1. Definitions
For the purposes of this Data Processing Agreement, the following terms shall have the meaning provided below:
- Data Controller, Data Processor, Data Protection Officer, Data Subject, Personal Data, Personal Data Breach, Processing and Supervisory Authority shall have the same meaning as found in the GDPR.
- Data Protection Legislation shall mean the GDPR, and any other applicable national implementing law as amended from time to time, as well as any other applicable law concerning the processing of personal data and privacy.
- Data Subject Request shall mean a request by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation regarding their Personal Data.
- GDPR shall mean the General Data Protection Regulation (Regulation (EU) 2016/679).
- Protective Measures shall mean appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include, but are not limited to, the pseudonymisation and encrypting of Personal Data, ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner in the event of an incident and regularly testing, assessing and evaluating the effectiveness of the measures adopted.
- Sub-processor shall mean any vendor appointed to process Personal Data on behalf of FalconDive related to this Agreement.
All other capitalised terms shall have the same meaning provided in the Agreement.
2. Processing of Personal Data
The Parties acknowledge that, for the purposes of the Data Protection Legislation, the Client is the Data Controller and FalconDive is the Data Processor. The processing of Personal Data that FalconDive is authorised to perform is exhaustively listed in Schedule A and may not be determined or amended by FalconDive at any time. FalconDive may only process the Personal Data, including in respect of international transfers, in line with the written instructions of the Client and may not use the Personal Data for its own purposes unless FalconDive is required to do otherwise by Law.
Where FalconDive is required by law to process otherwise, and where it is permitted to do so, FalconDive shall notify the Client without delay before processing such data.
The Client agrees to share the Personal Data detailed in Schedule A with FalconDive in order for the agreed processing to take place, as required for the provision of the services detailed in the Main Agreement.
FalconDive shall comply with all applicable Data Protection Legislation in the processing of the Client's Personal Data.
FalconDive shall notify the Client immediately if it considers that any of the instructions infringe Data Protection Legislation.
The Client shall be responsible for notifying Data Subjects of a data breach, and for responding to a request from a Data Subject, whether made under the GDPR or under a corresponding provision of an otherwise applicable national data protection law.
The Client agrees and warrants that it shall comply fully with the terms of the GDPR and shall ensure that the Personal Data that it supplies or discloses to FalconDive has been obtained fairly and lawfully and in accordance with the provisions of the Data Protection Legislation.
3. Protective Measures
FalconDive shall ensure that Protective Measures, which are in line with the requirements of Article 32 of the GDPR and are detailed in Schedule C, are in place to appropriately protect against a Personal Data Breach, having taken into account the:
- nature of the data to be protected;
- harm that might result from a Personal Data Breach;
- state of technological development; and
- cost of implementing any measures.
In determining the appropriate level of Protective Measures, FalconDive shall take into account the risks that are presented by the Processing taking place and in particular from a Personal Data Breach.
4. FalconDive Personnel
FalconDive shall ensure that FalconDive personnel do not process Personal Data except in accordance with this Agreement and that all reasonable steps are taken to ensure the reliability and integrity of any FalconDive personnel who have access to the Personal Data, particularly that they:
- are aware of and comply with FalconDive's duties under this Agreement;
- are subject to appropriate confidentiality undertakings, or professional or statutory obligations of confidentiality with FalconDive;
- are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Client or as otherwise permitted by this Agreement; and
- have undergone adequate training in the use, care, protection and handling of Personal Data.
FalconDive shall limit access to the Client's Personal Data to those employees who need to know or access the Personal Data, and only as is strictly necessary for the purposes of the main Agreement between the Parties.
5. International Data Transfers
FalconDive shall not transfer Personal Data outside of the EEA unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
- FalconDive complies with the general conditions laid down in relation to such transfers (in accordance with GDPR Article 44);
- FalconDive complies with its obligation to provide appropriate safeguards, which safeguards shall ensure the availability of enforceable Data Subject rights and of effective legal remedies (in accordance with GDPR Article 46);
- all transfers take place with appropriate security measures in place to protect the Personal Data; and
- FalconDive complies with any reasonable instructions notified to it in advance by the Client with respect to the transfer of the Personal Data.
