Data processing addendum
Data processing terms for customers subject to GDPR, CCPA, and other privacy regulations.
1. Definitions
This Data Processing Addendum (DPA) supplements the Master Service Agreement (MSA) between Incenify and Customer. Capitalized terms not defined herein have the meanings in the MSA. "Personal Data" means information relating to an identified or identifiable natural person processed by Incenify on behalf of Customer. "GDPR" means EU General Data Protection Regulation 2016/679. "Data Subject" means the individual to whom Personal Data relates. "Controller," "Processor," "Processing," and "Supervisory Authority" have the meanings in GDPR.
2. Roles and scope
Customer is the Controller and Incenify is the Processor of Personal Data submitted to the Services. This DPA applies only to Personal Data processed by Incenify on Customer's behalf in connection with the Services. The subject matter, duration, nature, and purpose of processing, types of Personal Data, and categories of Data Subjects are described in Exhibit A (Processing Details).
3. Customer instructions
Incenify will process Personal Data only in accordance with Customer's documented instructions, which are (a) to provide the Services as described in the MSA and SOW; (b) as further documented in written instructions provided by Customer; and (c) as necessary to comply with applicable law. If Incenify believes an instruction violates GDPR or other data protection law, Incenify will promptly inform Customer. Customer is responsible for ensuring its instructions comply with applicable law.
4. Security measures
Incenify will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current security measures are described at incenify.com/security and include: encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, authentication mechanisms, logging and monitoring, regular security testing, and incident response procedures. Incenify will review and update security measures as appropriate to maintain compliance with applicable law.
5. Subprocessors
Customer consents to Incenify engaging subprocessors to process Personal Data, provided Incenify: (a) maintains a current list at incenify.com/security/subprocessors; (b) provides at least thirty (30) days' notice of new or replacement subprocessors; (c) imposes data protection obligations on subprocessors substantially similar to this DPA; and (d) remains liable for subprocessor acts and omissions. Customer may object to a new subprocessor on reasonable data protection grounds by notifying legal@incenify.com within fifteen (15) days. If the parties cannot resolve the objection, Customer may terminate the affected Services and receive a pro-rata refund of prepaid fees.
6. Data subject rights
Incenify will, to the extent legally permitted and taking into account the nature of processing, assist Customer in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection). If Incenify receives a Data Subject request directly, Incenify will promptly forward it to Customer. Customer is responsible for responding to Data Subject requests. Incenify may charge a reasonable fee for assistance beyond what is required under this DPA.
7. Data breach notification
Incenify will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data. Notification will include available information about the breach, affected data categories, approximate number of Data Subjects and records, likely consequences, and measures taken or proposed. Incenify will reasonably cooperate with Customer's investigation and provide information necessary for Customer to meet breach notification obligations under applicable law. Notification is made to the security contact specified in the SOW or security@incenify.com.
8. Audits and inspections
Incenify will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice (at least thirty (30) days) and no more than once per year, Customer or its authorized auditor may audit Incenify's data protection practices, provided the audit: (a) is conducted during business hours; (b) does not unreasonably interfere with operations; and (c) is subject to confidentiality obligations. In lieu of an audit, Customer may accept Incenify's SOC 2 Type II report, third-party certifications, or completed security questionnaires. Customer is responsible for audit costs unless the audit reveals material non-compliance.
9. International transfers
Incenify may transfer Personal Data to countries outside the European Economic Area (EEA). Where such transfers occur, Incenify will ensure appropriate safeguards are in place, including: (a) Standard Contractual Clauses approved by the European Commission (incorporated in Exhibit B); (b) adequacy decisions under GDPR Article 45; or (c) other legally recognized transfer mechanisms. Customer authorizes such transfers provided appropriate safeguards are maintained.
10. Data retention and deletion
Incenify will retain Personal Data only as long as necessary to provide the Services and meet legal obligations. Upon termination or expiration of the MSA, Incenify will, at Customer's written request made within thirty (30) days, either return Personal Data to Customer or securely delete it, except to the extent Incenify is required by law to retain copies. After thirty (30) days from termination, Incenify may delete Personal Data in accordance with its standard data retention schedule. Certification of deletion will be provided upon request.
11. Customer obligations
Customer represents and warrants that: (a) it has provided all necessary notices and obtained all required consents for Incenify to process Personal Data as contemplated by the Services; (b) its instructions and use of the Services comply with applicable data protection laws; and (c) it has implemented appropriate security measures for its own systems and accounts. Customer will indemnify Incenify against claims arising from Customer's breach of data protection obligations.
12. Cooperation and assistance
Upon Customer's reasonable request and at Customer's expense, Incenify will provide reasonable assistance to Customer with: (a) data protection impact assessments; (b) consultations with Supervisory Authorities; (c) compliance with data protection obligations under applicable law; and (d) implementing technical and organizational measures. Such assistance does not include legal advice; Customer should consult its own counsel.
Exhibit A: Processing details
Subject Matter: Provision of channel incentive management platform.
Duration: Term of the MSA.
Nature and Purpose: Processing operations necessary to deliver verification, gamification, rewards, and telemetry services.
Types of Personal Data: Names, email addresses, phone numbers, employment information, transaction data, activity logs, IP addresses, device identifiers.
Categories of Data Subjects: Customer's employees, channel partner employees, end users enrolled in incentive programs.
Exhibit B: Standard Contractual Clauses
For transfers of Personal Data from the EEA to countries without an adequacy decision, the parties agree to the Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Commission Decision 2021/914 of 4 June 2021). The parties' roles and module selections are: Customer is the data exporter (Module Two: Controller to Processor); Incenify is the data importer. Optional clauses: Docking clause applies; parties select Clause 11(a) (independent dispute resolution); parties select Clause 17 (Option 1, governing law of EU Member State where data exporter is established); parties select Clause 18(b) (courts of EU Member State where data exporter is established). Annex I and Annex II information is as described in this DPA. The full text of the Standard Contractual Clauses is available at incenify.com/legal/scc.
Last updated 2025.