Data Processing Agreement

Last updated:

Data Processing Agreement

This Data Processing Agreement (this “Agreement”) is made between you, the individual and/or entity creating an account with Fonticons, Inc. (the “Company”) and Fonticons, Inc. (the “Processor” or “Data Processor,” together with the Company, the “Parties”).

WHEREAS, the Data Processor processes certain information concerning Company’s users in the course of providing services, as set forth in a certain Privacy Policy and the EU-U.S. Data Privacy Statement (the EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (the “Privacy Policy”), which has been adopted by the Data Processor and is available to the public;

WHEREAS, the Company wishes to, or currently does, contract with Data Processor for the purpose of the provision of certain data-related services (the “Services”);

WHEREAS, the Parties seek to implement a data processing agreement consistent with the Privacy Policy and the EU-U.S. Data Privacy Framework (the EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF);

WHEREAS, the Parties desire to enter into this Agreement, the terms of which shall supplement any other contract by and among them, if any (the “Principal Agreement”).

NOW THEREFORE, as of the date of the final signature hereon (the “Effective Date”), it is agreed as follows:

1. Definitions and Interpretation.
   1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
      1. “Agreement” means this Data Processing Agreement.
      2. “Company Personal Data” means any data associated with Company’s users that could be used to identify such user or that pertains to their actions, activity, or habits.
      3. “Contracted Processor” means a Subprocessor.
      4. “Data Protections Laws” means laws pertaining to or controlling data privacy and protection in the United States, any relevant state or other jurisdiction within the United States, as well as the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and the Privacy Policy.
      5. “Data Transfer” means:
         1. a transfer of Company Personal Data from the Company to a Contracted Processor; or
         2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
      6. “Services” means the services the Data Processor provides.
      7. “Processing” means any operation or set of Operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
      9. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
2. Processing of Company Personal Data.
   1. Data Processor shall:
      1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
      2. not Process Company Personal Data other than on the relevant Company’s documented instructions.
   2. The Company instructs Processor to process Company Personal Data.
3. Processor Personnel.
   1. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data.
4. Security.
   1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures required by the Data Protection Laws.
5. Subprocessing.
   1. Data Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company. Notwithstanding anything to the contrary herein, Company understands that Data Processor’s servers are maintained by a third party, chosen at Processor’s discretion.
6. Data Subject Rights.
   1. Taking in to account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is commercially practicable, for the fulfilment of the Company obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
   2. Processor shall:
      1. promptly notify Company if it receives a request from a third party under any Data Protection Law in respect to Company Personal Data; and
      2. ensure that it does not respond to that request except on the documented instructions of Company or as required by the Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach.
   1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
   2. Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation.
   1. Processor shall provide commercially reasonable assistance to the Company with any data protection impact assessments. Such commercially reasonable assistance shall be limited to the provision of documentation and answering questions relevant to the documentation but not otherwise covered in the documentation.
9. Deletion or return of Company Personal Data.
   1. Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
   2. Processor shall provide written certification to Company that it has fully complied with this section within 10 business days of the Cessation Date.
10. Audit rights.
11. Subject to this section, Processor shall make available to the Company on request reasonably necessary information to demonstrate compliance with this Agreement.
12. Information and audit rights of the Company only arise under this section to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Laws.
13. Data Transfer.
14. The Processor may not transfer or authorize the transfer of Data that would create any violation of any Data Privacy Law.
15. General Terms.
16. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
    1. disclosure is required by law;
    2. the relevant information is already in the public domain.
17. Notices. All notices and communications given under this Agreement must be in writing (including email) and shall be given via the methods of contact customarily utilized by the Parties.
18. Execution and Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. A signed copy of this Agreement transmitted by facsimile, email, or other means of electronic transmission shall be deemed to have the same legal effect as delivery of an original executed copy of this Agreement for all purposes. This agreement may be signed by any commercially reasonable method, including physically, third party electronic verification (such as Docusign), or click-to-sign, and any such signature shall be deemed an original signature for all purposes. If Processor executes this Agreement and delivers it to Company, but Company does not return a Company- executed version of this Agreement, then the rights and limitations of Processor shall still apply and the terms herein shall still control the relationship between Processor and Company if Company continues to work with Processor, unless Company expressly disclaims the terms of this Agreement.
19. Governing Law and Jurisdiction.
20. This Agreement is governed by the laws of the State of Arkansas.
21. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the State of Arkansas.
22. This Agreement supplements any Principal Agreement, including any amendments thereto, including future amendments. In the event of any conflict between any Principal Agreement, including any amendments thereto, including future amendments, the terms of this Agreement shall control.

By creating an account, the Company agrees and consents to the terms herein, effective as of the date of such account’s creation. By continuing to use such services, the Data Processor agrees that such account creation and use of services are intended to constitute a binding signature and further intends that such account creation and use constitute a binding agreement as though this document was signed by both parties.