6. Sub-Processing
The sub-processors which FalconDive uses for the processing of Personal Data in accordance with this Agreement are listed in Schedule B of this Agreement, as may be amended or updated from time to time upon notification to the Client.
Pursuant to Article 28(2) of the GDPR, the Client grants to FalconDive a general authorisation to use Sub-processors to carry out processing activities on the Client's data in accordance with this clause 6. FalconDive's website shall list the Sub-processors used by FalconDive. At least 15 days before engaging a new Sub-processor, FalconDive shall update its website and notify the Client by email. The Client may object to such a Sub-processor by (i) ceasing to use the Services for which FalconDive has appointed the respective Sub-processor, or (ii) requesting that the data be stored in a data center/server which is not provided by the respective Sub-processor.
Prior to FalconDive engaging a Sub-processor to process any Personal Data related to this Agreement, FalconDive must:
- carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by the Data Protection Legislation;
- notify the Client of the intended Sub-processor, the processing and any international data transfers, in accordance with this clause 6;
- enter into a written agreement with the Sub-processor, applying the same data protection obligations set out in this Agreement, in particular providing sufficient guarantees to meet the security requirements of Article 32 of the GDPR;
- incorporate the European Commission Standard Contractual Clauses into any agreement with a Sub-processor when an international transfer is taking place to a country not providing adequate safeguards; and
- provide the Client with such information, regarding the Sub-processor, as it may reasonably require.
FalconDive shall remain fully liable for all acts or omissions of any Sub-processor.
7. Notification
FalconDive shall notify the Client without delay if it:
- becomes aware of a Personal Data Breach;
- receives a Data Subject Request;
- receives any other request, complaint or communication relating to the Parties' obligations under Data Protection Legislation;
- receives any communication from any Supervisory Authority or any other regulatory authority in connection with Personal Data processed under this Agreement; or
- receives a request from any third party for the disclosure of Personal Data.
The obligation to notify includes the prompt provision of further information to the Client upon the Client's request.
FalconDive shall not respond to any such requests, except on the documented instructions of the Client, unless FalconDive is obliged to respond by law, in which case FalconDive shall notify the Client of that obligation before responding to the request.
8. Assistance
FalconDive shall, taking into account the nature of the processing, provide the Client with reasonable assistance in relation to the Client's obligations under Data Protection Legislation to respond to requests for exercising Data Subject rights and to security, breach notifications, and consultations with supervisory authorities, insofar as possible and as may reasonably be required by the Client and applicable Data Protection Legislation, including by promptly providing:
- the Client with full details and copies of the complaint, communication or request;
- such assistance as is reasonably requested by the Client to comply with any request made by a Data Subject exercising their rights within the relevant timescales set out in the Data Protection Legislation, including but not limited to access, rectification, or deletion of data;
- the Client, at its request, any Personal Data it holds in relation to a Data Subject;
- full assistance to the Client in ensuring compliance with Articles 32-36 of the GDPR regarding security of personal data and data breaches; and
- assistance as requested by the Client with respect to any request from any Supervisory Authority, or any consultation between the Client and any Data Protection Supervisory Authority.
FalconDive shall, in accordance with its legal obligations as Data Processor and at no additional charge, expense or fee to the Client, provide all reasonable assistance to the Client in the preparation of any privacy impact assessment prior to the commencement of any processing activities. Such assistance may, at the Client's discretion, include, but is not limited to:
- a systematic description of the envisaged processing operations and the purpose of the processing;
- an assessment of the necessity and proportionality of the processing operations in relation to the services;
- an assessment of the risks posed to the rights and freedoms of the Data Subjects; and
- the measures envisaged to address the risks and ensure the protection of Personal Data, including safeguards, security measures and mechanisms.
9. Record Keeping
In line with its legal obligations as a Data Processor, FalconDive shall maintain complete and accurate records and information to meet the requirements of Article 30(2) of the GDPR and as evidence of meeting the requirements of Article 28 of the GDPR. FalconDive shall also provide these records to the Client upon request.
10. Audits
FalconDive shall allow for and contribute to audits of its Processing activity by the Client or the Client's designated auditor.
The Client shall give FalconDive reasonable notice of any audit and shall reasonably avoid causing any disruption to FalconDive's operations, equipment, premises, and personnel while the audit is being carried out.
