DATA PROCESSING ADDENDUM

Updated: 01.01.2023

To complete this Data Processing Addendum (“DPA”), please fill in your details, sign in the relevant signature blocks and send the completed and signed DPA to Сombo.tools by email to . As an alternative, this DPA can be filled in and signed via DocuSign.

In the course of the use of the Site and the Software offered through the Site by Сombo.tools under the Agreement, Сombo.tools may Process certain Personal Data on behalf of the Client. If such Processing occurs, the Client and Сombo.tools agree to comply with the terms set out in this DPA in connection with such Personal Data. The purpose of this DPA is to ensure such Processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data are processed.

For transfers of Personal Data from Сombo.tools to the Client, when the Client is located in a country that does not ensure an adequate level of data protection within the meaning of Data Protection Legislation, to the extent such transfers are subject to Data Protection Legislation, the SCCs apply as attached and incorporated herein and the Client and Сombo.tools agree to sign SCCs and comply with the terms set out in the SCCs in connection with such transfers.The SCCs shall come into effect and be deemed executed upon execution of this DPA and shall apply pursuant to the order of precedence described in clause 9.2 of this DPA.

The DPA forms a part of the Terms of Use, unless the Client has entered into an End-User Agreement with Сombo.tools, in which case, it forms a part of such agreement (in either case, the “Agreement”). The Client and Сombo.tools are hereinafter jointly referred to as the “Parties” and individually as the “Party”. A party to this DPA is the Client entity which has accepted the Terms of Use and/or has entered into the End-User Agreement. If the Client entity signing this DPA neither has accepted the Terms of Use nor has entered into the End-User Agreement, this DPA is not valid and is not legally binding. Such an entity should request that the Client entity who is a party to the Agreement executes this DPA. If the Client has previously executed a data processing addendum with Сombo.tools, this DPA supersedes and replaces such prior data processing addendum.

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

Processing of the Personal Data by Сombo.tools in the framework of the Client’s use of the Demo Version and/or Software under the Agreement without execution of this DPA is not possible as it constitutes violation of Art. 28.3 of the GDPR.

  • 1. DEFINITIONS

    The following terms shall have the meanings ascribed to them herein.

    • 1.1. Сombo.tools: The Сombo.tools entity which is a party to this DPA being ORISTANE MANAGEMENT LTD, a company incorporated under the laws of the Republic of Cyprus.

    • 1.2. Client: any person/business who uses the Software through the Site during a free trial period under the Terms of Use and the Privacy Policy and/or after the free trial period having concluded/accepted the End-User Agreement.

    • 1.3. Data Protection Legislation: the data protection or privacy laws in the European Union (“EU”), European Economic Area (“EEA”) and their Member States, including the General Data Protection Regulation (the “GDPR”) ((EU) 2016/679), and any successor legislation to the GDPR or the Data Protection Act 1998 when the GDPR is no longer directly applicable in the United Kingdom.

    • 1.4. Subprocessor: any Processor engaged by or on behalf of Сombo.tools to Process the Personal Data on behalf of the Client in connection with the Agreement.

    • 1.5. The terms “Controller”, “Data Subject”, “Data Subject Right Request”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

  • 2. COMPLIANCE

    • 2.1. The Parties acknowledge and agree to comply with applicable Data Protection Legislation in relation to the Personal Data shared with Сombo.tools under the terms of this DPA and in the framework of Parties’ relations under the Agreement.

    • 2.2. In its use of the Software and provision of instructions to Сombo.tools , the Client shall Process the Personal Data in accordance with the requirements of applicable Data Protection Legislation. The Client shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which the Client acquired the Personal Data.

    • 2.3. In relation to the Processing of the Personal Data, Сombo.tools acts on behalf of and on the instructions of the Client in carrying out the purpose of Processing set out in clause 3.4 of this DPA.

    • 2.4. This DPA and the Agreement are Client’s complete and final instructions at the time of execution of the DPA for the Processing of the Personal Data. Any additional or alternate instructions must be agreed upon separately. The Processing described in clauses 2.3 and 3.4 of this DPA is deemed an instruction by the Client to process the Personal Data.

  • 3. DATA PROCESSING

    • 3.1. The Parties acknowledge and agree that with regard to the Processing of the Personal Data, the Client is the Controller, Сombo.tools is the Processor and that Сombo.tools will engage Sub-processors pursuant to the requirements set forth in section 6 of this DPA and the Data Protection Legislation.

