1.1 This Data Processing Agreement (“DPA”, “Terms”, or “Agreement”) pertains to Gameball’s Services and governs the use of Gameball’s Services by the Customer, between Gameball (“Gameball”, “Processor”, “we”, or “us”) and the subscribed Customer, whether an individual or a legally formed entity (the “Customer” or “you” refers to the party subscribing to the Services provided by Gameball). Gameball and Customer are collectively referred to as the “Parties”. If you are entering into this Agreement on behalf of Gameball or another legal entity, you hereby represent that you have the authority to bind such entity to the terms of this Agreement, and Customer shall mean such entity. If you do not have such authority, or you or such entity do not agree to this Agreement, you must not accept this Agreement and neither you nor such entity may use the Services.
1.3 In this Agreement the Customer acts as a Data Controller and the Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.
1.4 This Agreement seeks to implement data processing terms that comply with the requirements of the current legal framework concerning data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.5 We update these terms from time to time to reflect the enhancements and changes in data processing and protection that we make to Gameball to serve you better. If you have an active Gameball subscription, we will let you know when we do via email (if you have subscribed to receive email notifications via the link in our General Terms) or via in-app notification.
2. Definitions, Interpretation, and Mechanisms
2.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
3. Data processing mechanism:
3.1 Gameball is a SaaS solution for providing loyalty, referrals, and customer engagement solutions by integrating with the Client’s platform, such as a mobile app, website, or retail POS. Gameball processes data that are sent by the Client’s platform, based on the integration implemented between the Client’s platform and Gameball, to personalize the experience, reward customers, track their behavior, and control program logic. This can include customer profile data like email, name, phone, etc., and behavioral data and events like orders, logins, page views, etc., all based on the nature of the data synced through the API integration.
4. Data protection measures:
4.1 Gameball maintains up-to-date technical measures to ensure data security, privacy, and confidentiality during data transmissions and against cognizance by third parties. Gameball follows all best practices to maintain the solution's availability, integrity, and resiliency. These are amended in each case to reflect the current state of technology.
4.2 API requests executed without authentication will fail; for more information, the Customer can check the technical documentation: developer.gameball.co/api-reference/authentication
4.3 Gameball uses HTTP response status codes to indicate the success or failure of the Customer’s API requests. If the Customer’s request fails, Gameball returns an error using the appropriate status code.
4.4 Each party shall take appropriate technical and organizational measures to safeguard the confidentiality and integrity of the personal data and prevent unauthorized access or disclosure.
5. Duration of storage:
5.1 Gameball’s Customers always have the right to erase their data, and by default Gameball stores data only for as long as is necessary to fulfill the contractual or statutory duties for which the data were collected. Gameball erases the data immediately afterward, unless the Parties agree to freeze the data in case of rejoining, or under any other agreements, or Gameball still needs this data until the expiry of the statutory period of limitation for purposes of evidence in civil claims or due to statutory duties of storage.
6. Processing of Customer Personal Data
6.1 Processor shall:
6.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
6.1.2 not Process Customer Personal Data other than on the relevant Customer’s documented instructions. The Customer instructs Processor to process Customer Personal Data.
7. Processor Personnel
7.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data, as strictly necessary for the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
8.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
8.2 In assessing the appropriate level of security, the Processor shall take into account, in particular, the risks that are presented by Processing, in particular from a Personal Data Breach.
9.1 You agree we may engage Sub-Processors to Process Personal Data on your behalf, and we do so in three ways. First, we may engage Sub-Processors to assist us with hosting and infrastructure. Second, we may engage with Sub-Processors to support product features and integrations. Third, we may engage with Gameball Affiliates as Sub-Processors for service and support. Some Sub-Processors will apply to you as default, and some Sub-Processors will apply only if you opt in based on your agreement and plan. We have currently appointed as Sub-Processors the entities listed in Annex 1 to this DPA.
9.2 We will allow you to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination).
9.3 Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.
9.4 Due to the nature of our global business and our ongoing efforts to delight our customers, our business needs and service providers may change from time to time. For example, we may deprecate a service provider to consolidate and minimize our use of service providers. Similarly, we may add a service provider if we believe that doing so will enhance our ability to deliver our Subscription Service. We will notify you at least 30 days prior to any such change.
10. Data Subject Rights
10.1 Taking into account the nature of the Processing, the Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
10.2 Processor shall:
10.2.1 promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
10.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Customer of that legal requirement before the Contracted Processor responds to the request.
