Data Processing Addendum (“ADDENDUM”)

Last updated: 2/7/2024

This Data Processing Addendum (“Addendum”) to the Tango Terms and Conditions (“Agreement”) sets out the data privacy, data protection, and data security obligations applicable to Processor’s Processing of Personal Data by and between Tango Card (“Processor”) and Customer (“Customer”) for the provision of professional services under the Agreement (“Services”). This Addendum will be valid and enforceable upon entrance into the Tango Terms and Conditions.

  1. Defined Terms. Capitalized terms used in this Addendum that are not otherwise defined herein will have the same meaning ascribed to them as set forth in the Agreement. As used herein, the term “Agreement” refers to the terms and conditions of both the Agreement and this Addendum in effect following the Addendum Effective Date, or any equivalent agreement between the parties that may be in place during the Term of this Agreement.

    a. “Appropriate Safeguards” means technical, physical, and organizational measures, standards, requirements, specifications, or obligations designed to ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Data to be protected, taking into account the state of the art; costs of implementation; the nature, scope, context, and purposes of Processing; and the risk of varying likelihood and severity for the rights and freedoms of natural persons.

    b. “Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this Agreement, including the European Union (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, the United Kingdom (“UK”) General Data Protection Regulation (“UKGDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act, Ca. Civ. Code 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations (the “CCPA”), and any other applicable local, state or federal privacy law and/or foreign laws, treaties, and/or regulations, including but not limited to the laws of the European Union and European Economic Area (“EEA”), laws of the UK, and implementations of the GDPR into national law.

    c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located http://data.europa.eu/eli/dec_impl/2021/914/oj., and completed as set forth in Section 3 below.

    d. The following terms have the definitions given to them in the CCPA: “Business,” “Sale,” “Share,” “Service Provider,” and “Third Party.”

    e. “Personal Data” means any information reasonably relating to an identified or identifiable natural person or household (“data subject”). For the avoidance of doubt, the meaning of “Personal Data” shall be consistent with the term as it is defined in Article 4(1) of the GDPR and UKGDPR, shall be consistent with the term “personal information” as that term is defined in the CCPA, Ca. Civ. Code 1798.140(o), and shall be consistent with any other similar term in applicable Data Protection Laws.  Notwithstanding the foregoing, Personal Data processed under the Agreement shall only include information if, and only if, Processor requires and requests such information in order to perform its Processing of the Data. For clarity, therefore, if Customer provides to Processor additional data that may be included in definitions of Personal Data under Applicable Law, but is not requested or required by Processor to provide Services, Processor will take commercially reasonable steps to avoid Processing such information.

    f. “Processing, Process, Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. For the avoidance of doubt, the meaning of “Processing,” “Process,” and “Processed” shall be consistent with the term as it is defined in applicable Data Protection Laws.

    g. Processor means means an entity that processes personal data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires.

    h. “Remediation Efforts” means, with respect to any Security Incident, activities designed to remedy a Security Incident which may be required by applicable law or by Customer policy or procedures, or which may otherwise be necessary, reasonable or appropriate under the circumstances, commensurate with the nature of such Security Incident.  Remediation Efforts may include: (i) development and delivery of legal notices to affected individuals or other third parties as may be required by applicable law or as otherwise appropriate; (ii) establishment and operation of toll-free telephone numbers (or, where toll-free telephone numbers are not available, dedicated telephone numbers) for affected individuals to receive specific information and assistance; (iii) provision of free credit reports, credit monitoring and credit or identity repair services for affected individuals; (iv) provision of identity theft insurance for affected individuals; (v) cooperation with and response to regulatory inquiries and other similar actions; (vi) undertaking of investigations of such Security Incident; or (vii) cooperation with and response to litigation with respect to such Security Incident, as may be required by applicable Data Protection Laws.

    i. “Security Incident” means (i) the unauthorized, accidental, or unlawful use of, loss of, alteration to, disclosure of, or access to, any Personal Data transmitted, stored, or otherwise Processed.

    j. “Subprocessor” means any third party that Processor engages in accordance with Section 2(c) of this Addendum in order to perform the Processing.

