Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Subscription Agreement entered into between the Customer (the “Company”) and RadiateCapital Limited (“Rebrandly”, the “Data Processor”) (together as the “Parties”) (the “Principal Agreement”).

WHEREAS

A. The Company acts as a Data Controller.

B. The Company has engaged Rebrandly to provide certain Services under the Principal Agreement which will require the processing of Company Personal Data by Rebrandly, acting as a Data Processor.

C. This DPA sets out the additional terms, requirements and conditions on which Rebrandly will process Company Personal Data when providing services under the Principal Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

"Authorised Persons" means the persons or categories of persons that the Company authorises to give Rebrandly personal data processing instructions as identified in Schedule 1.

"Business Purposes" means the services described in the Principal Agreement or any other purpose specifically identified in Schedule 2.

"Company Personal Data" means any information relating to an identified or identifiable natural person that is processed by Rebrandly as a result of, or in connection with, the provision of the services under the Principal Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Contracted Sub-Processor" means any person appointed by or on behalf of Rebrandly to process Company Personal Data on behalf of the Controller in connection with this DPA.

"Data Protection Laws" means:

a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.

b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of Personal Data.

"Data Transfer" means:

i. a transfer of Company Personal Data from the Company to a Contracted Sub-Processor; or

ii. an onward transfer of Company Personal Data from a Contracted Sub-Processor to another Contracted Sub-Processor, or between two establishments of a Contracted Sub-Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

"DPA" means this Data Processing Addendum and all Schedules.

"EEA" means the European Economic Area.

"GDPR" means the General Data Protection Regulation ((EU) 2016/679).

"SCC" means the ICO's International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO's International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU or such alternative clauses as may be approved by the European Commission or by the UK from time to time.

"Services" means the branded link management dashboard and applications Rebrandly provides. The Services are described in more detail in Schedule 2.

"Subscription Agreement" means the Terms of Use made available from time to time at rebrandly.com/terms-conditions or such other terms and conditions that are mutually agreed in writing and signed between the Company and Rebrandly.

"UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as given to them in Data Protection Laws, and their cognate terms shall be construed accordingly.

1.3. This DPA is subject to the terms of the Principal Agreement and is incorporated into the Principal Agreement. Interpretations and defined terms set forth in the Principal Agreement apply to the interpretation of this DPA, unless the context otherwise requires.

1.4. The Schedules form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules.

1.5. A reference to writing or written includes email with a clear confirmation of receipt by the other party.

1.6. In the case of conflict or ambiguity between:

1.6.1. any provision contained in the body of this DPA and any provision contained in the Schedules, the provision in the body of this DPA will prevail;

1.6.2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Schedules, the provision contained in the Schedules will prevail;

1.6.3. any of the provisions of this DPA and the provisions of the Principal Agreement, the provisions of this DPA will prevail; and

1.6.4. any of the provisions of this Agreement and any executed SCC, the provisions of the executed SCC will prevail.

2. Processing of Company Personal Data

2.1. The Company and Rebrandly acknowledge that for the purpose of the Data Protection Laws, the Company is the controller and Rebrandly is the processor.

2.2. Rebrandly shall comply with the applicable Data Protection Laws which specifically relate to the Processing of Company Personal Data.

2.3. The Company retains control of the Company Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Rebrandly.

2.4. Schedule 1 describes the subject matter, duration, nature and purpose of the processing and the Company Personal Data categories and Data Subject types in respect of which Rebrandly may process to fulfil the Business Purposes of the Principal Agreement.

3. Rebrandly Obligations

3.1. Rebrandly will only process Company Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Company’s written instructions from Authorised Persons to provide the Services. These instructions need to be agreed in advance and provided in writing to Rebrandly by the Company.

3.2. Rebrandly will comply with any Company written request or instruction, agreed in advance, from Authorised Persons requiring Rebrandly to amend, transfer, delete or otherwise process the Company Personal Data where possible.

3.3. Rebrandly will maintain the confidentiality of all Company Personal Data and will not disclose Company Personal Data to unauthorised third parties unless the Company or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator.

4. Rebrandly Personnel

Rebrandly shall take reasonable steps to ensure the reliability of any employee, agent, contractor or any Contracted Sub-Processor who may have access to the Company Personal Data, ensuring in each case that access is limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to Rebrandly, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1. Rebrandly shall implement appropriate technical and organizational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Company Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Company Personal Data. See Schedule 3 for Rebrandly’s technical and organizational measures to safeguard data against unauthorized destruction, alteration, loss, disclosure or access.

