Data Protection Agreement (DPA)

This DPA defines the conditions under which any Processing of Personal Data should be done as part of the Scope of the Agreement for Services that reference the DPA. When referenced, this DPA in full is considered an integral part of the Agreement, unless any restrictions are specified.

Definitions

In this DPA these terms have the following meaning: 

  • We, our or us – means Localistico Ltd, a UK-based company registered in Companies House with number 09121600
  • You or your – refer to the Customer in the original Agreement.
  • We and You together might be referred to as “The Parties”, “we both”, or “both of us”
  • “Applicable Data Protection Law” means all data protection laws and regulations applicable to the Processing of Personal Data by us on behalf of you as Customer under this DPA, including both the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and any applicable national implementations of the GDPR by member states of the European Union (together with GDPR “EU Data Protection Law”), and the GDPR as it forms part of UK law (“UK GDPR”) by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together with UK GDPR “UK Data Protection Law”)
  • “Controller” means a controller within the meaning of EU Data Protection Law
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; 
  • “Data Subject(s)” mean(s) the identified or identifiable natural person(s) as set forth under Applicable Data Protection Law to whom the Personal Data Processed by the Processor on behalf of the Controller relates;
  • “Data Subject Right(s)” means any rights of a Data Subject under Applicable Data Protection Law to be exercised against the Controller of and in regards to the Personal Data processed by the Processor on behalf of the Controller, which may include but not be limited to a right to access, right to object, right to erasure, right to restriction of processing, right to rectification and/or right to data portability. 
  • “EU SCC” means the standard contractual clauses for controllers and processors in the EU/EEA adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021. 
  • “Personal Data” means personal data within the meaning of EU Data Protection Law Processed by us as a Processor on your behalf as a Controller.
  • “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 
  • “Processor” means a processor within the meaning of EU Data Protection Law; 
  • “Sensitive Personal Information” means the categories of Personal Data considered as sensitive personal information 
  • “Special Category Data” means the categories of Personal Data set forth in Art. 9 GDPR.
  • “Sub-Processor” means a Processor used by us for the Processing or parts of the Processing of Personal Data Processed by us as a Processor on behalf of a Controller. 
  • “Third Country Transfer” means transfer of Personal Data from the European Union or the United Kingdom to a third country. 
  • “Transfer Mechanism” means any basis provided for a Third Country Transfer by Applicable Data Protection Law
  • References to “include” and “including” means including without limiting the generality of any description preceding such term and “or” or “and/or” is not exclusive

Other Terms not defined in this DPA will have the meanings given to them in the original Agreement. 

Duration

The term of this DPA equals the Term of the Agreement. Upon any termination of the Agreement, this DPA shall automatically terminate, unless we expressly agree otherwise. You may terminate this DPA at any time without notice in the event there is a material breach by us of the material provisions of this DPA or, if we are unable or unwilling to carry out a lawful instruction from you. 

In particular, failure to comply with the material obligations agreed in this DPA and derived from Applicable Data Protection Law on the Processing of a Processor on behalf of a Controller, such as Art. 28 GDPR, constitutes a material breach. 

In the event and to the extent that there is any conflict between the provisions of this DPA and any part of the original Agreement in connection with the Processing of Personal Data by us on your behalf, this DPA will prevail but only with respect to the respective conflict. 

Scope and Subjects

With regard to any Personal Data Processed by us on your behalf under this DPA, you are classified as the Controller and we as the Processor. 

We shall process any Personal Data Processed as a Processor on your behalf solely for the purpose of and as necessary to provide the agreed Services under the Scope of our Agreement unless we are obliged to carry out other Processing(s) by applicable law. In such a case, we shall notify you of such legal requirements prior to the Processing, unless prohibited by applicable law.

In the event that an instruction violates Applicable Data Protection Laws, we shall inform you immediately. We shall then be entitled to suspend the execution of the relevant instruction(s) until you confirm or change such instruction(s). 

We both agree that the purpose of Processing is the provision of the agreed Services, that might include administering and transferring data to different platforms of third parties. 

