This Winnin Data Processing Agreement and its Annexes ("DPA") reflects the parties' agreement with respect to Processing of Personal Data by Winnin Inc. and its subsidiaries (jointly "Winnin Inc.") on behalf of you in connection with the Winnin Insights Subscription Services under the Winnin Insights Terms of Service and Privacy Policy between you and us (also referred to in this DPA as the "Agreement").
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
We update these terms from time to time. If you have an active Winnin Insights subscription, we will let you know when we do via email or through the Winnin Insights Platform. You can find archived versions of the DPA here, if any.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
a) Winnin acts as a data Controller.
b) You wish to contract the Winnin Insights Platform, which implies the processing of personal data by the Data Processor.
c) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing.
d) The Parties wish to lay down their rights and obligations.
2. Definitions and Interpretations
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- “Agreement” means this Data Processing Agreement and all Schedules;
- “Company Personal Data” means any Personal Data Processed by a Contracted Processor (including data of its employees, contractors, collaborators, customers, prospects, suppliers and subcontractors) on behalf of Company pursuant to or in connection with the Principal Agreement;
- “Contracted Processor” means a Subprocessor;
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Winnin Inc. acts as a Data Controller.
- “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation the EU General Data Protection Regulation (GDPR) and the Brazilian General Law of Data Protection (LGPD).
- “Data Subject” means the individual designated as User of the Winnin Insights Platform by the Company and to whom Personal Data relates.
- “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
- "Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Company” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws and Brazilian Data Protection Laws.
- “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Company Personal Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
- “Data Transfer” means: (I) a transfer of Company Personal Data from the Company to a Contracted Processor; or (II) an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
- “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
- “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
- “Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR and LGPD, and their cognate terms shall be construed accordingly.
3. Customer obligations
a. Compliance with Laws. Within the scope of the Agreement and in your use of the services, you will be responsible for complying with all requirements that apply to you under applicable Data Protection Laws with respect to your Processing of Personal Data and the Instructions you issue to us.
In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Company Personal Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by you for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and your email deployment practices. You will inform us without undue delay if you are not able to comply with your responsibilities under this subsection (a) or applicable Data Protection Laws.
b. Controller Instructions. The Parties agree that the Agreement (including this DPA), together with your use of the Winnin Insights Subscription Service in accordance with the Agreement, constitute your complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between us and you.
4. Winnin obligations
a. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.
b. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Winnin Insights Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.
c. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
d. Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
We take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
e. Personal Data Breaches. We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
f. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Winnin Insights Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent we are required by applicable law to retain some or all of the Company Personal Data, or to Company Personal Data we have archived on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. You may request the deletion of your Winnin Insights account after expiration or termination of your subscription by sending a request. You may retrieve your data from your account by contacting us at firstname.lastname@example.org.
You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, Winnin Inc. and the third parties listed in Annex 3 to this DPA. We will notify you on a regular basis if we add or remove Sub-Processors in Annex 3.
Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors.
We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of our obligations under this DPA.
6. Data Transfers
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Winnin Insights Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Winnin Inc. and to other jurisdictions where Winnin Affiliates and Sub-Processors have operations. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7. General Provisions
a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA.
b. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
c. Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement and the Winnin Insights Software Agreement, and any reference in such sections to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA).
d. Governing Law. This DPA will be governed by and construed in accordance with the ‘Contracting Entity; Applicable Law; Notice’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.
8. Parties to this DPA
a. Permitted Affiliates. By signing the Agreement, you enter into this DPA on behalf of yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of your Company and Permitted Affiliates, thereby establishing a separate DPA between us, your Company and each such Permitted Affiliate subject to the Agreement and the ‘General Provisions’ and ‘Parties to this DPA’ sections of this DPA.
The Company and each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the terms “Company”, “you” and “your” will include you, the Company you are acting on behalf of and such Permitted Affiliates.
b. Authorization. The legal entity agreeing to this DPA as “you” represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
c. Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against us directly by itself, the parties agree that (i) solely the entity you are acting on behalf of that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Company you are acting on behalf of that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Company that you are acting on behalf of that is the contracting party to the Agreement will be responsible for coordinating all communication with us under the DPA and will be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.
d. Other rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Company you are acting on behalf of that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.
9. Governing Law and Jurisdiction
This Agreement is governed by Brazilian law. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the Central Court of the Judicial District of Rio de Janeiro, Brazil, to the exclusion of all other jurisdictions, no matter how privileged they might be.
Annex 1 - Details of Processing
This Annex forms part of the DPA.
A. Nature and Purpose of Processing
We will Process Personal Data as necessary to provide the Winnin Insights Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Winnin Insights Subscription Services.
B. Duration of Processing
Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law.
C. Categories of Data Subjects
You may submit Personal Data in the course of using the Winnin Insights Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
Your Contacts and other end users, including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors designated as Users of the Winnin Insights Platform.
D. Categories of Personal Data
You may submit Personal Data to the Winnin Insights Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
- Contact Information, such as: name, email, telephone, country, company and title (as defined in the Agreement).
- Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Winnin Insights Subscription Service, such as: search terms; watched videos; redirection to third party websites from our software; IP address; and the user's entire path on our platform.
E. Special Categories of Data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
F. Processing operations
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
a. Storage and other Processing necessary to provide, maintain and improve the Winnin Insights Subscription Services provided to you; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Annex 2 - Security Measures
This Annex forms part of the DPA.
We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
a) Access Control:
i) Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to provide a safe environment.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Users who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: User Data is stored in multi-tenant storage systems accessible to Users only via application user interfaces and application programming interfaces. Users are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options.
Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
ii) Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to User Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective User support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.
All Winnin Inc. employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of our login interfaces and for free on every user site hosted on the Winnin Insights Platform. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: We designed our infrastructure to log basic information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. User data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Annex 3 - List of Sub-Processors