This Data processing Agreement is concluded between We Can Track B.V., a private company with limited liability, established and existing under the laws of the Netherlands, having its registered office in (1323 ME) Almere, the Netherlands, at Purcellstraat 92, registered with the Chamber of Commerce under 73567493 (hereinafter referred to as “wecantrack”), and Affiliate as defined in the Agreement.
wecantrack and Affiliate each a “Party” and together referred to as “Parties”.
WHEREAS:
- wecantrack helps affiliate publishers to gain a better overview of their sales performance. In order to do so, wecantrack collects, processes and matches session, click and sale data, collecting those from different sources on behalf of the affiliate publisher;
- Affiliate is a website owner who hosts the products and services of an advertiser;
- wecantrack and Affiliate concluded an Agreement regarding the use of wecantrack’s services and products, of which this Data Processing Agreement is a part;
- Where the personal data processing is concerned, Affiliate classifies as a controller within the meaning of Section 4(7) of the General Data Protection Regulation (“GDPR”);
- Where the personal data processing is concerned, wecantrack qualifies as a processor within the meaning of Section 4(8) GDPR;
- In accordance with the provisions of Section 28(3) GDPR, Parties wish to document a number of conditions in the present Data Processing Agreement which apply to their relationship in the context of the aforesaid activities on behalf of – and for the benefit of Affiliate.
AGREED AS FOLLOWS:
1. Definitions
1.1 In this Data Processing Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:
appendix to this Data Processing Agreement which forms an integral part of it;
the present agreement;
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as referred to in Section 4(12) GDPR;
as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;
the sub-contractor hired by wecantrack that Processes Personal Data in the context of this Data Processing Agreement on behalf of Affiliate, as referred to in Section 28(4) GDPR
1.2 The provisions of the Agreement (including the Terms of Service) apply in full to this Data Processing Agreement. In case provisions with regard to the Processing of Personal Data are included in the Agreement, the provisions of this Data Processing Agreement prevail.
2. Purpose of the Personal Data Processing
2.1 wecantrack and Affiliate have concluded the present Data Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex 1.
2.2 wecantrack is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Affiliate and under the express (final) responsibility of Affiliate. For all other Processing of Personal Data, including but not limited to the collection of Personal Data by the Affiliate, Processing for purposes not reported to wecantrack by Affiliate, Processing by third parties and/or for other purposes, wecantrack is not responsible or liable. Responsibility and liability for these Processing activities rest exclusively with Affiliate.
2.3 Affiliate is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation and does not infringe any rights of third parties. Affiliate will indemnify and hold harmless wecantrack against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
2.4 wecantrack undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement and/or the Agreement. wecantrack will not use the Personal Data which it Processes under this Data Processing Agreement for its own or third-party purposes in any way without Affiliate’s express written consent, unless a legal provision requires wecantrack to do so. In such case, wecantrack shall immediately inform Affiliate of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3. Technical and organisation security measures
3.1 wecantrack will implement (or arrange the implementation of) appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. wecantrack will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
3.2 wecantrack will provide a document which describes the appropriate technical and organizational measures to be taken by wecantrack. This document will be attached to this Data Processing Agreement as Annex 2. Affiliate acknowledges having taken cognizance of the relevant measures and by agreeing to this Data Processing Agreement during the account registration and login, Affiliate agrees with the measures taken by wecantrack.
4. Confidentiality
4.1 wecantrack will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
5. Sub Processors
5.1 wecantrack is entitled to outsource the Processing of Personal Data on the Affiliatet’s instructions to Sub Processors, either wholly or in part, which parties are described in Annex 3.
5.2 In case wecantrack wishes to engage other Sub Processors, wecantrack will inform Affiliate of any intended changes concerning the addition or replacement of the Sub Processors. Affiliate may object, duly motivated including reasonable detail supporting Affiliate’s concerns and in writing, to such changes within 14 working days after receiving such notification. wecantrack will then use commercially reasonable efforts to review and respond to Affiliate’s objection. .
