Last updated: 9/23
This Data Processing Agreement (“Addendum”) to the Enterprise Terms of Service or Tango Card Terms and Conditions, whichever is applicable, previously entered into between Tango Card, Inc. (“Tango” or “Processor”) and Tango’s customer (“Customer” or “Controller”) sets out the data privacy, data protection, and data security obligations applicable to the Processing of Personal Data by and between Tango and Customer for the provision of professional services under the Agreement (“Services”).
- Defined Terms. Capitalized terms used in this Addendum that are not otherwise defined herein will have the same meaning ascribed to them as set forth in the Agreement. As used herein, the term “Agreement” refers to the terms and conditions of both the Agreement and this Addendum in effect following the Addendum Effective Date, or any equivalent agreement between the parties that may be in place during the Term of this Agreement.
a. “Appropriate Safeguards” means technical, physical, and organizational measures, standards, requirements, specifications, or obligations designed to ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Data to be protected, taking into account the state of the art; costs of implementation; the nature, scope, context, and purposes of Processing; and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
b. “Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this Agreement, including the European Union (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, the United Kingdom (“UK”) General Data Protection Regulation (“UKGDPR”), the California Consumer Privacy Act, Ca. Civ. Code 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations (the ““CCPA”), and any other applicable local, state or federal privacy law and/or foreign laws, treaties, and/or regulations, including but not limited to the laws of the European Union and European Economic Area (““EEA”), laws of the UK, implementations of the GDPR into national law.
c. The following terms have the definitions given to them in the CCPA: “Business,” “Sale,” “Share,” “Service Provider,” and “Third Party.”
d. “Personal Data” means any information reasonably relating to an identified or identifiable natural person or household (“data subject”). For the avoidance of doubt, the meaning of “Personal Data” shall be consistent with the term as it is defined in Article 4(1) of the GDPR and UKGDPR, shall be consistent with the term “personal information” as that term is defined in the CCPA, Ca. Civ. Code 1798.140(o), and shall be consistent with any other similar term in applicable Data Protection Laws. Notwithstanding the foregoing, Personal Data processed under the Agreement shall only include information if, and only if, Processor requires and requests such information in order to perform its Processing of the Data. For clarity, therefore, if Customer provides to Processor additional data that may be included in definitions of Personal Data under Applicable Law, but is not requested or required by Processor to provide Services, Processor will take commercially reasonable steps to avoid Processing such information.
e. “Processing, Process, Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. For the avoidance of doubt, the meaning of “Processing,” “Process,” and “Processed” shall be consistent with the term as it is defined in applicable Data Protection Laws.
f. Processor means an entity that processes personal data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires.
g. “Remediation Efforts” means, with respect to any Security Incident, activities designed to remedy a Security Incident which may be required by applicable law or by Customer policy or procedures, or which may otherwise be necessary, reasonable or appropriate under the circumstances, commensurate with the nature of such Security Incident. Remediation Efforts may include: (i) development and delivery of legal notices to affected individuals or other third parties as may be required by applicable law or as otherwise appropriate; (ii) establishment and operation of toll-free telephone numbers (or, where toll-free telephone numbers are not available, dedicated telephone numbers) for affected individuals to receive specific information and assistance; (iii) provision of free credit reports, credit monitoring and credit or identity repair services for affected individuals; (iv) provision of identity theft insurance for affected individuals; (v) cooperation with and response to regulatory inquiries and other similar actions; (vi) undertaking of investigations of such Security Incident; or (vii) cooperation with and response to litigation with respect to such Security Incident, as may be required by applicable Data Protection Laws.
h. “Security Incident” means (i) any incident leading to the actual unauthorized, accidental, or unlawful use of, loss of, alteration to, disclosure of, or access to, any Personal Data transmitted, stored, or otherwise Processed; and (ii) any security breach, incident, or event (or substantially similar term) as defined by applicable Data Protection Laws.
i. “Subprocessor” means any third party that Processor engages in accordance with Section 2(c) of this Addendum in order to perform the Processing.
j. “Valid Transfer Mechanism” means any data transfer mechanism recognized by the European Commission as a legitimate basis for the transfer of Personal Data outside the European Economic Area, or the Information Commissioner’s Office for the transfer of Personal Data outside the United Kingdom.
