The purpose of this DPA is to reflect the agreement on the processing of personal data in accordance with data protection legislation.

Last revised January 22nd, 2024

This Data Processing Addendum (the "Agreement") forms a part of the contract for Application Services between Processor and Controller. This Agreement shall reflect the parties' agreement with regards to Processing of Personal Data.

If the Controller signing this Agreement is a customer of UNLESS, this Agreement forms part of a contract of service with UNLESS. If the Controller is not a user or customer of UNLESS, this Agreement is null and void.

This Agreement is between CUSTOMER ("Controller") and UNLESS ("Processor"). Each individually is referred to as "Party", and jointly referred to as "Parties".

• Parties have agreed that the Controller will act as the sole Controller of the Personal Data, and that the Processor renounces any rights it may have to act as a data controller of the Personal Data held by the Controller.
• Parties agree that it may be necessary to process certain Personal Data on behalf of Controller.
• In light of this, UNLESS offers this Agreement to address compliance obligations imposed upon Controller.
• Parties agree that Application Services rendered by UNLESS may qualify as commissioned Data Processing as per sec. 28 of the General Data Protection Regulation (2016/679)

Definitions

1. “Applicable Law” means the relevant Data Protection and Privacy laws to which Parties are subject, including the GDPR directive (2016/679).
2. “Application Services” shall mean all software applications (including, but not limited to, scripts, web pages, native applications, browser plugins, web components, data and APIs) used by Controller and provided by Processor in any way.
3. “Breach Incident” means a breach leading to the accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
4. “Controller” means CUSTOMER, in its role of an entity which determines the purposes and means of the processing of personal data.
5. “CUSTOMER” (“you”, “your”) means an individual accepting this Agreement.
6. “Customer Application” is an application, product, or service that is owned, published, created, or managed by CUSTOMER, in which the Application Services are integrated or made accessible to Users or End Users.
7. “End User” means an individual who uses a Customer Application.
8. “Input” means Personal Data that was submitted by CUSTOMER, their Users, or their End Users.
9. “Output” means any data or content that the Application Services returns.
10. “Personal Data” means any information which can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, and supplied by Controller to UNLESS under the Terms & Conditions, or which UNLESS or any of its Sub Processor generate, collect, store, transmit, or otherwise process on behalf of Controller in connection with this Agreement. Personal Data may include information which is related to CUSTOMER's users, employees, and other individuals.
11. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure or destruction, as defined under Applicable Law.
12. “Processor” means UNLESS, in its role of an entity which processes personal data on behalf of the controller.
13. “Services” means the Application Services and all other services provided by Processor, including (but not limited to) support, consultancy, and custom development.
14. “Sub Processors” means any affiliate, agent or assignee of Processor that may process Personal Data pursuant the terms of the Agreement, and any unaffiliated processor engaged by Processor.
15. “Third-Party Application” means any software, platform, data sources, software-as-a-service, or other products or services not provided by UNLESS that are integrated with our Services as described in the Agreement.
16. “UNLESS” (“we”, “us”, “our”) is the brand name used by the company Rocket Launcher BV to promote its services.
17. “User” means an individual who is authorized by CUSTOMER to manage a Service.

Liability

The liability for violation of provisions of this Agreement shall be regulated by the liability clauses in the service terms between the Parties.

The Parties shall ensure the Data Subject’s right to claim compensation according to the GDPR. This right shall not be limited through the service terms.

Notwithstanding the above, CUSTOMER is responsible for having a legal basis for the processing of End User data coming directly from CUSTOMER. UNLESS shall have no liability for any claims or costs that is a result of the CUSTOMER not ensuring a legal basis for the processing of personal data.

Privacy by design

The UNLESS platform is designed to be sensitive to the End Users' privacy through several core design choices.

• UNLESS does not collect unnecessary data, but only data that is required in the context of the Services.
• UNLESS aggregates and anonymizes data insofar possible; minimizing the chances of being able to identify individual End Users.
• UNLESS has extensive technical and physical safeguards protecting our customers' information.

Data retention and destruction

UNLESS will only retain Personal Data for as long as Services are provided to CUSTOMER under this agreement. Following expiration or termination of the Agreement, UNLESS will delete or return to CUSTOMER all Personal Data in its possession as provided in the Agreement except to the extent UNLESS is required by Applicable Law to retain some or all of the Personal Data (in which case UNLESS will implement reasonable measures to prevent the Personal Data from any further processing).