We shall create no further copies or duplicates of the Personal Data Processed on your behalf without your specific knowledge, with the exception of:

  • back-up copies or other technical mechanisms necessary to ensure orderly Processing
  • data required to meet regulatory requirements, when applicable

Data Types & Categories of Data Subjects

The Processing of Personal Data comprises the following types and categories of Data Subjects, depending on the Scopes of the Services.

Scope: Applicable to all
Type of Personal Data:
  • Contact data (when shared)
  • Disclosed information from third parties – e.g. from public directories
  • Login / Credential data (when shared)
  • Other Personal Data included in Email communications, Business or Venue Data by Customer
Categories of Data Subjects:
  • Customers
  • Employees
  • Contact persons
  • Other Data Subjects whose Personal Data might be included in Email communications, Business or Venue Data provided by Customer

Each of the following is only applicable in the event that the Agreement includes features or functionalities related to the given Scopes.

Scope: Location Management, Presence Management, Metrics and Reporting
Type of Personal Data:
  • Login / Credential data
  • Access data (e.g. IP address for logging purposes)
Categories of Data Subjects:
  • Users
  • Contact persons
  • Other Data Subjects whose Personal Data is included in Venue data by Customer

Scope: Review Management, Q&A, Post comments or any Reporting related to those
Type of Personal Data:
  • Review data (name, review text, date, time, review object)
  • When applicable: Access data (e.g. IP address for logging purposes)
Categories of Data Subjects:
  • Users
  • Reviewers
  • Website visitors

Scope: Store Pages, Store Locators, Store Data Widgets, Store Data Tags, Other website-related items or any Reporting related to those
Type of Personal Data:
  • Access data (e.g. IP address for logging purposes)
  • Query inputs of users / website visitors
Categories of Data Subjects:
  • Users
  • Website Visitors

Scope: Promotions, Posts, Ads, or any Reporting related to those
Type of Personal Data:
  • Access data (e.g. IP address for logging purposes)
  • Promotion/Ad content
  • Login / Credential data
Categories of Data Subjects:
  • Users
  • Contact persons
  • Other Data Subjects whose Personal Data is included in Promotion data by Customer

Scope: Messaging
Type of Personal Data:
  • Communication data (such as message date & timestamp, message content, user names, or status)
  • Login / Credential data
Categories of Data Subjects:
  • Users
  • End-Customers
  • Contact persons
  • Other Data Subjects whose Personal Data is included in Messages data by Customer

Scope: Review Generation / Email campaigns
Type of Personal Data:
  • Contact data (name, email address and/or telephone number)
  • Communication/mailing Campaign data
Categories of Data Subjects:
  • Contacts / End-Customers
  • Other Data Subjects whose Personal Data is included in Campaign Data by Customer

Statutory Processor Obligations

We shall comply with the statutory requirements set for Processors under Applicable Data Protection Law, such as Art. 28 GDPR and in particular comply with the following provisions:

  • Confidentiality. We will only entrust such employees with the Processing of Personal Data as outlined in this DPA who have been bound to confidentiality and have previously been familiarised with the principles of Applicable Data Protection Law relevant to their work. 
  • Security Measures. We shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose(s) of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, assist you by implementing and complying with appropriate technical and organisational measures for the Processing of Personal Data on your behalf, to ensure a level of security appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems in accordance with Applicable Data Protection Laws on the Processing of a Processor on behalf of a Controller, in particular, as applicable, Art. 28 (3) lit. c, 32 GDPR. These measures are subject to technical progress and further development. In this respect, we are permitted to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced.
  • Assistance for data protection, impact assessments and prior consultation. We shall, taking into account the nature of Processing and the information available to us, assist you in complying with your obligations to carry out data protection impact assessments and/or consult a supervisory authority prior to a data protection impact assessment as required by Applicable Data Protection Laws. 
  • Support for supervisory procedures. Insofar as you are subject to an inspection by the applicable supervisory authorities, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Processing of Personal Data by us on your behalf under this DPA, we shall make reasonable efforts to support you. That said, we both acknowledge that most of our Services enable comprehensive self-administration of most of the Personal Data to assist you in connection with obligations under GDPR, including obligations to respond to data subject requests. To the extent the Controller is unable to independently address a request, the Processor shall provide reasonable assistance, but we exclude liability if you as Controller decide not to respond to a valid request from a Data Subject, if you do not respond correctly, or if you do not respond in due time.
  • Cooperation with supervisory authorities. We shall support you with regard to prior consultation of the supervisory authority taking into account the nature of Processing and the information available to us. We both shall cooperate, on request, with the competent data protection supervisory authority in the performance of its tasks. Insofar as applicable and permitted, you shall be informed of any inspections and measures conducted by the supervisory authority, without undue delay. This also applies insofar as we may be under investigation or if we were party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the Processing of Personal Data on your behalf. 
  • Data Subject Rights requests. In the event a Data Subject contacts us directly to exercise a Data Subject Right under Applicable Data Protection Law with regard to the Processing of Personal Data Processed by us on your behalf, and in particular when concerning a rectification, erasure, or restriction, we will forward such request of the Data Subject to you without undue delay. We may not under our own authority rectify, erase or restrict the Processing of Personal Data that is being Processed on your behalf, but only on documented instructions.
  • Deletion or return of Personal Data. After the end of the provision of the respective Services agreed upon under the Agreement, we shall, at your choice, delete or return all Personal Data, unless Applicable Data Protection Law requires storage of such Personal Data
  • Data Retention. Data collected is stored for the duration of the application process for the Services. In the event of non-employment, data is stored for a period of six (6) months from the date of rejection. In the event of employment, data is stored for a period of three (3) years after the end of employment.

Data Protection Officer

To the extent required under Applicable Data Protection Laws we have a data protection officer (“Data Protection Officer” or “DPO”) who can be contacted at support@localistico.com.

Sub-processing

We may engage and/or commission Sub-Processors for the Processing of Personal Data on your behalf after your respective authorisation. 

The current list of Sub-Processors engaged by us, which you hereby authorise, includes the following:

Sub-processor: Amazon Web Services EMEA SARL
Purpose: Hosting, API Access, AI Services
Place of processing: European Union (EU)
Address & details: 38 Avenue John F. Kennedy, L-1855, Luxembourg / Luxembourg
https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html

Sub-processor: Google Cloud EMEA Limited
Purpose: Hosting, API Access, Artificial Intelligence (AI) services
Place of processing: European Union (EU)
Address & details: 70 Sir John Rogerson’s Quay, Dublin 2 / Ireland
https://cloud.google.com/terms/data-processing-addendum

Sub-processor: Localistico SL
Purpose: Central technical infrastructure and services provision
Place of processing: European Union (EU)
Address & details: c/ Campomanes, 6, Madrid, Spain

Scenario-specific Sub-Processors and, if applicable, Third Country Transfers

Sub-processor: Twilio Inc.
Purpose / Scenario: Communications and Mailing / When using Email services or Notifications for Users
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses, Adequacy Decision (EU-U.S. Data Privacy Framework)
Address & details: 101 Spear Street, Fifth Floor, San Francisco, CA 94105, United States
https://www.twilio.com/en-us/legal/data-protection-addendum

Sub-processor: Pendo.io, Inc
Purpose / Scenario: App user logging services / When users navigate in the app
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses, Adequacy Decision (EU-U.S. Data Privacy Framework)
Address & details: 418 South Dawson Street, Raleigh, NC 27601, United States
https://www.pendo.io/legal/data-processing-addendum/

Sub-processor: OpenAI OpCo, LLC
Purpose / Scenario: Artificial Intelligence (AI) services / When using AI-enabled functions
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses
Address & details: 3180 18th St., Suite 100, San Francisco, CA 94110, United States
https://openai.com/policies/data-processing-addendum

Sub-processor: Anthropic PBC
Purpose / Scenario: Artificial Intelligence (AI) services / When using AI-enabled functions
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses (SCCs)
Address & details: 55 2nd Street, 15th Floor, San Francisco, CA 94105, United States
https://privacy.claude.com/en/collections/10672414-policies-terms-of-service (The DPA is embedded within their Commercial Terms of Service and Privacy Policy)

Sub-processor: Mixpanel Inc
Purpose / Scenario: App user logging services / When users navigate in the app
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses, Adequacy Decision (EU-U.S. Data Privacy Framework)
Address & details: 1 Front Street, 28th Floor, San Francisco, CA 94111, United States
https://mixpanel.com/legal/dpa/

