This Data Processing Agreement (“DPA”) forms part of the Memberstack Terms of Service, or other agreement governing the use of Memberstack (“Agreement”) entered by and between you, the Client (as defined in the Agreement) (collectively, “you”, “your”, “Client”), and Memberstack, Inc (“Memberstack”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Memberstack solely on behalf of the Client. Both parties shall be referred to as the “Parties” and each, a “Party”. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
HOW TO EXECUTE THIS DPA:
By using our Services, Client accepts this DPA and you represent and warrant that you have full authority to bind the Client to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Client or any other entity, please do not provide Personal Data to us.
If you need a signed copy of this DPA, you can download one here.
Memberstack means the company that is a party to this DPA. It is organized under the laws of the state of Delaware (USA) and has its head office located at 1209 Orange Street, Wilmington, New Castle County, Delaware 19801, USA.
Memberstack Group means Memberstack and its Affiliates engaged in the Processing of Personal Data.
Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with Memberstack. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Applicable Data Protection Law means all laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of Personal Data applicable to the processing of Client Personal Data under the Agreement including but not limited to General Data Protection Regulation 2016/679 (“GDPR”), Federal Data Protection Act of 19 June 1992 (Switzerland), UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR); and binding guidance and / or codes of practice issued by a competent supervisory authority under applicable laws (as defined in the GDPR), or the European Data Protection Board.
Business Contact Information means the names, mailing addresses, email addresses, and phone numbers regarding the other Party’s employees, directors, vendors, agents and customers, maintained by a Party for business purposes as further described below.
Client Personal Data means Client-owned or controlled personal data provided by or on Your behalf to Memberstack or a Memberstack affiliate or subcontractor for processing under Applicable Data Protection Law pursuant to the Agreement. Unless prohibited by Applicable Data Protection Law, Client Personal Data shall not include information or data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific person.
“Controller”, “Consent”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data”, “Processing”, “Public Authority”, “Supervisory Authority” or similar terms shall have the meaning given under Applicable Data Protection Law. For the purposes of this Addendum, Processor shall mean Memberstack.
Personal Data Breach means an actual, confirmed breach of security of Client Personal Data that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Client Personal Data transmitted, stored or otherwise processed by a Party under the terms of the Agreement.
Standard Contractual Clauses means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).
UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by subsequent legislation.
UK SCCs Addendum means the standard contractual clauses addendum issued by the UK Secretary of State for the transfer of Personal Data outside the UK and any amendment or replacement of such standard contractual clauses pursuant to Article 46(5) of the GDPR.
- Representations and Warranties
2.1 Each Party represents and warrants that it will comply with the requirements of Applicable Data Protection Law as applicable to such Party with respect to the processing of the Client Personal Data.
2.2 Each Party warrants and represents it has no reason to believe that the Data Protection Law prevents it from providing or receiving any services under the Agreement; and
2.3 Each Party warrants and represents it has the corporate power and capacity to perform its obligations under this Addendum.
2.4 You represent and warrant to Memberstack that:
2.4.1 You shall comply with and provide all of your obligations under this Addendum in accordance with best industry practice;
2.4.2 You have no reason to believe that Applicable Data Protection Law prevents You from entering into this Addendum or fulfilling any of Your obligations under this Agreement;
2.4.3 You have all necessary authorisations to enable or entitle You to enter into this Addendum, including but not limited to instructions, notices, licenses and consents, and that these have been obtained and are in full force and effect and will remain in such force and effect at all times during the subsistence of this Addendum;
2.4.4 You shall only provide processing instructions that are lawful and You shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which it was acquired;
2.4.5 neither the execution and delivery of this Addendum nor Your performance of any of Your obligations hereunder violates any (a) law to which You are subject; (b) judgment or order by which You are bound; (c) constitution or other equivalent constituting documents; or (d) other agreement or instrument which is binding on You or Your assets; and
2.5 Prior to transmitting Client Personal Data to Memberstack, You shall inform Memberstack of any requirements pertaining to the transmitted Client Personal Data.
2.6 Memberstack represents and warrants to You that:
2.6.1 it will process the Client Personal Data (as set out in Appendix A) only in accordance with your documented processing instructions which may be given from time to time (including as set forth in the Agreement and this Addendum), save as otherwise required by law. The Parties agree that the Agreement and this Addendum, along with the Client’s configuration of or any use of any settings, features, or options in the services (as the Client may be able to modify from time to time) constitute the Client’s complete and final instructions to Memberstack in relation to the processing of Client Personal Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties. For the avoidance of doubt, the Client acknowledges and agrees that the documented instructions include the processing of Client Personal Data for the purposes of providing, supporting, and improving Memberstack services (including to provide insights and other reporting).
