This Data Processing Agreement, including its Attachments (“DPA”), is a formal agreement between GoodHolly (“Supplier”) and the recipient of any Supplier Products (the “Customer”) through a written or electronic Agreement governing these products' provision.
This DPA becomes active when the Supplier processes Personal Data on behalf of the Customer, which is either referenced in the Agreement or signed by both parties. It is an essential component of the Agreement, effective upon signature or incorporation into the Agreement, as specified.
In situations of conflicting terms, this DPA supersedes the Agreement, ensuring clarity and consistency. Its duration aligns with the Agreement's Terms, with defined terms following those in the Agreement for uniform interpretation.
When we mention "California Personal Information," we're referring to Personal Data governed by the CCPA.
"Canadian Privacy Laws" are the data protection regulations in Canada and its provinces. These laws include:
(i) The Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”);
(ii) In Quebec: the Act to Modernize Legislative Provisions As Regards the Protection of Personal Information, also known as Law 25 (formally known as Bill 64), and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1, which is amended thereby (collectively “Law 25”);
(iii) In Alberta: the Personal Information Protection Act [of Alberta] (“PIPA Alberta”); and
(iv) In British Columbia: the Personal Information Protection Act [of British Columbia] (“PIPA BC”).
We abide by the definitions set forth by the CCPA for terms such as "Consumer," "Business," "Sell," and "Service Provider."
When we refer to a "Controller," we are talking about the entity responsible for determining how Personal Data is processed, whether that's an individual, organization, or public authority.
“Data Protection Laws” encompasses all relevant global regulations governing data protection and privacy. This includes European Data Protection Laws, US Data Privacy Laws, and Canadian Data Privacy Laws, among others, ensuring compliance and security in all our data processing activities.
A "Data Subject" is the individual whose Personal Data is being processed.
"European Data" refers to Personal Data subject to European Data Protection Laws.
“European Data Protection Laws” refer to the data protection regulations applicable in the European Union, the European Economic Area (“EEA”), their member states, Switzerland, and the United Kingdom. These laws, subject to updates, amendments, or replacements, include:
(i) Regulation 2016/679 of the European Parliament and of the Council (GDPR), focusing on safeguarding personal data and its free movement;
(ii) Directive 2002/58/EC, revised by Directive 2009/136/EC, addressing personal data processing and privacy in electronic communications;
(iii) National implementations of the aforementioned regulations, including the Data Protection Act of 2018 and the UK GDPR as part of UK domestic law;
(iv) Swiss Federal Act on Data Protection of 19 June 1992, along with its Ordinance (FADP), updated as of 25 September 2020.
“Instructions” are clear, written directives issued by Customers to suppliers directing actions related to personal data.
“Onward Transfer” refers to the movement of Personal Data from one third party, like a Processor, to another, such as a Sub-Processor, or beyond that.
“Permitted Affiliates” include any of our customers' Affiliates (as defined in the Agreement) that can use our Products as per the Agreement, for whom we process Personal Data, and who are bound by Data Protection Laws.
“Personal Data” encompasses any information collected on behalf of our customers or provided by them that pertains to an identifiable individual and is protected under relevant Data Protection Laws.
"Personal Data Breach" refers to a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed by the Supplier and/or its subcontractors during the provision of Products.
"Processing" covers any operation or series of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission-based disclosure, dissemination, alignment, restriction, or erasure of Personal Data.
A "Processor" denotes a natural or legal person, public authority, agency, or other entity that processes Personal Data on behalf of the Controller.
"Products" refers to the goods and services offered by GoodHolly.com to customers under the terms of our Agreement.
“Standard Contractual Clauses” (SCCs) refers to the standard contractual clauses endorsed by the European Commission in decision (EU) 2021/914 dated 4 June 2021 and the International Data Transfer Addendum applicable under the UK GDPR.
Within this DPA, a “Sub-Processor” denotes any third-party entity engaged by the Supplier for specific Processing tasks.
