Branch SaaS DPA
1. Introduction
This Data Processing Addendum (“DPA”) forms part of Branch Metrics, Inc.’s (“Branch”) Main Services Agreement (or other written or electronic agreement between Customer and Branch for the purchase of Branch’s online Services), which together with one or more Order Forms and exhibits, form the “Agreement” between Branch and Customer. This DPA governs the manner in which Branch shall Process Customer Personal Data on behalf of Customer (who is Controller of the data subject to this DPA) and only applies to the extent Branch serves as a Processor of such Customer Personal Data on behalf of the Controller. This DPA shall be effective as of the last signature date and will automatically terminate upon expiration or termination of the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement, including Order Forms and exhibits, and this DPA, this DPA shall control. The parties agree that this DPA shall replace any existing data processing addendum the parties may have previously entered into in connection with the Branch Services. Capitalized terms have the meaning given to them in the Agreement, unless otherwise defined below.
2. Definitions
For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
b) “Applicable Data Protection Law(s)” means any data protection and data privacy laws, rules and regulations applicable to the processing of Customer Personal Data and including without limitation, the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states.
c) “CCPA” means the California Consumer Privacy Act, California Civil Code sections 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, including any implementing regulations.
d) “Controller” means the natural person, or entity which determines the purposes and means of the Processing of Personal Data. Controller is also a “Business,” as that term is defined under the CCPA.
e) “Customer Personal Data” means Customer Data (as defined in the Main Services Agreement) that constitutes Personal Data pertaining to Customer’s users and that is Processed by Branch on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Schedule 1 as required by the Applicable Data Protection Laws.
f) “Data Subject” means the identified or identifiable person to whom Personal Data relates.
g) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
h) “Personal Data” means any information that relates to an identified or identifiable natural person and is protected under Applicable Data Protection Laws and Processed by Branch in the provision of its Services pursuant to the Agreement and shall have the meaning assigned to the terms “personal data”, “personal information” or other similar terminology under Applicable Data Protection Law(s).
i) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
j) “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data subject to this DPA. Processor is also a “service provider,” as that term is defined in the CCPA.
k) “Sensitive Personal Data” shall have the meaning assigned to the terms “sensitive personal information,” “sensitive personal data,” or “special categories of personal data” under Applicable Data Protection Law(s) and shall include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
l) “Standard Contractual Clauses” only as applicable to Customer means, (i) the UK Standard Contractual Clauses; and (ii) EU Standard Contractual Clauses.
m) “Sub-processors” means Branch-authorized contractors, agents, vendors and third-party service providers that Process Customer Personal Data.
n) “Supervisory Authority” means any local, national, or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other legislative body responsible for administering Applicable Data Protection Laws.
o) “UK Standard Contractual Clauses” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the effective date of this DPA at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/), completed as set forth in this DPA.
p) “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914, completed as set forth in this DPA.
3. Processing of Personal Data
Role of the Parties. The parties agree that with regard to the Processing of Personal Data, Customer is the Controller of Customer Personal Data, and Branch shall Process Customer Personal Data as a Processor acting on behalf of Customer, as to the Processing as specified in Schedule 1. For the avoidance of doubt, to the extent Processing of Personal Data is subject to the CCPA, the parties agree that Customer is the “Business” and Branch is the “Service Provider” (as those terms are defined by the CCPA).
General Compliance by Branch. Customer Personal Data shall be Processed by Branch to provide the Branch Services as specified in the Agreement and otherwise in compliance with the terms of this DPA and all Applicable Data Protection Law(s).
Following Instructions. Branch shall treat Personal Data as confidential and shall Process Customer Personal Data on behalf of and only in accordance with the documented instructions of Customer as specifically authorized by the Agreement and this DPA, or Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where mutually agreed to by Branch and provided such instructions are consistent with and not in conflict with the terms of the Agreement and this DPA. Branch will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions or Applicable Data Protection Law(s). The Agreement and this DPA are Customer’s complete and final documented instructions at the time of signature to Branch for the Processing of Personal Data.
General Compliance by Customer. Customer agrees that (i) it shall comply with its obligations as Controller under Applicable Data Protection Law(s) in respect of its Processing of Customer Personal Data and any Processing instructions it issues to Branch, and (ii) it has provided notice and obtained (or shall obtain) all necessary consents (including without limitation, verifiable consent) and rights necessary under Applicable Data Protection Law(s) for Branch to Process Customer Personal Data and provide the Branch Services pursuant to the Agreement and this DPA. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Applicable Data Protection Laws. Customer shall be solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which Customer acquired Personal Data.
