PlaySkool
Sign up for weekly design tutorials and gamification strategies that drive results.
This Data Processing Addendum (“DPA”) is incorporated into and subject to the terms and conditions of the Agreement between BeeLiked Media Ltd (together with its Affiliates, “BeeLiked”) and the customer entity that is a party to the Agreement as a Member (“Customer”).
All capitalized terms not defined in this DPA have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” include this DPA (including the SCCs, where applicable, as defined herein).
Additional Data Protection Laws means, in addition to the Data Protection Laws, any applicable data protection and privacy laws, regulations, and regulatory requirements in jurisdictions outside of the UK and EU, including but not limited to: (i) the United States federal and state data protection laws, including the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”); (ii) the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); (iii) the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – “LGPD”), Federal Law No. 13,709/2018; (iv) the Privacy Act 1988 of Australia, as amended (“Australian Privacy Law”); and (v) any other applicable data protection or privacy laws in jurisdictions where Customer or BeeLiked operates or processes Personal Data, as may be amended or replaced from time to time.
Affiliate means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party to this Agreement. For purposes of this definition, ‘Control’ means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Agreement means these General Terms and all materials referred to or linked herein and, unless the context requires otherwise, includes all Order Forms and any addenda, schedules, or attachments to any of the foregoing, as may be amended by mutual written agreement of the parties from time to time.
Control means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the entity in question. The term “Controlled” shall be construed accordingly.
Customer Data means any data (including Personal Data) that the Customer submits, collects, or otherwise processes via the Subscription Service, including but not limited to User and Entrant Information. Customer Data is processed by BeeLiked on behalf of the Customer in accordance with the terms of this Agreement and the DPA. For clarity, Customer Data does not include BeeLiked Content or Promotion Content.
Data Privacy Framework means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and their respective successors (collectively, the “DPF”). Where BeeLiked self-certifies to the DPF, such certification shall be maintained in good standing. Participation in the DPF shall not limit BeeLiked’s obligations under applicable Data Protection Laws or the Data Processing Addendum.
Data Privacy Framework Principles means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as amended, superseded, or replaced. Where BeeLiked relies on the DPF for the transfer of Personal Data, it shall comply with the applicable Data Privacy Framework Principles in accordance with its certification and obligations under the DPF.
Data Protection Laws means, with respect to a party, all data protection and privacy laws and regulations applicable to that party’s processing of Customer Data under the Agreement, including, where applicable to such party, European Data Protection Laws and Additional Data Protection Laws.
European Data Protection Laws means, to the extent applicable to the processing of Customer Data under the Agreement, all data protection laws and regulations applicable in Europe, including: (i) Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”); (ii) Directive 2002/58/EC (ePrivacy Directive); (iii) national laws implementing (i) and (ii); (iv) the GDPR as incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”), in each case as amended, replaced, or superseded from time to time.
Europe, for the purposes of this DPA, means the European Economic Area and its member states (“EEA”), Switzerland, and the United Kingdom (“UK”).
BeeLiked Group means BeeLiked Media Ltd and any other entity that qualifies as an Affiliate as defined in the Agreement, provided such entity is directly involved in the provision of the Services or the processing of Customer Data under this Agreement.
SCCs means (i) the Standard Contractual Clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “2021 Controller-to-Processor Clauses”); or (ii) the Standard Contractual Clauses between processors adopted by the European Commission in the same Implementing Decision, also available at the above link (the “2021 Processor-to-Processor Clauses”). The applicable version shall be determined in accordance with Section 6.3, and shall be deemed to include any updated or successor clauses approved by the European Commission or other competent authority for international data transfers.
Security Incident means any unauthorized or unlawful breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed or controlled by BeeLiked, excluding incidents caused by the Customer or its Users. For clarity, Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Data, such as unsuccessful login attempts, pings, port scans, or other network attacks on firewalls or networked systems.
Sensitive Data means (a) a social security number, tax identification number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) a credit or debit card number (other than the truncated last four digits of a credit or debit card number); (c) employment, financial, credit, genetic, biometric, or health information; (d) racial, ethnic, political, or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws. Customer acknowledges and agrees that it shall not submit Sensitive Data to the Service unless expressly permitted by BeeLiked in writing. Customer further agrees that any unauthorized submission of Sensitive Data shall be at Customer’s sole risk and liability, and BeeLiked shall have no responsibility or liability for any processing of such data. BeeLiked reserves the right to immediately suspend or terminate access to the Service in the event of a breach of this provision.