Relationship

• The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller as is necessary to provide the Services.
• The Controller shall Process Personal Data in accordance with the requirements of the Applicable Laws. For the avoidance of doubt, the Controller's instructions for the Processing of Personal Data shall comply with the Applicable Law and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable Law. The Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which it acquires the Personal Data.
• Processor agrees to notify Controller if it becomes unable to comply with the terms of this Agreement, and take reasonable and appropriate measures to remedy such non-compliance.
• Controller agrees to and warrants that End Users and Users have been informed of UNLESS' use of Personal Data as required by Applicable Law, that Controller has obtained the appropriate consents and permits from End Users and Users as required under Applicable Law and has displayed, if applicable, a link to UNLESS privacy policy (e.g. As part of Controller's privacy policy or elsewhere, easily discoverable by End Users and Users).

Data processing

The Processor shall process Personal Data for the Purpose of providing the Services. Depending on how the Controller chooses to use the Services and depending on the Input of the Controller, their Users or End Users, the subject matter of Processing of personal data may cover the following types of information.

• Geographical information (City, State, Country, Currency);
• Audience membership, a collection of technical attributes based on real-time identifiers
• IP address;
• Data encoded into the URL or shown in plain format;
• Referring URL and domain;
• Online Identifiers (i.e. online data collected from End Users or User devices, applications and protocols which leave traces which may identify them), such as UDID, cookie identifiers, device type, operating system, and browser type.
• Page views, interactions and time on site;
• Data and time when website pages were accessed.

Other data points that typically comprise Personal Information that may be processed are email address, name, and more - but these will have to be actively submitted by Controller as Input and will not be collected in other ways.

Data safety, privacy & security

• The Processor shall establish data security in accordance with the Applicable Laws. The measures taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems.
• These measures are listed in Exhibit A and outline commercially reasonable security-related policies, standards and practices in line with the complexity of the UNLESS platform.
• The technical and organizational measures are subject to technical process and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time, insofar as the security level of the defined measures is not reduced.
• CUSTOMER is responsible for using and configuring the UNLESS platform in a manner which enables CUSTOMER to comply with Applicable Laws, including the implementation of appropriate technical and organizational measures.
• UNLESS has appointed a Data Privacy Officer, who can be reached at dpo@unless.com, and who oversees our privacy program.

Security breaches

Upon becoming aware of a Breach Incident, Processor will notify Controller without undue delay and will provide information relating to the Breach Incident as reasonably requested by the Controller. UNLESS will use reasonable endeavours to assist CUSTOMER in mitigating, where possible, the adverse effects of any Breach Incident.

Audit rights

The Controller may audit the Processor’s compliance with this Agreement up to once a year. If required by legislation applicable to the Controller, the Controller may request audits more frequently. To request an audit, the Controller must submit an audit plan 3 weeks in advance of the proposed audit date to the Processor, describing the proposed scope, duration, and start date of the audit. If any third party is to conduct the audit, it must be mutually agreed between the Parties.

If the requested statement or audit scope is addressed in an ISAE, ISO or similar assurance report performed by a qualified third party auditor within the prior 12 months, and the Processor confirms that there are no known material changes in the measures audited, the Controller may accept those findings instead of requesting a new statement or audit of the measures covered by the report.

Furthermore, the Processor shall take reasonable action to assist the Controller in case of audits, assessments or investigations initiated by authorities targeting the Controller.

Sub-Processing

On the condition of a contractual agreement in accordance with applicable data protection laws, the Controller understands that certain Sub-Processors are needed for the operation of the Services. The Controller agrees to the following.

• Controller provides a general consent to UNLESS to engage onward Sub-Processors (including but not limited to the provision of cloud based analytics services, machine learning and recommendation engines, personalized search and cloud processing), provided that UNLESS has entered into an agreement with Sub-Processor which is equally restrictive to the obligations set forth under this Agreement (the the extent applicable to the services rendered).
• Outsourcing to further Sub-Processors or changing any existing Sub-Processors is permissible if Processor informs the Controller of the identity of the Sub-Processor and the scope of the planned Sub-Processing in writing or in text form, and the controller does not object to the planned Sub-Processing in writing or in text within 20 business days. The Controller shall not unreasonably object to the planned Sub-Processing.
• UNLESS may transfer and process Personal Data to and in other locations around the world where UNLESS or its Sub-Processors may perform data processing as necessary to provide Application Services.
• If UNLESS Processes Personal Data from the EEA, EU or Switzerland, UNLESS shall ensure that it (or the relevant Sub-Processor) has a legally approved mechanism in place to allow for the international transfer of data.

