Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into as of the Effective Date by and between Indiegogo Inc., a Delaware corporation, with its registered office at 2261 Market Street #4731, San Francisco, CA 94114 ("Indiegogo"),
and
the entity or person set forth on the last page hereto ("Creator"). Indiegogo ("Processor") and Creator ("Controller") are sometimes referred to individually as "Party" or collectively as "Parties".
This DPA forms an integral part of and is concluded subject to the Indiegogo Creator Guidelines (“TOU”), which Creator has concluded with Indiegogo.
Whereas:
a. the Creator is interested in using website provided by Indiegogo (the website and associated services are jointly referred to as "Services");
b. Creator's use of the Services requires that Creator Users’ Data (as defined below) is processed by Indiegogo;
c. the Parties wish to set forth their mutual obligations regarding the processing of Creator Data (as defined below) by Indiegogo;
The parties have agreed as follows:
1. SUBJECT MATTER OF DPA
1.1. Data Processing Agreement is entered into in connection with and for the purpose of performing the Indiegogo Terms of Use, Indiegogo Creator Guidelines (the “TOU”). The processing of personal data in connection with the performance of the TOU is regulated by the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
1.2. Pursuant to the Data Processing Agreement, the Creator entrusts Indiegogo with the personal data specified in Appendix 1 to the DPA ("Personal Data") for processing. A change in the scope of entrustment of processing does not require an annex, but only the consent of both Parties expressed in writing or electronically (including e-mail) by persons authorized to make statements under the TOU. A change in the scope of entrustment as specified in the preceding sentence may not lead to an expansion of the Processor's obligations or limitation of its rights under the TOU, including with regard to the remuneration due.
1.3. We process Personal Data only for the fulfillment of the TOU and to the extent necessary for its fulfillment and only during the term of the TOU.
1.4. We are obliged to process Personal Data in accordance with the "Applicable Data Protection Laws" which means the GDPR, other applicable laws and the DPA.
2. OBLIGATIONS OF THE PARTIES
2.1. Creator, as the data controller, acknowledges and understands that in circumstances and to the extent described in Appendix 1 to this DPA making use of the Services requires that Creator Users' Data are processed within the Services.
2.2. Creator, as the data controller, confirms that this DPA along with Creator’s use and configuration of the Services and its individual features are the complete and final instructions to Indiegogo for the processing of Creator Data. Indiegogo will immediately inform the Creator if in its opinion the Creator’s instructions may infringe Applicable Data Protection Laws; Creator Data was and will be obtained in accordance with Applicable Data Protection Laws and that all required consents (if required) from people whose personal data is processed using the Services were collected and all information duties fulfilled.
2.3. Indiegogo, as a data processor, undertakes to only process Creator Data to make it possible for the Creator to make use of the Services and its individual features, solely on the basis and under the conditions specified in this DPA and Applicable Data Protection Laws.
2.4. Indiegogo is obliged to:
2.4.1. apply all technical and organizational measures adequate to the level of risk to secure Personal Data under the principles set forth in Article 32 of the GDPR;
2.4.2. assist the Creator in complying with the obligations set forth in Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to Indiegogo;
2.4.3. process Personal Data only at the Creator’s documented instruction, unless such an obligation is imposed on Indiegogo by applicable national or EU law, in which case Indiegogo will inform the Creator of this legal obligation prior to the start of processing, unless such law prohibits the provision of such information for reasons of important public interest; in particular, the TOU is considered to be the documented instruction of the Controller;
2.4.4. as far as possible, assist the Creator, through appropriate technical and organizational measures described in Appendix 2, in fulfilling its obligation to respond to the data subject's requests for the execution of their rights under Chapter III of the GDPR;
2.4.5. ensure that persons authorized to process Personal Data undertake to maintain confidentiality, unless they are persons obliged to maintain confidentiality under the law;
2.4.6. upon termination of the DPA, depending on the Creator’s request, to delete or return the Personal Data and delete copies thereof, unless otherwise provided by imperative law; within the limits set forth in Appendix 1 to the DPA, Indiegogo shall process the Personal Data on its own behalf, for the purpose of establishing, asserting or defending against claims that may arise in connection with the performance of the DPA or the TOU.
