Data Processing Agreement
This Data Processing Agreement (“DPA”) is an addendum to the legal Agreement between you and Infin8 for your use of the Infin8 Services.
For the purposes of the DPA the following definitions apply:
“Customer Personal Data” means all Personal Data which Infin8 processes on behalf of the Customer.
“Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, the “GDPR”); (ii) in respect of the United Kingdom (“UK”), any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union; and (iii) the Norwegian legislation implementing the GDPR.
“New Sub-Processor” means any Sub-Processor engaged by Infin8 after the effective date of the Agreement.
“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Sub-Processor” means an entity to which Infin8 subcontracts its processing of the Customer Personal Data.
“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processor” and “Supervisory Authority” shall have the meaning provided to such terms pursuant to Data Protection Law.
All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA (including the SCCs (where applicable), as defined herein).
- Roles and responsibilities
The parties acknowledge and agree that with regards to the processing of Customer Personal Data, Customer is the controller and Infin8 is a processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).
Infin8 shall process Customer Personal Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”).
The Customer shall (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions issued to Infin8; (ii) provide all notices and obtain all consents and rights necessary under Data Protection Laws for Infin8 to process Customer Personal Data for the purposes described in the Agreement, and this DPA does not relieve the Customer of its obligations under Data Protection Law.
Customer will not provide (or cause to be provided) any Sensitive Data to Infin8 for processing under the Agreement, and Infin8 will have no liability for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
If, in Infin8’s opinion, an instruction from the Customer is in violation of Data Protection Law or other mandatory national or EU/EEA law, Infin8 shall immediately notify the Customer thereof.
The above limitation does not apply in so far as Infin8 is obligated to process Customer Personal Data pursuant to national law or EU/EEA law. In the event of any such obligation, Infin8 shall immediately notify the Customer, unless mandatory law prevents Infin8 from disclosing this information.
Infin8 will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and any other breach of security in accordance with Article 32 (1) of the GDPR. The security measures shall at all times be designed to preserve the security and confidentiality of Customer Personal Data in accordance with Infin8’s security standards set out in Annex B to this DPA.
Infin8 shall ensure that Customer Personal Data is solely processed by Infin8’s personnel who are authorized by Infin8 to process Customer Personal Data. This entails that relevant Infin8 personnel who process Customer Personal Data are (i) granted access to the Customer Personal Data on a need-to-know basis, (ii) familiar with the provisions under Data Protection Law and the obligations imposed on Infin8 under this DPA, (iii) regularly trained in the care, protection and handling of Personal Data, (iv) authorized to Process the Customer Personal Data, and (v) subject to a duty of confidentiality (whether a contractual or statutory duty).
Customer is responsible for reviewing relevant information pertaining to data security as is made available by Infin8. Based on such information, the Customer shall make an independent assessment on whether the Infin8 Service complies with the Customer’s obligations pursuant to applicable laws, including Data Protection Laws. Customer understands that the Infin8 security measures may be updated or modified as needed, provided that such updates and/or modifications do not degrade the overall level of security for the Infin8 Services provided to Customer.
- Security incidents and notification
Upon becoming aware of any Personal Data Breach, Infin8 shall (i) without undue delay notify the Customer, and where feasible, in any event no later than 24 hours from becoming aware of the Personal Data Breach, (ii) promptly take reasonable steps to contain and investigate any Personal Data Breach and (iii) provide all reasonable information and cooperation necessary for the Customer to fulfil its Personal Data Breach requirements under Data Protection Law. Notwithstanding the foregoing, the Customer is responsible for notifying the Personal Data Breach to the competent Supervisory Authority. Infin8’s notification of or response to a Personal Data Breach under this Section 4 shall not be construed as an acknowledgment by Infin8 of any fault or liability with respect to the Personal Data Breach.
- Cooperation with the Customer
Taking into account the nature of the processing, Infin8 shall by appropriate technical and organizational measures, insofar as this is possible, assist the Customer in responding to Data Subjects’ requests to exercise their rights under Chapter 3 of the GDPR.
Furthermore, taking into account the nature of the processing and the information available to Infin8, Infin8 shall assist the Customer with the Customer’s obligations to:
- Implement appropriate technical and organizational measures for the purpose of complying with Data Protection Law;
- Carry out data protection impact assessments; and
- Conduct prior consultations with Supervisory Authorities.
For the avoidance of doubt, Infin8 shall be entitled to receive remuneration for any documented costs Infin8 incurs in connection with its assistance under this section 5.