4. Sub-processors
4a. Authorization to Use Sub-processors. Customer hereby acknowledges and agrees that (i) Branch’s Affiliates may be retained as Sub-processors; and (ii) Branch and Branch’s Affiliates respectively may engage third-party Sub-processors to assist Branch with respect to Branch’s obligations under the Agreement to provide the Services. Branch or a Branch Affiliate has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
4b. Branch Sub-processors. The current list of Sub-processors engaged in Processing Personal Data for the performance of the Service, including a description of their processing activities and countries of location, is listed under the Sub-processors List which can be found at https://legal.branch.io/saas/subprocessor-list/. Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Customer Personal Data. Branch may appoint new Sub-processors at any time and shall update the Sub-processors List upon such appointments. Customer may subscribe to receive notifications of new Sub-processors via email by sending an email to [email protected] to request a subscription to such notices, and if Customer subscribes, Branch shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Personal Data in connection with the provision of the applicable Service.
4c. Right to Object to New Sub-processors. In order to exercise its right to object to Branch’s use of a new Sub-processor, Customer shall notify Branch promptly in writing within ten (10) calendar days after receipt of Branch’s notice in accordance with the mechanism set out above. In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Branch will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Branch is unable to make available such change within a reasonable time period, which shall not exceed thirty (30) days, Branch will proceed with engaging the Sub-processor. Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Service which cannot be provided by Branch without the use of the objected-to new Sub-processor by providing written notice to Branch, and may do so without penalty as its sole and exclusive remedy, or another such resolution as the parties may agree. Branch will refund Customer the pro-rata prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service. To the extent that Branch reasonably believes engaging a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity or availability of Customer Personal Data or avoid material disruption to the Services, Branch reserves the right to give such notice as soon as reasonably practicable.
4d. Sub-processors and the Standard Contractual Clauses. Upon Customer’s request pursuant to Clause 9(c) of the EU Standard Contractual Clauses, Branch will provide the copies of the requested Sub-processor agreements, and Branch may remove or redact all commercial or proprietary information or clauses beforehand to protect business secrets or other confidential information, and that such copies will be provided by Branch in a manner to be determined in its discretion, only upon request by Customer.
5. Confidentiality.
Branch shall take commercially reasonable steps to ensure that any person authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
6. Data Subject Requests.
Branch shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure or right to be forgotten, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (collectively “Data Subject Rights”). To the extent legally permitted, Branch agrees to comply with reasonable instructions from Customer related to any requests from Data Subjects exercising their Data Subject Rights in Customer Personal Data granted to them under Applicable Data Protection Law(s) (“Data Subject Request”). Branch shall reasonably assist Customer, by appropriate technical and organizational measures and to the extent possible, in fulfillment of Customer’s obligations to respond to a Data Subject Request under Applicable Data Protection Laws. Notwithstanding the foregoing, if Branch receives a Data Subject Request from a Data Subject in relation to their Customer Personal Data, Branch is permitted to respond to the Data Subject to direct them to submit their request to Customer, and Customer will be responsible for responding to any such request.
7. Data Protection Impact Assessment and Prior Consultation.
Upon Customer’s request, Branch agrees to provide reasonable assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Branch. Branch shall provide reasonable assistance to Customer in the cooperation or prior consultation with the relevant data protection authorities in the performance of its tasks relating to this section of this DPA, to the extent required under the GDPR.
8. Demonstrable Compliance.
Branch agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide such records to Customer upon reasonable request to assist Customer with complying with supervisory authorities’ requests. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including any use of Customer Personal Data not expressly authorized in this DPA.
9. Processing of Certain Types of Personal Data.
Customer agrees that it shall not use the Branch Services to Process Sensitive Personal Data without Branch’s explicit and prior written consent.
10. Other Obligations.
Branch hereby certifies that it understands its restrictions and obligations set forth in the CCPA, GDPR, as well as in this DPA, and will comply with those restrictions and obligations directly applicable to Branch’s provision of the Service. Except as explicitly authorized by Applicable Data Protection Laws, and to the extent applicable to Branch’s provision of the Service, Branch shall:
- not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Customer Personal Data without Customer’s express written permission;
- provide the same level of protection for Customer Personal Data as is required under Applicable Data Protection Law(s) applicable to Customer; and
- not otherwise engage in any Processing of Customer Personal Data that is prohibited or not permitted by “processors” or “service providers” under Applicable Data Protection Law(s).
