Data Processing Addendum
Fanfaire
Last Updated: July 22, 2024
Fanfaire LTD, a Limited corporation (“Fanfaire”, “Company”, “we”, “us” or other similar terms) offers a proprietary e-commerce platform known as the “Fanfaire Platform” and related services, technologies and websites that enable businesses and service providers to create, operate and manage their digital storefronts (as more fully defined below, the “Services”).
This Data Processing Addendum (“DPA”) sets forth Fanfaire’s privacy practices in relation to Personal Information (as defined below) collected from or about Users (as defined below) and processed by Fanfaire in connection with the Services. This DPA supplements, is incorporated into and forms a part of the Terms of Service, or other written or electronic agreement, contract or order between Fanfaire and Customer pursuant to which Fanfaire provides, and Customer accesses and receives, Services (as more fully defined below, the “Customer Agreement”). When you agree to the Customer Agreement (including, without limitation, by clicking “I agree . . .” when signing up for our service), you are agreeing to this DPA. You may also agree to this DPA separately, by clicking on an “I agree” checkbox or other means of electronic acceptance (whether when registering for our services or otherwise). The term “Customer” as used herein refers to the business that is a signatory or party to, or has otherwise contractually entered into and accepted, a Customer Agreement for Services. The Parties hereby agree as follows and to the above:
This DPA supplements, is incorporated into and forms a part of the Customer Agreement. Capitalized terms used in this DPA have the meaning set forth herein or have the respective meanings provided in your Customer Agreement. In the event of any direct conflicts between the terms of your Customer Agreement and the terms of the DPA, the terms of this DPA shall control but solely as applicable to the processing of Personal Information as set forth herein. This DPA shall be effective contemporaneously with the Effective Date of your Customer Agreement and shall terminate automatically upon the expiration or termination of your Customer Agreement.
A note about our Google Calendar integration: Customer may connect their Google calendar with Fanfaire to facilitate event booking by accessing free/busy data on connected calendars. Customers grant permission through an OAuth consent screen which outlines the data we use. We only access calendar data for identifying available times and scheduling events, ensuring efficiency and enhancing user experience. Fanfaire’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
1. Definitions. For purposes of this DPA, the following terms shall have the following meanings:
a. “Company”, “Fanfaire”, “us”, “we” or similar terms means Fanfaire LTD.
b. “Customer Agreement” or “Agreement” means the Terms of Service or another written contract or order form mutually agreed to between Fanfaire and Customer governing Fanfaire’s provision of, and Customer’s access to and use of, the Services.
c. “Data Protection Laws” means (i) the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any applicable laws and/or regulations that implement and/or exercise derogations under it and/or replace or supersede it (“EU GDPR”); (ii) all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the United Kingdom including the U.K. Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR” and, together with EU GDPR, “GDPR”); (iii) the EU ePrivacy Directive (2002/58/EC); (iv) any national data protection laws made under or pursuant to (i), (ii) or (iii); and (v) the Swiss Federal Data Protection Act (“Swiss DPA”); (vi) all U.S. state data protection laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of Personal Information, including, but not limited to, the following: (1) California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (California Civil Code §§ 1798.100 to 1798.199) (“CPRA”); (2) Colorado Privacy Act (Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313) (“ColoPA”); (3) Connecticut Data Privacy Act (Public Act No. 22-15) (“CTDPA”); (4) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404) (“UCPA”); and (5) Virginia Consumer Data Protection Act (Virginia Code Ann. §§ 59.1-575 to 59.1-585) (“VCDPA”); and (vii) each of the aforementioned as amended, superseded or updated from time to time. 
In the event of a conflict in the meanings of defined terms in the Data Protection Laws, the meaning from the law applicable to the location of the relevant data subject/individual/household shall apply.
d. “European Economic Area” or “EEA” means the Member States of the European Union together with Switzerland, Iceland, Norway, and Liechtenstein.
e. “Personal Information” means any data or information that is considered “personal data”, “personal information” or other similar terms as defined by applicable Data Protection Laws and that is provided by Customer to Fanfaire in connection with the Services. Personal Information includes the information and data described in Annex I attached hereto.
f. “Sensitive Personal Information” means personal data or personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and/or biometric data (where used for the purpose of uniquely identifying a natural person), data concerning health or data concerning a natural person's sex life or sexual orientation, and other personal data and personal information that is typically considered “sensitive” under applicable Data Protection Laws.
g. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data from controllers to processors (module two) established in third countries approved by the European Commission from time to time, as may be amended, superseded or replaced by the European Commission from time to time. For reference purposes, a current copy of the SCCs is located at: Standard contractual clauses for international transfers (europa.eu).
h. “UK Addendum” means the UK’s International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0), a copy of which is located at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, and as may be amended, superseded or replaced from time to time.
i. “Users” means Customer’s employees, representatives and users as well as that of any of Customer’s end clients/customers and other individuals whose Personal Information will be processed by Fanfaire in connection with the Services.
j. The terms “business”, “controller”, “data protection impact assessment”, “data subject”, “personal data”, “personal data breach”, “processor”, “processing”, “service provider” and “supervisory authority” shall be as defined under relevant Data Protection Laws.
2. Processing of Personal Information.
a. General. Fanfaire shall comply with its obligations under applicable Data Protection Laws when processing Personal Information subject to such Data Protection Laws. The subject-matter of such processing is providing and making available Services to Customer in accordance with Customer’s Customer Agreement and such processing will continue until Customer’s Customer Agreement terminates or expires. Annex I attached hereto sets out the nature and purpose of the processing, including the types of Personal Information we process and the data subjects whose Personal Information is processed. Fanfaire may update the descriptions of processing set forth on Annex I from time to time to reflect new products, features or functionality comprised within the Services consistent with the requirements of Section 19 of this DPA.
b. Roles of the Parties. Fanfaire and Customer acknowledge that the status of each Party is a question of fact determined under applicable Data Protection Laws. Without limiting the foregoing, the Parties acknowledge and agree that Customer is the controller or business, Fanfaire is the processor or service provider acting on Customer’s behalf, and that Fanfaire may engage Subprocessors pursuant to the requirements set forth in Section 9 (Subprocessors) below. For the avoidance of doubt, the Parties acknowledge and agree that Customer is responsible for determining the processes and means by which the Personal Information is processed and for ensuring that Customer’s instructions for the processing of such Personal Information comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired such Personal Information.
c. Data Processing, Transfers and Sales. Customer hereby instructs Fanfaire to retain, use, disclose and otherwise process the Personal Information for the following purposes, and Customer shall provide the Personal Information to Fanfaire only for the following purposes, and Fanfaire shall only retain, use, disclose or otherwise process the Personal Information for the following purposes: (i) to provide the Services to the Customer in accordance with Customer’s Customer Agreement covering those Services; (ii) as otherwise set out in Customer’s Customer Agreement and this DPA; and/or (iii) as otherwise agreed upon in writing by the Customer and Fanfaire, all of which Fanfaire and Customer acknowledges to be instructions for the purposes of this DPA, unless a different manner of processing is required pursuant to any other applicable law to which Fanfaire is subject, in which case Fanfaire shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before processing that particular Personal Information.
d. Final Agreement. Customer’s Customer Agreement and this DPA shall be and are the Customer’s complete and final instructions to Fanfaire in relation to the processing of the Personal Information that is subject to the Data Protection Laws covered by this DPA. Processing outside the scope of this DPA and the Customer Agreement will require prior written agreement between Customer and Fanfaire on additional instructions for such processing. If we reasonably believe any instruction Customer has provided with respect to the processing of Personal Information violates applicable Data Protection Laws, we shall notify Customer.
e. Limited Use. Fanfaire shall not retain, use, disclose or otherwise process Personal Information for any purpose other than for the specific purposes identified above, in the Customer Agreement or as otherwise permitted or required by applicable Data Protection Laws or otherwise pre-approved by Customer in writing. Fanfaire does not “sell” or “share” (as defined by applicable Data Protection Laws) Personal Information, which means that Fanfaire does not and shall not rent, disclose, transfer, make available or otherwise communicate Personal Information of Customer to any third party for monetary or other valuable consideration. In other words, neither Fanfaire, nor any of its employees, agents, consultants or representatives shall have any right to process any of Customer’s Personal Information for their own commercial benefit in any form. Fanfaire shall require its employees, agents, and service providers to comply in all material respects with the obligations and restrictions applicable to Fanfaire under this DPA.
f. Combined, Aggregated or Anonymized Information. Fanfaire shall not combine any Personal Information that Fanfaire receives from, or on behalf of, Customer with information that it receives from, or on behalf of, another source provided that Fanfaire may combine Personal Information as authorized by applicable Data Protection Laws. Fanfaire may collect, use, retain, access, share, transfer, sell, or disclose information that (i) has been deidentified, anonymized or aggregated consistent with the terms and conditions of applicable Data Protection Laws or (ii) any information that is not Personal Information consistent with the terms of Customer’s Customer Agreement. Among other things, this means that Fanfaire may share aggregated and/or anonymized information regarding the use or results of the Services with third parties to assist with developing and improving the Services or to third parties for commercial purposes. Without limiting the above, this DPA does not apply to any data related to a Customer’s use of the Services unless it is Personal Information (e.g. this does not apply to Service analytics, activity logs, use patterns, etc.).
g. Certification. Fanfaire hereby acknowledges, agrees and certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them.
h. Additional United States Requirements. To the limited extent that Fanfaire is processing any Personal Information of Customer that is subject to the Data Protection Laws of California, Colorado, Connecticut, Utah or Virginia, the applicable jurisdiction-specific terms specified in Annex IV attached hereto shall apply in addition to the other terms of this DPA.
3. Required Consents. As the data controller or business under applicable Data Protection Laws, please note that Customer is responsible for obtaining all necessary consents, and giving all necessary notices, to its Users, including any consents or notices required by this DPA, your applicable Customer Agreement or applicable Data Protection Law. With this in mind, Customer hereby warrants and represents that: (a) it has provided all applicable notices to, and obtained all necessary authorizations from, its Users required for the lawful processing of their Personal Information by Fanfaire in accordance with the Customer Agreement, this DPA and applicable Data Protection Law; and (b) in respect of any Personal Information collected or processed by Fanfaire on behalf of the Customer, it has obtained all necessary consents, authorizations and rights for the lawful processing of that Personal Information by Fanfaire in accordance with the Customer Agreement, this DPA and applicable Data Protection Law.
4. Assistance. Where applicable, taking into account the nature of the processing, and to the extent required under applicable Data Protection Laws, Fanfaire shall provide the Customer with any information or assistance reasonably requested or required by the Customer for the purpose of complying with any of the Customer’s obligations under applicable Data Protection Laws, including: (i) using reasonable efforts to assist the Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Customer’s obligation to respond to requests by Users to exercise rights provided by applicable Data Protection Laws, including providing reasonable documentation, product functionality and/or processes to assist Customer in retrieving, deleting or restricting Personal Information; and (ii) providing reasonable assistance to the Customer with any data protection impact assessments and responding to or assisting with any requests from or consultations to any governmental, regulatory or supervisory authorities relevant to Customer, in each case solely in relation to processing of the Personal Information and taking into account the information available to Fanfaire.
5. Access Requests. If Fanfaire receives a request submitted by a User to exercise a right it has under any Data Protection Laws in relation to that User’s Personal Information, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with the User in relation to such requests and, to the extent permitted by applicable law, Fanfaire shall not respond to the User.
6. Government Requests. Fanfaire shall notify Customer of any request for the disclosure of Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
7. Audits. Provided that Customer has or does enter into a non-disclosure agreement acceptable to Fanfaire, Fanfaire shall (i) allow Customer and its authorized representatives who are reasonably acceptable to Fanfaire (who have also signed a non-disclosure agreement acceptable to Fanfaire) to access and review any Fanfaire documentation, certifications or other reports or files reasonably required to ensure compliance with the terms of this DPA; or (ii) where required by Data Protection Law or the Standard Contractual Clauses or UK Addendum (and in accordance with this Section), allow Customer and its authorized representatives who are reasonably acceptable to Fanfaire (who have also signed a non-disclosure agreement acceptable to Fanfaire) to conduct reasonable audits (including inspections) during the term of the Customer Agreement to ensure compliance with the terms of this DPA.
Notwithstanding the foregoing, any audit must be conducted during our regular business hours, with reasonable advance notice to us (at least 20 business days) and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to Customer or its authorized representatives, or to allow Customer or its authorized representatives to access: (1) any data or information of any other Fanfaire customer; (2) any Fanfaire internal accounting or financial information; (3) any Fanfaire trade secret; (4) any information that, in our reasonable opinion, could: (a) compromise the security of our systems or premises; or (b) cause us to breach our obligations under Data Protection Law or our security, confidentiality and/or privacy obligations to any other Fanfaire customer or any third party; or (5) any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws and our compliance with the terms of this DPA.
In addition, audits shall be limited to once per year, unless (x) we have experienced a security breach within the prior twelve (12) months which has impacted Customer’s Personal Information; or (y) an audit reveals a material noncompliance. If we decline or are unable to follow your instructions regarding audits permitted under this Section (or the Standard Contractual Clauses or UK Addendum, where applicable), Customer may terminate this DPA and the Customer Agreement for convenience.
8. International Transfers.
a. General. Fanfaire is located in the United Kingdom. Therefore, any Personal Information we collect will be collected and stored in the UK. For Users that are in the EU, EEA, Switzerland or UK, this means that their Personal Information will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of their Personal Information than the jurisdiction the User is typically resident in. Fanfaire adheres to, and the transfer will be subject to, the Standard Contractual Clauses which are deemed incorporated into and form a part of this DPA, as follows (including subject to the preferences, clarifications and mutual agreements set forth below):
Module Two of the SCCs will apply.
The audits described in Clause 8.9(c) and (d) of the SCCs shall be carried out in accordance with Section 7 of this DPA.
In Clause 9 of the SCCs, Option 2 will apply, and Customer acknowledges and expressly agrees that Fanfaire will appoint and engage new Subprocessors in accordance with Section 9 of this DPA (including the notice time periods specified in Section 9 of this DPA).
In Clause 11 of the SCCs, the optional language will not apply.
The liability described in Clause 12 of the SCCs shall in no event exceed the limitations set forth in the Customer’s Customer Agreement, and under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) will either party to this DPA, or their affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to the other party or any third party for any lost profits, lost sales of business, lost data (being data lost in the course of transmission via Customer’s systems or over the Internet through no fault of Fanfaire), business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such party has been advised of the possibility of or could have foreseen such damages. For the avoidance of doubt, this clarification shall not be construed as limiting the liability of either party with respect to claims brought by data subjects.
The Data Protection Commission of Ireland shall be the competent Supervisory Authority pursuant to Clause 13 of the SCCs.
The certification of deletion of Personal Information that is described in Clause 16(d) of the SCCs shall be provided by Fanfaire to Customer only upon Customer’s request.
In Clause 17 of the SCCs, Option 1 will apply, and the SCCs will be governed by Irish law.
In Clause 18(b) of the SCCs, disputes will be resolved before the courts of Ireland.
Annex I of the SCCs is deemed completed with the information set out in Annex I to this DPA.
Subject to Section 11 of this DPA, Annex II of the SCCs is deemed completed with the information set out in Annex II to this DPA.
Annex III of the SCCs is deemed completed with the information set out in Annex III to this DPA.
b. SCCs. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, in the event of any conflict or inconsistency between the provisions of the Customer Agreement (including this DPA) and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail to the extent of such conflict (subject to the clarifications set forth above).
c. UK Addendum. In the case of cross-border transfers of Customer’s Personal Information subject to UK GDPR, the Parties acknowledge and agree that the UK Addendum shall govern and apply and the SCCs shall be deemed amended as specified in the UK Addendum in respect of the transfer of such Personal Information. In such event, the tables attached to the UK Addendum shall be deemed automatically populated and completed with the applicable information set forth in Annexes I, II and III attached to this DPA. Additionally, the parties’ preferences, clarifications and agreements set forth in Section 8 of this DPA shall also apply to and be used for purposes of interpreting the UK Addendum. Without limiting the foregoing, the parties acknowledge and agree that: (i) In Table 2 of the UK Addendum, the Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed to be completed according to the parties’ preferences outlined in this DPA; (ii) In Table 4 of the UK Addendum, the Parties agree that either Party may terminate the Addendum as set out in Section 19 of the UK Addendum; (iii) Any conflict between the terms of the SCCs attached hereto and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum; and (iv) the clarifications and preferences set forth in Section 8 of this DPA shall be interpreted as also applying to the UK Addendum.
d. Swiss DPA. In the case of cross-border transfers of Customer’s Personal Information protected by Swiss law, the SCCs shall apply subject to the following amendments: (i) references to “Regulation (EU) 2016/679” will be deemed to refer to the Swiss DPA; (ii) references to specific articles of “Regulation (EU) 2016/679” will be deemed replaced with the equivalent article or section of the Swiss DPA; (iii) references to “EU,” “Union,” and “Member State” will be deemed replaced with “Switzerland”; (iv) references to the “competent supervisory authority” are replaced with the “Swiss Federal Data Protection Information Commissioner”; and (v) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
9. Subprocessors. Fanfaire may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the Services (“Subprocessors”). See Annex III for more information regarding the specific Subprocessors we use. For the avoidance of doubt, Customer hereby approves all applicable Subprocessors identified on Annex III to the extent applicable to the Services received by Customer. We may update Annex III from time to time and we recommend that each Customer periodically review Annex III, including any links to Subprocessor Lists included on Annex III. By continuing to use our Services after any changes or modifications are made to Annex III (or any Subprocessor Lists linked to or referenced on Annex III), Customer is deemed to have automatically accepted the updated Annex. If Customer (acting reasonably) does not approve of any new Subprocessor being added for any reasonable or legitimate reason, they should (i) contact us at support@fanfaire.io so we can discuss the basis for the Customer’s disapproval and possible alternative Subprocessors, or (ii) object within forty-five (45) days by terminating the Customer Agreement for convenience.
Our Subprocessors may have access to Personal Information. Please know that Fanfaire carefully selects its Subprocessors based on their security practices and availability levels and we perform due diligence on the technical and organizational security measures of all Subprocessors. We have entered into agreements with each Subprocessor which impose in all material respects the same obligations on the Subprocessor with regard to their processing of Personal Information as are imposed on Fanfaire under this DPA and any Customer Agreements and which, as applicable, otherwise comply with the requirements of the Data Protection Laws. Fanfaire is responsible for the acts and omissions of Subprocessors in relation to Fanfaire’s obligations under this DPA and applicable Customer Agreements.
With respect to all Subprocessors having access to Personal Information of Users that are in the EU, EEA, Switzerland or UK: Customer acknowledges that in order for Fanfaire to provide the Services it may be necessary for certain Subprocessors to access or otherwise process the Personal Information outside the EEA, Switzerland or United Kingdom. In those circumstances, Fanfaire will only use Subprocessors that have and maintain certification to the EU-U.S. Privacy Shield (or a successor thereto or comparable privacy shield under other Data Protection Laws) or that comply with the Standard Contractual Clauses (as updated from time to time), UK Addendum or other applicable requirements of the Data Protection Laws.
10. Data Retention and Deletion. If Customer wishes to delete any Personal Information processed by the Services, the Customer should send a deletion request to support@fanfaire.io. Fanfaire will strive to respond to all such requests as soon as reasonably practical. If Customer ceases to subscribe to and use the Services, or Customer permanently discontinues or terminates a Customer’s access to the Services, Fanfaire will handle all of that Customer’s Personal Information as follows:
i. Subject to subsections (ii) and (iii) below, Fanfaire shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of the Customer Agreement: (1) upon the written request of Customer, return a complete copy of all Personal Information by secure file transfer in such reasonable format as notified by Customer to Fanfaire; and (2) delete and use reasonable efforts to procure the deletion of all other copies of Personal Information processed by Fanfaire or any Subprocessors.
ii. Subject to subsection (iii) below, Customer may in its absolute discretion notify Fanfaire in writing within thirty (30) days of the date of termination of the Customer Agreement to require Fanfaire to delete and procure the deletion of all copies of the Personal Information processed by Fanfaire. In such case, Fanfaire shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of the Customer Agreement: (1) comply with any such written request; and (2) use reasonable efforts to procure that its Subprocessors delete all Personal Information processed by such Subprocessors.
iii. Notwithstanding the foregoing, Customer acknowledges that it may be impossible to completely delete certain residual Personal Information. Additionally, Fanfaire and its Subprocessors may retain Personal Information to the extent required by and only to the extent and for such period as required by applicable laws and always provided that Fanfaire shall ensure the confidentiality of all such Personal Information and shall ensure that such Personal Information is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose. To the extent permitted by applicable Data Protection Laws, Fanfaire may deidentify/anonymize or aggregate the Personal Information and may continue to collect, use, retain, access, share, transfer, sell or disclose such deidentified/anonymized or aggregated information following the termination of the Customer Agreement consistent with the terms and conditions of applicable Data Protection Laws.
11. Data Security Measures. Fanfaire shall utilize industry standard practices on information security management to safeguard sensitive information (such as Personal Information), including the measures set out in Annex II attached hereto. Our information security systems apply to people, processes and information technology systems on a risk management basis. Without limiting the foregoing, Fanfaire shall treat Personal Information as the confidential information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of such data and information. Upon request by the Customer, but no more frequently than once per calendar year (or more frequently if circumstances reasonably require) and only upon ten business days prior written notice, Fanfaire shall make available information reasonably necessary to demonstrate compliance with this DPA. Customer has assessed the security measures offered by Fanfaire to meet the standards required by applicable Data Protection Laws as at the effective date hereof.
If Fanfaire becomes aware of a security incident involving a Customer’s Personal Information, Fanfaire will (a) notify Customer of the security incident within 72 hours, (b) investigate the security incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the security incident, and (c) take steps to remedy any non-compliance with this DPA. Notwithstanding the foregoing, because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Fanfaire cannot guarantee that unauthorized parties will not gain access to Personal Information processed by the Services. To the extent permitted by applicable law, Fanfaire expressly excludes any liability arising from any unauthorized access to Personal Information. For the avoidance of doubt, Customer hereby acknowledges and agrees that the measures set forth in Annex II are reasonable technical and physical security practices and procedures for purposes of applicable Data Protection Laws and are compliant with applicable Data Protection Laws.
12. Affiliates. Depending on the terms of your Customer Agreement, we may in certain circumstances collect, receive or otherwise process Personal Information in connection with use of the Services by Customer’s affiliates. In such cases, Customer will act as a single point of contact for its affiliates with respect to compliance with applicable Data Protection Laws, such that if Fanfaire gives notice to Customer, such information or notice will be deemed received by Customer’s affiliates. Customer shall be responsible for such affiliates’ compliance with this DPA and all acts and/or omissions by a Customer affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer. The Parties acknowledge and agree that any claims in connection with this DPA (or applicable Data Protection Laws) will be brought by Customer, whether acting for itself or on behalf of an affiliate.
13. Customer Agreements. Customer agrees that it: (i) will comply with its obligations under all applicable Data Protection Laws and related laws with respect to its provision of, processing, security and handling of Personal Information, and will not do or omit to do anything which causes Fanfaire (or any Subprocessor) to breach any of its obligations under applicable Data Protection Laws; (ii) will determine the purposes and general means of Fanfaire’s processing of Personal Information in accordance with the Customer Agreement; (iii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Information, such as pseudonymizing or backing up Customer Personal Information; (iv) has obtained all consents, permissions and rights necessary under applicable Data Protection Laws and related laws for Fanfaire to lawfully process Customer’s Personal Information for the purposes contemplated by the Customer Agreement, including, without limitation, Customer's sharing and/or receiving of Customer Personal Information with third parties via the Services; and (v) unless the Parties have agreed otherwise in writing (via an amendment to Customer’s Customer Agreement, an order or statement of work thereunder, or otherwise), Customer shall only provide, deliver or otherwise make available to Fanfaire Personal Information to the extent required for the Customer to access and receive the Services consistent with their intended use and shall not provide, deliver or otherwise make available to Fanfaire any other Personal Information for any other purpose. Customer shall have sole responsibility for the accuracy, quality, and legality of all Customer Personal Information and the means by which Customer acquired the Personal Information.
Customer specifically acknowledges that its use of the Services will not violate the rights of any data subject that has opted-out from sales or other disclosures of Personal Information, to the extent applicable under Data Protection Laws.
14. Limitation of Liability. Subject to the terms of the Standard Contractual Clauses and Section 8 of this DPA, Fanfaire’s aggregate liability to a Customer arising from or related to this DPA is subject to the applicable terms and conditions of the Customer’s applicable Customer Agreement.
15. Indemnity. Customer agrees to indemnify Fanfaire and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each an "Indemnified Party", and collectively the "Indemnified Parties") against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties arising out of any third party claim brought against Fanfaire relating to or arising out of (i) any instructions given by the Customer to Fanfaire with respect to processing of Personal Information, (ii) any failure to obtain the consents or provide the notices required under Section 3, or (iii) any other breach or violation by the Customer of any of its obligations under this DPA or any breach or violation of any Data Protection Laws.
16. Sensitive Personal Information. We do not intentionally collect Sensitive Personal Information, and we request that Customer not (and Customer hereby agrees not to) share, or permit any third party to share, any Sensitive Personal Information with us. If Customer chooses to provide us with Sensitive Personal Information, or if we receive Sensitive Personal Information on behalf of a Customer, Customer is responsible for complying with any regulatory controls and requirements of applicable Data Protection Laws regarding that Sensitive Personal Information and for directing us as necessary to comply with such Data Protection Laws. In such event, Customer hereby instructs Fanfaire to access and use such Sensitive Personal Information as necessary to perform the Services, and Customer hereby consents to and approves of Fanfaire’s processing of such Sensitive Personal Information in accordance with this DPA. Customer hereby acknowledges and agrees that the protections, restrictions and security and organizational measures set forth in this DPA are reasonable and appropriate for purposes of processing the Sensitive Personal Information.
17. Enforceability of this Addendum. Any provision of this DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into the Customer Agreement.
18. Integrations. The Services may enable Customer to access, or include integrations with, third party services, stores, platforms, products or technologies (“Third Party Products”), including but not limited to Third Party Products which may be integrated directly into Customer’s online Service account. For instance, the Fanfaire Platform offers the ability to integrate Customer’s account and/or store with third party platforms such as Google (e.g. Google Calendar), Auth0, Stripe, and Twilio. If Customer elects to enable, access or use any such Third Party Products, its access and use of such Third Party Products is governed solely by the terms and conditions and privacy policies of such Third Party Products, and Fanfaire does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Third Party Products, including, without limitation, their content or the manner in which they handle personal information or personal data or any interaction between Customer and the provider of such Third Party Products. Without limiting the foregoing, please know that all Personal Information shared with or submitted to the Third Party Products by or on behalf of Customer will be entirely outside of Fanfaire’s control and will not be subject to this DPA or any of Fanfaire’s privacy policies; provided, however, that any Personal Information shared by or submitted from the Third Party Products by or on behalf of Customer to the Services will be subject to the terms of this DPA. Fanfaire is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Third Party Products, or Customer’s reliance on the privacy practices, data security processes or other policies of such Third Party Products.
The providers of Third Party Products shall not be deemed or treated as Subprocessors for any purpose under this DPA unless otherwise expressly identified as Subprocessors on Annex III (or any Subprocessor lists linked to on Annex III).
19. Amendment. Fanfaire may from time to time update this DPA (including the Annexes attached hereto) to account for new technologies, industry practices, processing activities, regulatory and legal requirements or for other purposes. Fanfaire will provide notice to Customer if these changes are material and where otherwise required by applicable law. If and where required by applicable law or Customer’s applicable Customer Agreement, Fanfaire will also obtain Customer’s consent to the update. Notice may be by email to Customer at the last email address provided by Customer, by posting notice of such changes on the Fanfaire website and Platform, or by other means, consistent with applicable law. The Customer’s continued use of the Services after the amended DPA is posted to Fanfaire’s website (or notice is otherwise provided or consent is otherwise obtained to the extent required above) constitutes the Customer’s agreement to, and acceptance of, the amended DPA. If the Customer does not agree to any changes to the DPA, the Customer should cease use of the Services immediately.
Annex I
Description of Processing Activities / Transfer
List of Parties.
B. Description of the Processing and Transfer:
The parties acknowledge that Fanfaire’s processing of Personal Information will include all personal information and personal data submitted or uploaded to the Services by Customer and Customer’s Users (and/or third parties acting on their behalf) from time to time, for the purposes of, or otherwise in connection with, Fanfaire providing the Services to Customer.
Set out below is the description of the processing and transfers of personal data and personal information in connection with the Services provided by Fanfaire as contemplated as of the date of this DPA. Such description is subject to change or may be supplemented pursuant to Section 19 of the DPA.
Annex II
Security Measures
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Below is a description of the technical and organisational measures implemented by the Processor/ Data Importer (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Fanfaire implements and maintains technical and organizational security measures to protect Customers. Fanfaire has a dedicated security team that guides the implementation of controls, processes, and procedures governing the security of Fanfaire and its Customers. The Fanfaire security team is responsible for developing, implementing and maintaining an information security program that reflects the following:
Align security activities with Fanfaire’s strategies and support Fanfaire’s objectives.
Leverage security to facilitate confidentiality, integrity, and availability of data and assets.
Analyze identified or potential threats to Fanfaire and its Customers and provide reasonable remediation recommendations.
Actively monitor Fanfaire environments and utilize the intelligence gathered to continuously improve our security program.
Support secure infrastructure, platform, and feature development.
Periodically perform internal Red Teaming operations, to confirm control effectiveness and identify areas for improvement.
Perform threat modeling exercises when building new or materially modifying existing systems, components, and platforms to confirm proper protection and handling of data.
Manage security utilizing a risk based approach.
Implement measures designed to manage risks and potential impacts to an acceptable level.
Leverage industry security and compliance frameworks where relevant and applicable.
Provide security awareness training to Fanfaire employees and provide mechanisms for employees to reach directly out to the security team with questions.
Data Center, Cloud Providers, and Business Continuity/Disaster Recovery
Fanfaire leverages leading data center and cloud service providers to house our infrastructure.
Our cloud service providers utilize an array of security equipment, techniques, and procedures designed to control, monitor, and record access to the facilities.
Fanfaire leverages geographically separate data centers and cloud service provider availability zones to facilitate infrastructure and service availability and continuity.
Fanfaire has implemented solutions designed to protect against and mitigate effects of DDoS attacks.
Fanfaire has a team to support our platform and supporting infrastructure.
Fanfaire has business continuity disaster recovery plans which are tested periodically. Results of testing are leveraged to improve plans where necessary.
Encryption
Fanfaire uses TLS certificates (commonly referred to as SSL certificates) to encrypt data in transit between website end users and customer domains.
Fanfaire offers HSTS (HTTP Strict Transport Security), a response header that instructs browsers to access Fanfaire customer Digital Storefronts only via HTTPS. HSTS does not itself encrypt anything; the encryption is provided by TLS. What HSTS adds is that, once a browser has seen the header over HTTPS, it will refuse to connect to the storefront over plaintext HTTP for the policy's max-age, so a session cannot be downgraded to HTTP by a network attacker or a stray http:// link.
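The following is an added example, not Fanfaire's code, showing what a practitioner would check to confirm that a storefront domain actually enforces HTTPS-only access as described above: the plaintext HTTP endpoint must redirect to https://, and the HTTPS response must carry a well-formed Strict-Transport-Security header with a meaningful max-age (a year is the common baseline and the value the preload list requires) and includeSubDomains. The responses it inspects are constructed samples embedded in the block, not captured from any real site, so it runs offline; the domain store.example and the minimum max-age are assumptions for illustration.

```python
"""Check whether a storefront enforces HTTPS-only access via redirect + HSTS.

Added example, not Fanfaire's code. Operates on constructed sample responses
(dicts of status and headers) rather than live network calls, so it runs offline.
HSTS syntax follows RFC 6797 section 6.1.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed baseline for max-age, and the preload-list minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None when the header is
    invalid: max-age missing or non-numeric, or any directive repeated."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:  # RFC 6797: a directive MUST NOT appear more than once
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored by browsers, so they are ignored here too
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_storefront(http_response: dict, https_response: dict,
                      min_max_age: int = ONE_YEAR) -> list[str]:
    """Return a list of findings; an empty list means the domain enforces HTTPS."""
    findings = []
    # 1. Plaintext HTTP must redirect (permanently) to https://, never serve content.
    location = _header(http_response["headers"], "Location") or ""
    if http_response["status"] not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("http: does not permanently redirect to https://")
    # 2. Browsers only honour HSTS received over HTTPS; sending it over HTTP is pointless.
    if _header(http_response["headers"], "Strict-Transport-Security"):
        findings.append("http: HSTS header sent over plaintext HTTP is ignored by browsers")
    hsts = _header(https_response["headers"], "Strict-Transport-Security")
    if hsts is None:
        findings.append("https: no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(hsts)
    if policy is None:
        findings.append("https: malformed Strict-Transport-Security header")
        return findings
    if policy.max_age == 0:
        findings.append("https: max-age=0 tells browsers to forget the HSTS policy")
    elif policy.max_age < min_max_age:
        findings.append(f"https: max-age {policy.max_age} is below {min_max_age}")
    if not policy.include_subdomains:
        findings.append("https: includeSubDomains not set; subdomains remain downgradable")
    return findings


# Constructed sample responses for the assumed domain store.example (not real captures).
GOOD_HTTP = {"status": 301, "headers": {"Location": "https://store.example/"}}
GOOD_HTTPS = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}
WEAK_HTTP = {"status": 200, "headers": {"Content-Type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"strict-transport-security": "max-age=300"}}

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, assess_storefront(*pair) or ["no findings"])
```

The two checks are deliberately separate: the redirect protects a first-time visitor who types a plain http:// URL, while HSTS protects every later visit, and a storefront that has one without the other is still downgradable in one of the two cases.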
Application Level Security
Fanfaire uses a third-party identity provider for authentication, so no user passwords are stored by Fanfaire.
Two-factor authentication (2FA) is available on Fanfaire customer Command Centers for an added layer of security.
Fanfaire utilizes Web Application Firewall (WAF) technology.
Regular penetration testing is performed on the Fanfaire platform by Fanfaire’s security team as well as by a third party; the results are analyzed and remediated (as appropriate) by our engineering and security teams.
Customers are able to grant permissions to additional users to access their Command Center at their discretion.
Incident Response
In the event of an issue related to the security of the Fanfaire platform, the Fanfaire security team follows a formal incident response process.
Fanfaire analyzes identified or potential threats to Fanfaire and its customers, and takes reasonable actions where necessary.
Fanfaire Building and Network Access
Fanfaire does not currently have any physical office space and access to the Fanfaire internal network is restricted and monitored.
Systems Access Control
Access to Fanfaire systems is strictly limited to appropriate personnel.
Fanfaire subscribes to the principle of least privilege.
Fanfaire’s access control policy applies to systems that Fanfaire manages and maintains. The Fanfaire access control policy addresses control processes that include, but are not limited to:
Account provisioning/decommissioning
Privileged account management
User identification
Access logging and monitoring
Measures for ensuring data minimisation
Fanfaire allows visitors to use certain functionalities of its platform anonymously and minimises the Data it requires from Customers to only what is necessary to provide the service requested.
Measures for ensuring data quality
Fanfaire ensures the quality of its data through verification of emails that sign up to the fanfaire.io platform. Fanfaire also allows users to update the information in their accounts themselves or via requests to support.
Measures for ensuring limited data retention
Fanfaire maintains a Data Retention Policy setting out the retention periods for various types of data based on legal requirements, justified interests of Fanfaire and the purposes of collection.
Measures for ensuring accountability
Fanfaire has designated representatives where necessary to ensure data is protected.
Measures for allowing data portability and ensuring erasure
Fanfaire has a process for deleting Customer Data upon request within 28 days.
Security Risk Management
Threat intelligence and risk assessment are key components of Fanfaire’s information security program. Awareness and understanding of potential (and actual) threats guides the selection and implementation of appropriate security controls to mitigate risk. Potential security threats are identified, and assessed for severity and exploitability. If risk mitigation is required, the security team works with relevant stakeholders and system owners to remediate. The remediation efforts are tested to confirm the new measures/controls have achieved their intended purpose.
Law Enforcement Request Policy
Fanfaire respects the human rights of our customers and their end users. Fanfaire implements a robust law enforcement request policy which is designed to ensure that all law enforcement, governmental and regulatory requests are valid and made in accordance with applicable legal process. Fanfaire does not disclose data to law enforcement, regulatory or governmental bodies unless required by applicable law and objects to unlawful requests. If Fanfaire receives a demand for Customer’s Personal Information (as defined above), Fanfaire will attempt to redirect the law enforcement agency or regulatory or government body to request such data directly from the relevant customer. If compelled to disclose or provide access to data to law enforcement, regulatory or governmental bodies or agencies, Fanfaire will notify the relevant customer and provide them with a copy of the demand to allow them to seek a protective order or other appropriate remedy (except if such notification is legally prohibited, such as through a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).
Annex III
Subprocessors
The Controller has authorized the use of the following Subprocessors:
Annex IV
State Specific Requirements
California:
A. If Fanfaire is processing on behalf of Customer any Personal Information subject to the CPRA, then the following additional terms and conditions shall apply solely to the limited extent required by the CPRA and solely with respect to the Personal Information that is in the scope of the CPRA (and not with respect to any Personal Information that is covered by Data Protection Laws of other jurisdictions):
Fanfaire is prohibited from selling or sharing Personal Information it collects pursuant to Customer’s Customer Agreement.
The specific business purpose for which Fanfaire is processing the Personal Information pursuant to Customer’s Customer Agreement is to provide, manage and secure the Fanfaire Services, and Customer is disclosing the Personal Information to Fanfaire only for the limited and specified business purpose set forth in Customer’s Customer Agreement.
Fanfaire is prohibited from retaining, using, or disclosing the Personal Information that it collected pursuant to Customer’s Customer Agreement for any purpose other than for the business purpose specified in the Customer’s Customer Agreement or as otherwise permitted by the CPRA.
Fanfaire is prohibited from retaining, using, or disclosing the Personal Information that it collected pursuant to the Customer’s Customer Agreement for any commercial purpose (as that term is defined in the CPRA) other than the business purposes specified in such Customer Agreement, unless expressly permitted by the CPRA.
Fanfaire is prohibited from retaining, using, or disclosing the Personal Information that it collected pursuant to the Customer’s Customer Agreement outside the direct business relationship between Fanfaire and Customer, unless expressly permitted by the CPRA.
Fanfaire is required to comply with all applicable sections of the CPRA with respect to Personal Information of Customer that is subject to the CPRA, including – with respect to the Personal information that Fanfaire collected pursuant to the Customer’s Customer Agreement – providing the same level of privacy protection as required of businesses by the CPRA.
Fanfaire grants Customer the right to take reasonable and appropriate steps to ensure that Fanfaire uses the Personal Information that it collected pursuant to the Customer’s Customer Agreement in a manner consistent with Customer’s obligations under the CPRA.
Fanfaire is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CPRA.
Fanfaire grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Fanfaire’s unauthorized use of Customer’s Personal Information.
Fanfaire is required to enable Customer to comply with consumer requests made pursuant to the CPRA, and Customer is required to inform Fanfaire of any consumer request made pursuant to the CPRA that it must comply with and to provide the information necessary for Fanfaire to comply with the request.
If Fanfaire subcontracts with another person in providing services to Customer, Fanfaire shall have a contract with the subcontractor that complies with the CPRA.
B. To the extent that Section A above does not apply (i.e., Fanfaire is not considered a “service provider” or “contractor” of Customer, but is instead considered a “third party”, each as defined by the CPRA), and either Party sells or shares with the other Party any Personal Information in the scope of the CPRA, then the following additional terms and conditions shall apply solely to the limited extent required by the CPRA and solely with respect to the Personal Information that is in the scope of the CPRA (and not with respect to any Personal Information that is covered by Data Protection Laws of other jurisdictions):
The purposes for which the Personal Information is made available to and by Fanfaire are to provide, manage and secure the Fanfaire Services under the Customer’s Customer Agreement, subject to the applicable Party’s applicable privacy policy.
The Personal Information is made available to the receiving Party only for the limited and specified purposes set forth in the Customer’s Customer Agreement and is required to be used only for those limited and specified purposes.
The receiving Party is required to comply with applicable sections of the CPRA, including – with respect to the Personal Information that is made available to the receiving Party – providing the same level of privacy protection as required of businesses by the CPRA.
The disclosing Party is granted the right – with respect to the Personal Information that is made available – to take reasonable and appropriate steps to ensure that the receiving Party uses the Personal Information in a manner consistent with the disclosing Party’s obligations under the CPRA.
The disclosing Party is granted the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information made available to the receiving Party.
The receiving Party is required to notify the other Party after it makes a determination that it can no longer meet its obligations under the CPRA.
Virginia:
A. If Fanfaire is processing on behalf of Customer any Personal Information subject to the VCDPA, then the following additional terms and conditions shall apply solely to the limited extent required by the VCDPA and solely with respect to the Personal Information that is in the scope of the VCDPA (and not with respect to any Personal Information that is covered by Data Protection Laws of other jurisdictions):
Fanfaire shall ensure that each person processing Personal Information is subject to a duty of confidentiality with respect to the data.
At the Customer’s direction, Fanfaire shall delete or return all Personal Information to the Customer as requested at the end of the provision of Services, unless retention of the Personal Information is required by law.
Upon the reasonable request of the Customer, Fanfaire shall make available to the Customer all information in its possession necessary to demonstrate Fanfaire’s compliance with the obligations in the VCDPA.
Fanfaire shall allow, and cooperate with, reasonable assessments by the Customer or the Customer’s designated assessor; alternatively, Fanfaire may arrange for a qualified and independent assessor to conduct an assessment of Fanfaire’s policies and technical and organizational measures in support of the obligations under VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Fanfaire shall provide a report of such assessment to the Customer upon request.
Fanfaire shall engage any subcontractor pursuant to a written contract in accordance with the VCDPA that requires the subcontractor to meet the obligations of the processor with respect to the Personal Information.
Colorado:
A. If Fanfaire is processing on behalf of Customer any Personal Information subject to the ColoPA, then the following additional terms and conditions shall apply solely to the limited extent required by the ColoPA and solely with respect to the Personal Information that is in the scope of the ColoPA (and not with respect to any Personal Information that is covered by Data Protection Laws of other jurisdictions):
Fanfaire shall ensure that each person processing the Personal Information of Customer is subject to a duty of confidentiality with respect to the Personal Information.
Fanfaire shall engage a subcontractor only after providing the Customer with an opportunity to object and pursuant to a written contract that requires the subcontractor to meet the applicable obligations of the Customer under the ColoPA with respect to the Personal Information.
Taking into account the context of processing, Fanfaire and Customer shall each implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and Fanfaire and Customer agree that Customer’s Customer Agreement and the DPA establish a clear allocation of the responsibilities between them to implement the measures.
Customer’s Customer Agreement and the DPA set out the processing instructions to which Fanfaire is bound, including the nature and purpose of the processing by Fanfaire, as well as the type of Personal Information subject to the processing, and the duration of the processing.
At the choice of Customer, Fanfaire shall delete or return all Personal Information to the Customer as requested at the end of the provision of the Services, unless retention of the Personal Information is required by law.
Fanfaire shall make available to the Customer all information necessary to demonstrate Fanfaire’s compliance with its applicable obligations under ColoPA.
Fanfaire shall allow for, and contribute to, reasonable audits and inspections by the Customer or the Customer’s designated auditor. Alternatively, Fanfaire may, with the Customer’s consent, arrange for a qualified and independent auditor to conduct, at least annually and at Fanfaire’s expense, an audit of Fanfaire’s policies and technical and organizational measures in support of the obligations under the ColoPA using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. Fanfaire shall provide a report of the audit to the Customer upon request.
Connecticut:
A. If Fanfaire is processing on behalf of Customer any Personal Information subject to the CTDPA, then the following additional terms and conditions shall apply solely to the limited extent required by the CTDPA and solely with respect to the Personal Information that is in the scope of the CTDPA (and not with respect to any Personal Information that is covered by Data Protection Laws of other jurisdictions):
Customer’s Customer Agreement and the DPA are binding and set forth instructions for processing the Personal Information, the nature and purpose of processing, the type of Personal Information subject to processing, the duration of processing and the rights and obligations of both Fanfaire and Customer.
Fanfaire shall ensure that each person processing Personal Information of Customer is subject to a duty of confidentiality with respect to the Personal Information.
Fanfaire shall at the Customer’s direction, delete or return all Personal Information to the Customer as requested at the end of the provision of the Fanfaire Services, unless retention of the Personal Information is required by law.
Upon the reasonable request of the Customer, Fanfaire shall make available to the Customer all information in its possession necessary to demonstrate Fanfaire’s compliance with the applicable obligations of the CTDPA.
After providing Customer an opportunity to object, Fanfaire shall only engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the applicable obligations of Fanfaire under the CTDPA with respect to the Personal Information.
Fanfaire shall allow, and cooperate with, reasonable assessments by Customer or the Customer’s designated assessor, or Fanfaire may arrange for a qualified and independent assessor to conduct an assessment of Fanfaire’s policies and technical and organizational measures in support of the applicable obligations of the CTDPA, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Fanfaire shall provide a report of such assessment to Customer upon request.
Utah:
A. If Fanfaire is processing on behalf of Customer any Personal Information subject to the UCPA, then the following additional terms and conditions shall apply solely to the limited extent required by the UCPA and solely with respect to the Personal Information that is in the scope of the UCPA (and not with respect to any Personal Information that is covered by Data Protection Laws of other jurisdictions):
Customer’s Customer Agreement and the DPA set forth instructions for processing Customer’s Personal Information, the nature and purpose of the processing, the type of Personal Information subject to processing, the duration of the processing, and the parties' rights and obligations.
Fanfaire shall ensure each person processing Personal Information is subject to a duty of confidentiality with respect to the Personal Information.
Fanfaire shall only engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as Fanfaire under the UCPA with respect to the Personal Information.