EU and CCPA Data Processing Agreement

Wooly, Inc. dba Roster Technologies

DPA Background

This EU and CCPA Data Processing Agreement (“DPA”) supplements our Terms of Service, Privacy Policy, or any other online or paper contract (together and individually, the “Agreement”) with clients (“Client” or “you”) insofar as they relate to processing of data that is subject to the European Union’s General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR“), and the California Consumer Privacy Act of 2018 California Civil Code § 1798.100 et seq., as supplemented or amended by the California Privacy Rights Act of 2020 (“CCPA”) (collectively the “Data Privacy Laws”).  To the extent this DPA conflicts with our Terms of Service, our Privacy Policy, or any other agreement you have with us, this DPA will control.  Capitalized terms used in this DPA shall have the same meaning set forth for those terms or similar terms in the Data Privacy Laws, unless a different meaning is specified herein.

Wooly, Inc.  (“Wooly,” “we,” or “us”) doing business as Roster Technologies (“Roster”) is a software as a service provider.  As such, we act as a “Processor” under the GDPR.  As one of our clients, you control the means and purposes for the processing of the data you gather using our services (the “Services”), and thus, you are a Controller under the GDPR.  Unless otherwise agreed between us in writing, those items the GDPR requires of Processors will be our responsibility, and those items required of Controllers will be your responsibility.  Under the CCPA, we qualify as a service provider, and we agree to comply with the requirements of service providers as described in the CCPA and as specifically described in this DPA.

Specifically, the parties agree as follows:

How to Execute this DPA

We have adopted this DPA and made it effective through the Agreement into which our Clients enter with us. Each provision of the DPA, including the provisions of the EU Standard Contractual Clauses as seen in Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs“) details of which are included in Exhibit A, and the International Commissioner’s Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022 (“UK Addendum“), details of which are included in Exhibit B, are enforceable against the parties as if each had been separately signed. Because both parties have assented to the Agreement, no further execution of the DPA is necessary by you or Wooly; provided, however, that both parties explicitly agree to cooperate and sign additional documents, if necessary, to effectuate the EU SCCs and UK Transfer Addendum. 

Our GDPR and CCPA Obligations

When you use the Services, you may ask us to process Personal Data about the individuals with whom you interact, including without limitation your ambassadors, applicants, prospects, employees, clients, marketplace partners, customers, vendors, suppliers, or other individuals with whom you interact, or about whom you gather Personal Data (“Your Personal Data”) using the Services (collectively and individually, “Your Data Subjects”).  That Personal Data may be subject to the protections of the Data Privacy Laws.  For purposes of clarity, the parties agree that Your Personal Data does not include data that is anonymized, aggregated, or de-identified in a manner that eliminates the possibility that the data can be tracked or identified to any specific individual (“De-Identified Data”).  

Acknowledging that certain of your obligations as a Controller must be passed along to any company or individual that processes the Personal Data of Your Data Subjects, we agree to perform the following functions and to facilitate your compliance with the Data Privacy Laws in the following ways:

1.    Right of Access by Data Subject and Communication with Authorities and Your Data Subjects

We agree that, in order to assist you in your obligations as a Controller, we will implement the appropriate technical and organizational measures to allow you to (1) respond to any request by any Data Subject to exercise his or her rights under the Data Privacy Laws, and (2) respond to correspondence, inquiries, or complaints from entitled third parties such as individuals, regulators, courts, and other authorities in connection with the processing of Personal Data.  If any such requests or correspondence is received directly by us, we will forward you the request or correspondence and will wait for further direction from you before taking action.  We will not communicate with authorities or Your Data Subjects without receiving your advance written permission, except as required by applicable law.  Upon documented request from you, we will correct, supplement, modify, or delete any of Your Personal Data, except as required by applicable law.

2.    Use Limitation

We agree that we will not use or process any of Your Personal Data for any purpose other than the purpose set forth in the Agreement, except to respond to specifically document requests from you regarding Your Personal Data.  In no event will we process, rent, sell, use, or transfer any of Your Personal Data for our own purposes or for the purposes of any third party.  In addition, we will delete all Your Personal Data from our systems ninety (90) days after termination of the Agreement, except as may be required or allowed by applicable law.  You also agree that you will not use or process any Personal data of any Data Subject for any purpose other than the purposes for which you have consent from the Data Subject.