11. CCPA Personal Data Restrictions.
To the extent that Customer Personal Data is subject to the CCPA, Branch shall not: (i) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement or Annex I or, as otherwise permitted by the CCPA; (ii) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Branch; (iii) “sell” or “share” any Customer Personal Data, as such terms are defined under the CCPA, to any third party; or (iv) combine Customer Personal Data with personal data that Branch receives from, or on behalf of, another person or persons, or that Branch collects from any interaction between it and any individual, except where required to provide the Service and as permitted by Applicable Data Protection Laws.
12. International Data Transfer Mechanisms.
Customer authorizes Branch and its Sub-processors to transfer Customer Personal Data across international borders, including from the European Economic Area or the United Kingdom to the United States. Any cross-border transfer of Customer Personal Data subject to the GDPR or the UK Data Protection Law must be supported by an approved adequacy mechanism.
12a. UK Standard Contractual Clauses:
i) General. The parties acknowledge and agree that to the extent that Branch Processes any Customer Personal Data under the Agreement, any related Order Forms, or exhibits, that are subject to the UK Standard Contractual Clauses, Branch and Customer hereby enter into the UK Standard Contractual Clauses for Controllers to Processors (and incorporated into this DPA by reference). The UK Standard Contractual Clauses shall be interpreted in a manner consistent with the terms of this DPA and Applicable Data Protection Law(s). To the extent that the terms of this DPA directly contradict the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will control.
ii) Application. The UK Standard Contractual Clauses will apply to (i) the legal entity that has executed this DPA and entered into the UK Standard Contractual Clauses as a data exporter, and (ii) all Affiliates of Customer established within the United Kingdom, which have signed Order Forms for the Services. For purposes of the UK Standard Contractual Clauses, the aforementioned entities will act as the “data exporters” and Branch will act as the “data importer”. The UK Standard Contractual Clauses shall be deemed completed as follows (with undefined capitalized terms meaning the definitions in the UK Standard Contractual Clauses):
(1) Table 1 of the UK Standard Contractual Clauses: (a) the Parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Appendix of this Addendum; and (b) the Key Contact shall be the contacts set forth in the Appendix of this Addendum.
(2) Table 2 of the UK Standard Contractual Clauses: The Approved EU SCCs referenced in Table 2 shall be the EU Standard Contractual Clauses as executed by the parties.
(3) Table 3 of the UK Standard Contractual Clauses: Annex 1A, 1B, II, and III shall be set forth in Section 4(b) and the Appendix of this Addendum.
(4) Table 4 of the UK Standard Contractual Clauses: Either party may end this Addendum as set out in Section 19 of the UK Standard Contractual Clauses.
(5) By entering into this Addendum, the parties are deemed to be signing the UK Standard Contractual Clauses and its applicable Tables and Appendices.
12b. EU Standard Contractual Clauses:
i) General. The parties acknowledge and agree that to the extent that Branch Processes any Customer Personal Data transferred from the European Economic Union or Switzerland under the Agreement, any related Order Forms, or exhibits, outside the European Economic Area in a country that has not been designated as providing an adequate level of protection for Personal Data, including the United States, Branch and Customer hereby enter into the EU Standard Contractual Clauses for Controllers to Processors (and incorporated into this DPA by reference). The EU Standard Contractual Clauses shall be interpreted in a manner consistent with the terms of this DPA and Applicable Data Protection Law(s). To the extent that the terms of this DPA directly contradict the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will control.
ii) Application. The EU Standard Contractual Clauses will apply to (i) the legal entity that has executed this DPA and entered into the Standard Contractual Clauses as a data exporter and, (ii) all Affiliates of Customer established within the European Economic Area or Switzerland, which have signed Order Forms for the Services. For purposes of the EU Standard Contractual Clauses, the aforementioned entities will act as the “data exporters” and Branch will act as the “data importer”. Customer acts as a Controller and Branch acts as Customer’s Processor with respect to the Personal Data subject to the EU Standard Contractual Clauses, and its Module 2 applies. With respect to the EU Standard Contractual Clauses:
(1) in Clause 7, the optional docking clause does not apply;
(2) in Clause 9, Option 2 applies; the time period for prior notice of Subprocessor changes will be as set forth in Section 4(c) (Right to Object to New Subprocessors) of this DPA;
(3) in Clause 11, the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply;
(4) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
(5) In Clause 18(b), disputes will be resolved before the courts of Ireland; and
(6) Annexes I and II of the EU Standard Contractual Clauses are set forth in the Appendix of this DPA. Annex III is not applicable as the parties have chosen general authorization under Clause 9.
