-Plaza, and anyone who Process the Personal Data on Pearl-Plaza\u2019s behalf, shall maintain the Personal Data with strict confidentiality and shall not disclose Personal Data to any unauthorized third parties. <\/p>\n\n\n\n

e. Except as otherwise provided by law, Upon the Client\u2019s request and, if required by the Data Protection Laws, Pearl-Plaza shall delete, return, or enable the Client to delete and\/or download, all Personal Data at the end of the Agreement unless a longer retention period is required by law.  <\/p>\n\n\n\n

f. Pearl-Plaza shall not sell or share for targeted advertising, as defined by the Data Protection Laws, Personal Data it receives from or on behalf of the Client. <\/p>\n\n\n\n

g. Pearl-Plaza shall not retain, use, or disclose Personal Data received by or on behalf of the Client outside of its direct business relationship with the Client other than as permitted by the Agreement, this DPA, or the Data Protection Laws.<\/p>\n\n\n\n

h. Pearl-Plaza shall not combine Personal Data received by or on behalf of the Client with Personal Data received by a third party, except as permitted by the Agreement, this DPA, or the Data Protection Laws.<\/p>\n<\/div><\/div>\n\n\n\n

4. Client\u2019s Obligations<\/strong><\/p>\n\n\n\n

\n

a. The Client shall comply with the Data Protection Laws including all requirements for Pearl-Plaza to Process the Personal Data on the Client\u2019s behalf including, without limitation, giving notifications, obtaining consents, and making any disclosure required under the Data Protection Laws.<\/p>\n\n\n\n

b. The Client shall give written instructions to Pearl-Plaza regarding Processing of Personal Data as agreed by the parties in the Agreement, this DPA, or through its use of the Services. In urgent cases, instructions may be given verbally. These instructions will be immediately confirmed and documented by the Client in writing.<\/p>\n\n\n\n

c. The Client shall not instruct Pearl-Plaza to Process the Personal Data in any way that violates the Data Protection Laws. If the Client believes, in good faith, that a request violates the Data Protection Laws or any other confidentiality obligations, then the Client shall immediately inform Pearl-Plaza. <\/p>\n\n\n\n

d. The Client shall immediately notify Pearl-Plaza if it finds any error or irregularity when reviewing the Processing.<\/p>\n<\/div><\/div>\n\n\n\n

5.<\/strong> Security<\/strong><\/p>\n\n\n\n

Pearl-Plaza has implemented and shall maintain reasonable and appropriate technical and organizational measures for the Services as outlined in Exhibit A to this DPA. To keep up with advancing technology and security, Pearl-Plaza reserves the right to modify the technical and organizational measures provided that the functionality and security is not degraded. <\/p>\n\n\n\n

6. Security Incidents<\/strong><\/p>\n\n\n\n

If a Security Incident occurs, then Pearl-Plaza shall promptly notify the Client of the Security Incident and immediately take reasonable steps to mitigate and remediate the Security Incident including steps to prevent such Security Incident from happening again. Pearl-Plaza shall reasonably cooperate with the Client to comply with Data Protection Laws related to notification of supervisory authorities or individuals affected by the Security Incident. <\/p>\n\n\n\n

To the extent known by Pearl-Plaza at the time Pearl-Plaza becomes aware of the Security Incident, Pearl-Plaza\u2019s notification to the Client shall include:<\/p>\n\n\n\n

\n

a. The Personal Data affected (including types, categories, and volumes);<\/p>\n\n\n\n

b. The name and contact information of Pearl-Plaza\u2019s data protection officer or point of contact for further information;<\/p>\n\n\n\n

c. The cause and impact of the Security Incident; and<\/p>\n\n\n\n

d. The mitigation and remediation efforts already taken and\/or will be taken by Pearl-Plaza.  <\/p>\n<\/div><\/div>\n\n\n\n

