DATA PROCESSING AGREEMENT

  1. Parties to the Agreement

    The Controller: Any user of the Website (as defined in the Terms and Conditions published here) that uploads personal data to the Website notwithstanding to the purpose of such upload (“you”).

    The Processor: Hypeddit LLC

  2. Scope and Roles

    1. This agreement applies to the processing of Personal Data, within the scope of the GDPR, by the Processor on behalf of the Controller.
    2. For purposes of this agreement, you and Hypeddit LLC agree that you are the Controller of the Personal Data and Hypeddit LLC is the Processor of such data. In the case where you act as a Processor of Personal Data on behalf of a third party, Hypeddit LLC shall be deemed to be a Sub-Processor.
    3. These Terms do not apply where Hypeddit LLC is a Controller of Personal Data.
  3. Definitions

    1. For the purposes of this Agreement, the following definitions shall apply: Agreement means his data processing agreement. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). Personal Data means that data, meeting the definition of “personal data” as defined in Article 4 of the GDPR, that is collected or provided by you to Hypeddit LLC in order to perform the processing as defined in this Agreement. Sub-Processor means a natural or legal person, public authority, agency or body other than the data subject, Controller and Processor who, under the direct authority of the Processor, are authorised to process Personal Data for which Artist is the Controller
    2. Terms used but not defined in this Data Processing Agreement (e.g., “processing”, “controller”, “processor”, “data subject”) shall have the same meaning as in Article 4 of the GDPR.
  4. The Processing

    1. The subject matter, duration, nature and purpose of the Processing, and the types of Personal Data and categories of data subjects shall be as defined hereinbelow:

      1. Subject matter and duration of the Processing: Email addresses processing during the term while you are a user of the data processor’s services provided via the Website (as described in the Terms and Conditions) and remain the data controller of data subjects’ personal data.
      2. Nature and purpose of the Processing: Email addresses gathering and use for the purpose of emailing newsletters to data subject on behalf of the data controller.
      3. Type of Personal Data and categories of data subjects: Email addresses are the only data processed under this Data Processing Agreement. The data controller shall not collect or provide the data processor with any other types of data for processing.
  5. Obligations and rights of the Controller

    1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR. Those measures shall be reviewed and updated where necessary.
    2. Where proportionate in relation to Processing activities, the measures referred to in paragraph 5.1 shall include the implementation of appropriate data protection policies by the Controller.
    3. The Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for each specific purpose of the Processing are processed. That obligation applies to the amount of Personal Data collected, the extent of their Processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default Personal Data are not made accessible without the individual's intervention to an indefinite number of natural persons.
  6. Obligations of the Processor

    1. The Processor shall:

      1. process the Personal Data only on documented instructions from the Controller;
      2. ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. take all measures required pursuant to Article 32 of the GDPR, namely to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons including, as a minimum, the measures set out in this Agreement, namely the following security measures shall be implemented by the Processor, as a minimum: encryption in transit, role-based access control, regular backups, firewall, anti-virus.
      4. respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another Processor, namely that the Processor may not engage another Processor (Sub-Processor) without the prior authorisation of the Controller. Those Sub-Processors that are authorised by the Controller at the date of this agreement are listed further.
      5. As at the date of this agreement, the following Sub-Processors have been identified by the Processor to the Controller with respect to the Processing described herein: Amazon Web Services (hosting), SendGrid (email sending), Kickbox (email verification)
      6. In cases where another Processor is engaged, the Sub-Processor must be subject to the same contractual terms as described in this Agreement;
      7. assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
      8. insofar as this is possible, assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, relating to security of Processing, Personal Data Breaches and data protection impact assessments;
      9. at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of the Personal Data.
  7. Duration and Applicable Law

    1. This Agreement shall continue in effect for so long as the Processor is processing Personal Data on behalf of the Controller.
    2. This Agreement shall be governed by the laws of the State of New York, USA and subject to the exclusive jurisdiction of the courts of the State of New York, USA.