- Processor Obligations
a. Data Use.
i. Processor shall Process the Personal Data only: (i) for the purpose of performing the Processing activities in accordance with Annex I during the term of this Agreement; (ii) pursuant to documented instructions from Customer, including with respect to transfers of Personal Data to a third country or international organization; or (iii) when required to do so by applicable law, and the Processor informs Customer of that legal requirement before Processing, unless that law prohibits the disclosure to Customer. Processor shall share Personal Data only with its employees who have a need to know the same for the performance of the Processing and have either expressly committed to protecting the confidentiality of such data or are under an appropriate statutory obligation of confidentiality.
ii. Processor is prohibited from: (a) Selling or Sharing personal data; (b) retaining, using, or disclosing personal data for any purpose other than for the specific business purpose of performing Customer’s documented instructions for the business purposes defined in this Agreement, including retaining, using, or disclosing the personal data for a commercial purpose other than performing Customer’s instructions; or (c) retaining, using, or disclosing the personal data outside of the direct business relationship between the parties as defined in this Agreement. Processor certifies that it understands these restrictions.
iii. Processor will notify Customer without unreasonable delay if it determines that it can no longer meet its obligations under this Agreement.
b. Appropriate Safeguards. Processor shall implement and maintain a written information security program that includes appropriate technical and organizational measures to protect Personal Data, including, as appropriate: (i) the pseudonymization and encryption of Personal Data, both in transit and in storage on Processor’s network or systems; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including against unauthorized access, use, disclosure, alteration, or destruction of Personal Data; (iii) the ability to timely restore the availability and access to the Personal Data in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing, and evaluating the effectiveness of the administrative, technical, organizational, and physical measures for ensuring the security of the Processing. Such measures take into account the nature, scope, context and purpose of processing, and include, but are not limited to, the additional supplementary measures set forth in Annex II.
c. Subprocessors. Customer acknowledges and agrees that Processor may engage Subprocessors to perform Processing activities. Processor will enter into contracts with Subprocessors that will include terms which contain the same or greater obligations as Processor’s obligations as set out in this Agreement and Addendum, and which comply with the CCPA and its implementing regulations. Processor shall not engage a Subprocessor without obtaining prior specific or general written authorization from Customer, which shall not be unreasonably withheld. Customer grants Processor a general written authorization to engage Subprocessors, and a list of current Subprocessors may be found in Annex III. The list of Subprocessors engaged by Processor shall be made available online and may be updated from time to time. For the avoidance of doubt, any update to the online list shall constitute notice to Customer. Upon changes to the list of Subprocessors, Customer may object to such changes. Additionally, Processor and Subprocessor shall enter into a written contract or other legally binding agreement requiring Subprocessor to: (1) comply with the same data protection requirements described in this Addendum; and (2) guarantee it will implement appropriate technical and organizational measures sufficient to meet the requirements of applicable Data Protection Laws. Processor shall be liable for the Subcontractor’s acts and omissions to the same extent as if such acts and omissions were performed by Processor. The inclusion of prepaid cards in Customer’s rewards program(s) does not and shall not constitute “subprocessing” under this Agreement, and no provider of prepaid cards shall be deemed to be a Subprocessor.
d. Security Incidents. Processor shall notify Customer of any Security Incident within seventy-two (72) hours of Processor becoming aware of such Security Incident that affects Customer. Processor shall notify Customer without undue delay of the Security Incident, and shall cooperate in the investigation and remediation of the Security Incident. Processor shall investigate any such Security Incident and take all necessary steps to eliminate or contain the exposures that led to such Security Incident in accordance with the Appropriate Safeguards and applicable laws. After receiving notice of a Security Incident from Processor, Customer may take steps to remediate any unauthorized use of Personal Data.
e. Data Subjects’ Rights. To the extent reasonably practicable, Processor shall implement the necessary technical and organizational measures to facilitate Customer’s fulfillment of its obligations related to the exercise of the data subjects’ rights.
f. Record Retention. Processor shall maintain the relevant records related to its Processing activities performed on behalf of Customer as are required by Data Protection Laws.
g. Evaluations. Processor shall make available to Customer all information necessary to demonstrate compliance with the obligations of this Agreement and Addendum, as well as with applicable Data Protection Laws, and allow for and contribute to audits conducted by the Customer or another third party, as designated by the Customer. If Processor is unable to demonstrate such compliance, Controller may suspend the processing of Personal Data until Processor remedies any non-compliance.
h. Data Return or Destruction. At Customer’s written instruction, Processor shall destroy or return all Personal Data to Customer promptly upon the expiration or termination of this Agreement provided, however, that in all cases, Processor is entitled to keep, and shall keep, Personal Data as necessary to preserve its records (a) for financial auditing purposes, (b) as required by applicable laws and regulations, or (c) in cases where Processor has a legitimate interest, and provided that the return of Customer Personal Data shall be undertaken only to the extent that the return of such Personal Data does not unduly burden Processor. Processor shall also delete all existing copies of Personal Data in its possession, unless applicable laws require their continued storage.
i. Facilitating Company’s Compliance. To the extent reasonably practicable, Processor shall assist Customer in complying with its obligations related to Security Incidents; data protection impact assessments; and required prior consultations with the supervisory authority regarding potential Processing. Processor shall also immediately inform Customer if, in its opinion, an instruction from Customer related to Processing would infringe an applicable Data Protection Laws.
- International Data Transfers.
a. EU Standard Contractual Clauses To the extent required by Applicable Data Protection Laws, the parties agree that the clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will apply to Personal Data that is transferred under the Agreement from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data (“Restricted Transfer”). For data transfers from the European Economic Area that are subject to the EU SCCs, the EU SCCs where customer is a controller and Tango is a Processor, Module 2 (Controller to Processor), will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
i. In Clause 7, the optional docking clause shall apply;
ii. In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be thirty (30) days;
iii. In Clause 11, the optional redress language will not apply;
iv. In Clause 13(a), all three options may be retained and apply, depending on the circumstances, and as relevant where the transfer falls within the territorial scope of the Regulation (EU) 2016/679;
v. In Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law;
vi. In Clause 18(b), disputes will be resolved before the courts of Ireland; and
vii. The Annexes included below shall apply to the Annexes listed within the EU Standard Contractual Clauses as follows: Annex I serves as Annex I of the EU SCCs; Annex II serves as Annex II of the EU SCCs and Annex III serves as Annex III of the EU SCCs.
For data transfers from the European Economic Area that are subject to the EU SCCs, the EU SCCs, where Customer is a controller and Tango is a controller, Module 1 (Controller to Controller), will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
viii. In Clause 7, the optional docking clause shall apply;
ix. In Clause 11, the optional redress language will not apply;
x. In Clause 13(a), all three options may be retained and apply, depending on the circumstances, and as relevant where the transfer falls within the territorial scope of the Regulation (EU) 2016/679;
xi. In Clause 17, Option 1 will apply and the EU SCCs will be governed by Irish law;
xii. In Clause 18(b), disputes will be resolved before the courts of Ireland; and
xiii. The Annexes included below shall apply to the Annexes listed within the EU Standard Contractual Clauses as follows: Annex I serves as Annex I of the EU SCCs; and Annex II serves as Annex II of the EU SCCs.
The parties acknowledge and agree that signatures to this Addendum shall serve as signatures to the EU SCCs.
b. UK Addendum. In relation to Personal Data that is protected by the UKGDPR, the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) shall apply. To the extent that the UK Addendum applies, Annexes I, II, and III of this Addendum shall also apply. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
i. For Table One, the details as set out in Annex I of this Addendum shall apply.
ii. For Table Two, the check-box referring to the following shall apply “the Approved EU SCCs, including the Appendix Information and with only the modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of the UK Addendum.” Within the table, Module 2 shall apply and shall be filled out in the same way as the EU SCCs as filled out in Section 3(a) (EU Standard Contractual Clauses) above.
iii. For Table Three, the following shall apply to the referenced columns: Annex I (Description of Processing) of this Addendum shall apply to the columns entitled Annex IA and Annex IB; Annex II (Technical and Organizational Security Measures Implemented by the Vendor) of this Addendum shall apply to the column entitled Annex II; and Annex III (List of Subprocessors) shall apply to the column entitled Annex III.
iv. For Table Four, the data importer and the data exporter shall have the right to terminate this Addendum.
