Data Processing Agreement
Last Updated: May 30, 2024
This Data Processing Agreement (“DPA”) is entered into by and between Overwolf Ltd. and its Affiliates (“Company” or “Vendor”) and the Developer who signed the Overwolf Developer Terms and Conditions executed between the parties (“Developer” and “Agreement”), and enters into force on the date on which the Developer accepted the Agreement (“Effective Date”).
Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement (each of Vendor and Developer, a “party” and together the “parties”).
WHEREAS, Vendor is the developer, owner, and operator of the platform/s, APIs, SDKs, tools, plugins, codes, technology, content, and other services that are provided to third party Developers (as such terms may be defined in the Agreement and for the purpose of this DPA shall be referred to as the “Services”);
WHEREAS, during the use of the Services by the Developer, the parties will process and share Personal Data (as such terms are defined below) subject to the terms and conditions of this DPA; and
WHEREAS, the parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States, and other data protection laws and agree on the following:
- DEFINITIONS
-
“Adequate Country” is a country that has an adequacy decision from the European Commission.
-
“CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 - 1798.199) of 2018, including as modified by the California Privacy Rights Act (“CPRA”) as well as all regulations promulgated thereunder from time to time.
-
“CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments.
-
“CTDPA” means the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.
-
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law, CPA, VCDPA and CTDPA. The terms “Business”, “Business Purpose”, “Consumer”, “Cross Context Behavioral Advertising” (also known as "CCBA"), “Contractor”, “First-Party Business”, “Service Provider”, “De-identified Data” or “Deidentified Data”, “Share”, “Sale”, “Sell”, “Third-Party Business” and “Targeted Advertising”, shall have the same meanings as ascribed to them in the US Data Protection Laws. “Data Subject” shall also mean and refer to a “Consumer”. “Personal Data” shall also mean and refer to “Personal Information”.
-
“Consent” means an End User’s informed and freely given consent that meets the requirements stipulated under Article 7 of the GDPR or the IAB Policies.
-
“Data Protection Law” means applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law, US Data Protection Laws, and the Brazilian General Data Protection Law (“LGPD”)), as may be amended or superseded from time to time.
-
“EEA” means the European Economic Area.
-
“End User” means an individual using, visiting or browsing the Application (as such term is defined in the Agreement), or any other digital property operated by the Developer.
-
“EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any laws relating to data protection, the Processing of Personal Data, privacy or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018, UK Data Protection and Digital Information Bill (collectively, “UK Data Protection Laws”), (v) the Swiss Federal Act on Data Protection (“Swiss FDPA”); (vi) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (vii) any legislation replacing or updating any of the foregoing.
-
“IAB Framework” means the IAB Tech Labs’ technical specification for the GDPR transparency & consent framework (“TCF”) and the Global Privacy Platform (“GPP”).
-
“IAB Policies” means the (i) IAB Europe TCF available at: 230509-TCF-Policies-TransparencyConsentFramework_Policies_version_TCF-v2.2.pdf; (ii) IAB Global Privacy platform including the Multi State Privacy Framework (“MSPA”) available at: IAB First Amended and Restated Multi-State Privacy Agreement (MSPA).pdf
-
“ID” means (i) a unique identifier stored on an End-User’s device; (ii) a unique identifier generated for a specific End User; (iii) an online identifier associated with a particular device; or (iv) a cookie ID, agent ID, IP address, URL or RTB tag, or any online identifier identifying an End User or a specific device.
-
“Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017, and other related privacy regulations.
-
“Privacy Signals” means the End Users’ preference signals, indicating the End Users’ preference for Processing Personal Data, such as: requesting to opt-out from selling or sharing Personal Data, opt-out from Processing Personal Data for Targeted Advertising, including without limitations flags or signals sent through a cookie banner, cookie manager, consent management platform or other technology (“CMP”) such as IAB Global Privacy Platform (“GPP”) or otherwise the CCPA “Do Not Sell Or Share My Personal Information” signals, Google restricted data Processing (“RDP”) signals, Global Consent Platform (“GCP”) signals, and any other opt-out from interest-based advertising signals such as the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI), as applicable.
-
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
-
“Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
-
“Swiss Data Protection Laws” or “FADP” shall mean the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1, and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the Processing of Personal Data under the Agreement.
-
“Swiss SCC” shall mean the applicable standard data protection clauses issued, approved, or recognized by the Swiss Federal Data Protection and Information Commissioner.
-
“UK SCC” means the UK's International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers, available at: international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK's Information Commissioner's Office, Parliament or Secretary of State.
