Data Processing Agreement

A number of terms are used in this agreement. The meaning of those terms is clarified below:

Terms of Service: Taggian's general terms and conditions governing the use of Services.

GDPR: The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and its implementing law.

Data Subject: The person to whom the Personal Data relates, being an identified or identifiable natural person as referred to in Article 4(1) GDPR.

Data Breach: A Personal Data Breach as referred to in Article 33 GDPR, being a breach of security leading accidentally or unlawfully to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed.

European Economic Area: All countries of the European Union, Liechtenstein, Norway and Iceland.

Personal Data: Personal data within the meaning of Article 4(1) GDPR.

Party/Parties: Taggian or Controller or both parties jointly.

Sub-processor: Any third party engaged by Taggian in the processing of Personal Data under the Agreement.

Agreement: The contract between Taggian and Controller that relates to the services to be provided by Taggian to Controller.

Supervisory Authority: The Belgian Data Protection Authority or any other supervisory authority referred to in the GDPR.

Processor: FrontLetter BV (trading as Taggian), having its registered office at Blankenbergse Steenweg 287, 8000 Bruges, Belgium.

Controller: The natural person(s) and/or legal person(s) with whom Taggian enters into an Agreement.

Processing: Any act relating to Personal Data as mentioned in Article 4(2) GDPR.

2.1 Taggian provides to Controller the services as described in the Agreement. Personal Data are thereby Processed by Taggian on behalf of the Controller. This Data Processing Agreement applies to any Processing carried out by Taggian on behalf of the Controller.

2.2 Controller is 'data controller' within the meaning of the GDPR. Taggian acts as 'processor' within the meaning of the GDPR.

3.1 The Personal Data made available by Controller to Taggian shall be processed for the benefit of Controller and processed solely on the basis of written instructions from Controller. Controller guarantees that the Personal Data Processed by Taggian for the benefit of the Controller are accurate and that the Processing is lawful and is Processed in full compliance with the GDPR and other applicable privacy laws and that this does not infringe on the rights of third parties.

3.2 The Personal Data to be Processed under this Data Processing Agreement includes:

• User identifiers and session data
• Device and browser information
• IP addresses and location data
• Behavioral data (page views, events, interactions)
• Marketing and advertising identifiers
• Any other data transmitted through server-side tracking implementation

3.3 The Processing shall take place under the responsibility of Controller. Taggian shall comply with all reasonable instructions of Controller in connection with the Processing.

3.4 The parties undertake to act at all times in accordance with the GDPR and all related laws and regulations regarding the Processing of Personal Data.

3.5 The Parties will each document in a register the Processing carried out by them, as well as their technical and organizational security measures and maintain this register.

3.6 Taggian shall assist Controller in complying with its obligations under the GDPR, including obligations of Controller towards Data Subjects, any data protection impact assessment and a Data Breach. If Controller has duties under Articles 32 to 36 GDPR, Taggian shall provide assistance.

3.7 Taggian processes Personal Data within the European Economic Area.

4.1 This Data Processing Agreement shall apply until Taggian no longer Processes Personal Data on behalf of the Controller.

4.2 After termination of this Data Processing Agreement, the provisions intended for that purpose by their nature shall continue to apply in full.

5.1 Taggian shall ensure appropriate (as referred to in Article 32 GDPR) technical and organizational measures so that Personal Data is secured against destruction, loss, unauthorized access, modification or against any form of unlawful processing and to ensure the timely availability of and access to Personal Data.

5.2 The technical and organizational measures taken by Taggian include:

• Encryption of personal data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• System monitoring and logging
• Incident response procedures
• Regular security training for personnel

6.1 Controller has the right to test or have tested the obligations of Taggian under this Data Processing Agreement and statutory provisions on the protection of Personal Data once per calendar year. The costs of an audit initiated by Controller shall be borne by Controller, unless the results show that Taggian is materially in breach of the provisions of this Data Processing Agreement or that Taggian needs to make adjustments in its business operations, in which case Taggian shall reimburse the costs related to the material breach or required adjustments.