2.6.2 it will promptly notify You if Memberstack determines that Your processing instruction violates any Applicable Data Protection Law (provided that nothing herein shall require Memberstack to provide legal or regulatory advice or monitor Applicable Data Protection Law as they apply to You).
- Disclosure and Processing of Client Personal Data
3.1 When providing or making available Client Personal Data to Memberstack, You shall only disclose or transmit Client Personal Data that is necessary for Memberstack to perform the applicable services under the Agreement.
3.2 Following expiration or termination of the provision of services under the Agreement and relating to the processing of Client Personal Data, Memberstack shall promptly and securely delete all Client Personal Data (including existing copies) pursuant to its data retention schedule and as required by applicable laws. Notwithstanding the data retention schedule, upon Your written request following the termination of services, Memberstack shall destroy all Client Personal Data in our possession, unless otherwise required or permitted by applicable laws.
3.3 All Memberstack personnel, including subcontractors, authorized to process the Client Personal Data shall be subject to confidentiality obligations and/or subject to an appropriate statutory obligation of confidentiality.
3.4 You expressly acknowledge and agree that, in the course of providing the services, Memberstack may anonymize, aggregate, and/or otherwise de-identify Client Personal Data (“De-Identified Data”) and subsequently use and/or disclose such De-Identified Data for the purpose of research, benchmarking, improving Memberstack’s offerings generally, or for another business purpose authorized by Applicable Data Protection Law provided that Memberstack has implemented technical safeguards and business processes designed to prevent the re-identification or inadvertent release of the De-Identified Data.
- Security Measures
4.1 Memberstack shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client Personal Data), confidentiality and integrity of Client Personal Data, as set forth in Memberstack’s Security Overview. Memberstack regularly monitors compliance with these measures. Memberstack will not materially decrease the overall security of the Services during a subscription term.
4.2 The Technical and Organizational Security Measures implemented pursuant to this clause 4 are subject to technical progress and development, and Memberstack regularly reviews and may update or modify them from time to time in order to ensure that the processing of Client Personal Data is performed in accordance with this Addendum and Applicable Data Protection Law.
4.3 Personal Data Breach:
If Memberstack becomes aware of an actual or suspected Personal Data Breach of Client Personal Data, Memberstack will notify You without undue delay. Memberstack will provide You with information, assistance and cooperation and, taking into account the nature of the services provided and the information available to Memberstack, take commercially reasonable steps to: (i) investigate and mitigate the Personal Data Breach and (ii) assist with respect to Your breach notification obligations under any Applicable Data Protection Law. The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected data subjects and/or the appropriate regulator in connection with a Personal Data Breach, provided that nothing in this clause shall prevent either party from complying with its obligations under Applicable Data Protection Law.
- Audits and Inspections
Upon written request, Memberstack shall make available to You, no more than once annually and strictly at your own cost, information reasonably necessary to demonstrate Memberstack’s compliance with its obligations under this Addendum and Applicable Data Protection Law. You shall be solely responsible for determining whether the Services and Memberstack’s Security Measures will meet your needs, including with respect to any Data Protection Laws.
- Data Subject and Supervisory Authority Requests
To the extent required under Applicable Data Protection Law and taking into account the nature of the services provided, Memberstack shall:
6.1 provide such assistance to You as is reasonably requested with respect to Your obligations to comply with requests from Your data subjects to exercise their rights under Applicable Data Protection Law. Memberstack shall notify You without delay upon receipt of any request by a data subject to exercise his or her rights under Applicable Data Protection Law in respect of any Client Personal Data. Memberstack will not independently respond to such requests from Your data subjects except where otherwise required by Applicable Data Protection Law. You undertake to inform Memberstack (as the processor / service provider) of any data subject (or consumer) request received and shall provide Memberstack with the necessary information to allow Memberstack to comply with the request when required to do so; and
6.2 notify You of all enquiries or communications from a competent supervisory authority that Memberstack receives which relate to Client Personal Data processed in connection with providing the services and under this Addendum and the Agreement unless prohibited from doing so at law or by a regulator. You shall be responsible for all communications or correspondence with the competent supervisory authority in relation to Your role as Controller of Client Personal Data under Applicable Data Protection Law and, to the extent permitted by law.
- Data Protection Impact Assessments and Prior Consultation
To the extent required under Applicable Data Protection Law and taking into account the nature of the services provided and the information available to Memberstack, and to the extent You do not otherwise have access to the relevant information, Memberstack shall provide reasonable assistance to You as reasonably requested with respect to Your obligations to conduct data protection impact assessments with respect to the processing of Client Personal Data.
