- (a) make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by FingerprintJS or such additional charges as FingerprintJS may reasonably determine; or
- (b) terminate the Agreement and the Services.
- (a) to the extent that FingerprintJS processes Customer Personal Data as a processor on behalf of the Customer, the Processor Clauses shall apply to any transfers of Customer Personal Data falling within the scope of the GDPR from the Customer (as data exporter) to FingerprintJS (as data importer); and
- (b) to the extent that FingerprintJS processes Customer Personal Data as a controller, the Controller Clauses shall apply to any transfers of Customer Personal Data falling within the scope of the GDPR from the Customer (as data exporter) to FingerprintJS (as data importer).
- (a) Annex I.A (List of Parties) shall be deemed to incorporate the information in Schedule 1;
- (b) Annex I.B (Description of Transfer) shall, for the purposes of the Processor Clauses, be deemed to incorporate the information in Part 1 of Schedule 2;
- (c) Annex I.B (Description of Transfer) shall, for the purposes of the Controller Clauses, be deemed to incorporate the information in Part 2 of Schedule 2;
- (d) Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Schedule 1; and
- (e) Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule 3.
- (a) neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the “UK Data Protection Laws”);
- (b) the Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:
- (i) for transfers made by the Customer to FingerprintJS, to the extent that UK Data Protection Laws apply to the Customer’s processing when making that transfer; and
- (ii) to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR; and
- (c) the amendments referred to in clause (b) include (without limitation) the following:
- (i) references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;
- (ii) references to Regulation (EU) 2018/1725 are removed;
- (iii) references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”;
- (iv) the “competent supervisory authority” shall be the Information Commissioner;
- (v) clause 17 of the Standard Contractual Clauses is replaced with the following: “These Clauses are governed by the laws of England and Wales”;
- (vi) clause 18 of the Standard Contractual Clauses is replaced with the following: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”; and
- (vii) any footnotes to the Standard Contractual Clauses are deleted in their entirety.
- (a) it has provided all applicable notices to data subjects and, to the extent required, obtained consent from data subjects in each case as required for the lawful processing of Customer Personal Data in accordance with the Agreement and this DPA; and
- (b) without prejudice to the generality of clause 8 of the Standard Contractual Clauses (as applicable), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 3 are:
- (i) appropriate to ensure the security of the Customer Personal Data, including protection against a personal data breach; and
- (ii) otherwise consistent with the Customer’s obligations under Article 32 of the GDPR.
- (a) all such audits shall be conducted:
- (i) on reasonable written notice to FingerprintJS;
- (ii) only during FingerprintJS’ normal business hours; and
- (iii) in a manner that does not disrupt FingerprintJS’ business; and
- (b) the Customer (or, where applicable, a third party independent auditor appointed by the Customer) shall:
- (i) enter into a confidentiality agreement with FingerprintJS prior to conducting the audit in such form as FingerprintJS may request; and
- (ii) ensure that its personnel comply with FingerprintJS’ and any Sub-processor’s policies and procedures when attending FingerprintJS’ or Sub-processor’s premises, as notified to the Customer by FingerprintJS or Sub-processor.
- (a) to the extent required by applicable laws, and only for such period and such purposes as required by applicable laws; or
- (b) to the extent that the Customer Personal Data has been archived on back-up systems, provided that FingerprintJS shall securely isolate and protect such Customer Personal Data from any further processing, except to the extent required by applicable law, and purge such Customer Personal Data from the applicable back-up systems in accordance with its normal back-up cycle,
- (a) implementing any changes to the Services under clause 4.4;
- (b) facilitating and contributing to any audits of FingerprintJS under or clauses 8.9(c) and (d) of the Standard Contractual Clauses;
- (c) facilitating and contributing to any audits of FingerprintJS conducted by a supervisory authority;
- (d) responding to queries or requests for information from the Customer relating to the processing of Customer Personal Data under clauses 8.9(a), 8.9(c) or 8.9(e) of the Standard Contractual Clauses;
- (e) any assistance provided by FingerprintJS to the Customer with its fulfilment of its obligations to respond to data subjects’ requests for the exercise of their rights under the GDPR; and
- (f) any assistance provided by FingerprintJS to the Customer with any data protection impact assessments or prior consultation with any supervisory authority of the Customer.