    • 3.2. Subject matter of the Processing. The subject matter of the Processing of the Personal Data is to ensure the Client’s use of the Software through the Site, to enable the Client to review and analyze data processing results via the Software and to exercise other rights as further described in the Agreement.

    • 3.3. Duration of the Processing. The Processing shall last for the period during which the Client has the right of access to and use of the Software and other rights under the Agreement (but not longer than the term of the Agreement), except as otherwise required by applicable law.

    • 3.4. Nature and purpose of the Processing. Сombo.tools offers performance marketing software as a service solution through the Site. It allows users to upload and download the data to and from the Software, to customize the built-in features and tools of the Software in order to retrieve, gather, process and analyze the Client’s data as well as to review and analyze data processing results via the Software or by downloading the reports and data. In the framework of these activities the Processing of the Personal Data occurs upon the Client’s instructions in accordance with the terms of the Agreement. The purpose of the Processing under this DPA is to perform Сombo.tools’s obligations under the Agreement and this DPA.

    • 3.5. Categories of Data Subjects. For the further Processing by Сombo.tools , the Client may submit the Personal Data to the Software in relation to the following Categories of Data Subjects:

      • 3.5.1. third parties with which the Client conducts business, e.g. the Client’s partners - publishers and advertisers (natural persons);

      • 3.5.2. Client’s end-users who use or interact with the Client’s websites, products, services, advertisements and/or mobile application services.

    • 3.6. Types of the Personal Data. The data types which may be Processed when using the Software:

      • 3.6.1. in relation to the Data Subjects identified in clause 3.5.1., unique user IDs (assigned only to publishers), (full) names, IP addresses and email addresses as well as other types of the Personal Data the extent of which is determined and controlled by the Client in its sole discretion;

      • 3.6.2. in relation to the Data Subjects identified in clause 3.5.2., technical Identifiers: IP addresses of non-EEA end-users, cookie IDs, geodata (with city-level precision), digital fingerprints (including timestamped user agents) and custom unique user IDs (“ClickID”); engagement information: the information which refers to the Client’s ad campaigns and Data Subjects’ actions (e.g. log files, clicks on the Client’s ads, ad impressions viewed, conversions registered and other interactions, events and actions the Client chooses to measure and analyze within the Software).

    • 3.7. For the purpose of clarity, the Client shall not configure the Software to collect any data that is not permitted to be collected pursuant to the terms of the Agreement or that is beyond the scope identified above in this section 3 of this DPA.

  • 4. OBLIGATIONS OF THE CLIENT

    • 4.1. The Client confirms:

      • 4.1.1. it has the legal capacity to enter into and execute this DPA and it is a Controller which determines the purposes and means of the Processing of the Personal Data;

      • 4.1.2. its instructions in connection with the processing of the Personal Data are in accordance with the Data Protection Legislation and will not cause Сombo.tools to breach the Data Protection Legislation. The Client shall be solely responsible for the legality of the Personal Data and for ensuring it has an appropriate lawful basis to enable the collection and Processing of the Personal Data pursuant to the terms of the Agreement and this DPA; 4.1.3. it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Сombo.tools for Processing in accordance with the terms of the Agreement and this DPA.

    • 4.2. The Client may use information received in connection with clauses 5.5, 5.6 and 5.8 of this DPA only to assess Сombo.tools ’s compliance with the Data Protection Legislation and this DPA. The Client must keep this information confidential, unless it is the Client’s confidential information.

  • 5. OBLIGATIONS OF СOMBO.TOOLS

    • 5.1. Сombo.tools shall Process the Personal Data only on the Client’s lawful documented instructions, including Processing pursuant to section 3 of this DPA, unless compelled to by the EU or Member State law to which Сombo.tools is subject. In this case, Сombo.tools shall notify the Client immediately.

    • 5.2. Сombo.tools shall implement appropriate technical and organizational measures designed to protect the Personal Data against unauthorized processing, including unauthorized disclosure, access, destruction, loss and alteration, taking into account (i) the state of the art, (ii) costs of implementation, (iii) nature, scope, context and purposes of the Processing, as well as (iv) risks posed to Data Subjects.

    • 5.3. Сombo.tools shall grant access to the Personal Data within its organization only to the personnel who require such access (i) in connection with their role and (ii) strictly for the purposes of performance of Сombo.tools ’s obligations under the Agreement.

    • 5.4. Сombo.tools confirms that it has informed and instructed its personnel of the rules of Processing of the Personal Data under this DPA and guarantees that its personnel maintain confidentiality and security of the Personal Data.

