DATA PROCESSING AGREEMENT

This Data Processing Addendum (“DPA”), including its Schedules, forms part of the Agreement (as defined below) between Foursquare Labs, Inc. (“Foursquare”) and Company and applies to the processing of Company Personal Data (as defined below), if and as applicable, in connection with the Agreement. In the event of a conflict between the terms of the Agreement as they relate to the processing of Company Personal Data and this DPA, the DPA shall prevail. Capitalized terms not specifically defined herein shall have the meaning set forth elsewhere in the Agreement.

The parties agree as follows:

  1. Definition
    1. “Agreement” means the agreement(s) between Foursquare and the Company for the provision of data services under which the parties are engaged in or are permitted to engage in processing of Personal Data;
    2. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, each as amended and supplemented from time to time;
    3. “Company” means the entity that entered into the Agreement;
    4. “Company Personal Data” means the Personal Data in relation to which the Company is the Controller and which is processed by Foursquare as a Processor or by its Sub-processors in the course of providing the Services;
    5. “Controller” means the entity which alone or jointly with others determines the purposes and means of the processing of Personal Data and includes a “business” as defined under the CCPA; where the purposes and means of processing are determined by applicable Data Protection Law, the Controller or the criteria for the Controller’s nomination will be as designated by applicable Data Protection Laws;
    6. “Data Protection Laws” means all current and future applicable laws and regulations relating to the processing, security, protection, and retention of Personal Data and privacy that may exist in relevant jurisdictions, including, but not limited to the CCPA, the GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, any national laws or regulations implementing the foregoing, and any data protection laws of Norway, Iceland, Liechtenstein, Switzerland and the UK and any amendments or replacements for such laws and regulations;
    7. “Data Subject” shall have the meaning assigned to the term “data subject” under applicable Data Protection Laws and shall include, at the minimum, any and all identified or identifiable natural person to whom the Personal Data relates;
    8. “EU” means the European Union and the countries which are members of that union collectively;
    9. “European Country” means a member state of the EU, Norway, Iceland, Liechtenstein, Switzerland and the UK;
    10. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
    11. “Personal Data” means any information relating to an identified or identifiable individual or as otherwise defined by applicable Data Protection Laws. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity;
    12. “Personal Data Incident” shall have the meaning assigned by applicable Data Protection Laws to the terms “security incident”, “security breach” or “personal data breach” but shall include any situation in which Foursquare becomes aware that Company Personal Data has been or is likely to have been accessed, disclosed, altered, lost, destroyed or used by unauthorized persons, in an unauthorized manner;
    13. “process”, “processes”, “processing” or “processed” for purposes of this DPA means any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including, without limitation, accessing, collecting, recording, organizing, structuring, retaining, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning, combining, blocking, restricting, erasing and destroying Personal Data and any equivalent definitions in applicable Data Protection and Privacy Laws to the extent that such definitions should exceed this definition;
    14. “Processor” means the entity which processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA;
    15. “European-U.S. Approved Adequacy Mechanism” means any adequacy mechanism approved under applicable Data Protection Laws for the transfer of Personal Data from a European Country to the U.S.;
    16. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data from the other party, including any personal data breach;
    17. “Services” means the services provided under the Agreement;
    18. “Controller to Processor Standard Contractual Clauses” or “C-to-P SCCs” mean Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) sections I, II, III and IV (as applicable) to the extent they reference Module Two or its successor and any equivalent transfer mechanisms approved under applicable Data Protection Laws for the transfer of Personal Data; and
    19. “Sub-processor” means any entity which provides processing services on behalf of Foursquare in its capacity as a Processor.
  2. Processing of Personal Data.
    1. Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Company Personal Data, Company is a Controller and Foursquare is a Processor.
    2. Company’s Processing of Personal Data. Company shall, in its use of Foursquare’s Services, have sole responsibility for compliance with all applicable Data Protection Laws regarding the accuracy, quality and legality of Company Personal Data that is to be processed by Foursquare in connection with the Services. Company shall further ensure that the instructions it provides to Foursquare in relation to the processing of Company Personal Data will comply with all applicable Data Protection Laws and shall not put Foursquare in breach of its obligations under applicable Data Protection Laws. Company specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject.
    3. Foursquare’s Processing of Personal Data. Notwithstanding anything to the contrary in the Agreement, in relation to Company Personal Data, Foursquare shall:
      1. Only process Company Personal Data in accordance with Company’s documented instructions which may be specific or general in nature as set out in the Agreement or as otherwise agreed between the parties.
      2. Ensure only authorized personnel who have undergone the appropriate training in the protection and handling of Personal Data and are bound to respect the confidentiality of Company Personal Data shall have access to the same;
      3. Implement appropriate technical and organizational measures to protect against unauthorized or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data;
      4. Without undue delay and to the extent permitted by law, notify Company of any requests from Data Subjects seeking to exercise their rights under applicable Data Protection Laws and, at Company’s written request and cost, taking into account the nature of the processing, assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, to assist with the Company’s obligation to respond to such requests. To the extent that Company Personal Data is not accessible to Company through the Services provided under the Agreement, Foursquare shall, where legally permitted and upon Company’s request, provide commercially reasonable efforts to assist Company in responding to such requests if responses to such requests are required by the applicable Data Protection Laws;