5.2. In assessing the appropriate level of security, Rebrandly shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. Sub-processing

6.1. Rebrandly shall not appoint (or disclose any Company Personal Data to) any Contracted Sub-Processor unless required or authorized by the Company.

6.2. Those Contracted Sub-Processors approved as at the commencement of this DPA are as set out in this web-page: https://rebrandly.com/SubProcessors (“SubProcessor Page”).

6.3. Current Sub-processors and Notification of Sub-processor Additions:

6.3.1. Customer understands that effective operation of the Services may require the transfer of Customer Data to Rebrandly Affiliates, or to Rebrandly's Sub-processors. Customer hereby authorizes the transfer of Customer Data to locations outside Europe (Rebrandly’s primary processing facilities are in the United States of America), including to Rebrandly Affiliates and Sub-processors, subject to continued compliance with this DPA throughout the duration of the Agreement. Customer hereby provides general authorization to Rebrandly engaging additional third-party Sub-processors to process Customer Data within the Services for the Permitted Purposes.

6.3.2. Rebrandly may, by giving reasonable notice to the Customer, add to the SubProcessor Page. Rebrandly will notify Customer if it intends to add or replace Sub-processors from the SubProcessor Page at least 10 days prior to any such changes. To receive such notification, Customers need to follow the link https://rebrandly.com/SubProcessors-notification to join Rebrandly’s distribution list. If Customer objects to the appointment of an additional Sub-processor within ten (10) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then Rebrandly will work in good faith with Customer to find an alternative solution. In the event that the parties are unable to find such a solution, Customer may terminate the Agreement at no additional cost.

7. Data Subject Rights

7.1. Taking into account the nature of the Processing, Rebrandly shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, and at Company’s cost, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2. Rebrandly shall:

7.2.1. notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

7.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which Rebrandly is subject, in which case Rebrandly shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before they respond to the request.

8. Personal Data Breach

8.1. Rebrandly shall notify Company without undue delay upon Rebrandly becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2. Rebrandly shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

Rebrandly shall provide reasonable assistance to the Company (at the Company’s cost) with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR, the UK GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of Company Personal Data and taking into account the nature of the Processing and information available to the Contracted Sub-Processors.

10. Deletion or return of Company Personal Data

At the Company’s request, Rebrandly shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”) delete and procure the deletion of Company Personal Data.

11. Audit rights

11.1. Rebrandly shall make available to the Company on request information necessary to demonstrate compliance with this DPA.

11.2. Information and audit rights of the Company only arise under section 9.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Laws.

12. International Transfers

12.1. Customer acknowledges and consents that Rebrandly and its Sub-processors may transfer and process personal data to and in the United States of America and other locations in which Rebrandly, its Affiliates or its Sub-processors maintain data processing operations, as more particularly described in the SubProcessor Page. Rebrandly shall ensure that such transfers are made in compliance with Applicable Data Protection Legislation and this DPA.

12.2. Rebrandly may only process, or permit the processing, of Company Personal Data outside the EEA under the condition that the transfer otherwise complies with the Data Protection Laws and this DPA.

12.3. If the Company consents to an appointment by Rebrandly of a Contracted Sub-Processor located outside the EEA in compliance with the provisions of clause 10, then the Company authorises Rebrandly to enter into the SCCs with the Contracted Sub-Processor on its behalf.

13. General Terms

Notices. All notices and communications given under this DPA must be in writing. Email confirmation of receipt will be sent by the other party. The Company shall be notified by email sent to the address related to its use of the Service under the Principal Agreement. Rebrandly shall be notified by email sent to the address: legal@rebrandly.com.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Ireland.

Any dispute arising in connection with this DPA which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Dublin subject to possible appeal to the Irish High Courts.

Schedule 1: Personal Data Processing Purposes and Details

Subject matter of processing: Link management and analytics

Duration of Processing: For the duration of the Principal Agreement

Nature of Processing: Collection and aggregation of IP addresses

Personal Data Categories: Technical Data

The Company agrees not to include any Company Personal Data in any URL/link created by using the Services nor in any part of the platform (e.g. notes, tags, etc.). It is the Company’s responsibility to notify Rebrandly in advance and in writing (and Rebrandly needs to authorize it in writing) in the event that the Company includes or wishes to include any Company Personal Data in any URL/link created whilst using the Services or other part of the Rebrandly platform.

Data Subject Types: Customers

Authorised Persons:

List of approved Company Sub-Processors: https://rebrandly.com/SubProcessors

Identify Rebrandly’s legal basis for processing Company Personal Data outside the EEA in order to comply with cross-border transfer restrictions: Rebrandly’s AWS servers are located mainly in the United States of America. AWS is an approved Contracted Sub-Processor and may process Company Personal Data (i.e. EU Company Personal Data) in the provision of the Services to the Company.

Schedule 2: Service Description

The services are offered by RadiateCapital Limited (“Rebrandly”).

Rebrandly is a link management platform designed to brand, track and share short URLs using a custom domain name. Rebrandly provides a complete platform that includes a web-based dashboard, applications for mobiles (iOS and Android), software for Mac and Windows, and browser extensions.

Schedule 3: Technical and organizational measures

Rebrandly’s latest SOC 2 Type II Reports and annual Penetration Test Reports are made available to Customers and prospects via the Rebrandly Trust Center. Request access here: www.trust.rebrandly.com.

Rebrandly shall implement and maintain technical and organizational measures appropriate to safeguard Company Personal Data against unauthorized destruction, alteration, loss, disclosure or access as set out in this Schedule.

Capitalized terms not defined in this Schedule, or otherwise defined in the DPA, shall have the same meaning as in the Principal Agreement.

“Information Resources” means any computing and other network, systems, applications, and network elements, by or with which Company Personal Data is stored, transmitted or processed pursuant to the Agreement.

“Strong Encryption” means the use of encryption technologies with minimum key lengths of 128-bits for symmetric encryption and 1024-bits for asymmetric encryption.

1. System Security Requirements

Monitoring Security Alerts: Actively monitor industry resources (e.g. software vendor mailing lists or websites) for timely notification of all applicable security alerts pertaining to Rebrandly’s Information Resources.

System Scanning: Scan both external-facing and internal Information Resources with applicable industry standard security vulnerability scanning software (including, but not limited to, network, server, application, and database scanning tools).

Deploy Intrusion Detection/Prevention Systems: Deploy one or more Intrusion Detection/Prevention Systems (IDS or IPS) in an active mode of operation.

Remediating Service Vulnerabilities: Use a documented process to remediate security vulnerabilities in the Information Resources, including through industry publications, vulnerability scanning, virus scanning, and the review of security logs, and apply appropriate security patches promptly with respect to the probability that such vulnerability can be, or is in the process of being exploited.

Security Administration: Assign security administration responsibilities for configuring host operating systems to specific individuals and ensure that security staff have reasonable and necessary experience in information/network security. Manage IAM Users and their permissions by authorized personnel and follow a least-privilege principle.

Server Hardening: Ensure that all of Rebrandly’s servers are and remain ‘hardened’ by restricting access to the company VPN only and by requiring possession of a SSH key to access them, where applicable.

Restrict User Privileges and Access: Restrict access by users to only the commands, data and Information Resources necessary to perform authorized functions. System administrator/root (or privileged, super user, or the like) access should be limited to individuals requiring such high-level access in the performance of their jobs and system administrators should not perform tasks for non-privileged users using system administrator accounts or credentials.

2. Physical Security Requirements

Secure Facilities: Ensure that all of Rebrandly’s Information Resources are located in secure physical facilities with access limited and restricted to authorized individuals only. AWS controls and monitors access to all data centers.

Monitoring and Recording Access: Monitor and record, for audit purposes, access to the physical facilities containing Information Resources used in connection with Rebrandly’s performance of its obligations under the Agreement.

3. Network Security Requirements

Detection and Handling of Unauthorized Access: Have a documented process and controls in place to detect and handle unauthorized attempts to access Customer Information. Global management of the Rebrandly infrastructure is performed using a primary AWS account which is part of an AWS Organization with governance services enabled (Security Hub, GuardDuty, CloudTrail, Config) to supervise Cloud accesses and threats and continuous compliance.

Encryption of Information both in Transit and at Rest: Use Strong Encryption for the transfer of Company Personal Data outside of Company-controlled or Rebrandly-controlled facilities, or when transmitting Company Personal Data over any untrusted network, or when storing Company Personal Data.

Remote Access: Require authentication and encryption for any remote access use of Information Resources. Separate the internal network from the internet using firewalls configured to allow only authorized traffic, as defined in Rebrandly's Security Policy. Monitor and screen traffic entering Rebrandly’s production network by firewall and monitoring tools implemented by AWS and configured by Rebrandly, such as VPC logs and CloudTrail.

4. Company Personal Data Requirements

Segregation of Company Personal Data: Segregate Company’s applications and Company’s Personal Data from any other applications and information of Rebrandly or Rebrandly’s customers, by using logical access controls.

Documentation of Secure Backup, Transport, Storage and Disposal of Customer Information: Have a documented procedure for the secure backup, transport, storage, and disposal of Company Personal Data and upon Company’s request, provide such documented procedure to Company.

Business Continuity and Disaster Recovery Plan: Maintain business continuity and disaster recovery plans that ensure that Rebrandly can meet its contractual obligations under the Agreement.

5. Identification/Authentication Requirements

Unique Credential and Passwords: Credentials, UserIDs and passwords will not be shared and will not be used by any person other than the assigned individual user.

Limit Failed Logins: Limit failed login attempts to no more than six (6) successive attempts and lock the user account upon reaching that limit. Access to the user account can be reactivated subsequently through a manual process requiring verification of the user’s identity or, where such capability exists, can be automatically reactivated after at least three (3) minutes from the last failed login attempt.

Terminate Inactive Interactive Sessions: Terminate interactive sessions, or activate a secure, locking screensaver requiring authentication, after a period of inactivity not to exceed fifteen (15) minutes.

Passwords: Passwords must meet the minimum requirements of (i) must be a minimum of eight (8) characters in length; (ii) if the password is less than twelve characters in length, it must contain characters from at least three (3) of these groupings: uppercase alpha, lowercase alpha, numeric, and special characters; (iii) must not be the same as the UserID with which they are associated; and (iv) must be complex and not contain names or dictionary words.

Secure Conveyance of UserIDs and Passwords: Use a secure method for the conveyance of authentication credentials (e.g., passwords) and authentication mechanisms (e.g., tokens or smart cards). Ensure user session authentication is protected by utilizing TLS encryption on Vendor websites.

6. Requirements for Software and Data Integrity

Scan and Remove Viruses: Have current antivirus software installed and running to scan for and promptly remove viruses.

Separate Production and Non-Production Resources: Separate development and test activities from and restrict developer access to operational environments in order to reduce the risks of inadvertent or unauthorized modifications to the operational system that could compromise the system’s integrity or availability.

Software Change Control Process: Implement a documented software change control process including back out procedures.

Utilize Database Transaction Logging: For applications which utilize a database that allows modifications to Company Personal Data, have database transaction logging features enabled and retain database transaction logs for a minimum of six (6) months.

Review Code for Vulnerabilities and Compliance with Industry Standard Security Requirements: For all software developed, used, furnished and/or supported under this Agreement, review such software to find and remediate security vulnerabilities during initial implementation and upon any modifications and updates and implement OWASP guidelines.

Quality Assurance Test Application and Security Vulnerabilities: Perform quality assurance testing for the application functionality and security components (e.g., testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture) during initial implementation and upon any modifications and updates.

7. Monitoring and Auditing Controls

Restrict Access to Security Logs: Restrict access to security logs to authorized individuals.

Review Security Logs and Resolve Security Problems: Review, on a routine basis, security logs for anomalies and document and resolve all logged security problems in a timely manner.

Record Retention: Retain complete and accurate records relating to its performance of its obligations arising out of this Schedule and Rebrandly’s compliance in a format that will permit audit for a period of no less than three (3) years, or longer as may be required pursuant to a court order or civil or regulatory proceeding.

Annual Compliance Review: At a minimum, annually review this Schedule to ensure that Rebrandly is in compliance with the requirements of this Agreement.

8. Personnel Security and Integrity Procedures

Personnel Procedures and Practices: Deploy appropriate procedures for Rebrandly personnel including, but not limited to, conducting background checks consistent with applicable law.

Training of Personnel: Provide appropriate privacy and information security training to Rebrandly’s employees that have access to customer Personal Data or systems.