- Audit and compliance review
Infin8 shall, in relation to its processing of Customer Personal Data, maintain documentation of its compliance with this DPA and Data Protection Law, including written records of all Customer Personal Data processed on behalf of the Customer. Infin8 shall provide access to the aforementioned documentation upon the Customer’s reasonable notice.
Infin8 shall allow for and contribute to audits, including inspections, conducted by the Customer of Infin8’s premises and security systems specific for Customer, as Customer may reasonably require to ascertain compliance with Data Protection Law. The Parties shall agree on the timing of such audits, including the scope and methods for the audits. Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the performance of such audits is necessary for the Customer’s compliance with Data Protection Law. The Customer shall give Infin8 reasonable notice of the audit. The audit shall be conducted in a manner that causes the least possible disruption to Infin8’s ordinary operations.
The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense. The relevant third party may not be a competitor of Infin8.
Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the Controller. Notwithstanding the foregoing, if audits pursuant to this Section 6 identify that Infin8 is in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be borne by Infin8.
- Use of Sub-Processors
Infin8 may subcontract its processing of the Customer Personal Data to a Sub-Processor.
Infin8 shall enter into a written agreement with each Sub-Processor, requiring the Sub-Processor to comply with data protection obligations equivalent in all material respects to those imposed on Customer under this DPA. Infin8 shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA and for any acts or omissions of such Sub-Processors that cause Infin8 to breach any of its obligations under this DPA.
Infin8 will notify the Customer if Infin8 intends to appoint or use a New Sub-Processor to the extent applicable to the nature of the service provided by such New Sub-Processor. If the Customer has reasonable grounds to object to Infin8’s use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under Data Protection Law, the Customer shall notify Infin8 thereof in writing within fifteen (15) calendar days after receipt of Infin8’s notice. The list of Infin8’s current Sub-Processors is available here.
Following such an objection from the Customer, Infin8 shall be entitled to terminate the Agreement for convenience without being obligated to refund any amounts that You have already paid, to the fullest extent permitted under applicable law.
- International Transfers
Customer agrees that Infin8 shall be entitled to transfer and process Customer Personal Data within the EU/EEA.
Subject to section 7, Customer acknowledges that Infin8 may transfer and process Customer Personal Data to areas outside the EU/EEA because of the geographical location of the data centers of some of our Sub-Processors. Infin8 shall ensure that such transfers are made in compliance with the requirements of the Agreement, this DPA and Data Protection Law.
To the extent that Infin8 transfers Customer Personal Data protected by EU Data Protection Laws to a country outside of EU/EEA that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), Infin8 shall ensure that the transfer is based on SCCs in the form currently approved by the European Commission. Infin8 shall enter into a written agreement including SCCs with all of Infin8’s sub-processors that might process Customer Data outside the EU/EEA, and shall require that its sub-processors abide by and process EU Data in compliance with SCCs. For the purposes of the descriptions in the SCCs, Infin8 agrees that it is the “data importer”, and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside the EU/EEA).
- Return or Deletion of Data
Upon termination of the Agreement, Infin8 shall delete or return to Customer, at Customer’s choice, all Customer Personal Data in Infin8’s possession or control. This requirement shall not apply to the extent Infin8 is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in back-up systems, which Infin8 shall securely isolate, protect from any further processing and eventually delete in accordance with Infin8’s deletion policies, except to the extent required by applicable law.
Annex A – Details of Data Processing
Infin8 is the Processor of Customer Personal Data.
The Customer is the Controller of Customer Personal Data.
The subject matter of the data processing under this DPA is Customer’s Personal Data.
Duration of processing:
Infin8 will process Customer Personal Data as outlined in Section 9 (Return or Deletion of Data) of this DPA.
Purposes of processing:
Infin8 shall only process Customer Personal Data for the following purposes: (i) processing as necessary to provide the Infin8 Services in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Infin8 Services; and (iii) processing to comply with any other reasonable instructions by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.
Nature of the processing:
Infin8 provides a learning platform, and related services, that allows our users to create and upload content, play and host games and invite others to join a game, as more particularly described in the Agreement.
Data Subjects include the individuals about whom data is provided to Infin8 via the Infin8 Service under the Agreement, for example participants in an Infin8 game, Customer’s employees or students, and other third parties that Customer includes in the use of the Infin8 Services.
Categories of Personal Data
The Customer may upload, submit or otherwise provide certain Personal Information to or for the use of the Infin8 Services, the extent of which is typically determined and controlled by the Customer in its sole discretion, and may include email addresses (required for login), organization (required), user name, name, location, picture, game reports (including scores and in-game activities), and profile bio.
Infin8 does not want to, nor does it intentionally, collect or process any Sensitive Data as part of the provision of the Services.
Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 3 of this DPA).