      5. At Company’s written request and cost, taking into account the nature of processing and the information available to Foursquare, assist Company with its obligations under applicable Data Protection Laws relating to the security of Company Personal Data and the requirements to conduct data protection impact assessments; and
      6. Upon written request by Company, delete or return to Company any such Company Personal Data after the end of the provision of the Services, unless applicable law requires storage of the Company Personal Data. Until Company Personal Data is deleted or returned, Foursquare shall continue to comply with this DPA.
  3. Sub-processing.
    1. Company acknowledges and agrees that Foursquare may engage Sub-processors (and permit Sub-processors to do so in accordance with Section 3 of this DPA) for the purposes of providing the Services. Foursquare shall ensure that any Sub-processors to whom Foursquare transfers Company Personal Data enter into written agreements with Foursquare requiring that the Sub-processors abide by terms no less protective than those set forth in this DPA. Foursquare shall remain responsible for its Sub-processor’s compliance with the obligations of this DPA. The list of current Sub-processors engaged in processing Personal Data for the performance of the Services can be found in Schedule 2.
    2. Foursquare can at any time and without justification appoint a new Sub-processor provided that Company is given ten (10) days prior notice and Company does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-processor’s non-compliance with applicable Data Protection Laws. If, in Foursquare’s reasonable opinion, such objections are legitimate, Foursquare shall refrain from using such Sub-processor in the context of the processing of Company Personal Data. In such cases, Foursquare shall use reasonable efforts to (i) make available to Company a change in Foursquare’s Services or (ii) recommend a change to the Company’s configuration or use of the Services to avoid the processing of Company Personal Data by the objected-to Sub-processor. If Foursquare is unable to make available such change within a reasonable period of time, which shall not exceed ninety (90) days, Company may, by providing written notice to Foursquare, terminate the Service which cannot be provided by Foursquare without the use of the objected-to Sub-processor.
  4. Personal Data Incidents. Foursquare shall notify Company, without undue delay, if Foursquare becomes aware of any Personal Data Incident involving Company Personal Data and take such steps as Company may reasonably require, within the timescales reasonably required by Company, to remedy the Personal Data Incident and provide such further information as Company may reasonably require. Foursquare reserves the right to charge an administrative fee for assistance provided under this Section 4 unless and to the extent that Company demonstrates that such assistance is required because of a failure by Foursquare to abide by this DPA.
  5. International Transfers.
    1. Company acknowledges and agrees that Company Personal Data may be transferred outside the country from which it was originally collected provided that such transfer is required in connection with the Services and such transfers take place in accordance with applicable Data Protection Laws.
    2. European Country Specific Provisions
      1. If, in the performance of Services, Company Personal Data is transferred outside of a European Country to a country that does not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws, the following international transfer mechanisms listed below shall apply, in order of precedence as set forth in Section 5.2.2 to any such transfers in accordance with applicable Data Protection Laws:
        1. European-U.S. Approved Adequacy Mechanism. Any transfer under a European-U.S. Approved Adequacy Mechanism must be made in accordance with the rules of the mechanism including, where required, the registration or certification of Foursquare.
        2. Controller-to-Processor Standard Contractual Clauses. If data transfers cannot be made under a European-U.S. Approved Adequacy Mechanism, the parties shall comply with the C-to-P SCCs, subject to the additional terms in Schedule 1.
      2. In the event that the Services are covered by more than one transfer mechanism or such mechanism ceases to be a valid data transfer mechanism under applicable Data Protection Laws, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: 1) European-U.S. Approved Adequacy Mechanism; 2) C-to-P SCCs; 3) other approved transfer mechanism (such as Binding Corporate Rules).
      3. Foursquare has no reason to believe that the laws and practices in the third country of destination applicable to the processing of the Company Personal Data by Foursquare, including any requirements to disclose Company Personal Data or measures authorizing access by public authorities, prevent Foursquare from fulfilling its obligations under this DPA. If Foursquare reasonably believes that a change in the laws and practices in the third country of destination will prevent it from fulfilling these obligations, then it shall promptly notify Company. In such cases, Foursquare shall use reasonable efforts to (i) make available to Company a change in Foursquare’s Services or (ii) recommend a change to the Company’s configuration or use of the Services to facilitate compliance without unreasonably burdening Customer. If Foursquare is unable to make available such change promptly, Company may, by providing written notice to Foursquare, terminate the Service which cannot be provided by Foursquare in accordance with this DPA and suspend transfer of Company Personal Data.
  6. Audits. At Company’s written request, Foursquare shall make available to Company all information necessary to demonstrate compliance with the obligations set forth under applicable Data Protection Laws, provided that Foursquare shall have no obligation to provide commercially confidential information. On no more than an annual basis and at the Company’s expense, Foursquare shall further allow for and contribute to audits and inspections by Company or its authorized third-party auditor that shall not be a competitor of Foursquare. The scope of any such audits, including timing, proportionality and conditions of confidentiality, shall be mutually agreed upon by the parties prior to initiation.
  7. Limitation of Liability. Neither party’s total liability to the other party under this DPA shall exceed the greater of (a) the limitation of liability under the applicable Agreement; and (b) the amount paid by Company to Foursquare under the applicable Agreement during the 12 months prior to the date the cause of action arose.

