Data Processing Agreement | Campfire Interactive

WHEREAS, the Customer and the Provider entered into a Master Platform Agreement (the “Master Agreement”) that may require the Provider to process Personal Information provided by the Customer; and

WHEREAS, this Data Processing Agreement (the “DPA”) sets out the additional terms, requirements, and conditions on which the Provider will handle, process, disclose, transfer, or store Personal Information when providing services under the Master Agreement;

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1) Definitions and Interpretation

1.1) The following definitions and rules of interpretation apply in this DPA.

“Authorized Persons” means the persons or categories of persons that the Customer authorizes to give the Provider Personal Information processing instructions, pursuant to the Master Agreement.

“Business Purpose” means the services described in the Master Agreement.

“Data Subject” means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

“Personal Information” means any information the Provider processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

“Security Breach” means any act or omission that results in unauthorized access to or disclosure or acquisition of Personal Information.

1.2) This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3) The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.

1.4) In the case of conflict or ambiguity between:

a) any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;

b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail; and

c) any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2) Personal Information Types and Processing Purposes

2.1) The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.2) Appendix A describes the general Personal Information categories and related types of Data Subjects the Provider may process to fulfill the Business Purposes of the Master Agreement. The Customer discloses Personal Information to the Provider only for the limited and specified Business Purposes.

3) Provider’s Obligations

3.1) The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions from Authorized Persons. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the parties’ business relationship, or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. This includes not combining or updating the Personal Information with personal information obtained outside of this contract unless the Privacy and Data Protection Requirements permit the action. The Provider will notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.

3.2) The Provider will comply with any Customer request or instruction from Authorized Persons requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

3.3) The Provider will maintain the confidentiality of all Personal Information and will not sell it to anyone, share it for cross-context behavioral advertising (targeted advertising) with anyone, or disclose it to third parties without specific authorization from the Customer or this DPA, unless required by law. If a law requires the Provider to process or disclose Personal Information, the Provider will first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4) The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.

3.5) The Provider will notify the Customer of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect the Provider’s performance of the Master Agreement or this DPA.

3.6) The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.

4) Provider’s Employees

4.1) The Provider will limit Personal Information access to:

a) those employees who require Personal Information access to meet the Provider’s obligations under this DPA and the Master Agreement; and

b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

4.2) The Provider will ensure that all employees:

a) are informed of the Personal Information’s confidential nature and use restrictions and are obliged to keep the Personal Information confidential; and

b) are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

5) Security

5.1) The Provider will implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, or disclosure including, but not limited to, the security measures set out in Appendix B.

6) Security Breaches

6.1) The Provider will promptly notify the Customer of a confirmed Security Breach.

6.2) Immediately following any confirmed Security Breach, the parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Customer in the Customer’s handling of the matter.

6.3) The Provider shall not be responsible for any expenses or costs related to a Security Breach that arises from the Customer’s specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.

7) Cross-Border Transfers of Personal Information

7.1) Customer shall not transfer to Provider any Personal Information that requires a cross-border transfer mechanism under applicable Privacy and Data Protection Requirements, including, but not limited to, Personal Information from or about individuals that reside in the European Union, United Kingdom, or Switzerland.

7.2) If any such cross-border transfer of Personal Information is required by Customer to use the Services under the Master Agreement, Customer will provide written notice to Provider and the Parties will negotiate in good faith whether they may enter into, and first enter into, applicable data transfer mechanisms as required by law prior such transfer of Personal Information.

8) Subcontractors

8.1) Customer authorizes Provider to use a third party (subcontractor) to process the Personal Information to provide the services under the Agreement if:

a) the Provider enters into a written contract with the subcontractor that contains protections for Personal Information substantially the same as those set out in this DPA;

b) the Provider maintains control over all Personal Information it entrusts to the subcontractor; and

c) the subcontractor’s authorization to process Customer Personal Information terminates automatically on termination of this DPA for any reason.

8.2) Where the subcontractor fails to fulfill its obligations under such written agreement, the Provider remains liable to the Customer for the subcontractor’s performance of its agreement obligations.

9) Data Subject Requests, Complaints, and Third-Party Rights

9.1) The Provider will notify the Customer if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.

9.2) The Provider will notify the Customer if it receives any other complaint, notice, or communication that directly or indirectly relates to the Personal Information processing under the Master Agreement or to either party’s compliance with the Privacy and Data Protection Requirements.

9.3) The Provider will provide reasonable and timely assistance to the Customer (at Customer’s sole expense) to respond to any complaint, notice, communication, or Data Subject request.