(7) By entering into this DPA, the parties are deemed to be signing the EU Standard Contractual Clauses and its applicable Annexes.
iii) Transfers to Switzerland: For transfers of Customer Personal Data that are subject to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws”), the following provisions shall apply:
(1) General and specific references in the EU SCCs to GDPR, EU, EEA or Member State Law, shall have the same meaning as the equivalent reference in Swiss Data Protection Laws, as applicable.
(2) Where the Customer is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.
(3) For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
12c. Revisions. In the event that the European Commission or the United Kingdom requires the use of revised standard contractual clauses that are applicable to this DPA, such revised standard contractual clauses shall automatically be deemed to replace the UK Standard Contractual Clauses or EU Standard Contractual Clauses, as applicable, without the need for any further action, unless otherwise agreed to by the parties.
12d. Termination. The Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under Applicable Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis, and Branch has implemented any measures necessary to comply with such basis.
13. Security
Branch agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as set forth in Annex II of this DPA (“Branch Information Security and Privacy Standards”). Further, Branch agrees to regularly test, assess and evaluate the effectiveness of the Branch Information Security and Privacy Standards to ensure the security of the Processing. Customer acknowledges that the Branch Information Security and Privacy Standards may be updated from time to time to reflect process improvements or changing practices but the modifications will not materially decrease Branch’s obligations as compared to those reflected in such terms as of the Effective Date.
14. Audits
14a. Upon written request from Customer, and subject to the confidentiality obligations set forth in the Agreement, Branch agrees to reasonably cooperate with Customer for the purpose of verifying Branch’s compliance with Applicable Data Protection Law(s).
14b. Following Customer’s written request, at reasonable intervals and subject to the confidentiality obligations set forth in the Agreement, Branch shall make available to Customer information regarding Branch’s compliance with the obligations set forth in this DPA in the form of third-party certifications and audit results, to the extent that Branch makes them generally available to its customers.
14c. If after Customer’s review of such records it reasonably believes that an audit is necessary to validate Branch’s compliance and to the extent required by Applicable Data Protection Laws, including where mandated by Customer’s Supervisory Authority, Customer may contact Branch in accordance with the “Notices” section of the Agreement to request an audit of the procedures relevant to the protection of Personal Data. Customer and Branch shall mutually agree upon the scope, timing, and duration of the audit in addition to any reimbursement of expenses for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Branch. Customer shall promptly notify Branch and provide information about any actual or suspected non-compliance discovered during an audit.
15. Return or Deletion of Customer Personal Data
Upon written request by Customer, after Customer terminates use of all Branch Services, Branch shall, to the extent allowed by applicable law, delete or return to Customer all Customer Personal Data in its possession or control, save that this requirement shall not apply to the extent Branch is required by applicable law to retain some or all Customer Personal Data, or to Customer Personal Data Branch has archived on back up systems, which Customer Personal Data Branch shall securely isolate and protect from any further processing, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the EU Standard Contractual Clauses shall be provided by Branch to Customer only upon Customer’s request.
16. Notifications Regarding Customer Personal Data
Branch maintains reasonable and appropriate security incident management policies and procedures specified in the Information Security and Privacy Standards and shall notify Customer without undue delay after becoming aware of a breach of security resulting in the accidental or unlawful online destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, transmitted, stored or otherwise Processed by Branch or its Sub-processors (a “Customer Personal Data Incident”). Such notice will include all available details (to the extent in Branch’s reasonable possession or control) required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Customer Personal Data Incident. Branch shall make reasonable efforts to identify the cause of such Customer Personal Data Incident, and take those steps as Branch deems necessary and reasonable in order to remediate the cause of such a Customer Personal Data Incident, to the extent that the remediation is within Branch’s reasonable control. To the extent Customer requests Branch to conduct any additional measures, then any such measures which Branch agrees to implement (at its sole discretion), shall be executed at Customer’s sole expense. The obligations set forth herein shall not apply to incidents that are caused by either Customer or Customer’s Users.