User and End User data sub-processors

Controller agrees to the commissioning of the following Sub-Processors for our Application Services (including, but not limited to, the provision and hosting of software, services, ML and AI models), potentially including User and End User data from within the Customer Application:

• Amazon Web Services, hosting and storage
• Microsoft Inc., Microsoft Azure cloud services

User data sub-processors

Controller agrees to the commissioning of the following Sub-Processors strictly on the UNLESS dashboard:

• Stripe, Inc., payment provider for customers only
• Chargebee, automated subscription billing for customers only
• Hubspot, CRM system and customer messaging platform for customer support
• Mixpanel, product analytics for our dashboard
• Google Tag Manager, tag management system
• Mailchimp, email management for onboarding emails and newsletters

Integrations with third-party business systems

UNLESS offers integration with some of your existing business systems. If you choose to enable such an integration to exchange data with UNLESS, you may need to have additional legal arrangements with either the source or the destination of such data.

To provide for these integrations, UNLESS uses the services of the following Sub-Processor:

• ApiDeck, integration platform (iPaaS) for SaaS companies

Third-party applications

The Processor may support integrations with some of your existing business systems, certain third-party platforms or applications. These integrations may be enabled or disabled by Controller whenever they see fit.

By enabling such Third-party Applications, Controller authorizes Processor to access the Controller’s accounts at such third-party application for the purposes described in this Agreement. Controller may be required to input their credentials in order for Processor to access such Third-party Applications.

Controller is responsible for complying with any relevant terms and conditions of the provider of the Third-party Application. Controller acknowledges and agrees that Processor has no responsibility or liability for any Third-party Application, or any data exported to a Third-party Application.

Processor does not guarantee that it will maintain any integrations with any Third-party Application, and Processor may disable such integrations at any time with or without notice to Controller.

Miscellaneous

• This Agreement, including Exhibits attached, supersedes any and all prior agreements (excluding the Service Conditions and Privacy Policy), understandings, negotiations and discussions of the Parties.
• The provisions in this Agreement are severable; if any phrase, clause or provision is invalid or unenforceable in whole or in part, this shall only affect such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.

Exhibit A

Your website and data are safe with UNLESS. There are a number of steps we take to ensure only Controller can access your site data and that your User and End User privacy is respected.

Data storage

All user data that UNLESS collects is stored electronically in Ireland, Europe on the Amazon Web Services infrastructure. Our application servers and database servers run inside an Amazon VPC, Virtual Private Cloud. The databases containing End User and usage data are only accessible from the application servers and no outside sources are allowed to connect to the database. Our data retention times are no longer than 365 days.

End User privacy

• End Users are assigned an unique user identifier, UUID, so that UNLESS can keep track of returning visitors without relying on any personal information, such as the IP address.
• IP addresses of End Users are always suppressed before being stored. We set the last octet of IPv4 addresses, all connections to UNLESS are made via IPv4, to 0 to ensure the full IP address is never written to disk. For example, if an End User’s IP address is 1.2.3.4, it will be stored as 1.2.3.0. The first three octets of the IP address are only used to determine the geographic location of the End Users.

Data collection and transmission

• Firewalls are in place exposing only the necessary ports through the internet and between different servers. Intrusion protection system (IPS) software is in place as a second layer of security, which will block access as soon as any suspicious login activity is detected.
• UNLESS transmits data from the End User’s browser to our systems using HTTPS.
• The protocols and ciphers suite used to encrypt data in transfer is available at the end of this article.

Data access and authentication

Only UNLESS engineers which require such access to perform their job efficiently are given access. Different engineers are given different access rights on different system components as well depending on what their job requires. Engineers who do have access, have their own credentials and these are only valid when used from specific IPs. SSH Key-Based authentication is used for server access.

Data collected through UNLESS is exclusively reserved for use by our users and customers. UNLESS does not make use of the data collected in any form or way unless consent is officially given by an admin of the UNLESS account, clearly outlining what the data will be used for.

Data access and backup

At UNLESS, we use DynamoDB continuous backups to keep your data safe in the case of system failure. Full database backups are taken continuously, and are kept for thirty five days as an electronic copy.

Compliance, certifications and audit reports:

• UNLESS is compliant with Payment Card Industry (PCI) Data Security Standard. We use Chargebee’s hosted pages (SAQ A compliance - https://www.chargebee.com/security/pci/) and Stripe (https://stripe.com/docs/security/stripe).
• Cloud security: https://aws.amazon.com/security/.