-
1.1 “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
1.2 “US Data Protection Laws” means any U.S. federal and state privacy laws that are in effect and apply to the Processing of Personal Data, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, the VCDPA, and the UCPA.
1.3 “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of US Data Protection Laws, UK Data Protection Laws, or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
-
RELATIONSHIP OF THE PARTIES
-
Pursuant to this DPA and in the course of the engagement set forth therein, Company and Developer will Process the Personal Data described in Annex I.
-
The Parties acknowledge that for the Processing of the Personal Data by the Company for (i) the Restricted Purpose in the course of providing services to Developer as specified under the US Privacy Law Addendum (detailed in ANNEX VIII); (ii) providing CMP services for the Developer; the Company shall be considered as a Processor / Service Provider, as applicable.
-
Except as otherwise agreed by the Parties under Section 2.2 above, each party is an independent Controller with respect to Personal Data Processed under the Agreement. Each party shall be individually and separately responsible for complying, and shall be able to demonstrate compliance, with applicable Data Protection Laws in connection with the Processing of Personal Data. The purpose, subject matter, and duration of the Processing, the type of Personal Data, and categories of Data Subjects are described in ANNEX I attached hereto.
-
REPRESENTATIONS AND WARRANTIES
-
Each party shall notify the other party, in writing without undue delay (unless prohibited by law) upon becoming aware of:
-
A security incident that may affect the other party or the Processing of Personal Data provided to or made available by the other party (“Security Incident Notice”). A Security Incident Notice shall include, to the extent available: (i) a description of the nature of the Security Incident, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) a description of the likely consequences of the company that has been exposed; and (iii) a description of the measures taken or proposed to be taken to address the company that has been exposed, including, where appropriate, measures to mitigate its possible adverse effects; and
-
A Data Subject request, Consumer user right request (“DSR Notice”) or otherwise and regulatory, authority or a complaint, investigation, inquiry, warrant, subpoena, or proceedings from or brought by any public, governmental, or judicial agency or authority that relates to the Personal Data Processed under this Agreement (“SAR Notice”).
-
In the event of a Security Incident Notice, a DSR or SAR Notice, the parties undertake to cooperate in good faith to ensure compliance with applicable laws.
-
Each party shall implement and maintain an information security program with appropriate technical and organizational measures. This program is to ensure a level of security that will be appropriate to the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, which includes at a minimum (i) the security measures set forth in ANNEX II; and (ii) where required by Data Protection Laws, the appointment of a Data Protection Officer to oversee the privacy program.
-
Each party shall provide reasonable cooperation and assistance to the other party in ensuring compliance with its obligation to carry out data protection impact assessments.
-
Each party shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to Personal Data; (ii) that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
-
In addition, and if applicable based on the applicable jurisdiction, each party shall Process the Personal Data solely as provided through the Privacy Signals, including the IAB Policies and the IAB Framework, and similar industry frameworks or guidelines applicable to the Agreement.
-
Where the Company processes the Personal Data as a Processor for the purpose of providing the CMP services, in addition to the requirements and obligations of section 3 of this DPA, Company shall comply with the following:
-
Upon Developer’s reasonable request, Company shall provide Developer with commercially reasonable cooperation and assistance needed to fulfill Developer’s obligation under the GDPR to carry out a data protection impact assessment related to Developer’s use of the services, to the extent Developer does not otherwise have access to the relevant information, and to the extent such information is available to Company. Company shall provide commercially reasonable assistance to the Developer in the cooperation or prior consultation with the Supervisory Authority to the extent required under the GDPR or other applicable data protection laws.
-
Following the termination of this DPA, Company shall, at the choice of the Developer, delete all Personal Data processed on behalf of the Developer and certify to the Developer that it has done so, or otherwise, return all Personal Data to the Developer and delete existing copies unless applicable law or regulatory requirements require that Overwolf continue to store the Personal Data. Until the Personal Data is deleted or returned, Company shall continue to ensure compliance with this DPA.