2.5. The provisions of Sections 2.1.1-2.1.6 do not expand Indiegogo’s obligations with regard to the provision of services in accordance with the TOU.
2.6. Indiegogo is authorized to further entrust the processing of Personal Data to sub-processors, the list of which is attached as Appendix 3 to the DPA. Indiegogo will inform the Creator of any significant intended change to the list of sub-processors in the way adopted for communication in accordance with the TOU. The Creator can object to such change within the following 3 days. Indiegogo ensures that it will only use the services of such sub-processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR, as well as protects the rights of data subjects. Indiegogo is obliged to ensure that at least the same obligations are imposed on sub-processors as those imposed on Indiegogo in the DPA. Creator acknowledges that failure to agree to a change in the list of further processors may result in Indiegogo’s inability to continue performing the TOU, of which Indiegogo will inform Creator immediately.
2.7. Indiegogo will share with Creator the information necessary to perform its duties related to the entrustment of the processing of Personal Data. Indiegogo will allow Creator to carry out audits, including inspections, at a time agreed upon by the Parties, to the extent related to the entrustment of processing of Personal Data by Indiegogo and will provide cooperation in this regard. The cost of the audit shall be incurred by each Party on its own, notwithstanding the outcome of the audit. Creator is obliged to maintain the confidentiality of all information obtained in connection with the audit, including the results of the audit, and to ensure that the persons it relies on to carry out the audit have also obliged themselves to confidentiality in this regard. The obligation of confidentiality applies for the term of the DPA and indefinitely thereafter. In the case when the preceding sentence becomes invalid or ineffective, the confidentiality obligation shall continue for the term of the DPA and for a period of 10 years thereafter.
2.8. Indiegogo is obliged to ensure that any person processing Personal Data on its behalf processes the data only at Creator instruction.
3. DATA TRANSFER
3.1. Indiegogo may transfer Personal Data if:
3.1.1. the destination country provides an adequate level of personal data protection to that of the European Union; or
3.1.2. Creator and Indiegogo or Indiegogo’s sub-processor have entered into an agreement based on standard contractual clauses, that are attached as Appendix 4 to this Agreement, or have implemented another mechanism that legalizes the transfer of data to a third country in accordance with the law.
4. LIABILITY
4.1. Notwithstanding the provisions of the TOU, the total contractual and tort liability of Indiegogo in relation to the processing of Personal Data under the DPA is limited to the amount of Indiegogo’s remuneration due under other agreements conducted between Indiegogo and the Creator, unless otherwise provided by binding legal regulations.
5. JURISDICTION SPECIFIC DATA PROTECTION CLAUSES
5.1. If Creator is subject to any data protection laws of jurisdictions listed in Appendix 5 (US State Privacy Laws), then the terms of Appendix 5 supplement the clauses of sections 1 - 4 of this DPA.
6. FINAL PROVISIONS
6.1. The DPA is concluded for the term of the TOU. The DPA may be terminated by Creator with immediate effect in the event of gross or repeated breaches of the DPA, GDPR or other applicable data protection laws by Indiegogo - if Indiegogo has been previously called upon to remedy the breaches, an additional period of not less than 30 days has been set for this purpose, and the period has expired without effect. Termination of the DPA shall be in writing under pain of ineffectiveness.
6.2. Termination of the DPA is the basis for termination of the TOU.
6.3. Amendments to the DPA are possible only in writing under pain of ineffectiveness, unless the DPA expressly provides for another form for amendments.
6.4. Any terms capitalized and not defined in the DPA have the meaning given to them in the TOU.
6.5. Any disputes having to do with the DPA will be adjudicated by the Court of competent jurisdiction in accordance with the TOU.
6.6. The Appendices to the DPA are an integral part of the DPA. The list of appendices is as follows: