Data Processing Terms and Conditions

These Data Processing Terms and Conditions form part of the Publisher Terms and Conditions Agreement (the “Agreement”) for the contract of service with Exit Bee as the Processor (“Processor”) and the Publisher as the Controller (“Controller”). Each individually referred to as the “Party” and jointly referred to as the “Parties”. These Data Processing Terms and Conditions reflect the parties agreement with regard to the Processing of Personal Data. In the course of providing the Services to the Controller pursuant to the “Agreement”, Exit Bee may Process Personal Data on behalf of the Controller and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. 

 

RECITALS

  1. WHEREAS the Parties have agreed that the Controller will act as the sole Controller of the Personal Data and that the Processor renounces any rights it may have to act as a data controller of the Personal Data held by the Controller
  2. WHEREAS the Parties have agreed that it may be necessary for the Processor to Process certain Personal Data on behalf of the Controller
  3. WHEREAS in light of this Processing, the Parties have agreed to these Data Processing Terms and Conditions to address the compliance obligations imposed upon the Controller pursuant to the Applicable Law
  4. WHEREAS the Parties agree that the provision of the services under Exit Bee’s Publisher Terms and Conditions Agreement may qualify as commissioned data Processing as per Art. 17 of the European sec. 28 of the General Data Protection Regulation 2016/679
  5. WHEREAS the Parties agree that this Data Processing Terms and Conditions shall render any and all other previous agreements entered into between the Controller and the Processor in relation to data processing, before the Period as defined in the Publisher Terms and Conditions Agreement, null and void.

 

  • DEFINITIONS AND INTERPRETATION

 

Agreement Means the Publisher Terms and Conditions Agreement, including all Appendixes.
Data Processing Terms and Conditions  Means these Data Processing Terms and Conditions including all schedules, notifications and all notices to these Terms and Conditions
Applicable Law Means the relevant data protection and privacy laws to which the Parties are subject, including the EU General Data Protection Regulation 2016/679
Data Subject Means the identified or identifiable  person to whom Personal Data relates
Personal Data Means “any information relating to an identified or identifiable natural person (data subject); and identifiable person is one who can be identified directly or indirectly,  in particular by reference identifier such as a name, and identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, as defined under the EU General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Law
Process,

Processing

Or Processed

Means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not  by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”, as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Law
Purpose Means the services and the associated Processing of Personal Data as defined in Schedule 1 to this Agreement
Services Means the contracted Service offered by ExitBee having a variety of resources including but not limited the Presentation of Content and Advertising Content, Publisher Content to website visitors on exit intent, browsing behaviour, the Presentation of lead forms, surveys and other functionalities developed and introduced by Exit Bee from time to time
Terms of Service Means the legal agreement between the Controller as the user and the  Processor, that governs the Controller’s limited, non-exclusive and terminable right to the user of the Exit Bee Site and Services as defined in the Terms of Service

 

 

  • APPOINTMENT

 

      1. The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller as is necessary to provide the Processing services. 
      2. The Controller shall Process Personal Data in accordance with the requirements of the Applicable Laws. For the avoidance of doubt, the Controller’s instructions for the Processing of Personal Data shall comply with the Applicable Law and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable law. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.

 

  • DURATION

 

      1. This Data Processing Terms and Conditions come into effect on the Start Date of the Period defined in the Publisher Terms and Conditions Agreement and shall continue in full force and effect until the termination without renewal of such Period.
      2. Notwithstanding Clause 3.1. And in those instances where the Purpose consists of a number of Processing activities, the Parties may agree to terminate part of the Processing activities forming part of the Purpose, in which case such termination shall take effect on the date agreed by the Parties in writing and shall not affect the validity of the remaining Processing activities forming  part of the same Purpose.

