24 September 2019
This Data Processing Agreement (“DPA”) supplements the Terms of Service available here, as updated from time to time between Customer and Cookie Saver, or other agreement between Customer and Cookie Saver governing Customer’s use of the Cookie Saver Service (the “Agreement”) when the GDPR applies to your use of the Cookie Saver Service to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Cookie Saver. Unless otherwise defined in this DPA or in the Agreement, all capitalised terms used in this DPA will have the meanings given to them in Section 16 of this DPA.
Please read our blog post here to understand what personal data is processed by the Cookie Saver Service.
1. DATA PROCESSING
1.1 Scope and Roles.
This DPA applies when Customer Data is processed by Cookie Saver. In this context, Cookie Saver will act as “processor” to Customer who may act either as “controller” or “processor” with respect to Customer Data (as each term is defined in the GDPR).
1.2 Details of Data Processing.
1.2.1 Subject matter.
The subject matter of the data processing under this DPA is Customer Data.
As between Cookie Saver and Customer, the duration of the data processing under this DPA is determined by Customer.
The purpose of the data processing under this DPA is the provision of the Cookie Saver Service.
1.2.4 Nature of the processing:
Processing first-party cookies set client-side through a server and setting the first party cookies server-side instead. The cookies are not stored or logged.
1.2.5 Type of Customer Data:
IP-address of website visitors and any cookie values in the processed cookies as configured by the Customer under the Cookie Saver Service.
1.2.6 Categories of data subjects:
The data subjects are the Customer’s website visitors.
1.3 Compliance with Laws.
Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR. The Customer shall be responsible to the outside world (including the data subject) for ensuring that the processing of personal data takes place within the framework of the General Data Protection Regulation. The Customer shall therefore have both the right and obligation to make decisions about the purposes and means of the processing of personal data. The Customer shall be responsible for ensuring that the processing that Cookie Saver is instructed to perform is authorised in law.
2. CUSTOMER INSTRUCTIONS
The parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Cookie Saver’s processing of Customer Data (“Documented Instructions”). Cookie Saver will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Cookie Saver and Customer.
3. CONFIDENTIALITY OF CUSTOMER DATA
Cookie Saver will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Cookie Saver Service, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Cookie Saver a demand for Customer Data, Cookie Saver will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Cookie Saver may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Cookie Saver will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Cookie Saver is legally prohibited from doing so.
4. CONFIDENTIALITY OBLIGATIONS OF COOKIE SAVER PERSONNEL
Cookie Saver ensures that employees who process Customer Data have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.
Cookie Saver ensures that access to Customer Data is limited to those employees for whom it is necessary to process Customer Data in order to meet Cookie Saver’s obligations to the Customer and that Customer Data is only processed in accordance with the Instructions.
5. SECURITY OF DATA PROCESSING
Cookie Saver is responsible for implementing necessary (a) technical and (b) organisational measures to ensure an appropriate security level.
6.1 Authorised Sub-processors.
Customer agrees that Cookie Saver may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. Amazon Web Services are currently engaged by Cookie Saver to carry out processing activities on Customer Data on behalf of Customer. At least 30 days before Cookie Saver engages any new sub-processor to carry out processing activities on Customer Data on behalf of Customer, Cookie Saver will inform Customer via email. Customer consents to Cookie Saver’s use of sub-processors as described in this Section. Except as set forth in this Section, or as Customer may otherwise authorise, Cookie Saver will not permit any sub-processor to carry out processing activities on Customer Data on behalf of Customer.
Sub-processor Obligations. Where Cookie Saver authorises any sub-processor as described in Section 6.1: (i) Cookie Saver will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Cookie Saver Service or to provide the Cookie Saver Service to Customer in accordance with the Documentation and Cookie Saver will prohibit the sub-processor from accessing Customer Data for any other purpose; (ii) Cookie Saver will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by Cookie Saver under this DPA, Cookie Saver will impose on the subprocessor the same contractual obligations that Cookie Saver has under this DPA; and (iii) Cookie Saver will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause Cookie Saver to breach any of Cookie Saver’s obligations under this DPA.
7. SECURITY BREACH NOTIFICATION
Security Incident. Cookie Saver will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and b) take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident.