Service means the services provided by BeeLiked to the Customer under the applicable Agreement, including access to and use of the BeeLiked Platform, any associated web-based applications and tools, and any ancillary services as specified in the relevant Order Form(s), but excluding Free Services unless otherwise expressly stated.
Sub-processor means any third party, including any Affiliate of BeeLiked, engaged by BeeLiked to process Customer Data on its behalf in connection with the provision of the Service under the Agreement or this DPA. Sub-processors do not include BeeLiked employees but may include contractors or consultants acting under BeeLiked’s direct authority and who are subject to data protection obligations equivalent to those set forth in this DPA. BeeLiked shall maintain an up-to-date list of Sub-processors and will provide the Customer with reasonable advance notice of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes on reasonable grounds related to data protection.
For the Permitted Purposes (defined below), the parties acknowledge and agree that, with regard to the processing of Customer Data, BeeLiked acts as a processor on behalf of the Customer, whether the Customer is itself a controller or a processor acting on behalf of a third-party controller. For the avoidance of doubt, this DPA applies only to processing activities where BeeLiked acts as a processor. In instances where BeeLiked determines the purposes and means of processing Customer Data and therefore acts as a controller, such processing is governed by BeeLiked’s Privacy Policy and, where applicable, the terms set forth in Annex C (Jurisdiction-Specific Terms). BeeLiked shall notify the Customer in writing before any such processing where it acts as a controller, unless such processing is required by applicable law. Where BeeLiked acts as a controller, it shall ensure that such processing is limited to what is necessary for its legitimate business purposes and shall provide the Customer with reasonable prior notice and an opportunity to object, unless prohibited by law.
BeeLiked shall process Customer Data, as further described in Annex A (Details of Data Processing) of this DPA, only in accordance with the Customer’s documented lawful instructions as set forth in this DPA, to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). The parties agree that the Agreement, including this DPA, along with the Customer’s configuration or use of any settings, features, or options in the Service (as the Customer may modify from time to time), constitutes the Customer’s complete and final instructions to BeeLiked regarding the processing of Customer Data (including for the purposes of the SCCs), provided that such configurations are technically feasible, clearly documented, and do not conflict with the terms of this DPA. BeeLiked shall promptly inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws or is unclear or technically infeasible and may suspend the execution of such instruction until the Customer confirms, clarifies, or modifies the instruction in writing. If the parties are unable to resolve the issue in good faith within a reasonable time, BeeLiked may terminate the affected processing activities upon written notice.
Customer will not provide, or cause to be provided, any Special Category Data (as defined in Data Protection Laws) to BeeLiked for processing under the Agreement. BeeLiked is not responsible for any Special Category Data submitted in breach of this provision, except to the extent that BeeLiked fails to comply with its obligations under applicable Data Protection Laws regarding such data. For the avoidance of doubt, this DPA will not apply to Special Category Data unless otherwise agreed in writing. If BeeLiked becomes aware that Special Category Data has been submitted, it may, without liability, delete such data or take reasonable remedial action. Customer shall promptly notify BeeLiked if it becomes aware that Special Category Data has been submitted, and the parties must cooperate in good faith to remediate any associated risks.
Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, regarding its processing of Customer Data and any processing instructions it issues to BeeLiked; and (ii) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for BeeLiked to process Customer Data for the purposes described in the Agreement. Customer bears sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Without limiting the generality of the foregoing, Customer agrees that it will be responsible for complying with all laws (including Data Protection Laws) applicable to any Campaigns (as defined in the Agreement) or other content created, sent, or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails, and its email deployment practices. BeeLiked is entitled to rely on the foregoing representations and warranties and will not be liable for any breach of those representations or any non-compliance by Customer with applicable laws.