 

  • DATA PROCESSING

 

      1. The Processor shall process Personal Data for the Purpose as described in the Terms of Service, as entered into between the parties, on behalf of the Controller and as summarized in Schedule 1 hereunder.
      2. The data will be processed exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Any transfer of data to a country which is not a Member State of either the EU or the EEA requires the prior consent of the Controller and is subject to compliance with the special requirements on transfers of personal data to countries outside the EU/EEA and in compliance with the technical and organizational measures set out in clause 5. 
      3. Depending on how the Controller chooses to use the Service, the subject matter of Processing of personal data may cover the following types/categories of data:
        • Device’s IP address (captured and stored in an anonymized format)
        • Device screen resolution
        • Device type (unique device identifiers), operating system, and browser type
        • Geographic location
        • Mouse events or finger events for mobile devices
        • Keypresses
        • Referring URL and domain
        • Pages visited
        • Date and time when website pages were accessed
      4. The group of Data Subjects affected by the Processing of their personal data under the Agreement includes end-users of the Controller’s websites.

 

  • TECHNICAL AND ORGANIZATIONAL MEASURES

 

      1. The Processor shall establish data security in accordance with the Applicable Laws. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must be taken into account.
      2. The Processor has laid down the technical and organizational measures, in Schedule 2 of this Agreement. 
      3. The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time. In so doing, the security level of the defined measures must not be reduced.

 

  • RECTIFICATION, RESTRICTION AND ERASURE OF DATA

 

      1. The Processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law or the Processor’s Data Processing Terms and Conditions), but shall only do so on documented instructions from the Controller and in accordance to data retention rules associated to the Controller subscription plan.
      2. If a Data Subject should apply directly to the Processor to request the rectification, erasure or restriction of his Personal Data, the Processor must forward this request to the Controller without delay.

 

  • QUALITY ASSURANCE AND OTHER OBLIGATIONS OF THE PROCESSOR

 

      1. The Processor shall comply with all statutory requirements applicable when carrying out this Agreement. In particular, the Processor ensures compliance with the following requirements:
        • The Processor has appointed a data protection officer, who shall perform such duties in compliance with the Applicable Laws. The data protection officer can be contacted via email on legal@exitbee.com
        • The Processor shall keep Personal Data logically separate to data Processed on behalf of any other third party
        • The Processor and any person acting under its authority shall process the Personal Data in accordance with the Data Processing Terms and Conditions and on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest
        • The Processor entrusts only such persons (whether legal or natural) with the data Processing under this Agreement who have given and undertaking to maintain confidentiality and have been informed of any special data protection requirements relevant to their work
        • The Processor and the Controller shall cooperate, on request, with the supervisory authority in performance of its tasks
        • The Processor shall inform the Controller immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to the Processing of the Controller’s data under this Agreement’ this also applies if the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any civil or criminal law, or administrative rule or regulation regarding the Processing of personal data in connection with the Processing of the Controller’s data under this Agreement
        • The Processor shall undertake reasonable efforts to support the Controller if the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with this Agreement
        • The Processor shall periodically monitor the internal processes and the technical and organizational measures to ensure that Processing is in accordance with the requirements of applicable data protection laws and the protection of the rights of the Data Subject
        • The Processor shall verify the technical and organisational measures conducted as part of the Controller’s monitoring rights referred to Schedule 2 of this Agreement.

 

  • MONITORING RIGHTS OF THE CONTROLLER

 

      1. The Controller has the right, after consultation with the Processor, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The Controller has the right to convince itself of the compliance with this Agreement by the Processor in its business operations by means of a check, that is to be communicated in advance and in good time. These rights of the Controller shall not extend to facilities which are operated by sub-processors, subcontractors or any third parties which the Processor may use to attain its Purpose and provide its Services. The Processor shall ensure that the Processing activities carried out by any sub-processors, subcontractors or any third parties which the Processor may use to attain its Purpose and provide its Services meet the requirements laid down in this Agreement and in Applicable Law
      2. The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with the Applicable Laws. The Processor undertakes to provide to the Controller all necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures as mentioned in Schedule 2 within a reasonable timeframe
      3. Evidence of the implementation of any measures in this regard may also be presented in the form of up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, the data protection officer, the IT security department or quality auditors) or suitable certification by way of an IT security or data protection audit or by other measures provided by law

 

  • NOTIFICATIONS OF SECURITY BREACHES BY THE PROCESSOR

 