9.4) The Provider will not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s instruction, permitted by this DPA, or is otherwise required by law.

10) Term and Termination

10.1) This DPA will remain in full force and effect so long as:

a) the Master Agreement remains in effect; or

b) the Provider retains any Personal Information related to the Master Agreement in its possession or control (the “Term”).

10.2) Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement to protect Personal Information will remain in full force and effect.

11) Data Return and Destruction

11.1) At the Customer’s written request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.

11.2) On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control, except for Personal Information that it must retain for legal or business purposes. The Provider may only use this retained Personal Information for the required retention reason or purposes.

12) Audit

12.1) Upon the Customer’s written request, once per year, the Provider will make relevant audit reports available to the Customer for review: the Provider’s latest Service Organization Controls (SOC) Type 1 and SOC Type 2 audit reports and reports relating to its ISO/IEC 27001 certification. The Customer will treat such audit reports as the Provider’s Confidential Information as defined in the Master Agreement.

13) Warranties

13.1) The Customer warrants and represents that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.

APPENDIX A

Data Processing Purposes and Details

Business Purposes: The provision of the Services, including installation, configuration, hosting, maintenance, support, and implementation assistance under the Master Agreement and Order Form. Processing is necessary to provide access to Provider’s software and related services for Customer’s internal business purposes.

Personal Information Categories:

Customer employee identifiers (e.g., names, email addresses, phone numbers)
Customer end user access credentials (e.g., usernames, passwords, security tokens)
Customer usage data and diagnostic information related to Customer’s use of the Services

Data Subject Types: Customer’s employees, contractors, and internal personnel authorized to use the Services.

Processing Duration: For the Term of the Master Agreement and any applicable Order Forms, including any renewal periods, and for a reasonable period thereafter to comply with post-termination obligations (e.g., data return or deletion or legal requirements).

Subcontractors: Provider may use subcontractors for hosting, support, and related services, subject to the terms of the Master Agreement and the DPA.

Authorized Persons: Authorized Persons includes persons or categories of persons that the Customer authorizes to give the Provider Personal Information processing instructions, pursuant to the Master Agreement.

APPENDIX B

Security Measures

PROVIDER’S TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES INCLUDE:

Physical Access Controls

Badge‑controlled entry, visitor sign‑in procedures, and escorted access for non‑employees.
Security cameras (CCTV), intrusion alarms, and monitored security checkpoints.
Locked server rooms, restricted access zones, and environmental controls for critical equipment.
Regular reviews of access logs and prompt removal of physical access for terminated staff.

2. System Access Controls

System-level access controls prevent unauthorized use of organizational systems. Measures typically include:

Enforcing strong password policies and multi‑factor authentication (MFA).
Role‑based access provisioning based on least privilege.
Centralized identity and access management (IAM) with automated onboarding/offboarding processes.
Regular reviews of user accounts, permissions, and authentication mechanisms.

3. Data Access Controls

Data access is restricted to only those who require it for business purposes. SOC‑aligned practices include:

Access to databases, applications, and sensitive data based on job responsibilities.
Data classification and labeling to define handling requirements.
Encryption of data at rest and monitoring tools to identify unauthorized data access attempts.
Logging and auditing data access for compliance and forensic purposes.

4. Transmission Controls

Transmission controls protect data as it moves between systems, networks, or external parties. Typical controls include:

Encryption of data in transit using secure protocols such as TLS 1.2+.
Secure file‑transfer mechanisms (SFTP, HTTPS, VPN tunnels).
Network monitoring and intrusion detection/prevention systems (IDS/IPS).
Policies restricting the use of insecure communication channels.

5. Input Controls

Input controls ensure data entered into systems by Provider is accurate, complete, and authorized. These generally include:

Validation checks, required field rules, and data format controls.
System-triggered error alerts for invalid or incomplete entries.
Logging of input activities for traceability and audit review.
Segregation of duties to ensure that data input, approval, and processing are independent.

6. Data Backups

Backup controls ensure that critical data can be recovered in the event of loss, corruption, or disaster. Common measures:

Automated, scheduled backups for systems and databases.
Encrypted storage of backup data, both onsite and offsite.
Regular restoration testing to confirm backup integrity and completeness.
Documented backup retention schedules aligned with legal and business requirements.

7. Data Segregation

Data segregation ensures that separate clients, functions, or environments cannot improperly access or influence one another. Controls may include:

Logical separation within databases, systems, and networks using access controls and permissions.
Segregated development, testing, and production environments.
Firewall policies isolating networks and sensitive workloads.
Audit trails to verify separation is maintained and functioning as intended.