10.3 Each party shall cooperate with the other in responding to data subject requests and regulatory inquiries related to the processed data.
11. Personal Data Breach
11.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
11.2 Processor shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
11.3 Any transfer of personal data between the parties shall be done under the DPA and applicable data protection laws. In the event of a data breach, the affected party shall immediately inform the other party and take all necessary actions to mitigate the impact of such breach.
12. Data Protection Impact Assessment and Prior Consultation
12.1 Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely concerning Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
13. Deletion or return of Customer Personal Data
13.1 Subject to this section 13 Processor shall promptly and in any event within 10 business days from the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data.
13.2 The Processor shall provide written certification to Customer that it has fully complied with this section 13 within 10 business days of the Cessation Date.
14. Audit rights
14.1 Subject to this section 14, upon the Customer’s request and the Processor’s written approval and sole discretion, the Customer can access the information necessary to demonstrate compliance with this Agreement.
14.2 Information and audit rights of the Customer only arise under section 14.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
15. Data Transfer
15.1 The Processor may transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.
16. General Terms
16.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
16.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by mail to the address or email address set out in the heading of this Agreement, or at such other address as notified from time to time by the Parties changing address.
16.3 Agreements. In case of signed Order Forms or Master Services Agreement, the purpose, scope, and duration of data processing shall be limited to what is necessary for fulfilling the obligations under this Agreement.
17. Governing Law and Jurisdiction
17.1 This Agreement is governed by the laws of Delaware, United States of America.
17.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Delaware, subject to Delaware’s regulations.
18.1 Unless explicitly stated otherwise in this Agreement, the failure of any Party to exercise any right or remedy under this Agreement shall not constitute a waiver of such right or remedy, and the waiver of any violation or breach of the Agreement by a Party shall not constitute a waiver of any prior or subsequent violation or breach.
18.2 Neither the performance by the Parties of their duties and obligations under this Agreement nor anything herein shall create or imply an agency relationship between the Parties, nor shall this Agreement be deemed to constitute a joint venture between the Parties.
18.3 If any provision of this Agreement is determined by a court or other competent authority to be invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability shall not affect the validity, legality or enforceability of any other provision of this Agreement.
18.4 The Customer is obliged to comply with the applicable data protection laws when using the Gameball Services.
19. Contact Information
19.1 Gameball’s nominated Privacy Officer can be contacted at 2035 Sunset Lake Road, Suite B-2, the city of Newark, Delaware State, United States, or by email at: email@example.com
19.2 If you have any questions or concerns about Gameball’s Data Protection Terms or if you would like to make a complaint about a possible breach of local privacy laws, please do so by sending an email or submitting a request through the “Contact Us” form on our websites.
1. Infrastructure Sub-Processors
To facilitate the provision of Gameball's Subscription Service, we enlist the services of Sub-Processors to assist in maintaining our infrastructure. Upon acceptance of the DPA, you acknowledge and consent that all designated Sub-Processors may be granted access to Customer Data.
| Sub-Processor | Purpose | Applicable Service | Country location |
|---|---|---|---|
| Amazon Web Services, Inc | Hosting & Infrastructure | Used as an on-demand cloud computing platform, for storage, and for enabling certain modules and features of Gameball. | United States |
| Cloudflare | Content Delivery Network, Firewall and security | Used for web infrastructure and website security, providing content delivery network services, DDoS mitigation, internet security, and distributed domain name server services. | United States |
2. Feature Specific Sub-Processors
Some of our features and integrations require the use of additional Sub-Processors. Some Sub-Processors will apply to you as a default, and some Sub-Processors will apply to you only if and when you opt in. We will notify you before you turn on a feature or install an integration that requires support from an opt-in Sub-Processor where indicated in the table below.
| Sub-Processor | Purpose | Applicable Service | Country location |
|---|---|---|---|
| | Form submission spam prevention (Google reCAPTCHA) | Used for Gameball account registration | |
3. Gameball Affiliate Sub-Processors
To help Gameball deliver the Subscription Service, we engage Gameball Affiliates as Sub-Processors to assist with our data processing activities. By agreeing to the DPA, you agree all of these Sub-Processors may have access to Customer Data.
| Sub-Processor | Purpose | Country location |
|---|---|---|
| Gameball.inc | Service & Support | United States |
| Kailiolabs | Service & Support | Egypt |
| Helol.LLC | Service & Support | Saudi Arabia |