info@gsestudioweb.co.uk

ADDENDUM

Data Protection Agreement

This Data Processing Addendum (“Addendum”) is incorporated by reference into the Affiliate Program Terms and Conditions (“Affiliate T&C”), as updated from time to time, by and between you (“Affiliate”), and GSE StudioWeb and/or its affiliated companies (“GSE StudioWeb” or “Processor”), (collectively, the “Agreement”). This Addendum is entered into as of the later of the dates beneath the parties’ signatures below.

This Addendum is supplemental to the Agreement and sets out the terms that apply when Personal Data, as defined in the Data Protection Legislation, is processed by GSE StudioWeb on behalf of Affiliate under the Agreement. The purpose of the Addendum is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data are processed.

Capitalised terms used but not defined in this Addendum have the same meanings as set out in the Agreement.

Data Protection Legislation: means all laws and regulations, including laws and regulations of

(i) the General Data Protection Regulation (“GDPR”) ((EU) 2016/679),

(ii) California Consumer Privacy Act (“CCPA”), Cal. Civ. Code §1798.100 et seq.,

(iii) any national or state implementing laws, regulations and secondary legislation, as amended or updated from time to time, and

(iv) when the GDPR is no longer directly applicable in the UK, then any successor legislation to the GDPR or the Data Protection Act 1998.

1. Applicability

1.1 Applicability. This Addendum shall only apply to the Agreement to the extent Affiliate is established in a jurisdiction with applicable Data Protection Legislation (for example, within the European Union (“EU”) and Switzerland for the GDPR, or within the state of California for CCPA) and/or to the extent GSE StudioWeb processes Personal Data of Data Subjects located in the relevant jurisdiction on behalf of Affiliate.

2. Data Protection

2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation.
2.2 The subject matter and duration of processing, nature and purpose of processing, specific types of Personal Data that GSE StudioWeb will process and categories of Data Subjects who’s Personal Data will be processed are set forth in Schedule 1 (Scope of Processing). The parties acknowledge that for the purposes of the Data Protection Legislation, the Affiliate is the data controller and GSE StudioWeb is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).
2.3 Without prejudice to the generality of clause 2.1, the Affiliate, as Controller, shall be responsible for ensuring that, in connection with Affiliate Personal Data and the Services,
(i) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including all applicable Data Protection Legislation; and
(ii) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to GSE StudioWeb for processing in accordance with the terms of the Agreement and this Addendum.
2.4 Affiliate instructs GSE StudioWeb to process Personal Data
(a) in accordance with the Agreement and Schedule 1;
(b) to provide the Services and any related technical support;
(c) as further specified via Affiliate’s use of the Services (including in the settings and other functionality of the Services) and any related technical support; and
(d) to comply with other reasonable instructions provided by Affiliate where such instructions are consistent with the terms of the Agreement and this Addendum. Affiliate will ensure that its instructions for the processing of Personal Data shall comply with all applicable Data Protection Legislation. If GSE StudioWeb believes or becomes aware that any of Affiliate’s instructions conflict with any Data Protection Legislation, GSE StudioWeb shall inform Affiliate immediately. GSE StudioWeb may process Personal Data other than on the instructions of Affiliate if it is required under applicable law to which GSE StudioWeb is subject. Where GSE StudioWeb is relying on applicable law as the basis for processing Personal Data, GSE StudioWeb shall promptly notify the Affiliate of this before performing the processing required by the applicable laws unless those applicable laws prohibit GSE StudioWeb from so notifying the Affiliate.
2.5 GSE StudioWeb shall, in relation to any Personal Data processed in connection with the performance by GSE StudioWeb of its obligations under this Agreement:
(a) implement appropriate technical and organisational measures (please refer to schedule 2) to safeguard Personal Data, taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
(b) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(c) comply with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred;
(d) assist the Affiliate, at the Affiliate’s cost and by appropriate technical and organisational measures considering the nature of processing, in fulfilling Affiliate’s obligations to respond to Data Subject requests under the Data Protection Legislation, to the extent Affiliate does not have access to the Personal Data necessary to respond to such requests through its use or receipt of the Services. For the avoidance of doubt, Affiliate is responsible for responding to Data Subject request for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data;
(e) take reasonable measures to cooperate and assist Affiliate in conducting a data protection impact assessment and related consultations with any supervisory authority, if Affiliate is required to do so under the Data Protection Legislation;
(f) notify the Affiliate without undue delay on becoming aware of a Personal Data breach, provided that such breach is not caused by Affiliate or Affiliate’s personnel or end users;
(g) make available to Affiliate all information reasonably necessary to demonstrate GSE StudioWeb’s compliance with this Addendum. If so entitled under applicable Data Protection Legislation, Affiliate may engage a mutually
agreed upon third party to audit GSE StudioWeb no more than once per year and solely for the purposes of meeting its audit requirements pursuant to applicable Data Protection Legislation. To request an audit, Affiliate must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to legal@GSE StudioWeb.com. The auditor must execute a written confidentiality agreement acceptable to GSE StudioWeb before conducting the audit. The audit must be conducted during regular business hours, subject to GSE StudioWeb’s policies, and may not unreasonably interfere with GSE StudioWeb’s business activities. Any audits are at Affiliate’s sole cost and expense;
(h) upon termination or expiration of the Agreement, in accordance with the terms of the Agreement, cease all processing of Affiliate Personal Data and delete or make available to Affiliate for retrieval all relevant Affiliate Personal Data in GSE StudioWeb’s possession, except as otherwise prohibited or allowed by any applicable law. GSE StudioWeb shall extend the protections of the Agreement and this Addendum to any such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention.
2.6 The Affiliate consents to the use of those companies listed in the Privacy Policy as third-party processors of Personal Data under this agreement (“Sub-processors”). GSE StudioWeb will contractually impose data protection obligations on its Sub-processors that are at least equivalent to those data protection obligations imposed on GSE StudioWeb under this Addendum. As between the Affiliate and GSE StudioWeb, GSE StudioWeb shall remain fully liable for all acts or omissions of any Sub-processor appointed by it pursuant to this Section 2.6. If GSE StudioWeb engages a new Sub-processor in a manner that such Sub-processor will process Affiliate’s Personal Data, GSE StudioWeb will notify Affiliate by updating its list of Sub-processors located on its website and informing Affiliate of the change via email or the use of its Affiliate portal. If, within 30 days of receipt of that notice, Affiliate notifies GSE StudioWeb in writing of any objections (on reasonable grounds) to the proposed addition, the parties will work together to find a mutually agreeable solution. In case the parties are not able to find a mutually agreeable solution, GSE StudioWeb is entitled to terminate agreement and addendum without notice.
2.7 Personal data collected on our websites may be stored and processed in the United Kingdom or any other country in which GSE StudioWeb and its Sub-processors or their respective subsidiaries and affiliates maintain facilities, including countries which may not have data protection laws similar to the laws in the country from which you initially provided the information. By choosing to use and submit data via the GSE StudioWeb Site or the Affiliate Program you consent to any such transfer of information outside of your country.

