Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Ovation Terms of Service, or another agreement governing the use of Ovation (“Agreement”) entered into by and between you, the Client (as defined in the Agreement) (collectively, “you”, “your”, “Client”), and OVATION UP, INC (“Ovation”, “us”, “we”, “our”) to reflect the parties’ agreement regarding the Processing of Personal Data by Ovation solely on behalf of the Client. Both parties shall be referred to as the “Parties” and each as a “Party.” Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
This DPA is valid only for our European customers. If you are not located in Europe, please contact us directly to receive the appropriate Data Processing Agreement for your region, where applicable.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Personal Data.
HOW TO EXECUTE THIS DPA:
By utilizing our Services, the Client acknowledges and accepts this Data Processing Agreement (DPA), and you affirm that you possess full authority to legally bind the Client to the terms outlined in this DPA. If you are unable or unwilling to comply with and be bound by this DPA, or lack the requisite authority to bind the Client or any other entity, we kindly request that you refrain from providing Personal Data to us. Should you require a signed copy of this DPA, please contact dsr@ovationup.com, and we will promptly furnish you with one.
1. Definitions
Ovation refers to the company that is a party to this DPA. It is organized under the laws of Delaware, United States, and has its head office located at 833 W 1800 N, Mapleton, UT 84664, USA.
Ovation Group means Ovation and its Affiliates engaged in the Processing of Personal Data.
Affiliate refers to any entity that directly or indirectly controls, is controlled by, or is under common control with Ovation. In this context, ‘Control’ signifies the direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable Data Protection Law means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Client Personal Data under the Agreement including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), Federal Data Protection Act of 19 June 1992 (Switzerland), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR); and binding guidance and / or codes of practice issued by a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board.
Business Contact Information means the names, mailing addresses, email addresses, and phone numbers regarding the other Party’s employees, directors, vendors, agents and customers, maintained by a Party for business purposes as further described below.
Client Personal Data means Client-owned or controlled personal data provided by or on Your behalf to Ovation or an Ovation affiliate or subcontractor for processing under Applicable Data Protection Law pursuant to the Agreement. Unless prohibited by Applicable Data Protection Law, Client Personal Data shall not include information or data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific person.
“Controller”, “Consent”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data”, “Processing”, “Public Authority”, “Supervisory Authority” or similar terms shall have the meaning given under Applicable Data Protection Law. For the purposes of this Addendum, Processor shall mean Ovation.
Personal Data Breach means an actual, confirmed breach of security of Client Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Client Personal Data transmitted, stored or otherwise processed by a Party under the terms of the Agreement.
Standard Contractual Clauses means: (i) where the GDPR applies the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).
UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by subsequent legislation.
UK SCCs Addendum means the standard contractual clauses addendum issued by the UK Secretary of State for the transfer of Personal Data outside the UK and any amendment or replacement of such standard contractual clauses pursuant to Article 46(5) of the GDPR.
2. Representations and Warranties
2.1 Each Party represents and warrants that it will comply with the requirements of Applicable Data Protection Law as applicable to such Party with respect to the processing of the Client Personal Data.
2.2 Each Party warrants and represents it has no reason to believe that the Data Protection Law prevents it from providing or receiving any services under the Agreement; and
2.3 Each Party warrants and represents it has the corporate power and capacity to perform its obligations under this Addendum.
2.4 You represent and warrant to Ovation that:
2.4.1 You shall comply with and provide all of your obligations under this Addendum in accordance with best industry practice;
2.4.2 You have no reason to believe that Applicable Data Protection Law prevents You from entering into this Addendum or fulfilling any of Your obligations under this Agreement;
2.4.3 You have all necessary authorisations to enable or entitle You to enter into this Addendum, including but not limited to instructions, notices, licenses and consents, and that these have been obtained and are in full force and effect and will remain in such force and effect at all times during the subsistence of this Addendum;
2.4.4 You shall only provide processing instructions that are lawful and You shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which it was acquired;
2.4.5 neither the execution and delivery of this Addendum nor Your performance of any of Your obligations hereunder violates any (a) law to which You are subject; (b) judgment or order by which You are bound; (c) constitution or other equivalent constituting documents; or (d) other agreement or instrument which is binding on You or Your assets; and
2.5 Prior to transmitting Client Personal Data to Ovation, You shall inform Ovation of any requirements pertaining to the transmitted Client Personal Data.