3.     International Transfers of Data

To the extent your transfer of Your Personal Data to us involves a transfer out of the EU or UK, we agree to comply, where applicable, with the EU SCCs, details of which are included as Exhibit A and the UK Transfer Addendum, details of which are included in Exhibit B (collectively the “Transfer Mechanisms”).  

In the event of any conflict between the Transfer Mechanisms and this DPA, the Transfer Mechanisms shall control and supersede.  If the European Union, United Kingdom, or courts thereof decide that the Transfer Mechanisms are insufficient protection for citizens of the EU or UK, respectively, then the parties agree to work in good faith together to determine how a new valid method can be implemented to meet any new requirements.  

We agree that we will not process or transfer any of Your Personal Data originating from the European Economic Area or United Kingdom in any country or territory that has been determined to offer an inadequate level of data protection unless it has first obtained your consent or ensured that a valid method similar to the Transfer Mechanisms is in place with respect to such country or territory.

4.     Processing Confidentiality and Agreements by Agents

We agree that we will keep Your Personal Data strictly confidential and that we will ensure that any of our employees, vendors, or other agents “Our Agents” who have access to Your Personal Data (1) are informed of and subject to this strict duty of confidentiality; (2) access and process only such of Your Personal Data as is strictly necessary to perform our obligations under the Agreement; and (3) agree not to permit any person to process Your Personal Data who is not subject to the foregoing duties.  We accept responsibility for the conduct of Our Agents in this regard, including their acts, errors and omissions.

5.     Disposition of Your Personal Data Upon Request or Termination

At your request or at termination of the Agreement, whichever is sooner, we agree to delete or return to you all Your Personal Data, including any of Your Personal Data subcontracted to a third party for processing, except as required by applicable law.  At that time, with respect to Your Personal Data that we are required by applicable law to retain, we will isolate and protect Your Personal Data from further processing, except as required by applicable law.  We will use commercially reasonable efforts to ensure that any of our subprocessors who are in possession of Your Personal Data shall also comply with this provision. 

6.     Security Incidents and Security

We will at all times make commercially reasonable efforts to ensure that Your Personal Data is adequately protected in accordance with the requirements of the Data Privacy Laws.  To this end, we agree that we will implement appropriate technical and organizational measures to protect Your Personal Data from security incidents.  These measures are described in Exhibit C to this DPA.

When we become aware of any security incident, which consists of the unpermitted, accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any of Your Personal Data, we will inform you without any undue delay, and in no event longer than 24 business hours after we discover the security incident.  We will cooperate reasonably with you and provide you the information you need in order to fulfill your data breach obligations under the Data Privacy Laws.  We will also take other further measures and actions, in our sole discretion or as required by applicable law, that are necessary to remedy or mitigate the effects of the security incident, and we will keep you informed of every material development connected with the security incident.  Except as required by law, we will not take action to notify Your Data Subjects of any security incident without your prior written consent.

7.     Subprocessors

In the course of providing our Services, we may be required to contract with a third-party processor (“Subprocessor”) to perform a portion of the Services.  We have included as Exhibit D a list of the Subprocessors we currently use.  If we add any additional Subprocessors, we will inform you of such Subprocessors and give you an opportunity to object to the use of such Subprocessors.  We agree to impose the same data protection obligations upon each of our Subprocessors that we agree to in this DPA and we agree to be fully responsible for any liability arising out of the acts and omissions of our Subprocessors.  

For the avoidance of doubt, the objection rights as set out in this subsection will not apply in cases where we subcontract ancillary services to third parties without having access to Your Personal Data.  Such ancillary services are not considered data processing.

8.     Audits, Requests from Law Enforcement, and Impact Assessment

In certain instances, you as a Controller are required to submit to an audit to show that you are complying with the provisions of the Data Privacy Laws.  In any such instance, we agree to cooperate fully with such audit and to maintain a reasonable record of processing activities that we carry out on your behalf.  After reasonable notice, we will allow you or your auditors to audit our compliance with this DPA, to include communication with our staff and access to our systems and information; provided you conduct your audit during normal business hours and make reasonable efforts to minimize the disruption to our business.  

If we are requested by law enforcement to disclose any of Your Personal Data, we will, unless prohibited by law, inform you of the request, attempt to re-direct the law enforcement agency to contact you directly, and only provide such information as required by law.

In the event that you believe that our processing of Your Personal Data is likely to result in a high risk to the data protection rights and freedoms of citizens of the EU or UK, we agree to assist you in a reasonable and timely manner to conduct a data protection impact assessment, which may include consulting with the relevant data protection authority.