      1. The Processor shall assist the Controller in complying with the statutory obligations regarding the security and protection of personal data and shall make appropriate documentation in this regard. This includes, in particular, the obligation:
        • To ensure an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the Processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable and immediate detection of relevant infringement events
        • To notify the Controller in the most expedient time possible under the circumstances and without unreasonable delay and, where feasible, not later than seventy-two (72) hours after having become aware of any accidental, unauthorized, or unlawful destructions, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach”). In consultation with the Controller, the Processor shall take appropriate measures to secure the data and limit any possible detrimental effect on the Data Subjects
        • To cooperate with the Controller and provide the Controller with any information which the Controller may reasonably request relating to the Security Breach. The Processor shall investigate the Security Breach and shall identify, prevent and make reasonable efforts to mitigate the effects of any such Security Breach and, with the Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Security Breach
        • To assist the Controller by appropriate measures with regard to the Controller’s obligation to inform Data Subjects and competent authorities in case of a Security Breach
        • To assist the Controller with regard to the Controller’s obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard.

 

  • AUTHORITY OF THE CONTROLLER TO ISSUE INSTRUCTIONS

 

      1. The Personal Data may only be handled under this Data Processing Terms and Conditions, in alignment with the Processor’s Publisher Terms of Service, and under the instructions issued by the Controller. Under the terms of this Agreement, the Controller retains a general right of instruction as to the nature, scope and method of data Processing, which may be supplemented with individual instructions. 
      2. The Processor may only pass on information to third parties provided they render the data subject unidentifiable and for targeting or reporting purposes relating to the Presentation of Advertising Content as outlined in the Agreement or with the prior written consent of the Controller.
      3. The Processor will only accept instructions via electronically communicated text in writing or in text form. The Processor must not use the data for any other purpose and is particularly forbidden to disclose the data to third parties. No copies or duplicates may be produced without the knowledge of the Controller. This does not apply to backup copies where these are required to assure proper data Processing, or to any data required to comply with statutory retention rules.
      4. The Processor shall inform the Controller immediately, if it believes that there has been infringement of legal data protection provisions. The Processor may then postpone the execution of the relevant instruction until it is confirmed or changed by the Controller’s representative.

 

  • DELETION AND RETURN OF PERSONAL DATA

 

      1. Upon completion of the contractual work as laid down in the Principal Agreement or when requested by the Controller, and within a reasonable time which shall not exceed 30 calendar days, the Processor must return to the Controller all documents in its possession and all work products and data produced, or deleted them in compliance with the Applicable Law with the prior consent of the Controller. The same applies to any test data. The deletion log must be presented upon request.
      2. Electronic documentation intended as proof of proper data Processing must be kept by the Processor beyond the termination of the relationship between the Parties and this Agreement, in accordance with relevant retention periods relevant to the Controller’s subscription plan and timeframes corresponding to each subscription plan. The Processor may hand such documentation over to the Controller after expiry of the AGreement, upon request by the Controller.
      3. The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making.
      4. Taking into account the nature of the Processing, the Processor shall assist Controller by appropriate technical and organizational measures, insofar as the right to be forgotten is possible, for the fulfilment of the Controller’s obligation to respond to a Data Subject’s request under the Applicable Law. The obligation to delete the Data Subject’s data shall, at all times, remain with the Controller. For the avoidance of doubt, the Processor will not undertake any data deletion efforts for an on behalf of the Controller.

 

  • INDEMNIFICATION

 