For GDPR, UK GDPR, or FADP purposes, a “Third Country” signifies a country outside the EEA, United Kingdom, or Switzerland not recognized as providing adequate data protection.
"US Privacy Laws" refers to applicable United States data protection regulations, including laws in California, Colorado, Connecticut, Utah, and Virginia.
European Data Protection Laws: Regarding European Data processed under this DPA, both parties acknowledge that Supplier is a Processor while Customer is either a Controller or a Processor acting on behalf of a Controller not party to the Agreement or this DPA.
CCPA: Concerning California Personal Information, both parties agree that Customer is a Business and Supplier is a Service Provider, unless Attachment 1, Section A specifies any instances where Supplier processes Personal Data as a third party under the CCPA, in which case Supplier becomes a CCPA Third Party.
US Privacy Laws excluding CCPA: Regarding Personal Data governed by US Privacy Laws other than CCPA, both parties acknowledge that Supplier is a Processor and Customer is either a Controller or a Processor acting on behalf of a Controller not part of the Agreement or this DPA.
Canadian Privacy Laws: Concerning Personal Data governed by Canadian Privacy Laws, both parties agree that Supplier processes Personal Data on behalf of Customer and undertakes obligations under applicable Canadian Privacy Laws in that role. Customer determines the purposes and means of Personal Data Processing through its Instructions and assumes corresponding obligations.
Compliance with Laws: Customers must comply with all obligations under applicable Data Protection Laws. If customers are unable to meet these obligations, they must promptly notify GoodHolly.com.
Customers are solely responsible for ensuring Personal Data accuracy, quality, and lawful collection.
Customers must comply with transparency and lawfulness requirements under Data Protection Laws, including obtaining required consents and authorizations, particularly for marketing-related Personal Data.
Customers must ensure they have the right to transfer or provide access to Personal Data to GoodHolly.com for Processing in accordance with the Agreement.
Customers must ensure that all Instructions provided to GoodHolly.com comply with applicable laws, including Data Protection Laws.
Customers are responsible for complying with all applicable laws related to content created, sent, or managed through GoodHolly.com Products, including obtaining required communication consents and ensuring lawful communication practices.
Guidelines: Customer Instructions to GoodHolly.com include the terms of the Agreement and this DPA, guidance provided through the use of Products, and general authorization allowing GoodHolly.com to process Personal Data as necessary to provide the Products.
Any additional Instructions require mutual agreement through formal modification of the Agreement or this DPA.
Security Assurance: Customers are responsible for determining whether the security measures within the Products meet their legal obligations and for securely using the Products, including protecting account access and securing Personal Data during transmission.
Adherence to Guidelines: Supplier shall process Personal Data only in accordance with this DPA, including Attachment 1, or lawful Instructions from the Customer, unless otherwise required by applicable law.
Supplier is not responsible for ensuring Customer compliance with Data Protection Laws except where such laws are directly applicable to Supplier.
Legal Compliance: If Supplier is legally required to deviate from Customer Instructions, Supplier will notify the Customer where permitted by law and suspend Processing activities, except for storage and security, until new lawful Instructions are provided.
During such suspension, Supplier will not be liable for service interruptions resulting from the lack of lawful Instructions.
Data Security Measures: Supplier will maintain appropriate technical and organizational measures to protect Personal Data as described in Attachment 2 and may update such measures without materially reducing security protections.
Confidentiality: Supplier will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
Personal Data Breaches: In the event of a Personal Data Breach, GoodHolly will notify Customers in accordance with applicable Data Protection Laws and may notify authorities or affected individuals as required.
If Customers are responsible for breach notifications, GoodHolly will provide reasonable assistance to support compliance.
Deletion or Return of Personal Data: Upon termination or expiration of services, GoodHolly will delete or return Personal Data unless retention is required by law or necessary for backup purposes.
Demonstration of Compliance: GoodHolly will provide information necessary to demonstrate compliance and allow audits or inspections once per year.