-
The Developer acknowledges that Company may transfer Developer Data to and otherwise interact with third party data processors (“Sub-Processor”). The Developer hereby authorizes Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Company may replace its existing Sub-Processors or add additional Sub-Processors provided it notifies the Developer before authorizing such Sub-Processor(s) to Process Personal Data in connection with the provision of the Services (email will suffice). Developer may reasonably object to the use of a new Sub-Processor by notifying Company promptly in writing within 10 days after receipt of Company’s notice. Developer shall explain its reasonable grounds for objection. In the event Developer objects to a new Sub-processor, Company will use commercially reasonable efforts to make available to Developer a change in the Services or recommend a commercially reasonable change to Developer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Developer. If Company is unable to make available such change within a reasonable period of time, either party may terminate without penalty with respect only to those Services which cannot be provided by Company without the use of the objected-to new Sub-processor by providing written notice to the other party. Where Company engages a Sub-Processor, it shall impose on the Sub-Processor data protection obligations no less onerous than those set out in this DPA, through a legally binding contract between Company and the Sub-Processor (“Contract”). Company shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
Company shall remain fully responsible to the Developer for the performance of the Sub-Processor’s obligations in accordance with the DPA. Company shall notify the Developer of any known failure by the Sub-Processor to fulfill its contractual obligations.
-
DATA TRANSFER
-
Any transfer of Personal Data Processed in connection with the Agreement outside of the jurisdiction from which it was collected shall be transferred subject to and in compliance with an approved transfer mechanism.
-
Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland), and the United Kingdom (collectively, “EEA”) to an Adequate Country, without any further safeguard being necessary.
-
If the transfers of Personal Data include transfers from the EEA to countries that are not Adequate Countries, then the parties agree to rely on the Standard Contractual Clauses to facilitate such transfer:
-
Transfer of Personal Data from the EEA, the terms set forth in ANNEX III shall apply;
-
Transfer of Personal Data from the UK, the terms set forth in ANNEX IV shall apply; and
-
Transfer of Personal Data from Switzerland, the terms set forth in ANNEX V shall apply.
-
CONFLICT
- In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event that the Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA solely with regards to international transfer of Personal Data. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
-
TERM AND TERMINATION
- This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates.
ANNEX I: DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of the Developer Data as required by Article 28(3) GDPR.
Categories of Data Subjects:
Developer’s End Users / Data Subjects that viewed ads or content which are placed on the Developer’s Application or the Company Platform/s (as such term is defined in the Agreement) or any ads displayed through the Company Services to the Developer.
Categories of Personal Data:
Independent Controllers: IDs, Privacy String, tracking data, usage data, approximate location data, referred URL, aggregated insights such as ads viewed, impression data, optimization data, ad delivery data, ad effectiveness data, ad viewability data.
Controller – Processor: IDs, Privacy String.
Purpose of processing:
Independent Controllers: To display ad campaigns within the Customer properties; Analytics and attribution of such advertising campaigns; Frequency capping, audience verification, system maintenance, fraud detection, tracking and measurement of such advertising campaigns;
Controller – Processor: providing consent management platform (CMP) services.
Special Categories of Personal Data:
Not Applicable
Process Frequency:
The Personal Data is transferred on a continuous basis.
Nature of the processing:
Collection, storage, organization, analysis, modification, retrieval, disclosure, communication, and other uses in the performance of the Services as set out in the Agreement
Retention Period:
For as long as needed to provide the Services.
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
Each party shall implement and maintain current and appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access, as set forth below:
-
Conduct security testing or penetration testing, remediate any identified high vulnerabilities, provide written remediation plans for medium and low vulnerabilities;
-
Maintain a level of security appropriate to protect against any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Personal Data;
-
Oblige its employees, agents, or other persons to whom it provides access to Personal Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Personal Data; provide annual training to staff and subcontractors on the security requirements contained herein;
-
Adhere to password policies for standard and privileged accounts consistent with industry best practices;
-
Ensure that only those personnel who need to have access to Personal Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing the Services and the obligations under this DPA;
-
Maintain a physical security program that is consistent with the corresponding industry practices;
-
Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Personal Data, if applicable, is securely erased or destroyed before repurposing or disposal;
-
Measures and assurances regarding US government surveillance (“Additional Safeguards”) see Annex III.
ANNEX III: EU INTERNATIONAL TRANSFERS AND SCC
-
The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
-
Module One (Controller to Controller) of the Standard Contractual Clauses shall apply where the transfer is effectuated by the Developer as the Data Controller of the Personal Data and Vendor as the Data Controller of the Personal Data.
-
The parties agree that for the purpose of transfer of Personal Data between the Developer (as Data Exporter) and the Vendor (as Data Importer), the following shall apply:
- a. Clause 7 of the Standard Contractual Clauses shall not be applicable.
- b. Clause 9 shall not be applicable.
- c. In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- d. In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Developer is established (where applicable).
- e. In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
-
Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- 1.a.1 “Data Exporter”: Developer
- 1.a.2