Introduction

This Data Processing Agreement (“DPA”) is an addendum to the agreement or general terms (“Terms of Service”) regulating the service provided to ______________ (“Data Controller”) by Sealmetrics SL (“Data Processor”). The following clauses are applicable whenever the intended use of Sealmetrics SL triggers the application of the European Union's General Data Protection Regulation (“GDPR”) and/or is subject to the California Privacy Protection Act (“CCPA”).

Definitions

“Privacy Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the processing of personal data under this DPA.

The terms “personal data”, “personal information”, “processing”, “controller”, “processor”, “service provider”, “data subject”, “personal data breach” and “data breach” will have the meanings ascribed to them in the applicable Privacy Laws.

"The Product" refers to a cloud-based software provided by Sealmetrics SL.

"Data processor" or “service provider” refers to Sealmetrics SL.

“Buyer” or "Data Controller" refers to the company identified in this agreement as such, having entered into a contract to either deploy the Product on one or various websites or use the Product to store, process, analyze, visualize or retrieve structured or unstructured data pertaining to its own current or potential customers.


Scope

The subject matter of processing is the personal data provided in respect of the services under the Terms of Service. The duration of the processing is the duration of the provision of the services under the Terms of Service until disposal of the personal data in accordance with such terms. The nature and purpose of the processing is in connection with the provision of the services. The types of personal data processed are those submitted by or at the direction of the Data Controller as part of the services under the Terms of Service. The categories of data subjects are those whose personal data is submitted by or at the direction of the Data Controller as part of the services being provided.

Such personal data will in any case be limited to pseudonymized events pertaining to pages visited, referring websites, and generic campaign properties included in URL parameters. The Product is not designed to single out specific individuals, collect IP addresses or facilitate the creation of personal profiles.

For purposes of statistical comparison and benchmarking, Seal Metrics may download Google Analytics reports from the accounts that you select during the configuration of the Product. Seal Metrics does this in compliance with the Google API Services User Data Policy, including its Limited Use requirement. If the Data Controller has chosen to enable conversion tracking signals, Seal Metrics will act on its behalf to share data with Google, which acts as an independent controller. In no case will Seal Metrics become a data controller or joint data controller as a result of these instructions.

The Data Controller will not be collecting data, in aggregated or granular form, about a data subject's health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. As a result, the Product will not be storing or processing such data.

Processing

Sealmetrics SL has developed information security risk management policies to reasonably ensure the confidentiality, integrity, and availability of the data processed by the Product. These include sub-processor audits (see Sub-processors for further details), certifications, infrastructure, availability and disaster resistance, technical security controls, and administrative security controls.

To the extent that Sealmetrics SL is processing personal data on behalf of the Data Controller, Sealmetrics SL shall:

  • Process the personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization;
  • Ensure that only the team members providing the service or offering relevant customer support have access to the data being processed, and that such team members are informed of the confidential nature of the data being processed, having received appropriate training on their responsibilities and having committed themselves to confidentiality or being under an appropriate statutory obligation of confidentiality;
  • Assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of its obligation to respond to requests for exercising the data subject's rights laid down in the Privacy Laws;
  • At the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing and delete existing copies unless applicable law requires storage of the personal data;
  • Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in the Privacy Laws and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

Sub-processors

Sealmetrics SL has the Data Controller’s general authorization to engage other processors for the processing of personal data in accordance with this DPA from the list included in app.comply.org/attest/Sealmetrics SL, which Sealmetrics SL may update from time to time. Sealmetrics SL will inform the Data Controller of any intended changes by updating the list on its website at least fifteen (15) days in advance. The Data Controller may object to the change without penalty by notifying Sealmetrics SL within fifteen (15) days after the list is updated and describing its reasons to object. Sealmetrics SL shall use reasonable endeavors to avoid processing of personal data by such new processor to which the Data Controller reasonably objects.

Where Sealmetrics SL engages another processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA, in substance, shall be imposed on that other processor by way of a contract or other legal act under applicable law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Privacy Laws. Where that other processor fails to fulfill those data protection obligations, Sealmetrics SL shall (subject to the Terms of Service) remain fully liable to the Data Controller for the performance of that other processor's obligations.

Data Subject Rights

To the extent that Sealmetrics SL is processing personal data on behalf of the Data Controller, Sealmetrics SL shall, to the extent legally permitted, promptly notify the Data Controller of any data subject requests Sealmetrics SL receives, and the Data Controller authorizes Sealmetrics SL to redirect such requests to the Data Controller to respond directly.

To the extent legally permitted, the Data Controller shall be responsible for any reasonable costs arising from Sealmetrics SL providing assistance to the Data Controller in responding to such requests.


Data Transfers

Sealmetrics SL shall ensure that, to the extent that any personal data originating from the Data Controller’s country is transferred by Sealmetrics SL to another country, such transfer shall be subject to appropriate safeguards in accordance with the Privacy Laws.

Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

In particular, the following have been implemented by Seal Metrics:

  • The Product provides end-to-end encryption using the Transport Layer Security (TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption for personal data in transit.
  • Personal data within the Product is encrypted using, at a minimum, AES-256.
  • Its IT systems, as well as those of its sub-processors, are regularly monitored for vulnerabilities, as well as patched in a timely manner.
  • External points of connectivity in our chosen network architecture are protected by firewalls.
  • Network and database activity are logged and actively monitored for potential security events including intrusion.
  • User passwords are stored in a one-way hash.

To the extent that Sealmetrics SL is processing personal data on behalf of the Data Controller, Sealmetrics SL shall take steps to ensure that any natural person acting under the authority of Sealmetrics SL who has access to such personal data does not process it except on instructions from the Data Controller, unless he or she is required to do so by applicable law.

Data Breach

To the extent that Sealmetrics SL is processing personal data on behalf of the Data Controller, Sealmetrics SL shall notify the Data Controller without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Data Controller’s requests for further information to assist the Data Controller in fulfilling its obligations under the Privacy Laws.