Arrows Up, LLC - Data Processing Agreement

This Data Processing Agreement ("DPA") is made by and between Arrows Up, LLC (herein "Arrows Up" or "Sub-Processor") and the client ( "Client" or "Processor") identified on that certain Arrows Up Service Agreement by and between Arrows Up and Client ("Contract"), each a "Party" and together the "Parties", for Arrows Up sub-processing Services as such term is defined in the Arrows Up, LLC Terms of Service ("TOS") in accordance with ADPL (as hereinafter defined). The EU General Data Protection Regulation 2016/679 ("GDPR"), the California Privacy Rights Act ("CPRA"), and corresponding provisions of other applicable data protection laws are together "ADPL".

This Agreement governs matters of personal information (as defined in the CPRA) protection between private Parties, and shall be in force for as long as the Parties process personal information in connection with this DPA, and the TOS and any therein referenced documents all of which are attached to or incorporated by reference into the Contract previously executed by Client (all such documents herein the "Agreement"), which bind the Parties, and further amends any prior agreement between the Parties with respect to any data protection matters.

1. Client is a processor or service provider and Arrows Up is a sub-processor for Client in accordance with ADPL of personal information.
2. Each Party shall comply at all times with ADPL. Arrows Up shall promptly notify Client of any circumstance of which it becomes aware that may prevent either party from complying with its obligations under this DPA or under ADPL. Each party shall reasonably cooperate with the other in responding to inquiries, events, incidents, claims, and complaints regarding the processing of the personal information or as otherwise needed for either party to demonstrate compliance with ADPL.
3. Arrows Up will process personal information only pursuant to Client's documented written instructions, which include the Agreement, and any other instructions communicated in writing to Arrows Up. The nature and purpose of the processing of personal information, the duration of such processing, the types of personal information processed and the categories of data subjects whose personal information is processed shall be in accordance with the Agreement. Arrows Up may also process personal information where required by ADPL to which Arrows Up is subject.
4. Client instructs Arrows Up to process the personal information for the following purposes: (i) providing Arrows Up's Services to Client; and (ii) compliance with other reasonable and lawful instructions provided by Client where such instructions are consistent with the Agreement.
5. Arrows Up may only process the types of personal information, relating to such categories of data subjects (as defined in the ADPL), and as are detailed in documented instructions per section 3 above.
6. In accordance with CPRA, unless otherwise instructed by Client, Arrows Up will refrain from: selling or sharing personal information; retaining, using or disclosing personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing personal information for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by the CPRA; retaining, using or disclosing the information outside of the direct business relationship between the Arrows Up and Client; and/or combining the personal information it receives from the Client with personal information it receives from or on behalf of another person or persons or that it collects from its own interaction with the consumer.
7. Arrows Up's personnel engaged in processing personal information are and will remain committed to confidentiality. Arrows Up implements appropriate technical and organizational measures to protect the personal information against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
8. Arrows Up maintains an updated list of its sub-processors, available here: https://www.goarrowsup.com/legal/privacy/subprocessors. Client is encouraged to check this list on a regular basis. Client shall have the right to object, on reasoned grounds, to any new sub-processor within fourteen (14) days of the list being updated by Arrows Up. In the event that Client, acting reasonably and in good faith, objects to such processing, then the Client may terminate the Contract upon at least five (5) days prior written notice to: [email protected]. Arrows Up shall ensure that the arrangement between Arrows Up and each sub-processor is governed by a written contract including terms which offer substantively at least the same level of protection for the personal information being processed hereunder as those set out in this DPA and which meet the requirements of Article 28(3) of the GDPR, and shall remain liable to Client for the performance of the Sub-Processor's obligations.
9. Arrows Up will assist Client in responding to requests for exercising data subjects' (as defined in the ADPL) rights (GDPR Articles 15-22; "Request"). Arrows Up will inform Client promptly if it receives a Request, and in any event within 72 hours of receiving the Request, and will not take any other action without Client's authorization. Arrows Up will likewise assist Client with its obligations pursuant to ADPL, such as GDPR Articles 32-36, including also data security, data protection impact assessments, and breach notifications. Arrows Up will reasonably allow for and contribute to audits and inspection in this regard. Arrows Up will inform Client without delay, and in any event within 48 hours, if Arrows Up experiences a personal information breach (as defined in the ADPL), and will provide full details to Client, including all information reasonably needed by Client to comply with ADPL, including without limitation, the root cause of the incident, information about the affected data subjects and the possible consequences of the incident, and further developments or information as it becomes available. In cooperation with Client, Arrows Up shall mitigate the effects of any personal information breach or unauthorized or unlawful processing and implement appropriate remedial measures to prevent recurrence.
10. Arrows Up will report to Client upon written request, on the manner in which the obligations contained in this DPA are implemented, and shall maintain up to date records of its processing activities performed on behalf of Client in accordance with the record keeping requirements under ADPL.
11. Unless otherwise required by ADPL, Arrows Up shall return or delete, at Client's sole discretion, all personal information upon the termination of the processing activities carried out under the Agreement.
12. Arrows Up may not assign its respective rights and obligations hereunder, other than if such assignment is by way of merger or acquisition of all or substantially all Arrows Up's equity or assets, or change of control.
13. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives. The choice of law and jurisdiction governing this agreement will be the same as those governing the Agreement.
14. Client's Data Protection personnel may be contacted at the email provided in the registration form. Arrows Up's Data Protection personnel may be contacted at [email protected].