Customer shall ensure that BeeLiked’s processing of Customer Data in accordance with Customer’s instructions does not cause BeeLiked to violate any applicable law, regulation, or rule, including Data Protection Laws. BeeLiked shall promptly notify Customer in writing, unless prohibited under European Data Protection Laws, if it becomes aware or reasonably believes that any data processing instruction from Customer violates European Data Protection Laws. In such cases, BeeLiked may suspend execution of the relevant instruction until Customer confirms or modifies the instruction to ensure compliance with applicable laws. BeeLiked shall not be liable for any breach of Data Protection Laws resulting from its processing of Customer Data in accordance with Customer’s instructions, provided that BeeLiked acts in good faith and relies on those instructions. Where Customer acts as a processor on behalf of a third-party controller (or intermediary), Customer warrants that its instructions, including authorizations to BeeLiked for the appointment of Sub-processors, have been duly authorized by the relevant controller. BeeLiked is not required to verify such authorization and may rely on Customer’s representations. Customer shall serve as the sole point of contact for BeeLiked, and BeeLiked is not required to interact directly with any third-party controller except as required by the Agreement. Customer is responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
Customer authorizes BeeLiked or any member of the BeeLiked Group, on behalf of and for the benefit of BeeLiked, to engage Sub-processors to process Customer Data in accordance with Section 3.2 to assist BeeLiked in fulfilling its obligations with respect to providing the Service under the Agreement. BeeLiked shall notify Customer in writing (including via email) at least 15 days before any intended addition or replacement of a Sub-processor. Customer may object to such changes on reasonable data protection grounds by providing written notice to BeeLiked within 10 days of receiving such notice. If so, the parties shall work together in good faith to address the Customer’s concerns, including making commercially reasonable efforts to find an alternative solution. If no resolution is reached within 15 days of BeeLiked receiving the objection, BeeLiked may, at its discretion, either not appoint the proposed Sub-processor or terminate the affected portion of the Service without liability, provided that such termination is limited to the specific Service(s) that cannot be provided without the use of the proposed Sub-processor.
BeeLiked shall: (i) enter into a written agreement with each Sub-processor that includes data protection obligations that are no less protective of Customer Data than those set forth in this DPA, considering the nature of the services provided by such Sub-processor; and (ii) remain fully liable for the Sub-processor’s performance of its obligations and any acts or omissions that cause BeeLiked to breach its obligations under this DPA. Customer acknowledges and agrees that, where applicable, BeeLiked fulfills its obligations under Clause 9 of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses by complying with this Section 3. BeeLiked may be restricted from disclosing full copies of Sub-processor agreements due to confidentiality obligations but shall, upon request, use reasonable efforts to provide Customer with sufficient information, such as a summary of relevant contractual terms or audit reports, to demonstrate the Sub-processor’s compliance with the obligations outlined in this DPA. If the Customer reasonably determines that the information provided is insufficient, the parties shall cooperate in good faith to address the Customer’s concerns, which may include facilitating a discussion with the Sub-processor or providing additional documentation, subject to confidentiality obligations.
BeeLiked shall implement and maintain appropriate technical and organizational security measures, as described in Annex B (“Security Measures”) of this DPA, designed to preserve the security, integrity, and confidentiality of Customer Data and to protect against Security Incidents. BeeLiked shall review and update the Security Measures at least annually or as required to comply with applicable Data Protection Laws.
BeeLiked shall ensure that any person authorized by BeeLiked to process Customer Data (including its staff, agents, and subcontractors) is subject to a written or statutory obligation of confidentiality that is no less protective than the confidentiality obligations set forth in this Agreement. This obligation shall survive the termination of their engagement and the termination or expiry of this Agreement.
Customer is responsible for reviewing the information provided by BeeLiked regarding data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that BeeLiked may update or modify the Security Measures periodically, provided that such updates and modifications do not materially degrade the overall security of the Service provided to Customer. BeeLiked shall notify Customer in advance of any material changes to the Security Measures that may affect the processing of Customer Data. If a material degradation of security occurs, Customer may terminate the affected Service upon written notice within thirty (30) days after such change becomes effective, without penalty.
Upon becoming aware of a Security Incident, BeeLiked shall, without undue delay, and in any event within seventy-two (72) hours of discovery, take the following actions:
(i) notify Customer without undue delay;
(ii) provide Customer with information, subject to applicable confidentiality and legal requirements, as reasonably necessary to assist Customer with its notification and reporting responsibilities, provided that such disclosure does not materially compromise BeeLiked’s own security posture or violate applicable law;
(iii) take appropriate steps to identify the cause of the Security Incident, minimize exposure of Customer Data, and secure the Customer Data, to the extent remediation is within BeeLiked’s reasonable control.