You generally authorize the engagement of Subprocessors by Memberstack and a list of existing Subprocessors (to the extent that Subprocessors shall be used) may be made available via Third Party Sub-Processors. Memberstack shall enter into a written agreement with each Subprocessor(s) that imposes on the Subprocessor the same data protection obligations that are imposed on Memberstack pursuant to this Addendum. You shall promptly, and in any event within 10 business days, notify Memberstack in writing of any reasonable objection to such changes / appointment. You acknowledge that Memberstack’s Subprocessors are essential to provide the services and that if You object to Memberstack’s use of a Subprocessor, then notwithstanding anything to the contrary in the Agreement, Memberstack will not be obligated to provide the services to You for which Memberstack uses that Subprocessor and any adjustments required by You shall be at your cost. Any disagreements between the Parties shall be resolved via the contract dispute resolution procedure.
9.1 Transfers of EEA/Swiss Data:
To the extent that GDPR and complementary data protection laws in EU member countries (“EU Data Protection Law”) applies to the processing of Client Personal Data, Memberstack agrees that it will not transfer Client Personal Data out of the EEA and/or Switzerland to a country that has not been identified by the European Commission or a Supervisory Authority under EU Data Protection Law as a country that provides an adequate level of data protection except where Memberstack has ensured appropriate safeguards are in place, such as the Standard Contractual Clauses approved by the European Commission unless otherwise required by applicable law. Memberstack and You hereby enter into the Standard Contractual Clauses (as further set out in the Schedule to this Agreement) in respect of such transfers.
9.2 Transfers of UK Data:
Subject to subsection 9.4 below, the Parties shall rely on the UK Standard Contractual Clauses as amended from time to time by the Information Commissioner’s Office (the “UK SCCs”), to protect Client Personal Data being transferred from the United Kingdom (UK) to a country outside the UK not recognized as providing an adequate level of protection for personal data. You, acting as data exporter, shall execute, or shall procure that Your relevant entities execute, such UK SCCs with the relevant Memberstack entity or a third-party entity, acting as a data importer.
9.3 Transfers of non-EEA/Swiss/UK Data:
In the event that Client Personal Data is to be transferred outside the country of origin in connection with the provision of Services under the Agreement and this country is not located within the EEA, Switzerland or the United Kingdom, the Parties will work together expeditiously and in good faith to establish the appropriate transfer mechanism to be implemented, as required by applicable Data Protection Law.
9.4 Transfer Mechanism:
In the event that the transfer mechanisms agreed by the Parties herein are amended, replaced, or cease to be authorized as a means to provide “adequate protection” with respect to transfers of Client Personal Data, the Parties will work together expeditiously and in good faith to establish another valid transfer mechanism and/or implement supplementary measures as needed to establish appropriate safeguards for such data. Any impacts on the terms of the Agreement and the provision of the services caused by such new requirements will be addressed by the Parties in accordance with Section 15 (Changes in Laws) below.
- Use of Business Contact Information
- Disclaimer of Liability
Memberstack will not be liable for any claim brought by a data subject arising from or related to Memberstack or its Affiliates action or omission to the extent that Memberstack was acting in accordance with Your instructions.
- Governing Terms
12.1 This Addendum represents the entire agreement between the Parties in relation to its subject-matter and all previous representations, agreements and statements are hereby excluded.
12.2 For avoidance of doubt and without prejudice to the rights of any data subjects thereunder, this Addendum and any Standard Contractual Clauses (or other data transfer agreements) that the Parties or their affiliates may enter into in connection with the services provided pursuant to the Agreement will be considered part of the Agreement and the liability terms set forth in the Agreement will apply to all claims arising thereunder.
12.3 In the event of any conflict or ambiguity between terms of this Addendum and terms of the Agreement, the terms of the Addendum shall prevail. In the event of any conflict or ambiguity between terms of this Addendum and terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail. All other terms and conditions within the Agreement remain unchanged and in full force and effect.
Each and every provision of this Addendum is severable and distinct from the others and if at any time any provision of this is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, that will not affect or impair the legality, validity or enforceability in that jurisdiction of any other provision of this Addendum.
- Notices and Variation
All notices, consents, demands, and other communications required or permitted to be given by either Party under this Addendum shall be in writing. No amendment to this Addendum will be effective unless in writing and signed by both Parties.
- Changes in Laws
In the event of (i) any newly enacted Applicable Data Protection Law, (ii) any change to an existing Applicable Data Protection Law (including generally-accepted interpretations thereof), (iii) any interpretation of a new or existing Applicable Data Protection Law by You, or (iv) any material new or emerging cybersecurity threat, which individually or collectively requires a change in the manner by which Memberstack is delivering the services to You, the Parties shall agree in writing upon how Memberstack’s delivery of the services will be impacted and shall make equitable adjustments to the terms of the Agreement and the Services in accordance with any change procedures as may be agreed to by the Parties.