7.2 Cookie Saver Assistance
To assist Customer in relation to any personal data breach notifications Customer is required to make under the GDPR, Cookie Saver will include in the notification under section 7.1(a) such information about the Security Incident as Cookie Saver is reasonably able to disclose to Customer, taking into account the nature of the Cookie Saver Service, the information available to Cookie Saver, and any restrictions on disclosing the information, such as confidentiality.
7.3 Unsuccessful Security Incidents
Customer agrees that: (i) an unsuccessful Security Incident will not be subject to this Section 7. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data or to any of Cookie Saver’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents; and (ii) Cookie Saver’s obligation to report or respond to a Security Incident under this Section 7 is not and will not be construed as an acknowledgement by Cookie Saver of any fault or liability of Cookie Saver with respect to the Security Incident.
Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Cookie Saver selects, including via email. It is Customer’s sole responsibility to ensure that the Customer maintains accurate contact information at all times.
8. CERTIFICATIONS AND AUDITS.
Upon written request, Cookie Saver will without undue delay document to the Customer that Cookie Saver: (a) meets its obligations under this Data Processing Agreement and the Instructions; and (b) meets the provisions of the personal data regulation in force from time to time, in respect of the personal data processed on behalf of the Customer.
Upon written request, Cookie Saver will once a year provide a signed statement of assurance regarding Cookie Saver’s information security level and the measures taken by Cookie Saver. The statement of assurance will be prepared by Cookie Saver without third party review.
Upon written request, Cookie Saver will contribute to and give access to audit. A request for audit must be made subject to at least fourteen (14) days’ notice. The audit must be conducted by an independent third party selected and paid by the Customer and approved by Cookie Saver. Cookie Saver’s participation must be remunerated at 750 DKK per hour. Cookie Saver may not reject a suggested third party without reasonable cause. The independent third party must accept a general confidentiality agreement with Cookie Saver.
Cookie Saver will make available any certifications and audits available from sub-processors, e.g. ISO-Certification and SOC Reports from Amazon Web Services.
Impact Assessment and Prior Consultation. Taking into account the nature of the Cookie Saver Service and the information available to Cookie Saver, Cookie Saver will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information Cookie Saver makes available under this Section 8.
9. CUSTOMER AUDITS.
Customer agrees to exercise any right it may have to conduct an audit or inspection by instructing Cookie Saver to carry out the audit described in Section 8. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Cookie Saver written notice as provided for in the Agreement. If Cookie Saver declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this DPA and the Agreement.
10. TRANSFERS OF PERSONAL DATA.
Customer Data is processed using sub-contractors global cloud network. Customer Data is processed at the nearest possible location to the website visitor. Cookie Saver cannot control which location is used for processing, as the cloud network always utilize the fastest possible location.
11. TERMINATION OF THE DPA
This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
12. NO STORAGE OF CUSTOMER DATA
The Cookie Saver Service does not store any Customer.
13. ENTIRE AGREEMENT; CONFLICT
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA.
Unless otherwise defined in the Agreement, all capitalised terms used in this DPA will have the meanings given to them below:
- “Cookie Saver Network” means Cookie Saver’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Cookie Saver’s control and are used to provide the Cookie Saver Service.
- “Cookie Saver Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.
- “Customer” means you or the entity you represent.
- “Customer Data” means the “personal data” (as defined in the GDPR) that is processed by the Cookie Saver Service.
- “EEA” means the European Economic Area. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
- “Security Incident” means a breach of Cookie Saver’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
ANNEX 1 – SECURITY STANDARDS
Capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement.
1. INFORMATION SECURITY PROGRAM.
Cookie Saver will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Cookie Saver Network, and (c) minimise security risks, including through risk assessment and regular testing. The information security program will include the following measures:
1.2 Network Security
The Cookie Saver Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. Cookie Saver will maintain access controls and policies to manage what access is allowed to the Cookie Saver Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Cookie Saver will maintain corrective action and incident response plans to respond to potential security threats.
1.3 Physical Security
1.3.1 Physical Access Controls
Cookie Saver is using a cloud service provider to host all Customer Data. Physical components of the subprocessor are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorised entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.).
1.3.2 Limited Employee and Contractor Access
Access to the Facilities are only granted to those employees and contractors who have a legitimate business need for such access privileges.
1.3.3 Physical Security Protections
All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities.
1.4 Continued Evaluation
Cookie Saver will conduct periodic reviews of the security of its network and adequacy of its information security program as measured against industry security standards and its policies and procedures. The subprocessor will continually evaluate the security of its network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.