BeeLiked’s notification of or response to a Security Incident under this DPA will not be construed as an acknowledgment by BeeLiked of any fault or liability regarding the Security Incident. BeeLiked will not assess the contents of Customer Data to identify specific reporting or other legal obligations applicable to the Customer. Any regulatory and/or data subject reporting obligations related to the Security Incident are the responsibility of the Customer. However, BeeLiked will provide reasonable cooperation and assistance to the Customer to enable the Customer to comply with its obligations under applicable Data Protection Laws. If the Security Incident was caused by BeeLiked’s breach of this Agreement or applicable law, such assistance will be provided at no additional cost to the Customer. BeeLiked will deliver notifications of any Security Incidents to the notification email address provided in the Agreement. The Customer is solely responsible for ensuring that the notification contact details (e.g., phone and email) are valid and accurate.
Notwithstanding the above, the Customer agrees that, except as provided by this DPA, the Customer is responsible for its secure use of the Service, including securing its account authentication credentials and protecting the security of Customer Data when in transit to and from the Service, and for taking appropriate steps to securely encrypt or back up Customer Data uploaded to the Service. For the avoidance of doubt, BeeLiked remains responsible for the security of Customer Data while it is stored or processed within systems managed or controlled by BeeLiked, in accordance with this DPA.
BeeLiked shall make available to the Customer, upon written request, all information reasonably necessary to demonstrate compliance with this DPA. This information will be provided no more than once annually, unless required more frequently by applicable Data Protection Laws or a regulator with jurisdiction over the Customer. The Customer may, at its own expense and subject to reasonable confidentiality obligations, engage an independent third-party auditor (approved by BeeLiked, such approval not to be unreasonably withheld) to conduct an audit, including a review of relevant documentation and, where strictly necessary, an inspection of BeeLiked’s data processing facilities, solely to assess compliance with this DPA. Any audit is subject to BeeLiked’s prior written approval of the scope, duration, and personnel involved and must be conducted during regular business hours, with at least thirty (30) days’ prior written notice, and in a manner that minimizes disruption to BeeLiked’s operations. The Customer agrees that it shall exercise its audit rights under this DPA (including this Section 5.1 and, where applicable, the SCCs) and any audit rights granted by Data Protection Laws by first requesting the information described in Sections 5.2 and 5.3 and proceed with an audit only if such information is insufficient to demonstrate compliance.
The Customer acknowledges that BeeLiked is regularly audited against recognized industry standards (such as ISO 27001 or SOC 2) by independent internal and external auditors. Upon the Customer’s written request, made no more than once per calendar year, BeeLiked shall provide the Customer, on a confidential basis, with a summary of its most recent audit reports (the “Report”) solely to verify BeeLiked’s compliance with the applicable audit standards and its obligations under this DPA. The Report shall exclude any proprietary or commercially sensitive information not relevant to that verification. The Customer agrees to treat the Report as Confidential Information and will not disclose it to any third party or use it for any purpose other than the stated verification without BeeLiked’s prior written consent.
In addition to the Report, BeeLiked shall respond to all reasonable requests for information from Customer to confirm BeeLiked’s compliance with this DPA by providing information regarding its information security program upon Customer’s written request. Customer shall not exercise this right more than once per calendar year.
Subject to Section 6.2, Customer acknowledges that BeeLiked may transfer and process Customer Data in the United States and other jurisdictions where BeeLiked, its Affiliates, or its Sub-processors maintain data processing operations solely for the Permitted Purposes. BeeLiked shall ensure that all such transfers are conducted in compliance with applicable Data Protection Laws and this DPA, including, where applicable, through the use of appropriate safeguards such as Standard Contractual Clauses (SCCs), the Data Privacy Framework, or other lawful transfer mechanisms recognized under European Data Protection Laws. BeeLiked shall notify Customer in advance of any material changes to the applicable transfer mechanisms or the jurisdictions in which Customer Data is processed and shall provide Customer with an opportunity to object to such changes where required by applicable law.
To the extent that BeeLiked receives Customer Data protected by Australian Privacy Law, the parties acknowledge and agree that BeeLiked may transfer such Customer Data outside of Australia, provided that: (a) such transfer aligns with the terms agreed upon by the parties; (b) BeeLiked complies with this DPA and Australian Privacy Law; and (c) BeeLiked ensures that the overseas recipient either: (i) is subject to privacy obligations substantially similar to those under the Australian Privacy Principles through a binding written agreement or other legally enforceable instrument; or (ii) the transfer is otherwise permitted under Australian Privacy Law, including if the Customer has expressly consented to the transfer after being informed that the overseas recipient may not be subject to similar privacy obligations.