2.6 Ovation represents and warrants to You that:
2.6.1 it will process the Client Personal Data (as set out in Appendix A) only in accordance with your documented processing instructions which may be given from time to time (including as set forth in the Agreement and this Addendum), save as otherwise required by law. The Parties agree that the Agreement and this Addendum, along with the Client’s configuration of or any use of any settings, features, or options in the services (as the Client may be able to modify from time to time) constitute the Client’s complete and final instructions to Ovation in relation to the processing of Client Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. For the avoidance of doubt, the Client acknowledges and agrees that the documented instructions include the processing of Client Personal Data for the purposes of providing, supporting, and improving Ovation services (including to provide insights and other reporting).
2.6.2 it will promptly notify You if Ovation determines that Your processing instruction violates any Applicable Data Protection Law (provided that nothing herein shall require Ovation to provide legal or regulatory advice or monitor Applicable Data Protection Law as they apply to You).
3. Disclosure and Processing of Client Personal Data
3.1 When providing or making available Client Personal Data to Ovation, You shall only disclose or transmit Client Personal Data that is necessary for Ovation to perform the applicable services under the Agreement.
3.2 Following expiration or termination of the provision of services under the Agreement and relating to the processing of Client Personal Data, Ovation shall provide you a reasonable opportunity (of at least thirty (30) days) to retrieve or export Client Personal Data. After this retrieval window, Ovation shall promptly and securely delete or destroy all Client Personal Data (including existing copies) in its possession or control, unless otherwise required or permitted by applicable laws to retain such data.
If you request data deletion prior to the end of the thirty (30) day retrieval window, Ovation shall destroy all remaining Client Personal Data upon such request, provided no other legal obligations require its retention.
3.3 All Ovation personnel, including subcontractors, authorized to process the Client Personal Data shall be subject to confidentiality obligations and/or subject to an appropriate statutory obligation of confidentiality.
3.4 You expressly acknowledge and agree that, in the course of providing the services, Ovation may anonymize, aggregate, and/or otherwise de-identify Client Personal Data (“De-Identified Data”) and subsequently use and/or disclose such De-Identified Data for the purpose of research, benchmarking, improving Ovation’s offerings generally, or for another business purpose authorized by Applicable Data Protection Law provided that Ovation has implemented technical safeguards and business processes designed to prevent the re-identification or inadvertent release of the De-Identified Data.
4. Security Measures
4.1 Ovation shall maintain appropriate technical and organizational measures, including its SOC 2 Type 2 certification, to protect the security, confidentiality, and integrity of Client Personal Data, including protection against unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, or damage, and unauthorized disclosure or access. Ovation will not materially decrease the overall security of the Services during the subscription term. Such measures may include, but are not limited to, encryption in transit and at rest, access controls, vulnerability management, employee security training, logging and monitoring, and regular penetration testing.
4.2 Ovation regularly reviews and may update or modify these technical and organizational measures to account for technological developments and evolving industry standards, ensuring that the Processing of Client Personal Data is performed in accordance with this Addendum and Applicable Data Protection Law.
4.3 Personal Data Breach. If Ovation becomes aware of an actual or suspected Personal Data Breach of Client Personal Data, Ovation will notify You without undue delay and provide relevant information, assistance, and cooperation to investigate and mitigate the breach and fulfill Your breach notification obligations under Applicable Data Protection Law.
5. Audits and Inspections
Upon written request, Ovation shall make available to You, no more than once annually and strictly at your own cost, information reasonably necessary to demonstrate Ovation’s compliance with its obligations under this Addendum and Applicable Data Protection Law. You shall be solely responsible for determining whether the Services and Ovation’s Security Measures will meet your needs, including with respect to any Data Protection Laws.