Supplier Assistance: GoodHolly will assist Customers in meeting their Data Protection Law obligations primarily through Product features, which Customers agree to use before requesting additional assistance.
In accordance with Section 4(f), GoodHolly.com will assist customers in responding to requests from data protection authorities and individuals exercising rights under applicable Data Protection Laws, referred to as Data Subject Requests, where required by law.
All Data Subject Requests must include sufficient information to allow verification of the individual’s identity in order to be processed efficiently.
GoodHolly.com may charge reasonable fees for assistance that goes beyond standard support services.
If a Data Subject Request or communication regarding Personal Data processing is received by GoodHolly.com and the Customer can be identified as the data source, GoodHolly.com will notify the Customer and direct the Data Subject to contact the Customer directly.
If the Customer cannot be identified, the Customer remains solely responsible for responding to any Data Subject Requests.
In compliance with applicable laws, GoodHolly will provide reasonable assistance to customers in conducting and documenting data security assessments, subject to the availability of relevant information and provided such information is not already available to the customer.
Customers acknowledge and authorize GoodHolly to engage Sub-Processors to process Personal Data on their behalf and approve the listed Sub-Processors.
Any updates to the list of Sub-Processors must follow the amendment process set forth in this Data Processing Agreement.
GoodHolly will enter into written agreements with Sub-Processors that impose data protection obligations providing at least the same level of protection as required under this DPA.
GoodHolly remains responsible for ensuring Sub-Processor compliance with this DPA and for addressing any breaches resulting from a Sub-Processor’s actions or omissions.
You acknowledge and agree that GoodHolly may process Personal Data globally as necessary to provide the Products under the Agreement, in compliance with applicable Data Protection Laws.
Scope: These provisions apply exclusively to European Data and will take precedence over any conflicting terms in this Agreement.
Assistance with Compliance: As required by European Data Protection Laws, GoodHolly will assist with data protection impact assessments and consultations with supervisory authorities, provided relevant information is reasonably available.
Cross-Border Data Transfers: GoodHolly will not transfer European Data outside of Europe without ensuring compliance with applicable data protection requirements, including the use of approved transfer mechanisms.
Standard Contractual Clauses: Standard Contractual Clauses apply to transfers of European Data to non-European countries. Transfers from the EEA or Switzerland are governed by Part 1 of Attachment 3, and transfers from the United Kingdom are governed by Part 2 of Attachment 3.
Exceptions apply where GoodHolly has implemented Binding Corporate Rules or another legally recognized transfer mechanism.
In the event of a conflict between the Standard Contractual Clauses and this Agreement, the Standard Contractual Clauses shall prevail.
a. Applicability. This section applies specifically to dealings involving California Personal Information. If there are conflicting terms between this section and other sections of this DPA, the terms in this section will prevail.
b. Supplier's Duties as a Service Provider. When the Supplier acts as a Service Provider, both parties agree that the Supplier will handle California Personal Information strictly for the purposes outlined in Attachment 1 of this DPA and as allowed by the CCPA.
As a Service Provider, the Supplier will not merge California Personal Information with data from other sources unless required for permitted Business Purposes, will not sell or share California Personal Information, will not use it for non-Business or unauthorized commercial purposes, and will not disclose it outside the direct business relationship unless permitted by the CCPA.
As a Service Provider, the Supplier will comply with all applicable CCPA obligations, ensure required privacy protections, apply reasonable security measures, act promptly on customer requests, address unauthorized use, and notify customers of CCPA-related communications within seven business days where applicable.
c. Responsibilities as a CCPA Third Party. When acting as a CCPA Third Party, GoodHolly will process California Personal Information solely for permitted purposes, comply with all CCPA obligations, maintain required privacy protections, implement appropriate security measures, support customers in addressing unauthorized use, and promptly notify customers of any CCPA-related communications.
d. Certification. GoodHolly.com confirms its understanding of and commitment to comply with the limitations and responsibilities outlined for Service Providers and CCPA Third Parties.