- (a) The Standard Contractual Clauses (or, with respect to transfers of Customer Personal Data subject to the UK GDPR, the Standard Contractual Clauses as amended by clause 3.3).
- (b) The main body of this DPA.
- (c) The Agreement.
- (a) where the Customer is established outside the UK, the laws of Ireland; or
- (b) where the Customer is established in the UK, the law of England and Wales;
- (a) where the Customer is established outside the UK, the courts of Ireland; or
- (b) where the Customer is established in the UK, the courts of England and Wales;
Schedule 1
PARTIES TO THE PROCESSING
| Party: | Customer / data exporter | FingerprintJS / data importer |
|---|---|---|
| Role | Controller | Processor |
| Contact person | Name: Position: Contact details: | Name: Valentin Vasilyev; Position: Chief Technology Officer; Contact details: dpo@fingerprint.com |
| Activities / services provided | The Services (as defined in the Agreement) | |
| Competent supervisory authority | n/a | |
Schedule 2
Details of processing
Part 1
Processing subject to the Processor Clauses
The data exporter is the Customer
The data importer is FingerprintJS
The personal data transferred concern the following categories of data subjects:
- Users of Customer websites.
- Personal data contained within Visitor Data (as defined in the Agreement), including information relating to a user’s device, operating system, browser, browser configuration, IP address, and approximate location.
as set out in Schedule 4
Part 2
Processing subject to the Controller Clauses
The Customer’s employees and contractors that the Customer authorises to access and use the Services.
The purpose of the data transfer and further processing is the operation, maintenance and improvement of FingerprintJS’ products and services, including billing, account management, technical support, product development and sales and marketing.
The personal data transferred concern the following categories of data:
- contact information, including name, address, phone number, email address, login details, employing / engaging organisation;
- payment and transaction information;
- contact preferences, including preference set for notifications, marketing communications, how the Service is displayed and the active functionalities on the Service;
- comments and opinions; and
- technical information regarding access to the Services (including IP address, approximate location, pages viewed and log data).
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
- Sub-processors listed in Schedule 4.
- Wildbit, LLC (d/b/a “Postmark”).
- Data exporter: the contact details provided with the Account.
- Data importer: dpo@fingerprint.com
- Administration, improvement, troubleshooting and testing of the data importer’s technology, including browser fingerprinting bot detection and account sharing prevention technology.
- Calculation of charges and fees owed by the Customer to FingerprintJS in respect of the Services.
- Communication with Customer and their users in respect of the Services.
- as set out in Schedule 4.
Schedule 3
Technical and Organisational Security Measures
1. Introduction
The data importer employs a combination of policies, procedures, guidelines and technical controls to protect the personal data it processes from accidental loss and unauthorised access, disclosure or destruction.
2. Governance and Policies
The data importer has organised leadership and defined policies related to information security to ensure alignment with business objectives to adequately serve clients. These policies are reviewed and approved annually by management and updates are communicated to employees and relevant external parties.
Roles and responsibilities for teams and team members are defined within the data importer’s organisational structure and reporting lines as well as written job descriptions. Management reviews the data importer’s organisational structure at least annually as part of strategic planning, and any changes are made as needed based on changing reporting lines, authorities, and responsibilities.
The data importer has the following security policies and related processes in place:
- (a) Data classification and business impact assessment
- (b) Selection, documentation, and implementation of security controls
- (c) Assessment of security controls
- (d) User access authorization and provisioning
- (e) Removal of user access
- (f) Monitoring of security controls
- (g) Security management
- (a) Minimum password length is 16 characters
- (b) Require at least one uppercase letter from Latin alphabet (A–Z)
- (c) Require at least one lowercase letter from Latin alphabet (a–z)
- (d) Require at least one number
- (e) Require at least one non-alphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ’.
- (f) Passwords expire in 90 days
- (g) Allow users to change their own password
- (a) Information transmitted over the public internet (HTTPS)
- (b) Data transferred within system components (TLS)
- (c) Data transferred between organisations (SFTP)
- (a) Evidence of device encryption
- (b) Enterprise antivirus enabled
- (c) Antivirus daily updates
- (d) Requirement of user name and password
- (e) Patches or regular OS updates
Schedule 4
List of Sub-processors
- Available upon request.