6. Data Subject and Supervisory Authority Requests
To the extent required under Applicable Data Protection Law and taking into account the nature of the services provided, Ovation shall:
6.1 Data Subject Requests. Taking into account the nature of the services provided, Ovation shall:
- Notify You in writing within five (5) business days of receiving any request by a data subject to exercise his or her rights under Applicable Data Protection Law, unless otherwise prohibited by law.
- Refrain from responding to such requests directly, unless legally required to do so, and instead follow Your reasonable and lawful instructions regarding how to address the request.
- Provide reasonable assistance to You, at Your expense, to enable You to comply with any such request as required under Applicable Data Protection Law, provided that You supply all information or context necessary for Ovation to fulfill the request.
6.2 Supervisory Authority Requests. Ovation shall notify You of all enquiries or communications from a competent supervisory authority relating to Client Personal Data processed under this Addendum, unless prohibited by law or by the relevant supervisory authority. You shall be responsible for all communications or correspondence with the competent supervisory authority in relation to Your role as Controller.
7. Data Protection Impact Assessments and Prior Consultation
7.1 To the extent required by Applicable Data Protection Law and taking into account the nature of the services provided and the information available to Ovation, Ovation shall provide reasonable assistance to You, upon written request, to conduct any data protection impact assessment or transfer impact assessment regarding the Processing of Client Personal Data, including any required consultations with the relevant supervisory authority.
7.2 Ovation shall only be required to provide information or documentation reasonably necessary for such assessments where Ovation holds such information and it is not otherwise available to You. Any additional support beyond the standard compliance measures under this Addendum may be subject to separate fees or charges, to be agreed upon by the Parties.
8. Subprocessors
8.1 Authorization. You hereby authorize Ovation to engage Subprocessors. The current list of Ovation’s Subprocessors, including their respective processing locations and services, is available at: [Subprocessors List]. Client may subscribe to notifications of new or replacement Subprocessors via instructions provided at that page (or as otherwise communicated by Ovation).
8.2 Ovation shall provide at least ten (10) business days’ notice before appointing any new Subprocessor or replacing an existing Subprocessor. You may object to any new Subprocessor on reasonable grounds relating to data protection within the notice period.
8.3 If You reasonably object to a new Subprocessor, the Parties shall cooperate in good faith to find a mutually acceptable resolution. If no resolution is feasible, Ovation shall not be obligated to provide the specific service(s) for which the Subprocessor is engaged, and the Parties shall make appropriate adjustments to the services and associated fees as needed.
8.4 Ovation shall ensure each Subprocessor is subject to obligations regarding the protection of Client Personal Data that are no less onerous than those set forth in this Addendum, including any relevant Standard Contractual Clauses if required by Applicable Data Protection Law.
9. Transfers
9.1 Transfers of EEA/Swiss Data. Where the GDPR or Swiss DPA applies to the Processing of Client Personal Data, Ovation will not transfer Client Personal Data out of the EEA or Switzerland to a country that has not been identified as providing an adequate level of protection unless Ovation has ensured appropriate safeguards via the Standard Contractual Clauses approved by the European Commission or other valid transfer mechanism under Applicable Data Protection Law.
9.2 Transfers of UK Data. Where the UK GDPR applies, the Parties shall rely on either (i) the combination of the EU SCCs with the “UK Addendum to the EU Commission SCCs” or (ii) the International Data Transfer Agreement (IDTA), in each case as amended from time to time. You, acting as data exporter, shall execute or procure the execution of such documentation with Ovation or any relevant Ovation entity as necessary to lawfully transfer Client Personal Data from the UK to third countries.
9.3 No Reliance on EU–U.S. Data Privacy Framework (DPF). On July 10, 2023, the European Commission adopted an adequacy decision for the EU–U.S. DPF. Ovation does not currently rely on or participate in the DPF. Instead, Ovation continues to rely on SCCs (and, where applicable, the UK Addendum or IDTA) for EU–U.S. and UK–U.S. transfers. If Ovation later chooses to self-certify under the DPF, it will notify You and update this Addendum as necessary.