17. Limitation of Liability
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement. For the avoidance of doubt, Branch’s total liability for all claims from the Customer and all of its Affiliates arising out of or related to the Agreement and DPA shall apply in the aggregate for all claims under Agreement, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Affiliate that is a contractual party to any such Agreement.
18. Severability
If any provision of the DPA is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that the DPA will otherwise remain in full force and effect and enforceable.
Schedule 1
| 1.1 Subject Matter of Processing | The subject matter of Processing is the Branch Services pursuant to the Agreement. |
| 1.2 Duration of Processing | The Processing will continue until Branch’s receipt of notification from Customer of termination of use of all Branch Services. |
| 1.3 Categories of Data Subjects | Includes the end users of Customer’s app(s) and/or websites into which the Branch Software Development Kit (“SDK”) is integrated, and/or end users who click on Branch deep links. |
| 1.4 Nature and Purpose of Processing | The purpose of Processing of Customer Personal Data by Branch is the performance of the Branch Services pursuant to the Agreement. |
| 1.5 Types of Personal Data | The data collected via Branch’s SDK and Branch links includes the following types of Personal Data: iOS Identifier for Advertising (IDFA); iOS Identifier for Vendors (IDFV); Android Advertising ID (GAAID); Android ID; IP Address; Developer ID; Local IP address; Cookie; Engagement data |
Appendix
Annexes to the Standard Contractual Clauses (If Applicable)
Annex I to the EU Standard Contractual Clauses
This Annex forms part of the EU Standard Contractual Clauses and/or UK Standard Contractual Clauses, as applicable. By entering into the Standard Contractual Clauses incorporated in the DPA, the parties also are agreeing to the terms of this Annex I. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Annex.
A. List of Parties
Data exporter. The data exporter is Customer and authorized affiliates of Customer, as described in the agreement. Contact: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.
Data importer. The data importer is Branch Metrics, Inc., 1975 W El Camino Real Ste. 102, Mountain View, CA 94040, USA. Contact: Ayisha Gelin, Data Protection Officer, [email protected].
B. Description of the Transfer
Categories of Data subjects whose Personal Data is transferred. Data exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- End users of Customer’s app(s) and/or websites into which the Branch SDK is integrated, and/or end users who click on Branch deep links.
Categories of Personal Data transferred. Data exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Personal data collected via Branch’s SDK and Branch links, which includes the following types of device-related data: advertising identifier, IP address, developer ID, local IP address, cookie, engagement data.
Sensitive categories of data transferred (if applicable). The personal data transferred concern the following special categories of data: Data Subject shall not use the Services to Process Sensitive Personal Data without Data Importer’s explicit and prior written consent. Subject to explicit agreement between the parties, Data exporter may submit special categories of data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include Personal Data concerning health information. If applicable, data exporter agrees that it has reviewed and assessed the restrictions and safeguards applied to the special categories of Personal Data, including the security measures described in the Information Security and Privacy Standards (as set forth in Annex II of this DPA) and Documentation applicable to the specific Services as made available by Branch, and has determined that such restrictions and safeguards are sufficient.
Frequency of the Transfer. Subject to Customer’s use of the Service, Personal Data will be transferred on a continuous basis during the term of the Agreement.
Nature of the Processing. The Personal Data transferred will be subject to the following basic processing activities: Processing necessary for the performance of the Branch Services, as well as related support and professional services as set forth in the Agreement, or where directed by other reasonable documented instructions provided by the data exporter.
Purpose of the data transfer and further processing. To provide the Services under the Agreement.
Anticipated duration of processing. For the term of any existing Order Forms and Agreement between Branch and the data importer.
Transfers to subprocessors. The subject matter, nature, and duration of the processing is outlined at https://legal.branch.io/saas/subprocessor-list/.
C. Competent Supervisory Authority
The Irish Data Protection Authority will be the competent supervisory authority.
Annex II
This Annex forms part of the EU Standard Contractual Clauses and/or UK Standard Contractual Clauses, as applicable. By entering into the Standard Contractual Clauses, the parties also are agreeing to incorporating this Annex II into the Agreement.
Description of the technical and organisational security measures implemented by the data importer in accordance with the UK Standard Contractual Clauses and the EU Standard Contractual Clauses: Branch will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Branch Services, as described in the Information Security and Privacy Standards accessible via https://legal.branch.io/saas/information-security-privacy-standards/. Branch will not materially decrease the overall security of the Services during a subscription term.