    1. The Controller will indemnify the Processor in respect of all liabilities, costs and expenses suffered or incurred by the Processor in its capacity as processor of the data of the Controller arising from any Security Breach in the Data Processing or any negligent act or omission by the Controller in the exercise of the rights granted to it under the Applicable Law provided that:
      • The Processor, within reasonable time, notifies the Controller of any actions, claims or demands brought or made against it concerning any alleged Security Breach
      • The Processor will not compound, settle or admit to any actions, claims or demands without the consent of the Controller except by order of a court of competent jurisdiction
      • The Controller shall be entitled at its own cost to defend or settle any proceedings
      • The Processor shall not have acted of its own accord and independently of the instructions given to it by the Controller in its role as data processor in accordance with the provisions of this Agreement, except in specific situation sas laid down in the Processor’s Terms of Service
      • This indemnity shall exclude any loss that has arisen out of negligence or willful acti, default or omission of the Processor, its employees, contractors, subcontractors or any other person outside the Controller’s control
      • Unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Controller’s maximum aggregate liability under this Agreement shall, in no case exceed the maximum coverage paid out for such claim under the Controller’s insurance policy with respect to such claim. In the absence of an insurance policy, such liabilities, costs and expenses shall be capped at a level of one hundred thousand Euros (€100,000) whether in respect of a single claim or a series of claims arising from the same incident except in the event of death or personal injury where there shall be no limit.

The Processor’s right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within ten (10) business days from the occurrence thereof or commences to make good such damages before written notice is given as aforesaid.

      1. The Processor will indemnify the Controller in respect of all liabilities, costs and expenses suffered or incurred by the Controller in its capacity as controller of the data of the Processor arising from any Security Breach in the terms of this Agreement or any negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law provided that:
        • The Controller, within reasonable time, notifies the Processor of any actions, claims or demands brought or made against it concerning any alleged Security Breach
        • The Processor shall be entitled at its own cost to defend or settle any proceedings
        • Unless otherwise restricted or limited by any legislation in the applicable jurisdiction, the Processor’s maximum aggregate liability under this Data Processing Terms and Conditions shall, in no case exceed the maximum coverage paid out for such claim under the Processor’s insurance policy with respect to such claim
        • Nothing in this Agreement shall restrict or interfere with the Processor’s rights against the Controller or any other person in respect of contributory negligence.
      2. In the event of a breach of this Agreement caused by the actions of a sub-processor, the Processor shall assign the right to the Controller to take action under the sub-processor contract as it deems necessary in order to protect and safeguard Personal Data. The Processor acknowledges and agrees that it shall remain liable to the Controller for any breach of the terms of this Agreement or any sub-processor contract by any sub-processor and other subsequent third party processors appointed by it.

 

  • SUB-PROCESSING

 

    1. ‘Sub-Processing’, in the meaning of this Agreement, does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data Processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller’s data, even in the case of outsourced ancillary services to Sub-Processors.
    2. The Controller agrees to the commissioning of the following sub-processors on the condition of a contractual agreement in accordance with applicable data protection laws:
Sub-Processor Country Service
Amazon Web Services Ireland Secure Cloud Service Platform for Database Storage
Hetzner Online GmbH Germany Database Servers
Google Cloud Platform Ireland – Belgium Secure Cloud Service
Rackspace United Kingdom Managed Services – Google Cloud Platform Infrastructure
Redis St. Ghislain, Belgium  Google Cloud Service, Memorystore
Kubernetes St. Ghislain, Belgium Google Cloud Platform, Google Kubernetes Engine
Elasticsearch Frankfurt, Germany Amazon Web Services, Amazon Elasticsearch Service
MySQL St. Ghislain, Belgium Google Cloud Platform Cloud SQL for MySQL

 

      1. Outsourcing to further Sub-Processors or changing any existing Sub-Processors is permissible provided the Processor maintains the same privacy and security standards. The Controller shall not unreasonably object to any required Sub-Processing. In addition, the following provisions apply:
        • The transfer of Personal Data to the Sub-Processor and the Sub-Processor’s commencement of the data Processing shall be in compliance with all requirements of the Data Processing Terms and Conditions
        • If the Sub-Processor provides the agreed service outside the EU/EEA, the Processor shall ensure compliance with Applicable Laws
        • The Processor shall impose on the Sub-Processor the same data protection obligation as set out in this Agreement, in particular with regard to the provision of sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Applicable Law.
      2. With respect to each Sub-Processor, the Processor will before the Sub-Procesor first Processes any data of the Controller, carry out adequate due diligence to ensure that the Sub-Processor is capable of providing the level of protection for the Personal Data required by this Agreement and shall ensure that the agreement between the Processor and the relevant Sub-Processor, is governed by a written contract including terms which offer at least the same level of protection for the Controller as those set out in this Agreement and meets the requirements of article 28(3) of the GDPR.