a. Amendments. GoodHolly may update this DPA or the list of Sub-Processors with thirty days’ notice. Customers are responsible for reviewing updates and may object prior to the effective date, in which case GoodHolly may negotiate in good faith or terminate the agreement with appropriate notice and refund.
b. Severability. If any provision of this DPA is deemed invalid or unenforceable, the remaining provisions will remain in effect.
c. Limitation of Liability. Liability under this DPA is subject to the limitations outlined in the Agreement, except where limited liability is not permitted under applicable data protection laws.
d. Governing Law. This DPA is governed by the law and jurisdiction specified in the Agreement unless data protection laws require otherwise.
a. Permitted Affiliates. The Customer enters into this DPA on behalf of itself and its Permitted Affiliates, creating separate DPAs between GoodHolly and each Permitted Affiliate.
b. Authorization. The Customer confirms it has the authority to enter into this DPA on behalf of itself and its Permitted Affiliates.
c. Remedies. Unless required otherwise by law, rights and remedies under this DPA will be exercised by the contracting Customer entity on behalf of all Permitted Affiliates collectively.
At GoodHolly.com, we handle Personal Data for specific purposes outlined in our Agreement. This includes providing Products as per the Agreement terms, specified in Order Forms or SOWs, and following Customer instructions for Product use.
GoodHolly.com processes Personal Data only for the duration of the Agreement unless otherwise agreed upon in writing. In compliance with Data Protection Laws, Personal Data may be retained beyond the Agreement period for legal obligations, fraud prevention, tax compliance, and contractual commitments to third parties. Such processing is carried out in accordance with this DPA and applicable Data Protection Laws.
Customers may share Personal Data of various Data Subjects while using the Products. These Data Subjects include the Customer’s employees, contractors, collaborators, customers, partners, prospects, suppliers, subcontractors, and individuals interacting with or providing Personal Data to the Customer’s end users.
When using GoodHolly.com’s Products, customers may share different types of Personal Data, as determined solely by the customer. This may include contact information such as name, email address, phone number, online usernames, IP address, user agent, and similar details. It may also include financial information such as bank account and credit card details, as well as any other Personal Data submitted, sent, or received by the customer, their partners, advertisers, or end users through the Products.
GoodHolly.com and its customers do not expect to process special categories of Personal Data or sensitive information as defined under applicable Data Privacy Laws.
All Personal Data is processed in accordance with the Agreement and this DPA. Processing activities may include storage and other operations necessary to provide, maintain, and improve the Products, as well as disclosure as permitted by the Agreement, this DPA, or as required by applicable laws.
At GoodHolly.com, we adhere to technical and organizational measures to maintain a high standard of Personal Data protection. These measures are designed by considering the nature, scale, context, and purpose of our data processing activities, along with potential risks to individuals’ rights and freedoms.
GoodHolly.com uses outsourced cloud infrastructure providers to host its cloud services and maintains contractual agreements to ensure services comply with the Data Processing Agreement. These arrangements rely on strong contractual safeguards, privacy policies, and vendor compliance programs to protect processed or stored data.
The product infrastructure is hosted with multi-tenant outsourced infrastructure providers that follow strict physical and environmental security controls. These controls are regularly audited for compliance with SOC 2 Type II, ISO 27001, and other recognized industry certifications.
A standardized password policy is enforced across all customer products. Users must authenticate before accessing non-public customer data through product interfaces.
Customer Data is stored in multi-tenant systems and accessed only through application user interfaces and programming interfaces. Direct access to infrastructure is restricted. Authorization frameworks ensure that only individuals with appropriate permissions can access specific features, views, and datasets.
Public product APIs can be accessed using API keys or authorized authentication mechanisms.
Industry-standard access controls and detection systems are used within internal networks to prevent unauthorized use.
Network access control mechanisms block unauthorized protocols from reaching product infrastructure using Virtual Private Cloud configurations, security groups, and firewall rules.