5.3 wecantrack will impose the same data protection obligations as set out in this Data Processing Agreement on each Sub Processors, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Affiliate understand and acknowledges that wecantrack may not always be in the position to with Sub Processors about their data processing agreements.
5.4 Where a Sub Processor fails to fulfil its data protection obligations, wecantrack shall remain fully liable to wecantrack for the performance of the Sub Processor’s obligations.
6. Personal Data Processing outside the Europe Economic Area
6.1 wecantrack will only be permitted to transfer Personal Data outside the European Economic Area (EEA) if this is done in compliance with the GDPR.
7. Liability
7.1 With regard to the liability and indemnification obligations of wecantrack the stipulation in the Agreement regarding the limitation of liability applies.
7.2 Without prejudice to Article 7.1 of this Data Processing Agreement, wecantrack is solely liable for damages suffered by Affiliate and/or third party claims as a result of any Processing, in the event the specific obligations of wecantrack under the GDPR or the Data Processing Agreement are not complied with or in case wecantrack acted in violation of the legitimate instructions of Affiliate.
8. Personal Data Breach
8.1 wecantrack will notify Affiliate without undue delay upon wecantrack becoming aware of a Personal Data Breach affecting the Personal Data.
8.2 wecantrack will take all reasonable measures to prevent or limit the Personal Data Breach. wecantrack will, insofar as reasonable, provide all reasonable cooperation requested by Affiliate in order for Affiliate to comply with its legal obligations relating to the Personal Data Breach.
8.3 wecantrack will, insofar as reasonable, assist Affiliate with Affiliate’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. wecantrack is never held to report a Personal Data Breach with the data protection authority and/or the data subject.
8.4 wecantrack will not be responsible and/or liable for the (timely and correctly) notification obligation to the relevant data protection authority and/or data subjects, as meant in Section 33 and 34 GDPR.
9. Audit
9.1 When so requested by Affiliate, wecantrack will enable Affiliate, or experts (including external experts) designated by Affiliate and who are bound by confidentiality, to inspect and audit the implementation of this Data Processing Agreement and, in particular, the security measures taken by wecantrack, at most once per calendar year, subject to a reasonable notice and with permission of wecantrack, to adequately monitor compliance with what has been agreed between the Parties. Such an audit will at all times be carried out in a manner that has as little effect as possible on the normal business operations of wecantrack. Affiliate will bear all the costs of this audit. All results and findings of the audit remain confidential and may not be shared or made public in any way.
9.2 The audit in Article 9.1 of this Data Processing Agreement, will only take place if Affiliate has requested and assessed similar audit reports availably at wecantrack and Affiliate provides reasonable argument that justify an audit initiated by Affiliate. Such an audit is justified when similar audit reports present at wecantrack give no or insufficient information about compliance with this Data Processing Agreement.
9.3 In case wecantrack is of the opinion that an instruction relating to the provisions of this Article 9 infringes the GDPR or other applicable data protection legislation, wecantrack will inform Affiliate immediately.
9.4 wecantrack is entitled to charge any possible costs that relate to the provisions of this Article 9 with Affiliate.
10. Cooperation
10.1 wecantrack will, taking into account the nature of the Processing and insofar as reasonably possible, provide all reasonable cooperation to Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR).
10.2 wecantrack will forward a complaint or request from a data subject with regard to the Processing of Personal Data to Affiliate as soon as possible, as Affiliate is responsible for handling the request.
10.3 wecantrack, will taking into account the nature of Processing, the information available to wecantrack and insofar as reasonably possible, provide reasonable cooperation to Affiliate in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
10.4 wecantrack is entitled to charge any costs associated with the cooperation as referred to in this Article 10 with Affiliate.
11. Force majeur
11.1. In the event of force majeure, there will be no attributable failure in the performance of the Agreement by wecantrack.
11.2. Force majeure includes, among other things, employees on sick leave and/or absence of employees who are crucial to the supply of the Solution, interruptions in the supply of electricity, strikes, riots, government measures, fire, natural disasters, floods, failure on the part of wecantrack’s suppliers, failure on the part of third parties engaged by wecantrack, interruptions in the connection to the internet (whether or not due to a DDoS attack), hardware malfunctions, malfunctions in networks, including telecommunication networks, and other unforeseen circumstances.