7. Audits<\/strong><\/p>\n\n\n\n

The Client may audit Pearl-Plaza\u2019s compliance with this DPA on an annual basis, but audits may occur more frequently if the Client has a good faith belief that Pearl-Plaza has not materially complied with its obligations herein. Pearl-Plaza shall make available to the Client any information necessary to demonstrate its compliance with this DPA. An audit may consist of sending Pearl-Plaza reasonable security questionnaires, requesting evidence of applicable security certifications (e.g., SOC 2 or ISO 27001), and requesting results of assessments and tests performed by Pearl-Plaza or an independent third party as part of Pearl-Plaza\u2019s regular processes. If Pearl-Plaza determines that it can no longer comply with the Data Protection Laws, then Pearl-Plaza will promptly notify the Client.  <\/p>\n\n\n\n

8. Sub-Processors<\/strong><\/p>\n\n\n\n

The Client provides general consent for Pearl-Plaza to work with third parties to provide the Services. Third parties who Process Personal Data are referred to as sub-processors. Pearl-Plaza shall enter into a written agreement with each sub-processor and ensure, to the extent applicable, that each sub-processor is bound by obligations which are at least as restrictive as those outlined in this DPA. Pearl-Plaza shall be responsible for the acts or omissions of its sub-processors at all times. <\/p>\n\n\n\n

The Client may request a list of Pearl-Plaza\u2019s sub-processors at any time. A current list of can also be found at https:\/\/inmoment.com\/subprocessors\/<\/a>. Pearl-Plaza shall inform the Client of any new or replacement sub-processors in advance by updating the website or by email (where the Client has signed up to receive email notifications via the link on the website). <\/p>\n\n\n\n

If the Client has a reasonable objection to a new sub-processor, then the Client shall: (a) send written notice to legal@inmoment.com<\/a> within 30 days of Pearl-Plaza\u2019s notice; and (b) articulate reasonable grounds for its objection in the notice. Pearl-Plaza and the Client shall promptly work together in good faith to resolve any concerns. If notice is not sent to Pearl-Plaza within the time period specified above, then the Client shall be deemed to have consented to Pearl-Plaza\u2019s use of the new sub-processor.<\/p>\n\n\n\n

9. Individual Personal Data Requests<\/strong><\/p>\n\n\n\n

If Pearl-Plaza receives a request from an individual related to their Personal Data that Pearl-Plaza Processes for and on behalf of Client, then Pearl-Plaza shall promptly inform the Client of the request or Pearl-Plaza may advise the individual to submit their request directly to the Client. The Client is responsible for ensuring that such requests are handled in accordance with the Data Protection Laws. Pearl-Plaza shall reasonably cooperate with the Client in fulfilling these requests.<\/p>\n\n\n\n

10. Additional Costs<\/strong><\/p>\n\n\n\n

If the Client requests Pearl-Plaza\u2019s assistance with fulfilling its obligations under the Data Protection Laws and such requests go beyond the standard functionality of the Services, then Pearl-Plaza may charge the Client for any costs beyond those outlined in the Agreement to the extent that is reasonable (considering factors like time, volume, and complexity of instructions). This includes, without limitation, costs related to erasure, return, storage, or additional retention of Personal Data.  <\/p>\n\n\n\n

11. General<\/strong><\/p>\n\n\n\n

Except to the extent prohibited by Data Protection Laws, any breach of this DPA is subject to the liability cap in the Agreement. Furthermore, the liability of either party for breach of this DPA will be reduced proportionately to the extent that any act or omission of the other party or any third party acting on its behalf directly caused or contributed to such breach. If there are any conflicts between this DPA and the Agreement, this DPA prevails. This DPA supersedes and replaces any other prior data processing agreement or similar terms which were entered into by the Client and Pearl-Plaza. <\/p>\n\n\n\n

v2024April<\/p>\n\n\n\n

Exhibit A<\/strong><\/p>\n\n\n\n

Technical and Organizational Measures<\/strong><\/p>\n\n\n\n

1. Physical Access Control. <\/strong>Unauthorized persons are prevented from gaining access to premises, buildings, rooms, or data processing equipment used to process personal data. Controls include:<\/p>\n\n\n\n