3. Miscellaneous

3.1 Except as stated in this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control as it relates to processing Affiliate Personal Data.
3.2 Any claims brought under this Addendum shall be subject to the terms and conditions, including by not limited to, the exclusion and limitations set forth in the Agreement.

Schedule 1

Scope of Processing

Details of Data Processing

1. Subject matter: The subject matter of the data processing under this Addendum is the Affiliate Personal Data as defined under the appropriate Data Protection Legislation or as otherwise defined in the Agreement.
2. Duration: As between GSE StudioWeb and Affiliate, the duration of the data processing under this Addendum is until the termination of the Agreement in accordance with its terms, except as otherwise required by applicable law.
3. Purpose: The purpose of the data processing under this Addendum is the provision of the Services to the Affiliate and the performance of GSE StudioWeb’s obligations under the Agreement (including this Addendum) or as otherwise agreed by the parties in mutually executed written form.
4. Nature of the processing: GSE StudioWeb provides application and advertising attribution solutions and other Services as described in the Agreement, which process Affiliate Personal Data upon the instruction of the Affiliate in accordance with the terms of the Agreement.
5. Categories of data subjects: Affiliate may submit Affiliate Personal Data to the Services, the extent of which is determined and controlled by Affiliate in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
   (a) Employees, agents, advisors, representatives, consultants, partners of Affiliate (who are natural persons); and/or
   (b) Affiliate’s end-users authorised by Affiliate to use the Services.
6. Types of Personal Data: Affiliate may submit Affiliate Personal Data to the Services, the extent of which is determined and controlled by Affiliate in its sole discretion, and which may include, but is not limited to, the following types of Personal Data: identification and contact data; financial information; and/or certain information about Affiliate’s end users (such as IP address and advertising identifier).
7. Sensitive Personal Data (if applicable): Affiliate shall not send GSE StudioWeb any Sensitive Personal Data (as defined in the Data Protection Legislation).

 

Schedule 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

1. Access control to systems

Measures to prevent data processing systems from being used without authorisation:
GSE StudioWeb AND ITS SUB-PROCESSORS are employing a ‘least privilege’ model that provided the minimum level of authorisation and access required for an employee to perform job duties.
A unique user ID and password is provided to each employee for the duration required to perform job duties. All user accounts and access rights are managed by GSE StudioWeb AND ITS SUB-PROCESSORS IT/Ops/Security personnel.
GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining a password policy that dictates password usage parameters, including: strength, complexity, expiry, reuse, expiration, and account lockout. Password policy is enforced through software controls and regular security audits.
Where possible, GSE StudioWeb AND ITS SUB-PROCESSORS are employing two-factor authentication, requiring users to provide username, password, and a second token for access to systems. GSE StudioWeb AND ITS SUB-PROCESSORS’s two-factor authentication system is fully managed and documented certificate management procedures are employed by IT and Security personnel.
Per SOC 2 requirements, regular audits are performed to ensure that correct level of authorisation and access is maintained across systems and data.

3. Access control to data

Measures to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorisation in the course of processing or use and after storage:
GSE StudioWeb AND ITS SUB-PROCESSORS are employing a ‘least privilege’ model that provided the minimum level of authorisation and access required for an employee to perform job duties.
User accounts are configured to restrict user privileges based on job duties, project responsibilities and other business activities.
External access to GSE StudioWeb AND ITS SUB-PROCESSORS assets is restricted, following the same least privilege model, and requires two-factor authorisation and authentication. External access controls are configured and monitored by GSE StudioWeb AND ITS SUB-PROCESSORS IT and Security personnel.
Per SOC 2 requirements, regular audits are performed to ensure that correct level of authorisation and access is maintained across systems and data.

4. Transmission control

Measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged:
GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining firewalls and encryption technologies to protect gateways and pipelines through which data travels. All data in transit to or from GSE StudioWeb AND ITS SUB-PROCESSORS platforms is encrypted and transmitted across SSL-protected channels. SSL transactions are logged and can be audited by GSE StudioWeb AND ITS SUB-PROCESSORS Engineering, IT, and Security personnel.

5. Input control

Measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed:
GSE StudioWeb AND ITS SUB-PROCESSORS software platforms require user authentication prior to data input. Actions performed within software applications are logged. System time-out after user non-activity occurs after a predetermined time period
Per data centre policy, physical access to data processing areas is not permitted.

6. Availability control

Measures to ensure that personal data are protected from accidental destruction or loss:
GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining documented and management-approved business continuity, incident response, data backup, and disaster recovery procedures designed to maintain business operations and redundancy of critical systems and data. GSE StudioWeb AND ITS SUB-PROCESSORS are performing regular testing to ensure that availability supporting systems function properly.

7. Segregation control

Measures to ensure that data collected for different purposes can be processed separately:
Access to personal data is restricted by user access and authorisation controls specific to GSE StudioWeb AND ITS SUB-PROCESSORS software application platforms.
GSE StudioWeb AND ITS SUB-PROCESSORS application data is logically separated, per unique identifier, at the database layer. Access to database contents is scoped appropriately per unique user account.
GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining separate environments for development and testing, research and development, and production systems and data.

8. Availability and resilience

GSE StudioWeb AND ITS SUB-PROCESSORS critical infrastructure is spread across multiple physical data centre locations and geographic regions with design emphasis on redundancy and survivability.
GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining documented and management-approved business continuity, incident response, data backup, and disaster recovery procedures designed to maintain business operations and redundancy of critical systems and data.
GSE StudioWeb AND ITS SUB-PROCESSORS are providing customers with service status updates and availability messages.

9. Privacy Management

GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining governance structures in accord with industry-standard privacy practices, including: engaging senior management in data privacy issues, a broad company network of privacy-focused internal stakeholders, enterprise risk assessments, employee-specific privacy policies, provide ongoing education materials with regard to privacy, and company-wide annual privacy and security trainings.
GSE StudioWeb AND ITS SUB-PROCESSORS are maintaining a data map, inventory of personal data and processing activities, and documentation of transfer mechanisms used for cross-border data flows.
GSE StudioWeb AND ITS SUB-PROCESSORS are providing end user privacy policies for each product platform and its corporate website. GSE StudioWeb AND ITS SUB-PROCESSORS are also hosting an internal employee privacy policy.
GSE StudioWeb AND ITS SUB-PROCESSORS are integrating data privacy into their regular product roadmap, new initiatives, information security policies, and internal operations.

10. Data protection-oriented default settings

GSE StudioWeb AND ITS SUB-PROCESSORS’s project and software development lifecycles are carried out with principles of privacy by design and by default, with an aim to prevent rather than remediate data protection breaches. Privacy is the default setting embedded into all phases of design lifecycle. For example, a privacy questionnaire is embedded in the company’s standard project charter template, and certain responses trigger additional diligence by appropriate privacy and security personnel, who stay engaged in product counselling from ideation to development (including secure code checking processes and procedures) through product launch, ongoing iteration, and maintenance. GSE StudioWeb AND ITS SUB-PROCESSORS are sending periodic reminders to key stakeholders of these practices, hosts monthly security meetings and regular privacy-centric dialogues on best practices, and requires all hires to complete an annual privacy and security awareness training. Through transparency to end users and regular auditing of security policies, GSE StudioWeb AND ITS SUB-PROCESSORS are operating with respect for data privacy in a user-centric manner.

Copyright © 2020 - 2021 GSE StudioWeb is owned by GSE StudioWeb. Is an advocate for global consumer privacy rights, protection and security. Trademarks and brands are the property of their respective owners and our respective clients. All Rights Reserved. Powered and maintained by “Logo