FalconDive need not give access to its premises for the carrying out of such an audit:
- outside normal business hours at those premises, unless the audit needs to be conducted on an emergency basis and the Client has given notice to FalconDive that this is the case prior to the commencement of the audit outside normal business hours;
- for the purposes of more than one audit, in respect of FalconDive, in any calendar year, except for any additional audits which:
  - the Client reasonably considers necessary because of genuine concerns as to FalconDive's compliance with this Agreement; or
  - the Client is required or requested to carry out by Data Protection Legislation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Legislation in any country or territory; or
  - the Client has identified its concerns or the relevant requirement or request in its notice to FalconDive of the audit.
11. Deletion and Return of Data
Within ten (10) days of the termination date of this Agreement, the Client may, in its absolute discretion and by written notice, request FalconDive to:
- return a complete copy of all Client Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client; and/or
- delete and procure the deletion of all other copies of Personal Data processed by FalconDive and any other contracted Sub-processor.
If the Client does not request the return or retention of their data within thirty (30) days of the termination date of this Agreement, FalconDive will, without further notice, delete the Client's data and provide a certificate of destruction to confirm the deletion. Silence or failure to act within this period will be considered acceptance of data deletion. FalconDive is also required to ensure that any Sub-processor that is engaged deletes or returns Personal Data.
FalconDive and each contracted Sub-processor may nonetheless retain Personal Data to the extent required by Data Protection Legislation and any other applicable law to the extent and for such period as required by virtue of such laws and always ensuring the confidentiality of such data. FalconDive will notify the Client if this clause applies on receipt of a written notice as detailed under 11.1.
12. Agreement
This Agreement expressly replaces and supersedes any and all other agreements, oral or written, between the Parties hereto with respect to the subject matter hereof.
13. Amendments
The Client may, at any time, with no less than thirty (30) working days' notice, revise this addendum by replacing the terms with applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or those set by a relevant Supervisory Authority.
14. Data Protection Officer
FalconDive shall, where required, appoint a Data Protection Officer (DPO) and provide the Client the contact details of such person. The transmission of any communication between the Parties related to the Personal Data should be performed by e-mail.
If FalconDive is not required to appoint a Data Protection Officer, FalconDive will still provide details for a contact person for data protection issues.
The Client must appoint a DPO and forward contact details to FalconDive.
FalconDive has appointed a DPO/responsible person for Data Protection matters — Rakesh Manne, who may be contacted on rakesh.manne@lognormal.io.
15. Term and Termination
This Agreement shall enter into force concurrently with the Agreement and shall thereafter remain in force as long as the Agreement remains in force. This Agreement shall terminate, without notice, concurrently with the Agreement, regardless of the reason, save for those clauses which have been expressly stipulated to survive termination.
16. Liability
The Parties' liability for damages as a result of breaches of this Agreement is, unless otherwise expressly stated, subject to the same limitations of liability as set forth in the Agreement. In case of multiple claims for damages under this Agreement and the Service Agreement, such liability shall be cumulative in relation to the maximum liability.
Nothing contained within this Agreement relieves FalconDive of its own direct responsibilities and liabilities as a Data Processor under Data Protection Legislation.
17. Costs
Each Party is responsible for its own costs in relation to the preparation and performance of this Agreement, including but not limited to fees and costs for its own representatives, advisors, brokers and other intermediaries and authorities.
Any additional performance or speed enhancements beyond what has been agreed upon in this Agreement or its Schedules will be provided by FalconDive only at an additional cost. Such costs will be communicated and agreed upon with the Client prior to implementation.
18. Severability
If any provision, in whole or in part, of this Agreement shall be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, then the provision in question shall be deemed null and void whilst remaining provisions shall continue in full force and effect.
19. Disputes and Governing Law
The parties to this Agreement hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this Agreement.
Miscellaneous
In the event of any conflict between the terms of this DPA and any provision of the Services Agreement and any other agreement between the Parties, this DPA shall prevail solely with respect to any data protection matters.
Amendments to this agreement shall be made exclusively in writing. This also applies to this written-form requirement itself.
Should any provision of this agreement be invalid or ineffective, it shall, to the extent permitted by law, be replaced by that provision which comes closest in economic terms to the invalid or ineffective provision.
Schedule A — Instructions
Processing, Personal Data and Data Subjects
The Contractor shall comply with any further written instructions with respect to processing by the Customer. Any such further instructions shall be incorporated into this Schedule.
New transactions and events will be transferred to FalconDive in real time or on an agreed data refresh cycle.
Historical data (transactions such as deposits, withdrawals, bets placed) may be migrated from time to time and will be transferred via secure FTP upload, imported once to FalconDive and then the source file will be destroyed.
FalconDive will not collect any data on its own and will depend solely on the data provided by the Client.
The Client will use the FalconDive platform to orchestrate various reporting and analytical activities.
The FalconDive platform will process transactional data, and the Client may act on such data to engage the customer and/or notify internal teams.
FalconDive will not process, store, transmit, or access any sensitive personal data of the Client's customers.
Schedule B — Approved Sub-processors
Amazon Web Services (AWS), 38 Avenue John F. Kennedy, L-1855, Luxembourg
FalconDive may use the technical infrastructure provided by Amazon Web Services (AWS) in order to perform the Services stipulated in the Agreement with the Client. AWS is used for the following main purposes:
- Store the personal and transactional data of the Client's customers on AWS servers and databases.
- Enable the performance of the Services rendered by FalconDive, including the launch of marketing campaigns by the Client in relation to the Client's customers or data modelling/science activities.
- Enable segmentation processes of the data transferred by the Client to FalconDive, in accordance with the instructions of the Client.
AWS is SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017 and ISO 27018 certified.
FalconDive uses the AWS data center in London, England. However, if the Client stores data on servers located outside Europe, FalconDive may, for technical performance purposes, rely on another AWS data center and shall inform the Client accordingly of the location of such data center.
Schedule C — Technical and Organisational Security Measures
General Measures
The following control requirements are implemented across the FalconDive platform:
Information Security Policies
- A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
- Personnel agree to terms and conditions concerning information security.
- A formal information security risk assessment process shall be defined and implemented.
- An information security risk treatment process shall be implemented to select appropriate risk treatment options.
Organisation of Information Security
- All information security responsibilities shall be defined and allocated.
- Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of assets.
- Security measures shall be implemented to protect information accessed, processed or stored when using mobile computing and teleworking.
Human Resource Security
- Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics.
- All employees and contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures.
Asset Management
- Ownership of assets shall be assigned and managed during the asset's lifecycle.
- All employees and external party users shall return all assets upon termination.
- Information shall be classified in terms of legal requirements, value, criticality and sensitivity.
- Appropriate procedures for information labelling shall be developed and implemented.
- Sensitive and removable storage media shall be protected against unauthorized access, misuse or corruption.
Access Control
- Client information shall be protected from other cloud customers' or unauthorized persons' access.
- A formal user registration and de-registration process shall be implemented.
- Individual user identities shall be enforced.
- Privileged access rights shall be restricted and controlled.
- Default and temporary passwords shall be changed prior to use.
- Passwords shall be stored and transmitted securely.
- A secure password reset process shall be implemented.
- Access rights shall be reviewed and documented at regular intervals.
- Access rights shall be removed upon termination or adjusted upon change.
- Password quality requirements shall be enforced.
- Utility programs that might override system controls shall be restricted and tightly controlled.
- Access to systems and applications shall be controlled by a secure log-on procedure.
Physical and Environmental Security
- Security perimeters shall be defined and used to protect areas that contain sensitive or critical information.
- Secure areas shall be protected by appropriate entry controls.
- Physical protection against natural disasters, malicious attack or accidents shall be applied.
- Equipment shall be sited and protected to reduce risks from environmental threats.
- Equipment shall be protected from power failures and other disruptions.
- Security shall be applied to off-site assets.
Operations Security
- Operating procedures shall be documented and made available to all users who need them.
- Changes in systems and services shall be authorized, approved and communicated by and to appropriate stakeholders.
- A fallback procedure shall be defined and tested prior to a change being performed.
- Development, testing and operational environments shall be separated.
- Activities and decision points in the change process shall be logged.
- Detection, prevention and recovery controls to protect against malware shall be implemented.
- Backups of information, software and system images shall be taken according to business requirements.
- Backups shall be regularly tested to ensure data integrity.
- Event logs recording user activities, exceptions, faults and security events shall be produced, kept and regularly monitored.
- Logging shall be enabled on all firewalls and firewall logs shall be centrally retained.
- Logging facilities and log information shall be protected against tampering.
- Clocks of all relevant information processing systems shall be synchronized.
- Only supported and documented software shall be installed on operational systems.
- Physical and virtual machines shall be hardened according to recommendations.
- Vulnerabilities in systems and services shall be identified and managed.
Communications Security
- Networks shall be managed and controlled to protect information in systems and applications.
- Special controls shall be enabled to protect the confidentiality and integrity of data in transit (TLS encryption, WPA2, managed firewalls).
- Web application firewalls shall be in place in front of public facing web applications and services.
- Requirements for confidentiality or non-disclosure agreements shall be identified, regularly reviewed and documented.
System Acquisition, Development and Maintenance
- Rules for the development of software and systems shall be established and applied.
- Principles for engineering secure systems shall be documented, maintained and applied.
- Acceptance testing programs and related criteria shall be established for new information systems.
- Penetration testing shall be offered at least annually and after any significant upgrade or modification.
- Applications and APIs shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP).
- Regular manual and automated security testing shall be performed.
- Confidential or sensitive information shall never be used for testing purposes.
Incident Management
- Management responsibilities and procedures shall be established for quick, effective response to security incidents.
- Security events shall be reported through appropriate management channels as quickly as possible.
- Security events shall be assessed and classified as information security incidents where appropriate.
- Specific Incident Response Plans (IRP) shall be documented for identified security incidents.
- Yearly exercises shall test and improve the overall process and specific incident response plans.
Business Continuity
- All IT systems shall have a documented restore and recovery procedure.
- All disaster recovery plans and recovery procedures shall be verified and tested at regular intervals.
Compliance
- Financial data shall be archived in accordance with applicable legislation.
- Segregation of duties when processing financial data shall be defined and implemented.
- An SSL Labs rating of at least "A" shall be maintained for any external website used to store or access Client's data.
- Support for compliance of external and internal audits shall be provided.
- Information systems shall be regularly reviewed for compliance with security policies and standards.
Specific Measures
Data Accuracy
To ensure that data is accurate and correct at all times, three main measures have been put in place:
- The Client must capture and manage any and all errors from the FalconDive integration API. Every transmission must be verified as received by FalconDive with an OK response.
- Upon receiving such an OK verification, the Client may assume that FalconDive is responsible for ensuring that the data is processed and reflected in the FalconDive platform.
- The Client is responsible for provisioning the monitoring necessary to manage any failures in the transmission of data. FalconDive is responsible for provisioning the monitoring necessary to manage any failures in the processing of such data. FalconDive will provide the Client with a dashboard giving transparency of data reconciliation and any related issues.
Data Access and Data Security
Historical transactional data, or specific data corrections of a non-sensitive nature, may in some cases not be available via the API and must then be transferred in bulk. In such a case, the file including such transactions will be transferred securely using SFTP. Such files will be destroyed immediately after being processed in FalconDive's systems.
API Security
- The Client will provide FalconDive with an API key, which is required to use the API.
- All communication shall be made over an encrypted channel using HTTPS.
- The specific IP addresses used by the FalconDive platform to access the Client's API shall be whitelisted.
Encryption of User Data
In addition to the encryption the FalconDive platform already provides, the Client may suggest further encryption of fields or customer data, and FalconDive may propose a solution to support this within a reasonable timeframe.
Penetration Testing / System Audit
- The Client can, at its own discretion, organise penetration testing to audit the system. FalconDive will provide relevant resources to support such tests.
- The Client should give 14 days' notice before such a test takes place.
- FalconDive shall address any critical issues that might arise out of such a test.
Access to Environments
FalconDive should have full control of, and the relevant access rights to, the environment in order to keep the FalconDive platform operational at all times. Both Parties should regularly review access and ensure that only the minimum required access is provided.
Environments
The AWS environment may be provided by the Client and administered by FalconDive.
Contact us
For questions regarding this Data Processing Agreement, contact us at:
- Email — info@falcondive.io
- Phone — (+91) 4048960174