- Governing Law and Jurisdiction
16.1 The jurisdiction of this Addendum shall be the jurisdiction of the Agreement. In the event there is no jurisdiction clause in the Agreement, any dispute or claim in connection with this Addendum shall be governed by and construed in accordance with:
16.1.1 in the case of the contracting Memberstack entity being in Europe, the laws of Ireland,
16.1.2 in the case of the contracting Memberstack entity being in the USA or elsewhere, the laws of the state of Delaware.
EEA STANDARD CONTRACTUAL CLAUSES
- The relevant Controller-Processor Standard Contractual Clauses (Module 2) are available: here.
- For the purposes of entering the Standard Contractual Clauses:
a) The optional Clause 7 shall not apply
b) Option 2 of Clause 9 (Use of sub-processors) shall apply.
c) The description of the transfer of Personal Data in Appendix A of this Agreement shall be deemed to be inserted in place of Annex I of the Standard Contractual Clauses;
d) Memberstack’s security measures shall be deemed to be inserted in place of Annex II of the Standard Contractual Clauses.
UK STANDARD CONTRACTUAL CLAUSES
1. The UK SCCs Addendum is available: here.
2. For the purposes of entering the UK SCCs Addendum:
a) The information contained in Appendix A of this Agreement shall be deemed to apply to Tables 1, 2 and 3 of the UK Standard Contractual Clauses; and
b) Memberstack’s security measures shall be deemed to apply to the final row (Annex II) of Table 3 of the UK Standard Contractual Clauses.
A. LIST OF PARTIES
Data Exporter(s) / Client:
Contact Name, Position, Details:
1209 Orange Street, Wilmington, New Castle County, Delaware 19801, USA
Memberstack is engaged in the business of providing a SaaS product that includes various services, such as user authentication and payments (the “Memberstack Services”).
B. DESCRIPTION OF TRANSFER
| Item | Details |
|---|---|
| Categories of Data Subjects | The personal data transferred concern the following categories of data subjects: Individuals about whom Personal Data is provided to Memberstack via the Services by (or at the direction of) Client, which may include without limitation Client’s or its Affiliates’ employees, contractors, and end users. |
| Purposes of the transfer(s) | The transfer is made for the following purposes: Memberstack will only process Client Personal Data as Processor for the following purposes and only when necessary and proportionate to comply with the Client’s instructions: Providing and updating the Services as licensed, configured, and used by Client and its users, including through Client’s use of Memberstack settings, administrator controls or other Service functionality; Securing and real-time monitoring the Services; Resolving issues, bugs, and errors; Providing Client requested support, including applying knowledge gained from individual Client support requests to benefit all Memberstack Clients but only to the extent such knowledge is anonymized as set out in the Agreement and this Appendix A detailing the subject matter, nature, purpose, and duration of Personal Data Processing in the Controller to Processor capacity; Any other documented instruction provided by Client and acknowledged by Memberstack as constituting instructions for purposes of this Addendum. |
| Categories of Personal Data | Depending on the Services you use, the personal data transferred may primarily concern the following categories of data: Client Account Information: Data associated with the client’s Memberstack account, name, password, email, payment information, company name, and Client’s preferences. This will include: Memberstack unique user ID and social media login (optional); Client End Users’ Data: This includes the data associated with the Client’s end users that the Client chooses to process using Memberstack, for the purpose of providing requested services; Device and Network Information: Information about your desktop and mobile device, which may include network data, operating system, user agent, MAC / IP address, and service logs; User Feedback and Satisfaction Data: This may include ratings and plain text feedback on how we can improve our services. |
| Frequency of the transfer | |
| Special categories of personal data (if appropriate) | Special categories are not required to use the Services. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical belief, genetic or biometric data, data concerning your health or sexual orientation. To the extent such sensitive data is submitted, it is determined and controlled by Client in its sole discretion. |
| Duration of processing | The applicable term of the Agreement unless otherwise required by law. |
| Nature and Subject Matter of the Processing | Memberstack will process Client Personal Data for the purposes of providing the Services to Client in accordance with the Addendum. |
| Retention period (or, if not possible to determine, the criteria used to determine that period) | The applicable term of the Agreement unless otherwise required by law. |
C. COMPETENT SUPERVISORY AUTHORITY
| Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs: |
|---|
| The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter’s EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. |
| With respect to Personal Data to which GDPR applies, the competent supervisory authority is the Irish Data Protection Commission. |
| With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office (the “ICO”). |