This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written or electronic agreement between Tamboo and Customer for the purchase of online services from Tamboo (hereinafter referred to as the “Services”) (the “Terms”) to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of GDPR as defined below.

In the course of providing the Services to Customer pursuant to the Terms, Tamboo may Process Personal Data on behalf of Customer. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting responsibly and in good faith.

If the Customer entity entering into this DPA is a party to the Terms, this DPA is an addendum to and forms part of the Terms. If the Customer entity entering into this DPA has executed an Order Form, this DPA is an addendum to that Order Form and applicable renewal Order Forms. If the Customer entity entering into this DPA is neither a party to the Terms nor an Order Form directly with Tamboo, this DPA is not valid and is not legally binding. Such entity should contact the Customer entity that is a party to the Terms to discuss whether any amendment to its agreement with that Customer entity may be required.

This DPA shall not replace or supersede any comparable or additional rights relating to Processing of Personal Data contained in Customer’s Terms (including any existing data processing addendum to the Terms), and any such individually negotiated agreement or addendum shall apply instead of this DPA.

Definitions

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data pursuant to the GDPR.

“Data Subject” means the identified or identifiable person to whom Personal Data relates pursuant to the GDPR.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person and an identified or identifiable legal entity pursuant to the GDPR.

“Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, or combination, restriction, erasure, or destruction pursuant to the GDPR.

“Processor” means the entity which Processes Personal Data on behalf of the Controller pursuant to the GDPR.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

The Parties acknowledge and agree that with regard to the Processing of Personal Data in the course of providing the Services, Customer is the Controller and Tamboo is the Processor. Customer shall, in its use of the Services, comply at all times with GDPR in respect of all personal data it provided to Tamboo pursuant to the Terms. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data provided to Tamboo.

Tamboo shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Terms and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services, and (iii) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Terms. Tamboo shall notify Customer without undue delay if, in Tamboo’s opinion, an instruction for the processing of personal data given by Customer is an infringement of the GDPR.

The subject-matter of Processing of Personal Data by Tamboo is the performance of the Services pursuant to the Terms. The Processing will be carried out until the term of Customer’s ordering of the Services ceases. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.

The Services are operated in the United States. If you are located outside of the United States and choose to use the Services or provide information to us, you acknowledge and understand that your information will be transferred, processed, and stored in the United States, as it is necessary to provide the Services and perform the Terms of Service. United States laws may not be as protective as those in your jurisdiction.

Tamboo shall ensure that all Tamboo personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, and shall ensure that Tamboo’s access to Personal Data is limited to those personnel performing Services in accordance with the Terms.

Tamboo shall maintain appropriate technical and organizational measures designed to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.

At the end of the applicable term of the Services and, to the extent allowed by applicable law, Tamboo shall securely destroy or, upon request, return such Personal Data to Customer.

If Tamboo becomes aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to the Personal Data that is protected by Tamboo in the course of providing the Services (hereinafter referred to as a “Personal Data Incident”), under the Terms it shall notify Customer without undue delay and provide Customer with a description of the Personal Data Incident. Tamboo shall make reasonable efforts to identify the cause of such a Personal Data Incident and take those steps as Tamboo deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Tamboo’s control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

At Customer’s request and cost, Tamboo shall assist Customer by implementing appropriate and reasonable technical and organizational measures to assist with Customer’s obligation to respond to requests from Data Subjects.

With effect from May 25, 2018, Tamboo shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Articles 32 through 36 of that regulation taking into account the nature of the Processing under this DPA.

Tamboo shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.

Schedules

Schedule 1: Details of the Processing

Tamboo will Process Personal Data as necessary to perform the Services pursuant to the Terms, as further instructed by Customer in its use of the Services.

Tamboo will Process Personal Data for the duration of the Terms, unless otherwise agreed upon in writing.

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

  • Users of Customer’s web and mobile applications.

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Browser
  • Browser Version
  • Current Web Page DOM and Assets
  • Current URL
  • Form Field Selections and Values
  • Initial Referrer
  • Initial Referring URL
  • IP Address
  • Keystrokes
  • Language
  • Position of Mouse Movements
  • Operating System
  • Position and Targets of Clicks
  • Screen Height
  • Screen Width
  • Scroll Position
  • Session Identifier
  • Time on Page
  • Time Zone
  • User Identifier
  • UTM Parameters