Sub-processor: Hubspot Inc
Purpose / Scenario: Support functions / For client communications and support ticketing
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses, Adequacy Decision (EU-U.S. Data Privacy Framework)
Address & details: 25 First Street, Cambridge, MA 02141, United States
https://legal.hubspot.com/dpa

Sub-processor: Retool Inc
Purpose / Scenario: Support functions / For internal or client reporting
Place of processing / Legal Basis for Third Country Transfer: USA / Standard Contractual Clauses, Adequacy Decision (EU-U.S. Data Privacy Framework)
Address & details: 1550 Bryant Street, San Francisco, CA 94103, United States
https://docs.retool.com/legal/dpa

Sub-processor: Localistico Ltd
Purpose / Scenario: Central technical infrastructure and services provision / When services are provided by UK personnel
Place of processing / Legal Basis for Third Country Transfer: United Kingdom / Adequacy Decisions
Address & details: Tintagel House, 92 Albert Embankment, London, England, SE1 7TY

Before any other Sub-Processor is engaged for the Processing of Personal Data by us on your behalf, we will enter into an agreement with such Sub-Processor that should include the requirements to protect Personal Data Processed by us on your behalf as required by Applicable Data Protection Laws and, in substance, to the same standards provided by this DPA.

We may add or change Sub-Processors in a substantial way provided that:

  1. We inform you of the intended change with appropriate advance notice in text or written form
  2. You do not reasonably object to the change within 7 days from the advance notice and 
  3. We ensure compliance, in substance, with this Agreement in regards to the engagement of that Sub-Processor

In the event of a reasonable objection by you to the intended change, we shall have the right to terminate the Agreement or the part of the Agreement affected by the intended change with immediate effect, provided that we cannot reasonably be expected to continue the Agreement or that part of the Agreement.

Third Country Transfers

In the event and to the extent of any Processing of Personal Data that is subject to EU Data Protection Law, UK Data Protection Law or other relevant laws on your behalf, such Processing by us, excluding any Processings by Sub-Processors, shall be carried out exclusively within member states of the European Union (EU) or the European Economic Area (EEA). 

You are aware that the Processing of data for some functions, as detailed in the list of Sub-Processors, may result in a Third Country Transfer, in particular to the USA. In the event and to the extent required by Applicable Data Protection Law, we shall ensure that any such Third Country Transfer is based on a Transfer Mechanism accepted under Applicable Data Protection Law, such as, as applicable, an adequacy decision of the relevant authorities or the EU SCC.

Obligations in Case of Data Breaches

We shall notify you without undue delay of any failures, infringements by us or the persons employed by us as well as of any Data Breaches regarding the Personal Data Processed on your behalf as required by Applicable Data Protection Law, such as Art. 33, 34 GDPR. 

We warrant that, if necessary, we will provide you with appropriate support in fulfilling your obligations regarding the reporting of Data Breaches under Applicable Law, such as Art. 33, 34 GDPR in conjunction with Art. 28 (3) sentence 2 lit. f GDPR. We may only carry out notifications of supervisory authorities or Data Subjects for you in regard to Personal Data Processed on your behalf following your prior instruction.

Supervisory Powers

You have the right, after consultation with us, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. You have the right to satisfy yourself of our compliance with this DPA in our business operations by means of random checks, which are ordinarily to be announced in good time. We shall ensure that you and/or your chosen auditor are able to verify compliance with our obligations under this DPA and Applicable Data Protection Law on the Processing of a Processor on behalf of a Controller, such as Art. 28 GDPR. For this, we undertake to provide you with the necessary information on request and, in particular, to demonstrate the execution of any Technical or Operational Measures implemented in this regard. We may claim remuneration for enabling these inspections within reason.

Other terms

Liability to Data Subjects. We both shall be liable to the Data Subjects of the Processings in accordance with the provisions of Applicable Data Protection Law, such as Art. 82 GDPR.

Applicable law and Jurisdiction. The law applicable to this DPA shall be the law applicable to the original Agreement. The competent courts for any dispute under this DPA shall be the competent courts agreed upon in the Agreement.

Severability clause. In the event that any provision or part thereof is or becomes void or ineffective, this shall not affect the validity or effectivity of the remaining parts of this DPA.