Pushy is committed to complying with the General Data Protection Regulation ("GDPR"), and enabling our Clients to comply with this regulation. We understand the GDPR has robust requirements and obligations for both data controllers and data processors and we are committed to helping our Clients use Pushy in a compliant manner. Our DPA is available below so that our Clients can be confident that their data is processed in a lawful and transparent manner.

This GDPR Data Processing Addendum ("DPA") forms part of the Terms of Use and Privacy Policy (as applicable, the "Agreement"), entered into by and between the Client and Pushy LLC ("Pushy"), pursuant to which Client has accessed the Pushy website, dashboard, APIs, and SDKs (the "Service"). The purpose of this DPA is to reflect the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.

This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Client and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.

In the course of providing the Service to Client pursuant to the Agreement, Pushy may process personal data on behalf of Client. Pushy agrees to comply with the following provisions with respect to any personal data submitted by or for Client to the Service or collected and processed by or for Client through the Service. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.

Data Processing Terms

In this DPA, "Data Protection Legislation" means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.

The terms "data controller", "data processor", "data subject", "personal data", "processing", and "appropriate technical and organisational measures" shall be interpreted in accordance with applicable Data Protection Legislation.

The parties agree that Client is the data controller and that Pushy is its data processor in relation to personal data that is processed in the course of providing the Service. Client shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Pushy pursuant to the Agreement.

The subject-matter of the data processing covered by this DPA is the Service ordered by Client either through the Service or through an Ordering Document and provided by Pushy to Client via or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Client’s ordering of the Service ceases.

In respect of personal data processed in the course of providing the Service, Pushy:

1. shall process the personal data only in accordance with the documented instructions from Client (as set out in this DPA or the Agreement or as otherwise notified by Client to Pushy). If Pushy is required to process the personal data for any other purpose provided by applicable law to which it is subject, Pushy will inform Client of such requirement prior to the processing unless that law prohibits this on important grounds of public interest.
2. shall notify Client without undue delay if, in Pushy's opinion, an instruction for the processing of personal data given by Client infringes applicable Data Protection Legislation.
3. shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
4. may hire other companies to provide limited services on its behalf, provided that Pushy complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Pushy has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Pushy remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Pushy transfers personal data will have entered into written agreements with Pushy requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Client in the List of Sub-Processors of this DPA. If Client requires prior notification of any updates to the list of subprocessors, Client can request such notification in writing by emailing Pushy support. Pushy will update the list within thirty (30) days of any such notification if Client does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Pushy reasonable opinion, such objections are legitimate, the Client may, by providing written notice to Pushy, terminate the Agreement.
5. shall ensure that all Pushy personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause.
6. at the Client’s request and cost (and insofar as is possible), shall assist the Client by implementing appropriate and reasonable technical and organisational measures to assist with the Client’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Pushy reserves the right to reimbursement from Client for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
7. when the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at the Client’s request and cost to assist Client in meeting Client’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Pushy reserves the right to reimbursement from Client for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.
8. at the end of the applicable term of the Service, upon Client’s request, shall securely destroy or return such personal data to Client.
9. may transfer personal data from the EEA to the US for the purposes of this DPA.
10. If Pushy becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Pushy in the course of providing the Service (an "Incident") under the Agreement it shall without undue delay notify Client and provide Client (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Client information. Pushy shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.

Data Subjects

The Client, any users of the Client's apps, websites, or systems, or any other individual whose data the Client chooses to process through Pushy.

Data Processing Activities

The provision of Service by Pushy to the Client.

Term

This DPA shall remain in effect as long as Pushy carries out Personal Data processing operations on behalf of Client or until the termination of the Pushy Contract (and all Personal Data has been returned or deleted in accordance with the Privacy Policy).

List of Sub-Processors

• Google, Inc. - Analytics, GDPR-compliant
• Stripe, Inc. - Payment gateway, PCI-compliant, GDPR-compliant
• Amazon Web Service, Inc. - Cloud infrastructure, GDPR-compliant

If you have any questions about this Data Processing Addendum, the practices of this Service, or your dealings with this Service, please reach out at privacy@pushy.me.