A Web Application Firewall is implemented to protect customer websites and internet-accessible applications from malicious attacks.
Regular static code analysis and security reviews are conducted to ensure secure coding practices and identify potential vulnerabilities.
Annual penetration testing is performed by industry-recognized providers to detect and mitigate potential attack vectors.
Access to products and customer data is restricted to authorized employees for support, troubleshooting, and security purposes. Access is role-based, logged through just-in-time requests, and reviewed regularly. External access follows a least-privilege model and requires multi-factor authentication.
All employees undergo third-party background checks before employment, in compliance with applicable laws, and are required to follow company confidentiality and ethical standards.
During data transmission, GoodHolly.com enforces HTTPS encryption using SSL or TLS across all login interfaces. Industry-standard encryption algorithms and certificates are used for secure data transfer.
At rest, user passwords are stored according to industry-standard security practices, and stored data is encrypted to ensure ongoing protection.
System behavior, traffic, authentication events, and application requests are extensively logged. Monitoring systems alert staff to any malicious or unusual activity, enabling prompt incident response by security, operations, and support teams.
Security incidents are documented with detailed records, including timelines and resolutions. Confirmed incidents are investigated and addressed to minimize damage or unauthorized disclosure, and customers are notified in accordance with the Agreement.
The infrastructure is designed to maintain a minimum uptime of 99.95%, supported by redundancy across power, networking, and environmental systems.
Fault tolerance measures include backup and replication strategies, with customer data stored across multiple durable systems and availability zones.
Production databases maintain online replicas and backups using industry-standard methods to protect data integrity.
The product architecture emphasizes redundancy and failover to avoid single points of failure and minimize downtime during maintenance or updates.
Upon request, GoodHolly.com can provide independently validated security reports such as SOC 2 Type II and ISO 27001, demonstrating ongoing compliance with recognized security standards.
Both parties acknowledge and agree that the Standard Contractual Clauses, together with this Part 1, are incorporated into this agreement and apply to the transfer of Personal Data from the European Economic Area or Switzerland to Third Countries.
Module Two (Controller to Processor) of the Standard Contractual Clauses applies when the Customer, acting as the Controller of Personal Data, transfers data to a Third Country where the Supplier acts as the Processor.
Module Three (Processor to Processor) of the Standard Contractual Clauses applies when the Customer, acting as the Processor of Personal Data, transfers data to a Third Country where the Supplier acts as a Sub-Processor.
The parties acknowledge that certain clauses in the Standard Contractual Clauses require input from both parties. Clause 7 of the Standard Contractual Clauses does not apply. For Clause 9(a), Option 2, which allows general written authorization, is selected with a thirty-day prior notice period for changes in Sub-Processors. The optional language in Clause 11 does not apply, and Data Subjects may not file complaints with an independent dispute resolution body. Clause 17 is governed by the laws of the Republic of Ireland. For Clause 18(b), the courts of the Republic of Ireland are selected as the forum and jurisdiction.
The Data Exporter is the entity identified as the Customer in the Data Processing Agreement. The address and contact details are those associated with the Customer’s account or as specified in the Data Processing Agreement or Agreement. The activities relevant to the data transfer are described in Attachment 1 of the Data Processing Agreement. The role of the Data Exporter is Controller for Module Two and Processor for Module Three.
The Data Importer is GoodHolly. The activities relevant to the data transfer are described in Attachment 1 of the Data Processing Agreement. The role of the Data Importer is Processor for both Module Two and Module Three.
By entering into the Data Processing Agreement, both the Data Exporter and Data Importer are deemed to have signed the Standard Contractual Clauses and their Annexes as of the effective date of the Data Processing Agreement.
The categories of individuals whose personal data is transferred, as well as the types of personal data transferred, are outlined in Attachment 1 of the Data Processing Agreement.
If sensitive Personal Data is transferred, it will be handled in accordance with the safeguards described in Attachment 1 of the Data Processing Agreement and applicable Data Protection Laws. Any sensitive Personal Data received will be subject to appropriate restrictions and security measures.