Schedule 1

INTERNATIONAL TRANSFER MECHANISMS FOR EUROPEAN COUNTRIES

  1. C-to-P SCC PROVISIONS & ADDITIONAL TERMS
    For the purposes of the C-to-P SCCs, Company is the data exporter and Foursquare is the data importer and the parties agree to the following:
    1. Reference to the C-to-P SCCs. The relevant provisions contained in the C-to-P SCCs are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the C-to-P SCCs is set out in Schedule 2. To the extent there is any conflict between this DPA and the C-to-P SCCs, the terms of the C-to-P SCCs shall prevail. All Clauses referenced below refer to the C-to-P SCCs (as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
    2. Docking clause. The option under Clause 7 shall not apply.
    3. Certification of Deletion. The parties agree that the certification of deletion of Company Personal Data that is described in Clauses 8.5 and 16(d) of the C-to-P SCCs shall be provided by Foursquare to Company only upon Company’s written request.
    4. Security. In relation to Clause 8.6(a), it is up to the Company to determine whether, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Company Personal Data as well as the risks to individuals, the technical and organizational measures set forth in Schedule 2 provide a level of security appropriate to the risk with respect to Company Personal Data.
    5. Personal Data Breach. For purposes of Clause 8.6(c), personal data breaches will be handled in accordance with Section 4 of this DPA.
    6. Audits. The parties agree that the audits described in Clause 8.9 shall be carried out in accordance with Section 6 of this DPA.
    7. Sub-processors. For purposes of Clause 9, Option 2 under Clause 9(a) shall apply and Foursquare has Company’s general authorization to engage Sub-processors in accordance with Section 3 of this DPA.
    8. Redress. For the purposes of Clause 11, Foursquare shall inform Data Subjects on its website of a contact point authorized to handle complaints. Complaints shall be handled in accordance with Section 2.3.4 of this DPA and Foursquare shall not otherwise have any obligation to handle the request (unless otherwise agreed with Company). The option under Clause 11 shall not apply.
    9. Liability. Foursquare’s liability under Clause 12(b) shall be limited to any damage caused by Foursquare where it has failed to comply with its obligations under Data Protection Laws, specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Company.
    10. Supervision. As regards data transfers, the parties agree as follows:
      1. EU Establishment. Where Company is established in the EU, the supervisory authority with responsibility for ensuring Company’s compliance with applicable Data Protection Laws as regards the data transfer shall act as competent supervisory authority.
      2. No EU Establishment with Appointed Representative. Where Company is not established in the EU but falls within the territorial scope of application of the GDPR and has appointed a representative, the supervisory authority of the member state in which the representative is established shall act as competent supervisory authority.
      3. No EU Establishment with No Appointed Representative. Where Company is not established in the EU but falls within the territorial scope of application of the GDPR without having to appoint a representative, the Data Protection Commission (“DPC”), Ireland shall act as competent supervisory authority.
      4. Other European Country Establishment. When Company is established in a European Country that is not a member of the EU (e.g., UK or Switzerland), the competent supervisory authority shall be either: 1) that which is located in the European Country in which the Company is established; or 2) that which is responsible for ensuring Company’s compliance with the applicable Data Protection Laws where Company falls within the territorial scope.
    11. Notification. In the event of a government access request affecting Company Personal Data, for the purposes of Clause 15, Foursquare shall notify Company and not the Data Subject(s). Company shall be solely responsible for promptly notifying the Data Subject as necessary.
    12. Governing Law. The governing law for the purposes of Clause 17 shall be the law of the EU member state in which Company is established. Where the Company is established in a European Country that is not a member of the EU, the C-to-P SCCs shall be governed by the laws of that European Country. In either case, where such law does not allow for third-party beneficiary rights, the C-to-P SCCs shall be governed by the laws of Ireland.
    13. Choice of forum and jurisdiction. Where the Company is established in the EU, the parties agree that the courts of Ireland shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with these C-to-P SCCs. Where the Company is established in a European Country that is not a member of the EU, the courts of that European Country shall have exclusive jurisdiction. For Data Subjects habitually resident in a European Country that is not a member of the EU, the courts of the Data Subject’s habitual residence are an alternative place of jurisdiction in respect of disputes.
    14. Appendix. The parties agree that the content of Schedule 2 is intended to satisfy the requirements of the Appendix to the C-to-P SCCs.