    • 5.5. Upon the Client’s written request, Сombo.tools shall make available information necessary to demonstrate compliance with the obligations laid down in the Data Protection Legislation and this DPA, provided that (i) the requested information is in Сombo.tools ’s possession or control and (ii) the Client has no other reasonable means of obtaining such information.

    • 5.6. Upon the Client’s written request, Сombo.tools shall provide the Client with information necessary to demonstrate Сombo.tools ’s compliance with this DPA in the form of (i) responses to a reasonable written questionnaire submitted by the Client and/or (ii) inspection of documentation reasonably required to demonstrate Сombo.tools ’s compliance.

    • 5.7. Сombo.tools shall adhere to clauses 5.5 and 5.6 only to the extent which is not contrary to the law and/or Сombo.tools’s confidentiality obligations given to its partners or other Clients.

    • 5.8. At the request of the Client as well as at the Client’s sole cost and expense, Сombo.tools shall allow for and contribute to audits, including inspections, related to Processing of the Personal Data under this DPA and conducted by the Client or an auditor mandated by the Client not more than once a year and solely for the purposes of meeting its audit requirements pursuant to applicable Data Protection Legislation. To request an audit, the Client must submit a detailed audit plan at least one month prior to the proposed audit date describing the proposed scope, duration and start date of the audit. Audit requests must be sent to [email protected]. The Client or the auditor mandated by the Client must execute a written confidentiality agreement acceptable to Сombo.tools before conducting the audit. The audit must be conducted during regular business hours, subject to Сombo.tools ’s policies, and may not unreasonably interfere with Сombo.tools ’s business activities. The Client shall use (and ensure that each of its mandated auditor uses) its best efforts to avoid causing any damage, injury or disruption to Сombo.tools ’s premises, equipment, personnel and business while its (or auditor’s) personnel is on those premises in the course of such an audit or inspection. Сombo.tools might deny access to its premises for the purposes of an audit or inspection stipulated by this clause 5.8 to (i) any individual unless he or she produces reasonable evidence or identity and authority, and (ii) any competitor of Сombo.tools .

    • 5.9. Сombo.tools warrants that it will promptly notify the Client regarding: (i) any changes in the Laws which might affect Processing of the Personal Data provided for by this DPA, (ii) any accidental or unauthorized access to the Personal Data Сombo.tools has received from the Client, (iii) any request received directly from the Data Subjects, including Data Subject Rights Requests, without responding to the request unless it has received prior written authorization to do so by the Client, (iv) any instruction of the Client which, in Сombo.tools ’s opinion, infringes the GDPR or other EU or Member State data protection provisions.

    • 5.10. If Processing or transfer of the Personal Data to a third country is required by the EU or Member State law to which Сombo.tools is subject (without documented instructions of the Client), Сombo.tools shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

    • 5.11. Taking into account the nature of Processing and the information available to Сombo.tools , Сombo.tools shall assist the Client, in ensuring compliance with obligations pursuant to Art. 32 (Security of processing), Art. 33 (Notification of a personal data breach to the Supervisory Authority), Art. 34 (Communication of a personal data breach to the data subject), Art. 35 (Data protection impact assessment) and Art. 36 (Prior consultation) of the GDPR. For the avoidance of doubt, (i) if the Client is required to do so under the Data Protection Legislation, Сombo.tools shall take reasonable measures to cooperate and assist the Client in conducting a data protection impact assessment and related consultations with any Supervisory Authority to the extent the Client does not otherwise have access to the relevant information and to the extent such information is available to Сombo.tools , at the Client’s expense, (ii) Сombo.tools shall notify the Client without undue delay on becoming aware of a Personal Data Breach, provided that such breach is not caused by the Client or Client’s personnel, and shall provide the Client with information (to the extent in Сombo.tools ’s possession) to assist the Client to meet any obligations to inform Data Subjects or Supervisory Authorities of the Personal Data Breach under the Data Protection Legislation, (iii) Сombo.tools shall provide reasonable assistance to the Client in the cooperation or prior consultation with the Supervisory Authority to the extent required under the GDPR;

    • 5.12. Taking into account the nature of Processing, Сombo.tools shall assist the Client, at the Client’s cost, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s obligation to respond to requests for exercising the Data Subject’s rights. The obligation of such assistance applies to Сombo.tools to the extent the Client does not have access to the Personal Data necessary to respond to such requests through its access to and use of the Software. For the avoidance of doubt, the Client is responsible for responding to Data Subject request for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data.