Personal Data is transferred on a continuous basis. The nature and purpose of processing are described in Attachment 1 of the Data Processing Agreement.
Personal Data will be retained until deletion or destruction is requested by the Data Exporter in accordance with the Agreement, or as otherwise permitted by applicable Data Protection Laws.
For transfers to Sub-Processors, the subject matter, nature, and duration of processing are described in Attachment 1 of the Data Processing Agreement.
The relevant supervisory authority for the purposes of Clause 13 of the Standard Contractual Clauses is the supervisory authority in the Member State specified in this Attachment.
Attachment 2 of the Data Processing Agreement constitutes Annex II of the Standard Contractual Clauses.
Section 7 of the Data Processing Agreement, concerning Sub-Processors, constitutes Annex III of the Standard Contractual Clauses.
Both parties acknowledge that the Standard Contractual Clauses, supplemented by Part 1 and modified by the UK Addendum described in Exhibit 1 of Attachment 3 of this Data Processing Agreement, are incorporated by reference and apply to the transfer of Personal Data from the United Kingdom to Third Countries. These clauses and the UK Addendum are adjusted to ensure lawful transfers under UK Data Protection Laws and to provide appropriate safeguards in accordance with Article 46 of the UK GDPR.
Part 2 must be interpreted in a manner consistent with the provisions of the UK GDPR, ensuring the intended safeguards under Article 46 and avoiding any conflict with rights and obligations established by the UK GDPR.
References to legislation, including the UK Addendum, refer to such legislation as amended, updated, or replaced from time to time, including any changes made after the effective date of this Data Processing Agreement.
In the event of any conflict between the Standard Contractual Clauses together with the UK Addendum and any other terms of this Data Processing Agreement or the Agreement, the Standard Contractual Clauses and the UK Addendum will prevail.
This International Data Transfer Addendum is Version B1.0 and came into force on 21 March 2022.
The start date of this Addendum is the effective date of the Data Processing Agreement.
The Exporter is the party sending the restricted transfer, and the Importer is the party receiving the restricted transfer.
The full legal name, trading name, main address, official registration number, and key contact details of the Exporter are as stated in Part I, Section 5(a) of Attachment 3 to the Data Processing Agreement.
The full legal name, trading name, main address, official registration number, and key contact details of the Importer are as stated in Part I, Section 5(b) of Attachment 3 to the Data Processing Agreement.
Signatures of both the Exporter and the Importer are not required for the purposes of Section 2 of this Addendum.
The version of the Approved EU Standard Contractual Clauses to which this Addendum is appended is the June 4, 2021 template, effective as of the start date stated above.
The applicable modules, clauses, and optional provisions of the Approved EU Standard Contractual Clauses are determined in accordance with Part I of Attachment 3 to the Data Processing Agreement.
The Appendix Information required for the selected modules of the Approved EU Standard Contractual Clauses is provided as follows. Annex 1A, listing the parties, is set out in Part I, Section 5 of Attachment 3 to the Data Processing Agreement. Annex 1B, describing the transfer, is set out in Part I, Section 6 of Attachment 3 to the Data Processing Agreement.
Annex II, detailing the technical and organizational measures to ensure data security, is set out in Part I, Section 8 of Attachment 3 to the Data Processing Agreement.
Annex III, listing Sub-Processors for Modules 2 and 3, is set out in Part I, Section 9 of Attachment 3 to the Data Processing Agreement.
In accordance with Section 16 of the Approved Addendum, the Importer is permitted to end this Addendum if the Approved Addendum changes.
The mandatory clauses applicable to this Addendum are those contained in Part 2 of the Approved Addendum, being template Addendum B1.0 issued by the Information Commissioner’s Office and laid before Parliament under Section 119A of the Data Protection Act 2018 on 2 February 2022, as revised in accordance with Section 18 of those mandatory clauses.