    k. “Valid Transfer Mechanism” means any data transfer mechanism recognized by the European Commission as a legitimate basis for the transfer of Personal Data outside the European Economic Area, or the Information Commissioner’s Office for the transfer of Personal Data outside the United Kingdom.
  2. Processor Obligations

    a. Data Use.

         i.
    Processor shall Process the Personal Data only: (i) for the purpose of performing the Processing activities in accordance with Annex I during the term of this Agreement; (ii) pursuant to documented instructions from Customer, including with respect to transfers of Personal Data to a third country or international organization; or (iii) when required to do so by applicable law, and the Processor informs Customer of that legal requirement before Processing, unless that law prohibits the disclosure to Customer.  Processor shall disclose Personal Data only with its employees who have a need to know the same for the performance of the Processing and have either expressly committed to protecting the confidentiality of such data or are under an appropriate statutory obligation of confidentiality.

         ii. Processor is prohibited from: (a) Selling or Sharing personal data; (b) retaining, using, or disclosing personal data for any purpose other than for the specific business purpose of performing Customer’s documented instructions for the business purposes defined in this Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than performing Customer’s instructions; or (c) retaining, using, or disclosing the personal data outside of the direct business relationship between the parties as defined in this Agreement. Processor certifies that it understands these restrictions.

         iii. Processor will notify Customer without unreasonable delay if it determines that it can no longer meet its obligations under this Agreement.

    b. Appropriate Safeguards. Processor shall implement and maintain a written information security program that includes appropriate technical and organizational measures to protect Personal Data, including, as appropriate: (i) the pseudonymization and encryption of Personal Data, both in transit and in storage on Processor’s network or systems; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including against unauthorized access, use, disclosure, alteration, or destruction of Personal Data; (iii) the ability to timely restore the availability and access to the Personal Data in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing, and evaluating the effectiveness of the administrative, technical, organizational, and physical measures for ensuring the security of the Processing. Such measures take into account the nature, scope, context and purpose of processing, and include, but are not limited to, the additional supplementary measures set forth in Annex II.

    c. Subprocessors. Customer acknowledges and agrees that Processor may engage Subprocessors to perform Processing activities. Processor will enter into contracts with Subprocessors that will include terms which contain the same or greater obligations as Processor’s obligations as set out in this Agreement and Addendum, and which comply with applicable Data Protection Laws.  Processor shall not engage a Subprocessor without obtaining prior authorization from Customer, which shall not be unreasonably withheld. Customer grants Processor a general written authorization to engage Subprocessors, and a list of current Subprocessors may be found in Annex III. Customer hereby consents to Processor’s use of such Subprocessors. The list of Subprocessors engaged by Processor shall be made available online and may be updated from time to time. For the avoidance of doubt, any update to the online list shall constitute notice to Customer. Upon changes to the list of Subprocessors, Customer may object to such changes. Additionally, Processor and Subprocessor shall enter into a written contract or other legally binding agreement requiring Subprocessor to: (1) comply with the same data protection requirements described in this Addendum; and (2) guarantee it will implement appropriate technical and organizational measures sufficient to meet the requirements of applicable Data Protection Laws.  To the extent applicable to Subprocessor’s Processing of Customer’s Personal Data on Processor’s behalf, Processor shall be liable for the Subcontractor’s acts and omissions to the same extent as if such acts and omissions were performed by Processor. The inclusion of prepaid cards in Customer’s rewards program(s) does not and shall not constitute “subprocessing” under this Agreement, and no provider of prepaid cards shall be deemed to be a Subprocessor.

    d. Security Incidents. Processor shall notify Customer of any Security Incident within seventy-two (72) hours of Processor becoming aware of such Security Incident that affects Customer. Processor shall notify Customer without undue delay of the Security Incident, and shall cooperate in the investigation and remediation of the Security Incident. Processor shall investigate any such Security Incident and take all necessary steps to eliminate or contain the exposures that led to such Security Incident in accordance with the Appropriate Safeguards and applicable laws.  After receiving notice of a Security Incident from Processor, Customer may take steps to remediate any unauthorized use of Personal Data.

    e. Data Subjects’ Rights. To the extent reasonably practicable, Processor shall implement the necessary technical and organizational measures to facilitate Customer’s fulfillment of its obligations related to the exercise of the data subjects’ rights.

    f. Record Retention. Processor shall maintain the relevant records related to its Processing activities performed on behalf of Customer as are required by Data Protection Laws.

    g. Evaluations. Processor shall make available to Customer all information necessary to demonstrate compliance with the obligations of this Agreement and Addendum, as well as with applicable Data Protection Laws, provided that such audit shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, at Customer’s sole expense, and to the extent Processor’s personnel are required to cooperate therewith, only during Processor’s normal business hours. Notwithstanding the foregoing, in the event of a Security Incident resulting from Processor’s Processing of Personal Data on behalf of Customer, Customer shall have the right to request an audit with no frequency cap, and any audits performed as the result of a Security Breach shall be performed at Processor’s sole expense. If Processor is unable to demonstrate such compliance, Controller may suspend the processing of Personal Data until Processor remedies any non-compliance.

    h. Data Return or Destruction. At Customer’s written instruction, Processor shall destroy or return all Personal Data to Customer promptly upon the expiration or termination of this Agreement provided, however, that in all cases, Processor is entitled to keep, and shall keep, Personal Data as necessary to preserve its records (a) for financial auditing purposes, (b) as required by applicable laws and regulations, or (c) in cases where Processor has a legitimate interest, and provided that the return of Customer Personal Data shall be undertaken only to the extent that the return of such Personal Data does not unduly burden Processor.  Processor shall also delete all existing copies of Personal Data in its possession, unless applicable laws require their continued storage.

    i. Facilitating Company’s Compliance. To the extent reasonably practicable, Processor shall assist Customer in complying with its obligations related to Security Incidents; data protection impact assessments; and required prior consultations with the supervisory authority regarding potential Processing.  Processor shall also immediately inform Customer if, in its opinion, an instruction from Customer related to Processing would infringe an applicable Data Protection Laws.
  3. International Data Transfers. Processor shall ensure that Personal Data is not transferred to, allowed access by, or otherwise Processed across national borders (whether performed by itself or by a Subcontractor), unless it receives documented instructions to make such transfer by Company and such transfer will comply with all applicable Data Protection Laws and Valid Transfer Mechanisms. The Parties agree that the EU Standard Contractual Clauses and UK SCCs (as defined below), then in force and effect (and modified as required to comply with applicable law) shall be used as the data transfer mechanism and executed by both Parties, as set forth in Appendix 1 and Appendix 2 to this Addendum. To the extent required by Data Protection Laws, the Processor agrees to implement the additional adequacy measures set forth in Annex II to Appendix 1.

    a.
    To the extent legally required, by signing this Addendum, Customer and Processor are deemed to have signed the EU SCCs, which form part of this Addendum and (except as described in Section 3(b) and (c) below) will be deemed completed as follows:

         i. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Processor (as a processor);

         ii. Clause 7 (the optional docking clause) is included;

         iii. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Schedule C of this DPA and Processor shall propose an update to that list at least thirty (30) days in advance of any intended additions or replacements of Subprocessors in accordance with Section 2(c) of this Addendum;

         iv. Under Clause 11 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;

         v. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the law of Ireland.

         vi. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;

         vii. Annex I(A) and I(B) (List of Parties) is completed as set forth in Annex I of this Addendum;

        viii. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

        ix. Annex II (Technical and organizational measures) is completed with Annex II of this Addendum; and

        x. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. Tailscale’s current subprocessors are listed in Annex III.Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. Tailscale’s current subprocessors are listed in Annex III.

    b. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK SCCs”) forms part of this Addendum and takes precedence over the rest of this Addendum as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:

         i. Table 1 of the UK SCCs:

         ii. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.

         iii. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Annexes I, II, and III below.

         iv. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.

         v. By entering into this Addendum, the Parties are deemed to be signing the UK SCCs.

    c. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (3) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
  4. Indemnification. The Indemnification provisions of the Agreement shall apply to the terms of this Addendum.
  5. Limitation of Liability. The Limitation of Liability provisions of the Agreement shall apply to the terms of this Addendum.