Schedule 2

DETAILS OF PROCESSING ACTIVITIES

A. LIST OF PARTIES

  1. Data Exporter:
    Name: Company as defined in the DPA to mean the entity that executed the Agreement.
    Address: Refer to Agreement.
    Contact person’s name, position and contact details: Refer to Agreement
    Activities relevant to the transfer under these Clauses: Performance of the Services pursuant to this Agreement.
    Role: Controller
  2. Data Importer:
    Name: Foursquare Labs, Inc.
    Address: 50 W 23rd St., New York, NY 10010
    Contact person’s name, position and contact details: Elizabeth Hein, DPO, privacy@foursquare.com
    Activities relevant to the transfer under these Clauses: Performance of the Services pursuant to this Agreement.
    Role: Processor

B. DESCRIPTION OF TRANSFER

  1. Categories of data subjects whose personal data is transferred:
    Data Subjects will include end-users of Company’s products and services that rely on the Services provided by Foursquare in connection with the Agreement and at the direction of, or on behalf of the Controller.
  2. Categories of personal data transferred:
    The Company Personal Data provided to Processor in connection with the provision of Services may include, but is not limited to, IP addresses, other unique IDs such as cookie IDs and device IDs, and device location data (e.g., latitude and longitude coordinates).
  3. Sensitive data transferred:
    N/A
  4. Frequency of transfer:
    Continuous basis depending on the use of the Services by Company.
  5. Nature of the processing:
    Performance of the Services in accordance with the Agreement.
  6. Purpose(s) of the data transfer and further processing:
    Foursquare will process Company Personal Data as necessary to perform the Services in accordance with the Agreement and as further instructed by the Company.
  7. The period for which data will be retained:
    Data shall be retained in accordance with the terms of the Agreement or as otherwise required by law.

C. COMPETENT SUPERVISORY AUTHORITY

  1. Identify the competent supervisory authority:
    Refer to Schedule 1, paragraph 1.10.

D. PROCESSOR SECURITY MEASURES

  1. Access control of processing areas
    Foursquare implements suitable measures to prevent unauthorized persons from gaining access to the data processing equipment used to process the personal data. This is accomplished by:
    • Card key systems
    • Building receptionists
  2. Access control to data processing systems
    Foursquare implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
    • Unique user ID and privacy password for each employee
    • Lock out of user accounts after a pre-determined number of failed log-in attempts
    • Anti-virus and spam scanning
    • Multifactor authentication
  3. Access control to use specific areas of data processing systems
    Foursquare implements suitable measures to give access to the persons entitled to use its data processing systems only to data within scope and to the extent covered by their respective access permission (authorization) and to prevent personal data from being read, copied, modified or removed without authorization. This is accomplished by:
    • User IDs set up to restrict user privileges based on job duties, project responsibilities and other business activities
    • VPN access requires authorization and authentication
  4. Transmission control
    Foursquare implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during transmission or transport of the data media and to make it possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisioned. This is accomplished by:
    • Firewall and encryption technologies to protect gateways and pipelines through which data travels
    • Monitoring of encryption technologies
  5. Access and input control
    Foursquare implements suitable measures to make it possible to check and establish whether, when, by whom and for what reason personal data have been input into data processing systems or otherwise processed. This is accomplished by:
    • Authentication of the authorized personnel via utilization of user ID and passwords
    • Restricted physical access to processing areas
    • System time-out after non-activity for a pre-determined time period
  6. Instructional control
    Foursquare implements suitable measures to provide that personal data is only processed in accordance with the Agreement and Data Exporter’s instructions. This is accomplished by Information & security training and policies & procedures for employees.
  7. Availability control
    Foursquare implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by:
    • Business continuity, backup and disaster recovery management
    • Offsite backup storage
  8. Separation of processing for different purposes
    Foursquare implements suitable measures to ensure that personal data that are intended for different purposes can be processed separately. This is accomplished by:
    • Access to personal data being restricted via user authorization passwords
    • Use of personal data being application specific

E. LIST OF SUBPROCESSORS

The Controller has authorized the following Sub-processors for the purposes of data transmission, storage, querying and security:

  1. Amazon Web Services
  2. Databricks
  3. Fastly
  4. PerimeterX