    • 5.13. Сombo.tools (i) shall promptly notify the Client if it receives a request from a Data Subject under any Data Protection Legislation in respect of the Client’s Personal Data (unless prohibited by applicable law), and (b) shall not respond to that request except on the documented instructions of the Client or as required by applicable laws. Notwithstanding the foregoing, Сombo.tools shall be permitted to respond (including through automated responses) to any such requests informing the Data Subject that his/her request has been received and/or with instructions to contact the Client in the event that his/her request relates to the Client.

  • 6. SUB-PROCESSING

    • 6.1. The Client hereby consents to Сombo.tools appointing companies as third party processors of the Personal Data under this DPA (“Subprocessors”).

    • 6.2. Сombo.tools shall contractually impose on the Subprocessors the same data protection obligations as imposed on Сombo.tools under this DPA. Subject to clause 8.1 of this DPA, Сombo.tools shall remain fully liable to the Client for the performance of the Subprocessors’ obligations.

    • 6.3. In case of engagement of a new Subprocessor or replacing already existing Subprocessor, Сombo.tools shall notify the Client by updating its list of Subprocessors accessible under the link stated 6 in clause 6.1 of this DPA and informing the Client of the change via email or through the Client’s account in the Software. By doing so, Сombo.tools gives the Client an opportunity to object to such changes. If, within 30 calendar days of receipt of that notice, the Client objects in writing on reasonable grounds to the proposed changes, the Parties will work together to find a solution satisfying both Parties.

  • 7. TERM OF THIS DPA AND OBLIGATIONS AFTER ITS TERMINATION/EXPIRATION

    • 7.1. This DPA shall stay in force until the time when Processing of the Personal Data is no longer necessary in relation to the use of the Demo Version and/or the Software under the Agreement. The term of this DPA shall not exceed the term of the Agreement.

    • 7.2. Upon termination or expiration of the Agreement in accordance with the terms of the Agreement (including cases of expiration of trial period after which the Client does not want to continue to access/use the Demo Version and/or the Software subject to the terms of the End-User Agreement), Сombo.tools shall cease all Processing of the Client’s Personal Data and, at the Client’s choice, delete (or otherwise make unrecoverable and/or anonymized) or make available to the Client for retrieval all relevant Client’s Personal Data in Сombo.tools ’s possession and delete existing copies, except as otherwise prohibited or allowed by any applicable law. Сombo.tools shall extend the protections of the Agreement and this DPA to any such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention.

  • 8. LIMITATION OF LIABILITY

    • 8.1. Сombo.tools’s aggregate liability, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of Сombo.tools means the aggregate liability of Сombo.tools under the Agreement and this DPA together. For the avoidance of doubt, Сombo.tools’s total liability for all claims from the Client arising out of or related to the Agreement and this DPA shall apply in the aggregate for all claims under both the Agreement and this DPA established under the Agreement.

  • 9. MISCELLANEOUS

    • 9.1. Governing Law. This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of the Republic of Cyprus.

    • 9.2. If there is a conflict between the Agreement and this DPA, the terms of this DPA shall control as it relates to Processing of the Client’s Personal Data. 9.3. Nothing within this DPA relieves the Parties of their own direct responsibilities and liabilities under the Data Protection Legislation.

    • 9.3. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

    • 9.4. Notwithstanding anything to the contrary, the Parties hereby agree that this DPA shall be retroactively effective to the first day of the access and use of the Demo Version and/or the Software in the event that (i) this DPA is signed later than the acceptance by the Client of the Terms of Use (for the Demo Version period) or the End-User Agreement (if the Demo Version period is omitted), and (ii) the Processing 7 of the Personal Data specified in clause 3.6 of this DPA occurs in the framework of such access/use of the Demo Version and/or the Software from the first day of the access and use of the Demo Version and/or the Software under the Agreement. For the avoidance of doubt, the sub-clauses (i) and (ii) above in this clause 9.5 apply cumulatively.

The Parties’ authorized signatories have duly executed this DPA which become a binding part of the Agreement with effect from the later date set out below:

On behalf of the Client:

Client Full Legal Name:

Address:

Signatory Name:

Signatory Position:

Signature:

Date:

20

On behalf of the Сombo.tools:

Client Full Legal Name:

ORISTANE MANAGEMENT LTD

Address:

Prodromou, 75, Oneworld Parkview House, 4th Floor, 2063, Nicosia, Cyprus

Signatory Name:

Signatory Position:

Signature:

Date:

20