Precedence. This Addendum incorporates by reference all of the other terms and conditions of the Agreement which shall remain in effect. However, as agreed to herein, this Addendum modifies such terms and conditions to account for the protection of Personal Data. Accordingly, the parties hereby agree that to the extent the terms of this Addendum and the Agreement conflict with one another, the terms and conditions of this Addendum shall control.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

     Customer. Customer’s name, address, and contact information and use case for the Services as .      provided in the signature block for the relevant Agreement will apply here unless otherwise stated      by Customer.

     Signature and date: The signature on the Agreement shall apply to this Annex 1.

     Role (controller/processor): Controller

Data importer(s):

     Name: Tango Card, Inc.

     Address: 4700 42nd Ave SW, Suite 430A, Seattle, WA 98116

     Contact person’s name, position and contact details: Monica Bush Monica.bush@tangocard.com

     Activities relevant to the data transferred under these Clauses:

          • distribution of rewards and payments

          • customer service related to redemption of rewards

          • fraud monitoring and program reporting

     Signature and date: The signature on the Agreement shall apply to this Annex 1.

     Role (controller/processor): Processor when providing Services under the Agreement; Controller when performing fraud prevention services across multiple customers.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

     Data subjects are the individuals whose personaldata is processed by the data importer under the data exporter’s instructionsas specified in the Agreement. These individuals may include, for example, Customer’s:employees, customers and clients, end users, advisers, research participants,and students.

Categories of personal data transferred:

             • Contact Data, such as name and email address

            • Online Tracking Data, such as cookies and IP address

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

            None.

     The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

           Continuous basis.

     Nature of the processing

            As set out in the Agreement.

     Purpose(s) of the data transfer and further processing

            As set out in the Agreement.

     The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

            The data importer will retain personal data until its deletion in accordance with the  provisions             of the Agreement and as required by law or regulatory agency.

     For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

            In accordance with applicable law or regulatory agency.

C. COMPETENT SUPERVISORY AUTHORITY

     Identify the competent supervisory authority/ies in accordance with Clause 13

            Irish Data Protection Commission

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The parties shall comply with the technical and organizational measures identified in Article 32 of the EU and UK GDPR.

1. Information Security Policies and Standards. Processor will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.

2. Physical Security. Processor will maintain commercially reasonable security systems at all Processor sites at which an information system that uses or stores Personal Data is located that include reasonably restricting access to such locations, and implementing measures to detect, prevent, and respond to intrusions.

3. Organizational Security. Processor will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.

4. Network Security. Processor maintains commercially reasonable information security policies and procedures addressing network security.

5. Access Control. Processor agrees that: (1) only authorized Processor staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.

6. Virus and Malware Controls. Processor protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.

7. Personnel. Processor has implemented and maintains a security awareness program to train employees about their security obligations.  Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.

8. Business Continuity. Processor implements disaster recovery and business resumption  plans that are kept up to date and revised on a regular basis. Processor also adjusts its information security program in light of new laws and circumstances, including as Processor’s business and Processing change.

ANNEX III

LIST OF SUB-PROCESSORS

EXPLANATORY NOTE:

The controller has authorised the use of the following subprocessors for the general services listed below, all of which are located in the United States:

  • Ada Support Inc: customer and recipient support
  • Amazon Web Services, Inc.: cloud services and data storage
  • ColorArt LLC: creation of physical Reward Links
  • Coralogix: logging
  • LexisNexis Risk Solutions Group: fraud protection and identity verification
  • Salesforce, Inc.: customer and recipient support
  • Sendgrid Inc.: fraud protection and identity verification
  • Sift Science, Inc.: fraud protection and identity verification
  • Sumo Logic, Inc.: logging
  • Talkdesk, Inc.: customer and recipient support
  • Workato, Inc.: customer and recipient support