Privacy and Data Protection Appendix

This Privacy and Data Protection Appendix (“Appendix”) amends (for valid consideration which is hereby acknowledged as duly received) the agreement entered into between the Client (“Client”, “Partner”, “You”, “Your” etc.) and the relevant Flame Digital, duly registered and acting under the laws of England and Wales (“Flame Digital Limited”) for providing Social Media Channel management services (“Agreement”).

This Appendix shall be incorporated into and form part of the Agreement and be deemed to have become effective as of the date both Client and Flame Digital Limited have executed this Appendix. In case of any conflict between a provision of the Appendix and the Agreement, as it relates to Personal Data, the provision of the Appendix shall prevail. Capitalized terms used herein and not defined herein will have the meaning set forth in the Agreement and/or the Data Protection Laws.

Flame Digital Limited’s provision of the Service to Client entails the transmission and processing of data retrieved, sent and received by and from its partners (including Partner) and their Data Subjects, clients and other third parties. Such data may constitute Personal Data (as defined below). Therefore, the parties agree to comply with the following provisions.

1. Definitions.
1.1. “Data Protection Laws” means any applicable data protection or privacy laws or regulations as may be amended or superseded from time to time, including but not limited to: the EU General Data Protection Regulation (“GDPR”) as implemented by countries within the EEA and in the USA; and/or other laws or regulations that are similar, equivalent to, successors to, or that are intended to or implement the laws or regulations applicable to Partner in relation to the transmission and processing of Personal Data under or in relation to the Agreement.
1.2. “Controller”, “Data Subject” , “Personal Data” , “Processor”, “ Processes/Processing” shall each have the meanings given in the applicable Data Protection Laws.
1.3. “Partners Privacy Policy” means the privacy policy available at Partner’s official website or their Data Protection Annex.
1.4. “Service” means Flame Digital Limited Social Media Management Service for creating, publishing, advertising and analyzing digital content across social media platforms; Creation of personalized social media marketing strategies; Monitoring of content performance; Social media presence and customers/sales maximization.
1.5. “Data Subjects” means a human end-Data Subject accessing a mobile/web application/website or receiving any kind of mailings and all sorts of messaging.
2. Client and Flame Digital Limited each agree and acknowledge that where a party Processes Personal Data under or in connection with the Agreement it alone determines the purposes and means of such Processing as a data controller (as defined under applicable Data Protection Laws).
3. Each party confirms that it has complied, and will continue to comply with its obligations relating to Personal Data that apply to it under applicable Data Protection Laws.
4. Partner warrants that it has provided adequate notices to and obtained valid consents from Data Subjects (or his partners warranted him that they had done it), in each case, to the extent necessary for Flame Digital Limited to Process their Personal Data or other information in connection with the Agreement, including, without limitation for direct marketing activities and international transfers of Personal Data outside of the EEA. Partner will on request provide records of all relevant consents obtained (or make his partners who warranted to provide) to Flame Digital Limited. Partners shall notify Flame Digital Limited in writing within 24 hours of Partner receiving Data Subject’s objection to or withdrawal of Data Subject’s consent to Process their Personal Data or other information including, without limitation for direct marketing activities and international transfers of Personal Data outside of the EEA. Partner will not by act or omission, cause Flame Digital Limited to violate the Flame Digital Limited’s Privacy Policy, any Data Protection Laws, notices provided to, or consents obtained from, Data Subjects as result of Processing Personal Data in connection with or Flame Digital Limited otherwise performing the Service under the Agreement.
5. Flame Digital Limited will Process Personal Data in accordance with the Flame Digital Limited’s Privacy Policy.
6. Each party will limit access to Personal Data to those personnel who require such access only as necessary to fulfil such party’s obligation under the Agreement.
7. Each party will maintain appropriate administrative, physical, organizational and technical safeguards aimed at maintaining an appropriate level of security.
8. Each Party will provide other Party with all necessary assistance in connection with communications from, or requests made by Data Subjects in relation to their rights under Data Protection Laws, and supervisory authorities, in each case as they relate to Data Subject Personal Data.
9. Each Party to the best extent possible will provide the other Party assistance in complying with the Data Protection Laws.