To the extent that BeeLiked receives Customer Data protected by European Data Protection Laws in a country outside of the EEA that is not recognized as providing an adequate level of protection for personal data (as described in applicable European Data Protection Laws), the parties agree that such transfers must comply with the applicable European Data Protection Laws. BeeLiked shall implement appropriate safeguards, including, where applicable, the Standard Contractual Clauses (SCCs), the Data Privacy Framework (DPF), or any other lawful data transfer mechanism recognized under European Data Protection Laws, as further described in this DPA. Where multiple mechanisms are available, the SCCs apply by default unless the parties agree otherwise in writing. BeeLiked shall notify the Customer of any material changes to the transfer mechanism used.
BeeLiked will use the Data Privacy Framework to lawfully receive Customer Data in the United States and will ensure that it provides at least the same level of protection to such Customer Data as required by the Data Privacy Framework Principles. If BeeLiked determines that it can no longer meet this obligation, it will notify Customer in writing without undue delay, and in any event, within five (5) business days. Following such notification, BeeLiked will either (i) take reasonable and appropriate steps to remediate the non-compliance within thirty (30) days of notification; or (ii) cease processing Customer Data and, at Customer’s written request, return or securely delete such data; or (iii) take other reasonable and appropriate steps to ensure that the transfer is otherwise adequately protected under applicable Data Protection Laws, subject to Customer’s prior written approval.
If European Data Protection Laws require appropriate safeguards for transferring Customer Data to BeeLiked (e.g., if the Data Privacy Framework does not apply or is invalidated), the Standard Contractual Clauses (SCCs) defined in this DPA are incorporated into and form an integral part of this DPA. The applicable SCC module (e.g., controller-to-processor or processor-to-processor) is selected based on the parties’ roles in Annex A of this DPA. If the SCCs and this DPA conflict, the SCCs prevail as required by European Data Protection Laws.
Regarding transfers subject to UK Data Protection Laws, the SCCs apply, where applicable per subsection (b) above, and are amended as specified in the UK Addendum. The parties are deemed to have executed the UK Addendum, which is incorporated into and forms an integral part of this DPA. Furthermore: (i) Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed with the information in Annexes I and II of the relevant SCCs; and (ii) Table 4 in Part 1 of the UK Addendum is deemed completed by selecting ‘BeeLiked,’ unless the parties agree otherwise in writing to allow future amendments.
Regarding transfers subject to the Swiss Federal Act on Data Protection (‘FADP’), the SCCs, where applicable per subsection (b) above, apply with these modifications: (i) references to ‘Regulation (EU) 2016/679’ are interpreted as references to the FADP; (ii) references to specific Articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the FADP; (iii) references to ‘EU,’ ‘Union,’ and ‘Member State law’ are replaced with ‘Switzerland’; (iv) Clause 13(a) and Part C of Annex II are deleted to the extent they are inapplicable under Swiss law; (v) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with ‘the Swiss Federal Data Protection and Information Commissioner’ and ‘relevant courts in Switzerland’; (vi) Clause 17 is replaced to state, ‘The Clauses are governed by the laws of Switzerland’; and (vii) Clause 18 is replaced to state, ‘Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The parties agree to submit to the jurisdiction of such courts.’ The parties also agree to cooperate in good faith and without undue delay to amend this DPA as necessary to ensure continued compliance with the FADP if Swiss data protection laws change, with either party entitled to initiate amendments.
If BeeLiked determines it cannot ensure compliance with the SCCs (where applicable), it must promptly notify Customer in writing. Customer may then, as a last resort, suspend the transfer of European Data or terminate only the affected Service portions if: (i) Customer first provides BeeLiked written notice of its intent to suspend or terminate, including reasonable details of the non-compliance; (ii) BeeLiked has at least thirty (30) days from receipt of the notice to cure the non-compliance or propose a lawful data transfer alternative; and (iii) during the cure period, the parties cooperate in good faith to identify and implement reasonably required additional safeguards or measures. Suspension or termination may occur only if BeeLiked fails to cure the non-compliance or implement a mutually agreeable alternative within the cure period.
To the extent BeeLiked adopts an alternative lawful data transfer mechanism for the transfer of European Data not described in this DPA (“Alternative Transfer Mechanism”) and that mechanism complies with applicable European Data Protection Laws and extends to the countries to which European Data is transferred, the Alternative Transfer Mechanism will apply instead of the transfer mechanisms described in this DPA. BeeLiked shall notify Customer in writing before implementing any Alternative Transfer Mechanism. Unless Customer reasonably objects in writing within fifteen (15) days of that notice, the Alternative Transfer Mechanism is deemed accepted. Furthermore, if a court of competent jurisdiction or supervisory authority determines that the measures described in this DPA are insufficient for the lawful transfer of European Data, BeeLiked may, upon written notice to Customer, implement additional measures or safeguards reasonably required to enable that lawful transfer and may continue data transfers during a reasonable implementation period unless prohibited by applicable law or regulatory order.
Upon termination or expiration of the Agreement, BeeLiked shall, within thirty (30) days, provide Customer with the ability to retrieve all Customer Data in its possession or control. At Customer’s written election, BeeLiked shall either return or delete all Customer Data, including all copies, except to the extent that BeeLiked is required by applicable law to retain some or all of the Customer Data, where that data is stored in archived systems, or where retention is necessary for the establishment, exercise, or defense of legal claims. Any retained Customer Data shall be securely isolated and protected from further processing (except as required by law) and must be deleted in accordance with BeeLiked’s data retention and deletion policies, which shall be made available to Customer upon request. BeeLiked shall not use Customer Data for any purpose after termination of the Agreement. Upon Customer’s written request and where required by applicable Data Protection Laws or the DPA, BeeLiked shall provide a written certification of deletion of Customer Data.
As part of the Service, BeeLiked provides the Customer with several self-service features that the Customer may use to retrieve, correct, delete, or restrict the use of Customer Data. The Customer may use these features to assist in fulfilling its (or its third-party controller’s) obligations under the Data Protection Laws with respect to responding to requests from data subjects via the Customer’s account at no additional cost. In addition, considering the nature of the processing and the information available to BeeLiked, BeeLiked will provide reasonable additional assistance to the Customer, upon the Customer’s written request, to enable the Customer (or its third-party controller) to comply with its obligations under Data Protection Laws in relation to data subject rights. This assistance will be provided without undue delay and may be subject to reimbursement of BeeLiked’s reasonable costs, as agreed to in writing in advance. If any such request is made directly to BeeLiked, BeeLiked will not respond to the communication except as legally required or as appropriate (e.g., to direct the data subject to contact the Customer) and, where feasible, only with the Customer’s prior written authorization. If BeeLiked is required by law to respond to a request, and the Customer is identified or identifiable from the request, BeeLiked will promptly notify the Customer and provide a copy of the request, unless legally prohibited from doing so. The Customer shall respond to the notification without undue delay and in any event within five business days. To avoid doubt, nothing in the Agreement, including this DPA, shall restrict or prevent BeeLiked from responding to any data subject or data protection authority requests regarding personal data for which BeeLiked acts as a controller, as defined under applicable Data Protection Laws.
To the extent required by applicable Data Protection Laws, BeeLiked will, considering the nature of the processing and the information available to BeeLiked, provide all reasonably requested information regarding the Service to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. BeeLiked will comply with the foregoing by: (i) complying with Section 5 (Security Reports and Audits); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if subsections (i) and (ii) are insufficient for the Customer to comply with such obligations, BeeLiked will provide additional reasonable assistance upon request at the Customer’s expense.
To the extent that BeeLiked processes Customer Data originating from and protected by Data Protection Laws in a jurisdiction listed in Annex C, the terms specified in Annex C with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) will apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms shall prevail, but only to the extent they are applicable to BeeLiked’s processing activities. BeeLiked will notify the Customer in writing at least thirty days in advance of any material changes to Annex C that may affect the applicability or precedence of the Jurisdiction-Specific Terms. If such changes materially and adversely affect the Customer’s rights or obligations under this DPA, the Customer may terminate the affected services by providing written notice to BeeLiked within 30 days of receiving the notice.
Each party’s and its Affiliates’ aggregate liability arising out of or related to this DPA (including the SCCs) is subject to the exclusions and limitations of liability set forth in the Agreement. For clarity, and notwithstanding anything to the contrary in the Agreement, BeeLiked’s total aggregate liability under this DPA, including the SCCs, shall not exceed the total amount the Customer paid to BeeLiked under the Agreement in the twelve months preceding the event giving rise to the liability. In no event shall either party be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, data, or use, even if advised of the possibility of such damages.