The parties acknowledge and agree that signatures to this Addendum shall serve as signatures to the UK Addendum.
- Indemnification. The Indemnification provisions of the Agreement shall apply to the terms of this Addendum.
- Limitation of Liability. The Limitation of Liability provisions of the Agreement shall apply to the terms of this Addendum.
- Precedence. This Addendum incorporates by reference all of the other terms and conditions of the Agreement which shall remain in effect. However, as agreed to herein, this Addendum modifies such terms and conditions to account for the protection of Personal Data. Accordingly, the parties hereby agree that to the extent the terms of this Addendum and the Agreement conflict with one another, the terms and conditions of this Addendum shall control.
IN WITNESS WHEREOF, the parties have each caused this Addendum to be signed by their respective duly authorized representative as documented in and as of the date listed in the Agreement.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Customer. Customer’s name, address, and contact information and use case for the Services as . provided in the signature block for the relevant Agreement will apply here unless otherwise stated by Customer.
Signature and date: The signature on the Agreement or acceptance of the click through Tango Card Terms and Conditions shall apply to this Annex 1.
Role (controller/processor): Controller
Data importer(s):
Name: Tango Card, Inc.
Address: 4700 42nd Ave SW, Suite 430A, Seattle, WA 98116
Contact person’s name, position and contact details: Monica Bush Monica.bush@tangocard.com
Activities relevant to the data transferred under these Clauses:
• distribution of rewards and payments
• customer service related to redemption of rewards
• fraud monitoring and program reporting
Signature and date: The signature on the Agreement shall apply to this Annex 1.
Role (controller/processor): Processor when providing Services under the Agreement; Controller when performing fraud prevention services across multiple customers.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Data subjects are the individuals whose personal data is processed by the data importer under the. data exporter's instructions as specified in the Agreement. These individuals may include, for example, Customer's: employees, customers and clients, end users, advisers, research participants, and students.
Categories of personal data transferred:
• Contact Data, such as name and email address
• Online Tracking Data, such as cookies and IP address
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous basis.
Nature of the processing
As set out in the Agreement.
Purpose(s) of the data transfer and further processing
As set out in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data importer will retain personal data until its deletion in accordance with the provisions of the Agreement and as required by law or regulatory agency.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
In accordance with theAgreement and applicable law or regulatory agency.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Data Protection Commission
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The parties shall comply with the technical and organizational measures identified in Article 32 of the EU and UK GDPR.
1. Information Security Policies and Standards. Processor will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
2. Physical Security. Processor will maintain commercially reasonable security systems at all Processor sites at which an information system that uses or stores Personal Data is located that include reasonably restricting access to such locations, and implementing measures to detect, prevent, and respond to intrusions.
3. Organizational Security. Processor will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
4. Network Security. Processor maintains commercially reasonable information security policies and procedures addressing network security.
5. Access Control. Processor agrees that: (1) only authorized Processor staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
6. Virus and Malware Controls. Processor protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
7. Personnel. Processor has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
8. Business Continuity. Processor implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Processor also adjusts its information security program in light of new laws and circumstances, including as Processor’s business and Processing change.
ANNEX III
LIST OF SUB-PROCESSORS
EXPLANATORY NOTE:
This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).
The controller has authorised the use of the following subprocessors:
- Ada Support, Inc.
- Amazon Web Services, Inc.
- ColorArt, LCC
- Intercom R&D Unlimited Company
- LexisNexis Risk Solutions Group
- Salesforce, Inc.
- Sendgrid, Inc.
- Sift Science, Inc
- Sumo Logic, Inc
- Talkdesk, Inc.
- Workato, Inc.