 

  • MISCELLANEOUS

 

    1. With effect from 25 May 2018, upon the Controller’s request, the Processor shall provide the Controller with reasonable cooperation and assistance needed to fulfil the Controller’s obligation under the General Data Protection Regulation to carry out a data protection impact assessment related to the Controller’s use of the Processor’s Services, to the extent that the Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Processor.
    2. If any variation is required to this Agreement as a result of a change in the Applicable Law, then either Party may provide written notice to the other party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Agreement. The Parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the relevant requirements.
    3. Clauses and other headings in this Agreement are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this Agreement. Schedules to this Agreement shall be deemed to be an integral part of this Agreement to the same extent as if they had been set forth verbatim herein.
    4. This Agreement, including the Schedules attached hereto constitute the entire agreement between the parties pertaining to the subject matter hereof and supersede all prior agreements (excluding the Terms of Service), understandings, negotiations and discussions of the Parties.
    5. The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Agreement shall remain in full force and effect. 
    6. Any notice, letter or other communication contemplated by this Agreement shall be communicated in writing via registered mail to the registered addresses of the Parties or via electronic mail, delivery and read receipt requested.
    7. The provisions of this Data Processing Terms and Conditions shall endure to the benefit of and shall be binding upon the Parties and their respective successors and assigns.
    8. The  Controller agrees to post conspicuously on each Publisher’s Site a privacy policy that complies with all Privacy Laws, and that discloses Publisher’s as well as Exit Bee’s and Exit Bee’s advertising clients’ practices with respect to data collection, use and disclosure (each, a “Privacy Policy”), including:  (a) the types/categories of data being collected for targeting purposes as described in 4.3 , (b) the circumstances under which such data will be disclosed to or used by third parties, and the purposes therefor, and (c) the use of one or more third parties for ad serving activities. The Privacy Policy must: (i) be linked from each Publisher Site in connection with this Data Processing Terms and Conditions and the Agreement, (ii) direct end-users to an industry-wide mechanism for opting-out from receiving targeted advertising, such as the Digital Advertising Alliance opt-out page at http://aboutads.info/choices, and (iii) be consistent with the Exit Bee Privacy Policy.  Publisher must comply with all Privacy Laws with respect to obtaining required opt-in consent as may be required by the Privacy Laws of various countries or regions in connection with obtaining sufficient user permission to use cookies or the collection and use of any information obtained from Publisher’s end-users, or as to restoring cookies cleared or deleted by Publisher’s end-users.  Neither Publisher nor its agents (including without limitation Publisher’s CMP) shall decide, control, amend or restrict the legal bases, purposes or features (including special features) that Exit Bee relies on to process Personal Data including, but not limited to, under Version 2.0 of the IAB’s Transparency and Consent Framework. In the event that any such decision, control, amendment or restriction is applied by Publisher, Exit Bee may, in its sole discretion, terminate this Agreement.

 

SCHEDULE 1

 

Description of Processing Operations

The Purpose

 

Exit Bee is an ad network based on behavioural analysis and exit intent.

For more information on what data is collected and the security measure taken to protect this data refer to the Exit Bee Terms of Service: http://www.exitbee.com/terms and Privacy Policy: http://www.exitbee.com/privacy.

SCHEDULE 2

 

Technical and Organizational Measures

 

The Processor warrants and undertakes in respect of all Personal Data that it Processes on behalf of the Controller that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organizational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.

Such measures shall include, but are not limited to, physical access control, logical access control (i.e. non-physical access control measures such as passwords), data access control, data transfer control, input control, availability measures, and data separation; in particular at least the measures set out in the Exit Bee Privacy Policy: http://www.exitbee.com/privacy.

The Processor shall provide the Controller, upon request, with adequate proof of compliance (e.g. the relevant parts of the Processor’s agreements with its data center provider).

For more detailed information on the latest state of the art measures adopted by our hosting providers, please refer to the following links: https:/aws.amazon.com/security/ and https://cloud.google.com/security/