7.1 Taggian shall notify Controller, as soon as Taggian becomes aware of it, of a Data Breach without unreasonable delay. In communicating with Controller about the Data Breach, Taggian shall endeavor to include the following information:

• A. The nature of the Data Breach as well as its (alleged) cause;
• B. The affected categories of Personal Data and any personal data records in question;
• C. The contacts from which more information about the Data Breach can be obtained;
• D. The likely consequences of the Data Breach;
• E. The measures that Taggian proposes to take or has taken to remedy the Data Breach, including measures to mitigate any adverse effects thereof.

7.2 The assessment of whether a Data Breach should be reported to the Supervisory Authority, and any reporting of a Data Breach to the Supervisory Authority, is and shall remain the responsibility of Controller.

7.3 Taggian shall properly document each Data Breach, including the facts and findings regarding its consequences and the corrective actions taken. This record shall also include all incidents that are not so serious as to require reporting to the Supervisory Authority.

8.1 Taggian is obliged to keep the Personal Data provided by Controller confidential and to keep it secret, unless Taggian is required by law or regulation to disclose the Personal Data to third parties.

8.2 The employees of Taggian involved in the Processing are all bound by a confidentiality clause.

9.1 Controller hereby grants Taggian general permission to engage Sub-processors. Such Sub-processors may have access to the Personal Data to be processed.

9.2 Taggian shall notify Controller of any intended changes regarding the addition or replacement of Sub-processors, giving Controller the opportunity to object to such changes within seven days. Current Sub-processors include cloud infrastructure providers and CDN providers within the EU.

9.3 If Taggian engages a Sub-processor, Taggian shall impose the same data protection obligations on such Sub-processor as are contained in this Data Processing Agreement.

10.1 If Taggian fails to fulfill its obligations under this Agreement, the law, other obligations imposed by the Supervisory Authority or obligations related to the foregoing, then Taggian shall be liable to Controller and/or the Data Subjects for this subject to what is provided in this Data Processing Agreement, the Agreement and the Terms of Service.

10.2 The liability of Taggian is limited to what is included in this Data Processing Agreement, the Agreement and the Terms of Service, even if that Agreement and the Terms of Service, for whatever reason, are not or no longer in force.

10.3 If Controller fails to fulfill its obligations under this Data Processing Agreement and/or otherwise fails to do so or acts in violation of the GDPR and other privacy laws, then Controller shall be liable to Taggian for this and Controller shall be obligated to compensate Taggian for any damages incurred as a result.

10.4 Controller shall indemnify Taggian against all claims, demands, damages, costs, fines and penalties of third parties, Data Subjects or the Supervisory Authority if Controller fails to comply with the Agreement, this Data Processing Agreement or the Terms of Service or if Controller has not acted in accordance with the GDPR and other privacy laws. Controller shall reimburse all related and resulting costs (including costs of legal assistance) and damages of Taggian.

11.1 After the end of the Agreement, regardless of the manner of termination of the services to Controller, within 30 days after termination Taggian shall - at the discretion of Controller - make the Personal Data available to Controller or destroy it, unless statutory retention periods or storage periods require otherwise. Any remaining copies of Personal Data and backups shall thereupon be destroyed by Taggian at a time to be determined by Taggian.

12.1 If one or more articles of this Data Processing Agreement should be invalid or otherwise not binding, the validity of the remaining articles of this Data Processing Agreement shall not be affected thereby. In such a case, the Parties shall, in mutual consultation and in the spirit of this Data Processing Agreement, amend the Agreement to the extent necessary. The non-binding articles will be replaced by provisions that differ as little as possible in terms of the Parties' intentions from the non-binding articles in question.

13.1 Belgian law applies to this Data Processing Agreement. The courts of Bruges, Belgium have exclusive jurisdiction to hear disputes between the Parties.