9.4 Transfers of non-EEA/Swiss/UK Data. For transfers of Client Personal Data originating outside the EEA, Switzerland, or the UK, the Parties shall implement any additional or alternative data transfer mechanisms or measures required by Applicable Data Protection Law in the originating jurisdiction.
9.5 Transfer Mechanism Changes. If any transfer mechanism (including the SCCs or any UK transfer solution) is invalidated, amended, or replaced, or if additional safeguards are required by Applicable Data Protection Law, the Parties shall work together in good faith to promptly adopt an alternative, valid transfer mechanism or to implement supplementary measures. Any impacts on the terms of the Agreement caused by such new requirements will be addressed in accordance with Section 15 (Changes in Laws).
10. Use of Business Contact Information
Each Party consents to the other Party using its Business Contact Information for contract management, payment processing, service offering, and business development purposes, including business development with partners, and such other purposes as set out in the using Party’s data privacy policy (copies of which shall be made available upon request). For such purposes, and notwithstanding anything else set forth in the Agreement or this Addendum with respect to Client Personal Data in general, each Party shall be considered an independent Controller with respect to the other Party’s Business Contact Information and shall be entitled to transfer such information to any country where such Party’s global organization operates.
11. Disclaimer of Liability
Ovation will not be liable for any claim brought by a data subject arising from or related to Ovation’s or its Affiliates’ action or omission to the extent that Ovation was acting in accordance with Your instructions.
12. Governing Terms
12.1 This Addendum represents the entire agreement between the Parties in relation to its subject-matter and all previous representations, agreements and statements are hereby excluded.
12.2 For avoidance of doubt and without prejudice to the rights of any data subjects thereunder, this Addendum and any Standard Contractual Clauses (or other data transfer agreements) that the Parties or their affiliates may enter into in connection with the services provided pursuant to the Agreement will be considered part of the Agreement and the liability terms set forth in the Agreement will apply to all claims arising thereunder.
12.3 In the event of any conflict or ambiguity between terms of this Addendum and terms of the Agreement, the terms of the Addendum shall prevail. In the event of any conflict or ambiguity between terms of this Addendum and terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. All other terms and conditions within the Agreement remain unchanged and in full force and effect.
13. Severability
Each and every provision of this Addendum is severable and distinct from the others and if at any time any provision of this Addendum is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, that will not affect or impair the legality, validity or enforceability in that jurisdiction of any other provision of this Addendum.
14. Notices and Variation
All notices, consents, demands, and other communications required or permitted to be given by either Party under this Addendum shall be in writing. No amendment to this Addendum will be effective unless in writing and signed by both Parties.
15. Changes in Laws
In the event of (i) any newly enacted Applicable Data Protection Law, (ii) any change to an existing Applicable Data Protection Law (including generally-accepted interpretations thereof), (iii) any interpretation of a new or existing Applicable Data Protection Law by You, or (iv) any material new or emerging cybersecurity threat, which individually or collectively requires a change in the manner by which Ovation is delivering the services to You, the Parties shall agree in writing upon how Ovation’s delivery of the services will be impacted and shall make equitable adjustments to the terms of the Agreement and the Services in accordance with any change procedures as may be agreed to by the Parties.
16. Governing Law and Jurisdiction
16.1 The jurisdiction of this Addendum shall be the jurisdiction of the Agreement. In the event there is no jurisdiction clause in the Agreement, any dispute or claim in connection with this Addendum shall be governed by and construed in accordance with:
16.1.1 in the case of the contracting Ovation entity being in Europe, the laws of Ireland,
16.1.2 in the case of the contracting Ovation entity being in the USA or elsewhere, the laws of the state of Utah, United States.
SCHEDULE
EEA STANDARD CONTRACTUAL CLAUSES
- The relevant Controller-to-Processor Standard Contractual Clauses (Module 2) are available: here.