9.     Description of Transfer

A. Categories of Data Subjects Whose Personal Data is Transferred.

Ambassadors, influencers, athletes, employees, advocates, fans, and customers of the client, including people who publicly mention the client on social media.

B. Categories of Personal Data Transferred.

First, middle, and last name, email, phone, physical home address, social profiles, public social media, order/conversion tracking information, commissions payable and contractual relationships among ambassadors and data exporter if applicable

C. Sensitive Data Transferred.

Data exporter may submit sensitive data (as defined in the Data Privacy Laws) to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion. The users of the Services may use the Services to interact and share information. Therefore, neither data exporter nor data importer will control the types of information submitted.

D. Frequency of Transfer.

Continuous basis.

E. Nature of Processing.

We will process Your Personal Data solely to provide the Services. 

F. Purpose(s) of the Data Transfer and Further Processing.

The purpose of the data transfer and processing is: (1) our performance of the agreed-upon Services; (2) accomplish our business purpose; (3) improve our Services; (4) comply with Data Privacy Laws; and (5) comply with any further instructions received by you.

G. Period for Which Personal Data Will Be Retained.

See Section 5 above.

H. Subject Matter, Nature, and Duration of Processing

See Sections 1, 2 & 5 above

I. Subprocessors

See Exhibit D below.

Your Obligations

As a Controller under the Data Privacy Laws, you are required to carry out certain responsibilities and to comply with certain requirements.  For example, and without intending to limit your obligations, you are required to comply with the privacy and confidentiality provisions of the Data Privacy Laws, just as we are.  You are also required to ensure that the consent of Data Subjects is obtained and that collection of Your Personal Data is otherwise justified under the Data Privacy Laws.  We acknowledge that in doing so, you are required to ensure that your Processors also comply with certain requirements, and we agree to reasonably cooperate with your requests in this regard.  However, if you make requests of us that go beyond our obligations set forth in the “Our Obligations Under the Data Privacy Laws” section of this DPA, we will comply with your requests at your expense.

EXHIBIT A

Details of the EU Standard Contractual Clauses

When applicable, the parties fully incorporate the EU SCCs, including the following options and provisions:

1. Module 2 applies to the parties’ relationship.

2. The parties’ signature to this DPA constitutes a signature as may be required for the EU SCCs.

3. Clause 7 does not apply.

4. For Clause 9(a), Option 2 applies. “ten (10) business days” replaces [Specify time period].

5. The option under Clause 11 (Redress) does not apply.

6. For Clause 13(a), the data exporter is considered established in an EU Member State.

7. For Clause 17, Option 1 applies. Ireland law governs.

8. For Clause 18(b) the courts of Ireland have jurisdiction. 

9. The information required under Annex 1.A is included in the Agreement. Wooly is the data importer and Client is the data exporter.

10. The information required under Annex 1.B is included in Section 9 of the DPA.

11. For Annex 1.C, the Data Protection Commissioner in Ireland is the competent supervisory authority.

12. The information required under Annex II is included as Exhibit C to this DPA.

13. The information required under Annex III is included as Exhibit D to this DPA.

EXHIBIT B

Details of the UK Transfer Addendum

This Appendix forms part of the DPA and supplements the EU SCCs, pursuant to the International Commissioner’s Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.

Part 1 is as follows:

(a) The information required on Table 1 is found in the Agreement.

(b) The information required on Table 2 is found on Exhibit A.

(c) The information required on Table 3 is found on Exhibit A.

(d) Table 4 is Data importer.

Part 2 is as follows:

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

EXHIBIT C

Security Measures

The security measures we take are outlined on our website at https://www.getroster.com/security/.  Those measures are periodically updated to ensure we are following current standards in data security. 

  • EXHIBIT D

List of Subprocessors

 1. Microsoft: data storage and infrastructure (Redmond, WA, United States)

2. Hubspot: E-mail marketing, CRM, web forms to capture leads (Cambridge, MA, United States)

3. Chargbee: Subscription management & invoicing (Rockville, MD, United States)

4. Stripe: Payment processing (San Fransico, CA, United States)

5. Google: workspace, marketing website analytics (Mountain View, CA, United States)

6. PostHog: Application visitor analytics (San Fransico, CA, United States)

7. Intercom: Customer service, tech support, knowledgebase, tutorials (San Fransico, CA, United States)

8. PartnerStack: referral & commission tracking for inbound business sales (Toronto, Ontario, Canada)