Claims against BeeLiked or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is party to the Agreement. BeeLiked is not liable for claims brought by third parties, including data subjects or supervisory authorities, except to the extent that such claims are expressly required to be permitted under applicable Data Protection Laws.
Neither party shall limit its liability for breaches of this DPA where such limitation is expressly prohibited by applicable Data Protection Laws. Subject to the foregoing, and except in cases of willful misconduct, gross negligence, or a Data Breach caused by a party’s failure to implement appropriate technical and organizational measures, each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.
This DPA shall remain in effect for the duration of BeeLiked’s processing of Customer Data on behalf of the Customer, including following termination of the Agreement, until all Customer Data has been returned or deleted in accordance with Section 7.1. Notwithstanding the termination of the Agreement, the provisions of this DPA survive as long as BeeLiked continues to process Customer Data.
This DPA supersedes and replaces any prior data processing agreements or similar documents entered into by the parties solely to the extent that they relate to the processing of Customer Data under the Agreement. This replacement does not affect any other agreements or terms not expressly covered by this DPA.
If there is any conflict or inconsistency between this DPA and the Agreement (including the Customer Terms of Service), the provisions of the following documents shall prevail in the following order of precedence: (i) the SCCs; (ii) this DPA; and (iii) the Agreement, including the Customer Terms of Service.
Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
Except as expressly provided in this DPA, a person who is not a party to this DPA shall have no rights under the Contracts (Rights of Third Parties) Act 1999 (or any equivalent legislation in any applicable jurisdiction) to enforce any of its terms. This does not affect any right or remedy of a third party that exists or is available apart from that Act or equivalent legislation.
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions set forth in the Agreement. However, where and to the extent that applicable Data Protection Laws require that specific data processing activities be governed by different laws or subject to the jurisdiction of specific courts or authorities, those laws and jurisdictions apply solely to those specific activities, to the extent required by such Data Protection Laws.
The categories of data subjects whose Personal Data may be Processed by BeeLiked on behalf of the Customer include, but are not limited to: (i) Users (i.e., individual end users, including Admin Users, who have access to the Customer’s Account on the BeeLiked Platform); (ii) Entrants (i.e., individual users who interact with the Customer’s Promotions hosted on the BeeLiked Platform); and (iii) Customer personnel or representatives who provide or manage Customer Data within the Subscription Service. Depending on the Customer’s specific use of the BeeLiked Platform, additional categories of data subjects may be involved, such as employees of the Customer’s Affiliates or third-party contractors. BeeLiked will Process Personal Data only according to the Customer’s documented instructions and as set forth in the Agreement and the DPA.
Customer may upload, submit, or otherwise provide certain Personal Data to the Service; the extent and nature of which are determined and controlled solely by Customer. BeeLiked shall process such Personal Data only on behalf of Customer and according to the terms of the Data Processing Addendum (DPA), applicable Data Protection Laws, and Customer’s documented instructions.
BeeLiked does not intentionally collect or process any Sensitive Data (as defined in this Agreement) in connection with the provision of the Service. Customer agrees not to upload or otherwise provide Sensitive Data to the Service. If BeeLiked becomes aware that Sensitive Data has been submitted, BeeLiked will promptly notify Customer and may delete such data. BeeLiked disclaims liability for any Sensitive Data submitted in breach of this Agreement or the Data Processing Addendum (DPA) to the maximum extent permitted by applicable law.
The processing of Customer Data will occur as necessary to provide the Service, according to the documented lawful instructions of the Customer, the functionality of the applicable Service, and for the Permitted Purposes as defined in this DPA.
BeeLiked provides a SaaS platform for creating and managing promotions and campaigns. The subject matter of the data processing under this DPA is Customer Data, which will be processed according to the Agreement (including this DPA) solely for the Permitted Purposes and may be subject to the following processing activities.
BeeLiked shall process Customer Data only for the Permitted Purposes, which include: (i) processing necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with Customer’s reasonable, documented, and lawful instructions that are consistent with the terms of the Agreement and applicable Data Protection Laws (e.g., via email or support tickets). BeeLiked is not liable for processing carried out according to Customer’s instructions that are unlawful or infringe applicable Data Protection Laws if BeeLiked was not aware and could not reasonably have been expected to be aware that such instructions were unlawful. If BeeLiked becomes aware that any instruction is unlawful, BeeLiked shall promptly notify Customer and may suspend the execution of such instruction until Customer confirms or modifies the instruction.