- For the purposes of entering the Standard Contractual Clauses:
  - The optional Clause 7 shall not apply.
  - Option 2 of Clause 9 (Use of sub-processors) shall apply.
  - The description of the transfer of Personal Data set out in Appendix A of this Agreement shall be deemed inserted in place of Annex I of the Standard Contractual Clauses.
  - Ovation’s security measures (including SOC 2 Type 2 certification) described in Section 4 of the Addendum shall be deemed inserted in place of Annex II of the Standard Contractual Clauses.
UK STANDARD CONTRACTUAL CLAUSES (UK Addendum/IDTA)
- The UK SCCs Addendum is available: here. Where the UK GDPR applies, the Parties may rely on either the UK Addendum, in each case as amended or replaced from time to time.
- For the purposes of entering the UK SCCs Addendum:
  - The information contained in Appendix A of this Agreement shall be deemed to apply to Tables 1, 2 and 3 of the UK Standard Contractual Clauses; and
  - Ovation’s security measures, as referenced in Section 4 of the Addendum (including reference to its SOC 2 Type 2 certification), shall be deemed to apply to Table 3 (Annex II) of the UK SCCs Addendum.
APPENDIX A
A. LIST OF PARTIES
Data Exporter(s) / Client:
Name:
Address:
Contact Name, Position, Details:
Relevant Activities:
Roles:
Data Importer:
Name:
OVATION UP, INC
Address:
833 W 1800 N, Mapleton, UT 84664, USA
Contact:
OVATION UP, INC
Relevant Activities:
Ovation is engaged in the business of providing a comprehensive CRM system that includes a public-facing web app for collecting guest feedback and a restaurant portal (the “Ovation Services”).
Role:
Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects:
The personal data transferred concern the following categories of data subjects: Individuals about whom Personal Data is provided to Ovation via the Services by (or at the direction of) Client, which may include without limitation Client’s or its Affiliates’ employees, contractors, and customers.
Purposes of the transfer(s):
The transfer is made for the following purposes: Ovation will only process Client Personal Data as Processor for the following purposes and only when necessary and proportionate to comply with the Client’s instructions: Providing and updating the Services as licensed, configured, and used by Client and its users, including through Client’s use of Ovation settings, administrator controls or other Service functionality; Securing and real-time monitoring the Services; Resolving issues, bugs, and errors; Providing Client requested support, including applying knowledge gained from individual Client support requests to benefit all Ovation Clients but only to the extent such knowledge is anonymized as set out in the Agreement and this Appendix A detailing the subject matter, nature, purpose, and duration of Personal Data Processing in the Controller to Processor capacity; Any other documented instruction provided by Client and acknowledged by Ovation as constituting instructions for purposes of this Addendum.
Categories of Personal Data:
Depending on the Services you use, the personal data transferred may primarily concern the following categories of data:
- Client Account Information: Data associated with the client’s Ovation account, name, password, email, payment information, company name, and Client’s preferences. This will include: Ovation unique user ID.
- Client End Users’ Data: This includes the data associated with the Client’s end users, such as employees and customers, that the Client chooses to process using Ovation for the purpose of providing requested services.
- Device and Network information: Information about your desktop and mobile device, which may include network data, operating system, user agent, MAC / IP address, and service logs.
- User Feedback and Satisfaction Data: This may include ratings and plain text feedback on how we can improve our services.
Frequency of the transfer:
Continuous
Special categories of personal data (if appropriate):
Special categories are not required to use the Services. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical belief, genetic or biometric data, data concerning your health or sexual orientation. To the extent such sensitive data is submitted, it is determined and controlled by Client in its sole discretion.
Duration of processing:
The applicable term of the Agreement unless otherwise required by law.
Nature and Subject Matter of the Processing:
Ovation will process Client Personal Data for the purposes of providing the Services to Client in accordance with the Addendum.
Retention period (or, if not possible to determine, the criteria used to determine that period):
The applicable term of the Agreement unless otherwise required by law.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs:
In accordance with Clause 13 of the SCCs: