Data Processing Agreement

Last updated: March 2024

This Data Processing Agreement (“DPA”) is entered into between BrandMobile (the “Data Processor”) and the legal entity identified as the Customer in the Service Agreement (the “Data Controller”). This DPA forms an integral part of the Master Service Agreement and governs the processing of personal data on behalf of the Customer.

Interpretation and Scope

Purpose. The purpose of this DPA is to outline the rights and obligations of both parties regarding the protection of personal data when using the BrandMobile Platform, ensuring compliance with GDPR and applicable local data protection laws.

Priority. In the event of any conflict between this DPA and the Master Service Agreement, the terms of this DPA shall prevail concerning data processing activities.

Definitions. Terms such as “Personal Data,” “Data Subject,” “Processing,” and “Breach” shall have the meanings assigned to them in the General Data Protection Regulation (GDPR).

Obligations of The Data Processor

Documented Instructions. BrandMobile shall process personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law.

Confidentiality. BrandMobile ensures that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security Measures. BrandMobile shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption and pseudonymization where applicable.

Sub-Processors

Authorization. The Data Controller provides a general written authorization for BrandMobile to engage sub-processors. A list of current sub-processors is available upon request or on the BrandMobile website.

Changes. BrandMobile shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Data Controller the opportunity to object.

Liability. BrandMobile remains fully liable to the Data Controller for the performance of the sub-processor’s obligations.

Data Subject Rights

Assistance. Taking into account the nature of the processing, BrandMobile shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising the data subject's rights.

Breach Notification

Timelines. In the event of a personal data breach, BrandMobile shall notify the Data Controller without undue delay after becoming aware of the breach.

Content. The notification shall describe the nature of the breach, the categories of data affected, and the measures taken or proposed to be taken to address the incident.

Audit and Compliance

Right to Audit. BrandMobile shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

Appendix A: Details of Processing

Subject Matter: Provision of gamified marketing and data collection services via the BrandMobile Platform.

Duration: The term of the Master Service Agreement plus the period until all data is deleted.

Nature and Purpose: To enable the Data Controller to create interactive campaigns, capture leads, and analyze user engagement.

Data Categories: Name, email address, IP address, device ID, campaign interaction data, and any other fields defined by the Data Controller in their campaign forms.

Data Subjects: End-users and participants of the Customer’s BrandMobile campaigns.

Appendix B: Authorized Sub-Processors

Cloud Hosting: Amazon Web Services (AWS)

SMS Delivery: GatewayAPI, LinkMobility

Analytics: IPstack, Matomo

Cookie: Cookiebot

QR codes: Unitag, Bit.ly

Support: Freshworks

Forms & Documents: Jotform

Kanban: Trello

Appendix C: Technical and Organisational Measures

Access Control: Strict role-based access control (RBAC) and multi-factor authentication for administrative access.

Encryption: Data is encrypted at rest using AES-256 and in transit via TLS 1.2 or higher.

Resilience: Regular automated backups and geographically redundant hosting.

Monitoring: Continuous security logging and vulnerability scanning.

All business inquiries:
business@brandmobile.com

+45 23 88 88 95