DPA

Data Processing Agreement (DPA) for JARO Marketing Agency

Last updated: 22/11/2024

This Data Processing Agreement (“DPA”) is part of the Terms of Service (“Agreement”) between [Customer Name] (“Customer,” “you,” “your”) and JARO Marketing Agency (“the Software,” “Processor,” “we,” “our,” “us”). This DPA governs the processing of personal data that we perform on behalf of the Customer in connection with the provision of the Software, in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Definitions

  • Data Controller: The entity that determines the purposes and means of the processing of personal data.
  • Data Processor: The entity that processes personal data on behalf of the Data Controller.
  • Data Subject: Any identified or identifiable individual whose personal data is processed.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, disclosure, or erasure.
  • Sub-Processor: Any third party appointed by the Processor to process personal data on behalf of the Customer.

2. Roles and Responsibilities

  • Customer as Data Controller: The Customer acts as the Data Controller for all personal data processed through the Software. As Data Controller, the Customer is responsible for determining the legal basis for processing and ensuring compliance with applicable data protection laws.
  • JARO Marketing Agency as Data Processor: JARO Marketing Agency acts as the Data Processor and processes personal data on behalf of the Customer in accordance with this DPA and the Customer’s instructions.

3. Types of Personal Data Processed

JARO Marketing Agency processes the following types of personal data on behalf of the Customer:

  • End-user data: Names, email addresses, reviews, feedback, video testimonials, and other information submitted through review requests or landing pages.
  • Customer data: Names, email addresses, contact information, login credentials, and other business-related data.
  • Usage data: IP addresses, device information, and data related to the usage of the Software.

The scope of the data processed may change based on the services provided by JARO Marketing Agency, and the Customer will be informed accordingly.

4. Purpose of Processing

JARO Marketing Agency processes personal data for the following purposes:

  • Aggregating reviews from third-party platforms (e.g., Google, Facebook).
  • Responding to reviews via artificial intelligence on behalf of the Customer.
  • Sending review request campaigns and processing feedback.
  • Sharing reviews through widgets and social media platforms.
  • Performing analytics to track and enhance reputation management.
  • Automating processes such as the sending of review requests.

5. Duration of Processing

The processing of personal data will continue for the duration of the Agreement, unless otherwise required by law or requested by the Customer for data deletion.

6. Processor Obligations

JARO Marketing Agency agrees to:

  • Process data only under instructions from the Customer: We will process personal data only as necessary to provide the Software and in accordance with the Customer’s documented instructions.
  • Ensure confidentiality: We will ensure that all employees or contractors involved in processing personal data are subject to a duty of confidentiality.
  • Implement security measures: We will implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or disclosure.
  • Assist the Customer: We will assist the Customer in fulfilling its obligations to respond to data subject requests (e.g., requests for access, rectification, deletion, or portability) and in ensuring compliance with applicable laws, including performing data protection impact assessments when required.
  • Data breach notification: In the event of a personal data breach, we will notify the Customer without undue delay after becoming aware of the breach and provide reasonable information and assistance.

7. Customer Obligations

As Data Controller, the Customer agrees to:

  • Provide lawful instructions: The Customer will ensure that all instructions provided to JARO Marketing Agency are lawful and comply with applicable data protection laws.
  • Inform data subjects: The Customer is responsible for providing data subjects with any necessary privacy notices and obtaining the required consents where applicable.
  • Ensure legal basis for processing: The Customer must ensure that there is a valid legal basis for processing personal data (e.g., consent, legitimate interest, contract performance).
  • Respond to data subject requests: The Customer will handle all data subject requests related to the personal data processed through the Software. JARO Marketing Agency will assist upon request.

8. Sub-Processors

JARO Marketing Agency may engage Sub-Processors to process personal data on behalf of the Customer. We will:

  • Ensure that any Sub-Processor we engage provides the same level of data protection and security as required by this DPA.
  • Inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, giving the Customer the opportunity to object.
  • Remain fully liable for the performance of our Sub-Processors.

A list of current Sub-Processors can be provided upon request.

9. International Data Transfers

JARO Marketing Agency may transfer personal data to countries outside the European Economic Area (EEA) or other regions with data protection laws different from those in your jurisdiction. Where such transfers occur, we will ensure that appropriate safeguards are in place to protect the personal data, such as relying on Standard Contractual Clauses (SCCs) or other lawful mechanisms.

10. Security Measures

JARO Marketing Agency implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data during transmission.
  • Access controls to prevent unauthorized access to data.
  • Regular security assessments and audits.
  • Incident response plans to handle data breaches.

11. Data Subject Rights

JARO Marketing Agency will assist the Customer in ensuring compliance with data subjects’ rights under applicable data protection laws, including the rights to:

  • Access their personal data.
  • Rectify inaccurate or incomplete data.
  • Request erasure of their data (“right to be forgotten”).
  • Restrict or object to the processing of their data.
  • Receive their data in a portable format (where applicable).

Requests from data subjects will be forwarded to the Customer for handling, and JARO Marketing Agency will provide assistance as necessary.

12. Data Retention and Deletion

Upon termination or expiration of the Agreement, JARO Marketing Agency will, at the Customer’s request:

  • Return all personal data processed on behalf of the Customer, or
  • Delete all personal data, unless retention is required by law.

13. Audit Rights

The Customer has the right to request audits or inspections of JARO Marketing Agency‘s processing activities to ensure compliance with this DPA. The Customer agrees that such audits will be conducted at its own cost, with reasonable notice and minimal disruption to our operations.

14. Liability

Both parties agree that their liability under this DPA will be subject to the limitations and exclusions set out in the Agreement, except where such limitations are prohibited by applicable data protection laws.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws of [insert jurisdiction], without regard to its conflict of laws principles.

16. Termination

This DPA shall remain in effect as long as JARO Marketing Agency processes personal data on behalf of the Customer. Upon termination of the Agreement, the terms of this DPA will continue to apply for as long as JARO Marketing Agency retains personal data.

17. Contact Information

If you have any questions or concerns regarding this DPA or your data privacy rights, please contact us at: contact@jaromarketingagency.com.