11.3. If the force majeure continues for at least thirty (30) days, wecantrack is entitled to terminate the Agreement without being obliged to pay any compensation for this termination.
12. Deletion or return of Personal Data
Following termination of the contract, the wecantrack shall, at the choice of the Affiliate, delete all personal data processed on behalf of the Affiliate and certify to the Affiliate that it has done so, or, return all the personal data to the Affiliate and delete existing copies unless Union or Member State law requires storage of the personal data, or, maintain the personal data for an additional 18 month grace period in case Affliate re-subscribes to the services of wecantrack. Until the data is deleted or returned, wecantrack shall continue to ensure compliance with this DPA.
ANNEX 1. OVERVIEW PERSONAL DATA
DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is processed
- (Website) visitors, users
Categories of personal data processed
- Session, Click and Sales Data
- such as, online identifiers (including cookie identifiers, internet protocol addresses and device identifiers), client identifiers, advertiser identifiers, data source identifiers, URLs, action dates, sale information (including sale amount, commission and transaction status), currency information (including currency and exchange rate), processing status and processing date
- Results, such as
- Clicks report
- Transactions report
- Advertisers report
- Network report
- Network accounts report
- Status report
- Page performance
- Overview dashboard
Nature of the processing
- Providing an overview of Affiliate’s sales performance
- Software development and improvement for the benefit of Affiliate
Purpose(s) for which the personal data is processed on behalf of the controller
1. In general: to track, consolidate, attribute and integrate your performance data, including:
● session data tracking
● click data tracking
● conversion data collection (via API, Postbacks, Webhooks, Web Scraping, File (e.g. CSV) Imports, Google Sheet Imports)
● data attribution (conversion to click, click to session)
● data integration – in Google Analytics, Ad networks, BigQuery, Looker Studio, Zapier
● data reporting
● affiliate link generator (manually or automatically)
● affiliate offer overview
● link testing
● cost and campaign data collection from ad networks
2. (Technical) support and customer service: for example:
● bug fixing
● customer questions
● technical problems
● missing data
● missing data attribution
● improving data accuracy and coverage
● encounter error/warning logs
● service health monitoring
● whether customers set up the software correctly
● to sort the customer in the right price plan (counts of sessions, clicks and conversions per last 30 days)
3. When investigating bugs and technical problems we may improve our services/technology
Duration of the processing
- Term agreement + additional 12 month grace period
ANNEX 2. SECURITY MEASURES
Access control
Servers are only accessible through SSH keys.
Integrity
User authorisation is heavily restricted. Only members of We Can Track B.V. that signed a Non Disclosure Agreement regarding confidential information have access to the data.
Anonymisation
Personal data such as IP addresses are by standard, if tracked at all, anonymised.
Encryption
The Cloud solution encrypts database at rest with LUKS and in transit with SSL.
On top of that, sensitive user data such as login information, network API credentials are all encrypted using AES-256.
Transmission Control
All requests and responses get transmitted through SSL.
Confidentiality
Only members of We Can Track B.V. that signed a Non Disclosure Agreement regarding confidential information have access to the production database. Access might be temporarily granted to an engineer with only relevant tables being accessible for fixing or improving the system.
Recoverability
Recoverability is managed by a Cloud solution. Backups are on transaction level this results us to be able restore the database to any given point in time for the previous 7 days.
Evaluation
Regular check-ups on data registration, user capacities and database scalability requirements.
ANNEX 3. OVERVIEW SUB PROCESSORS
Possible appropriate safeguards in accordance with the GDPR are:
- data processing agreement (art. 28(3) GDPR), in the event the sub processor is located in the EEA.
- transfers on the basis of an adequacy decision of the European Commission (art. 45 GDPR);
- transfers to organisations that are certified under the EU-US Privacy Shield;
- binding corporate rules (art. 46 and 47 GDPR);
- standard data protection clauses adopted by the European Commission (art 46 GDPR).