BeeLiked will process Customer Data for the duration of the Agreement or as otherwise required by applicable law. Upon termination or expiration of the Agreement, BeeLiked shall, within thirty (30) days, return Customer Data in a commonly used electronic format or delete it, in accordance with Section 7 (Return or Deletion of Data) of the DPA, unless retention is required by applicable law. Upon Customer’s written request, BeeLiked shall confirm in writing the completion of the return or the deletion.
BeeLiked shall implement and maintain appropriate technical and organizational security measures consistent with industry standards such as ISO27001 or SOC 2. These measures are designed to preserve the security, integrity, and confidentiality of Customer Data and to protect against Security Incidents. BeeLiked shall review and update these measures at least annually or in response to material changes in security threats, as necessary. If BeeLiked becomes aware of a Security Incident involving Customer Data, BeeLiked shall notify Customer without undue delay, and in any event, within seventy-two (72) hours, in accordance with the Data Processing Addendum. This notice shall include, to the extent known, a description of the nature of the Security Incident, the categories and approximate number of data subjects and data records concerned, and the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.
Customer acknowledges that the Security Measures are subject to technical progress and development. BeeLiked may update or modify the Security Measures from time to time, provided that these updates and modifications do not materially degrade the overall security of the Service. BeeLiked shall provide Customer with at least thirty (30) days’ prior written notice of any material changes to the Security Measures that are reasonably likely to affect the processing of Customer Data, unless such notice is not possible due to urgent security concerns, in which case BeeLiked shall notify Customer as soon as reasonably practicable thereafter.
BeeLiked will implement and maintain appropriate technical and organizational measures, in accordance with applicable Data Protection Laws, industry standards, and the Data Processing Addendum (DPA), to protect Customer Data against unauthorized access, alteration, disclosure, or destruction. These measures shall include, at a minimum, access controls, encryption, and regular security assessments.
Customer may object in writing to BeeLiked’s appointment of a new Sub-processor within ten (10) calendar days of receiving notice in accordance with Section 3.1 of the DPA, provided that the objection is based on reasonable and documented grounds specifically relating to data protection. If this occurs, the parties will engage in good faith discussions to address the Customer’s concerns and seek a commercially reasonable resolution within thirty (30) calendar days of BeeLiked’s receipt of the objection. If the parties cannot reach a resolution within that period, BeeLiked may, at its discretion: (i) not appoint the proposed Sub-processor; (ii) propose an alternative Sub-processor; or (iii) permit Customer to suspend or terminate the affected Service according to the termination provisions of the Agreement. If a suspension or termination occurs, neither party is liable to the other for the termination, provided that Customer remains responsible for any fees incurred for Services rendered before the effective date of suspension or termination.
As a general practice, BeeLiked does not voluntarily provide government agencies or authorities (including law enforcement) with access to Customer Data. If BeeLiked receives a legally binding request (such as a subpoena, court order, or search warrant) for access to Customer Data, BeeLiked will, to the extent permitted by applicable law and without undue delay: (i) review the legality of the request; (ii) inform the requesting agency that BeeLiked is a Processor acting on behalf of the Customer; (iii) attempt to redirect the request to the Customer; (iv) notify the Customer of the request to allow the Customer to seek a protective order or other appropriate remedy, unless legally prohibited from doing so; (v) provide only the minimum amount of Customer Data necessary to comply with the request; and (vi) maintain a record of such requests and BeeLiked’s responses for audit and compliance purposes.
BeeLiked shall ensure that its sub-processors comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and all other applicable Canadian data protection laws. BeeLiked shall enter into written agreements with its sub-processors that impose data protection obligations substantially similar to those set forth in this Agreement, including obligations regarding the protection of Customer Data. BeeLiked shall ensure that any transfers of Customer Data to a jurisdiction outside of Canada comply with applicable Canadian data protection laws, including by using appropriate contractual or other legally recognized transfer mechanisms, as reasonably determined by BeeLiked. If Canadian data protection laws conflict with other applicable data protection laws, BeeLiked shall promptly notify Customer, and the parties shall cooperate in good faith to agree on a resolution that ensures continued compliance with PIPEDA, provided that BeeLiked is not required to take any action that would violate applicable law or materially increase its compliance burden without mutual written agreement.
Sign up for weekly design tutorials and gamification strategies that drive results.