10. Contract Clauses for Controller to Processor (Processor to Sub-Processor) relationships:
10.1. Obligations:
Between You and Flame Digital Limited, You are sharing Personal Data in relation to the Agreement. Therefore, You, as the Controller (or Processor) will have the responsibility to obtain appropriate consents (warranties regarding obtaining such consents from Controller if you act as Processor) for Processing of Personal Data by Flame Digital Limited as Processor (Sub-Processor) in the capacity of a Processor (Sub-Processor) as highlighted in this Appendix. You will comply with the requirements of the Data Protection Laws as a Controller (or Processor) and will be responsible for notifying Flame Digital Limited of any Data Subject request towards deletion, rectification, opt-out election or any other execution of rights by Data Subject, which influence execution of Agreement between the Parties.
10.1.1. Paragraphs 10.1.2 – 10.1.5 shall apply if and to the extent that the Processor processes any Personal Data on the Controller’s behalf when performing its obligations under the Agreement.
10.1.2. Each party acknowledges that:
10.1.2.1. Processor shall only Process Personal Data for the following permitted purpose in relation to campaigns:
(1) For fraud/ bot detection purposes including creating fraud reports to be shared;
(2) For reporting purposes including reports to be shared with potential advertisers or for reporting to Controller;
(3) For determining performance of campaigns distributed through the network and billing purposes.
10.1.2.2. the processing shall continue for the duration of Agreement and this Appendix as part thereof;
10.1.2.3. the processing concerns: likes, reach, views and impressions data, IP Address, device identifiers, publisher details (such as advertiser and publisher name), campaign details and such other data sets.
10.1.3. The Processor shall:
10.1.3.1. process the Personal Data only to the extent necessary for the purposes of the Agreement and otherwise in accordance with the documented instructions of the Controller;
10.1.3.2. ensure that all persons authorised by it to process the Personal Data are committed to confidentiality or are under a statutory obligation of confidentiality under applicable law;
10.1.3.3. have at all times during the term of the Agreement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data, with particular regard to its accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access;
10.1.3.4. where the Processor does engage another Processor, substantially similar obligations to those set out in paragraphs in this Appendix shall be imposed by the Processor on the other Processor in a written contract;
10.1.3.5. Processor shall not retain Personal Data for longer than necessary to meet the permitted purposes hereunder or use the same for any purposes other than such permitted purposes.
10.1.3.6. If requested by Controller, Processor shall without delay, rectify the Personal Data, to ensure it remains accurate, complete and current or delete the same upon notification by Controller to honour any Data Subject’s request. Controller agrees to notify Processor of such requests immediately.
10.1.3.7. Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this Appendix, and reasonably assist in audits, including inspections, conducted by the Controller or its representative to determine Processor’s compliance with its obligations hereunder. Processor shall have audit rights to determine Controller’s compliance with Data Protection Laws and Controller shall make available to the Processor all information reasonably necessary to demonstrate such compliance. Any audit will be conducted upon provision of reasonable notice and during regular working hours;
10.1.3.8. At the earliest opportunity, and in any event within 48 hours after having become aware, notify the Controller of any unauthorised or unlawful processing of any Personal Data to which this clause applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the Data Subjects and co-operate with the Controller in dealing with such incident and its consequences; and
10.1.4. The Processor acknowledges that the Controller is under certain record keeping obligations under the Data Protection Laws, and agrees to provide the Controller with all reasonable assistance and information required by the Controller to satisfy such record keeping obligations.
10.2. MODEL CONTRACT CLAUSES
The Model Contract Clauses require setting out more detail about what data is being transferred and why, as well as how the Processor must keep that data secure.
10.2.1. Description of Flame Digital Limited’s data Processing for Partner
10.2.1.1. Partner is the Data Controller and the contact details are set out in this Appendix.
10.2.1.2. Flame Digital Limited is the Data Processor and our contact details are also set out in this Appendix.
10.2.1.3. The types of data being transferred are Personal Data, which does not include special categories of data.
10.2.1.4. Flame Digital Limited will be carrying out the tasks in relation to that data as set out in this Appendix.
10.2.2. Description of Processor’s security measures
10.2.2.1. Restriction of access to data centres, systems and server rooms as necessary to ensure protection of Personal Data.
10.2.2.2. Monitoring of unauthorised access.
10.2.2.3. Written procedures for employees, contractors and visitors covering confidentiality and security of information.
10.2.2.4. Restricting access to systems depending on the sensitivity/criticality of such systems.
10.2.2.5. Use of password protection where such functionality is available.
10.2.2.6. Maintaining records of the access granted to which individuals.
10.2.2.7. Ensuring prompt deployment of updates, bug-fixes and security patches for all systems.
10.2.2.8. Providing Anonymization (encryption, Pseudonymization) measures where applicable and required by Data Protection Laws.
10.2.3. Liability and Payment of Compensation
10.2.3.1. Without prejudice to the provisions of the Agreement, Flame Digital Limited shall defend, indemnify and hold Client harmless and keep Client indemnified, on demand from and against any and all damages incurred by Client as a result of Flame Digital Limited’s and/or its employees or representatives unauthorised and/or unlawful Processing, or accidental loss, disclosure, destruction or damage to any Client Data obtained from (or held by Flame Digital Limited or its personnel on behalf of) Client, save where such loss, disclosure, destruction or damage was carried out or incurred at the Client’s request. Flame Digital Limited shall be liable for and shall indemnify Client and its employees and agents from and against all damages (including non-material damage) which Client may suffer consequent upon breach of applicable Data Protection Laws, recklessness or wilful default of Flame Digital Limited, its employees or agents. In no event shall Flame Digital Limited’s total liability to Company or Client under this Appendix exceed $1,000.00.
10.2.3.2. Notwithstanding the provisions of the Agreement, Client shall defend, indemnify and hold Flame Digital Limited harmless and keep Flame Digital Limited indemnified, on demand from and against any and all actual or alleged claims and damages incurred by Flame Digital Limited as a result of Client’s and/or its employees or representatives (including without limitation any affiliates) unauthorised and/or unlawful data transfer or processing, or accidental loss, disclosure, destruction or damage to any Flame Digital Limited Data obtained from (or held by Client or its personnel on behalf of) Flame Digital Limited, save where such loss, disclosure, destruction or damage was carried out or incurred at Flame Digital Limited’s request. Client shall be liable for and shall indemnify Flame Digital Limited and its employees and agents from and against all damages (including non-material damage) which Flame Digital Limited may suffer consequent upon any breach of Applicable Data Protection Law, recklessness or wilful default of Client, its employees or agents.
11. This Appendix, (including all Clauses) and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation (a “Claim”) shall be governed by and interpreted in accordance with the law of England and Wales (unless required otherwise by Data Protection Laws). The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any Claim, unless required otherwise by Data Protection Laws.
12. In case of conflict between the provisions regarding handling of Personal Data provided in this Appendix and pointed in the Agreement, the Appendix will prevail.