Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Rybbon Terms of Service (the “Agreement”) and reflects the agreement between Rybbon and you (the “Customer”) with respect to the terms governing the Processing of Customer Data under the Agreement.
Revised November 14, 2019
“Personal Data” means any information relating to an identified or identifiable natural person.
“Customer Data” means any Personal Data that Rybbon receives and processes on behalf of Customer as a Data Processor in the course of providing Service, as more particularly described in this DPA.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU GDPR.
“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.
“Sub-processor” means any Data Processor engaged by Rybbon or its subsidiaries to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.
2. Roles and Scope of Processing
2.1 Role of the Parties. As between Rybbon and Customer, Customer is the Data Controller of Customer Data, and Rybbon shall process Customer Data only as a Data Processor acting on behalf of Customer.
2.2 Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Rybbon; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Rybbon to process Customer Data and provide the Service pursuant to the Agreement and this DPA.
2.3 Rybbon Processing of Customer Data. Rybbon shall process Customer Data only for the purposes described in this DPA.
2.4 Merchants. Rewards sent to Recipients may require Recipients to provide Personal Data to the Reward Merchant in order to receive and use the Reward. The Merchant’s use of Personal Data is subject to the Merchant’s terms and conditions associated with the use of that Reward and is excluded from this DPA. Rybbon is not liable for any claims related to services provided by Merchants.
2.5 Details of Data Processing
Rybbon’s use of Customer Data shall be limited to the following purposes:
- (a) To perform and provide the Service to the Customer
- (b) To provide customer support to Customer and Recipients including administrative contact with Recipients
- (c) To protect the security of Rybbon systems
- (d) To detect use of the Service that is fraudulent or not compliant with the Agreement
- (e) To meet all legal and regulatory obligations applicable to Rybbon
- (f) To improve and enhance the Service
Rybbon shall not sell or market Customer Data to any third party. Rybbon may share Customer Data with third parties for law enforcement purposes. Rybbon shall ensure that any person who is authorized by Rybbon to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.1 Authorized Sub-processors. Customer agrees that Rybbon may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Rybbon may be obtained by making a request to firstname.lastname@example.org.
4.2 Sub-processor Obligations. Where Rybbon is entering into an engagement with a Sub-processor, Rybbon shall seek to enter into an agreement setting out the respective obligations of each party and shall seek to be reasonably satisfied that the Sub-processor has measures in place to protect Customer Data against unauthorized disclosure of or access to Customer Data.
5.1 Security Measures. Rybbon shall implement and maintain appropriate technical and organizational security measures to prevent unauthorized destruction, loss, alteration, disclosure of or access to Customer Data (a “Security Breach”). Customer may request more information, on a confidential basis, about Rybbon’s security measures by contacting email@example.com.
5.2 Notification. Rybbon shall inform Customer within 72 hours of becoming aware of any Security Breach. To the extent that a Security Breach is caused, or is otherwise suffered, by Rybbon, Rybbon shall investigate, identify and remediate the Security Breach as soon as possible, and within a reasonable time frame.
5.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials and protecting the security of Customer Data when in transit to and from the Service.
Upon termination of the Agreement, Rybbon keeps Customer Data for 5 years (the “Retention Period”) to help meet Rybbon’s and Merchants’ legal and regulatory requirements. Following the Retention Period, Rybbon shall either delete Customer Data or anonymize it. This requirement shall not apply to the extent Rybbon is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Rybbon shall securely isolate and protect from any further processing, except to the extent required by applicable law.
Customer shall send all requests for deletion of Customer Data to firstname.lastname@example.org. Retention policies described in section 6 of this DPA may prevent Rybbon from fulfilling such requests. If Rybbon is unable to delete Customer Data for technical reasons, Rybbon will apply measures to ensure that Customer Data is blocked from any further Processing.
Rybbon has a Data Protection Officer and all enquiries in respect of this DPA should be directed to the Data Protection Officer via email@example.com.