This Data Processing Addendum (“DPA”) forms an integral part of the main agreement (“Agreement”) between Sportority Inc. d/b/a Minute Media, and/or its Affiliate entity as set out in the Agreement (“Minute Media”) and the counterparty agreeing to those terms (“Recipient”, each a “Party”, together the “Parties”), in the context of which Personal Data is disclosed to or processed by the Recipient. This DPA is entered into by Minute Media and Recipient and supplements the Agreement, and any future related documents and business engagements between the Parties. This DPA will be effective, and replaces any previously applicable terms relating to its subject matter, from the effective date of the Agreement.
If you are accepting this DPA on behalf of Recipient, you warrant that: (a) you have full legal authority to bind Recipient to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Recipient, to this DPA. If you do not have the legal authority to bind Recipient, please do not accept this DPA.
This DPA reflects the Parties’ agreement on the processing of Personal Data in connection with the Parties’ obligations under the Agreement in accordance with the Data Protection Laws.
Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.
In this DPA:
“Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
“Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
“Data Protection Laws” means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including, but not limited to: (i) the Privacy and Electronic Communications Directive 2002/58/EC (as amended, and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); (ii) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (iii) the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); (iv) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and (v) the Canadian Personal Information Protection and Electronic Documents Act or any substantially similar provincial legislation and any amendments or replacements to the foregoing.
“Data Subject” means a natural person to whom Personal Data relates.
“EU-U.S. DPF” means the EU-U.S. Data Protection Framework adopted by the Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the Adequate Level of Protection of Personal Data Under the EU-US Data Privacy Framework.
“European Economic Area” consists of the member states of the European Union (“EU”) and Iceland, Liechtenstein and Norway.
“Personal Data” means any personally identifiable information including “personal data” or “personal information” (as these terms are defined under the applicable Data Protection Laws), and that is shared with or processed by the Recipient in the context of the performance of the Agreement.
“Security Incident” means any accidental or unlawful destruction, deletion, loss, alteration, unauthorized disclosure, processing or use of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR) will comprise a Security Incident.
“Standard Contractual Clauses" means (a) where the GDPR applies, the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en; and (b) with respect to data transfers to which the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March, 2022, as available here: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf ("UK Addendum"); both (a) or (b) above, as applicable, are incorporated herein by reference and subject to the amendments set forth in Schedule A.
“UK-US Bridge” means the Data Protection (Adequacy) (United States of America) Regulations 2023, effective from 12 October 2023.
The terms “controller”, “processing” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, a controller shall be deemed a “Business” and a processor shall be deemed to be a “Service Provider” or a “Contractor”, as these terms are defined in the CCPA or CPRA.
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
The Parties acknowledge and agree that this DPA will only apply to the extent that: (i) either Party processes Personal Data made available by the other Party in connection with the Agreement; and (ii) the Data Protection Laws apply to the processing of such Personal Data.
Independent Controllers. Each Party acknowledges and agrees that it:
(a) is an independent controller of Personal Data under the Data Protection Laws;
(b) will, as required under the Data Protection Laws, maintain accurate written records of all the processing activities conducted by it in the course of performing its respective obligations under the Agreement;
(c) will individually determine the purposes and means of its processing of Personal Data;
(d) will be responsible for ensuring that any Personal Data collected and processed by it is accurate and remains accurate for the duration of its processing;
(e) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data;
(f) will be responsible for exercising and responding to any requests by Data Subjects exercising his or her rights under the Data Protection Laws, including, but not limited to, Articles 15-22 of the GDPR (“Data Subject Rights”);
(g) will provide reasonable cooperation and assistance to the other Party in connection with a Data Subject exercising his or her Data Subject Rights; and
(h) will promptly notify the other Party of any circumstances in which it is unable or becomes unable to comply with this DPA or the applicable Data Protection Laws, or any actual or potential changes to the applicable Data Protection Laws, if this shall affect the other Party’s ability to comply with its obligations under this DPA or the applicable Data Protection Laws.
Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.
Sharing of Personal Data. In performing its obligations under the Agreement, Recipient shall process Personal Data provided by Minute Media only for the purposes set forth in the Agreement or as otherwise agreed to in writing by the Parties, and such processing shall strictly comply with the applicable Data Protection Laws and Recipient’s obligations under the Agreement (the “Permitted Purposes”). In performing its obligations under the Agreement, Recipient agrees that it will not do, or permit any act or omission, in the course of processing Personal Data provided by Minute Media which would cause Minute Media to incur any liability under the Data Protection Laws. Recipient shall process Personal Data solely during the term of the Agreement, and shall securely delete or return the copies of the disclosed Personal Data to Minute Media (by secure file transfer in such format as Minute Media reasonably requests) and cease the processing of the disclosed Personal Data upon termination of the Agreement, and shall certify to Minute Media to that effect, unless and only insofar as the processing of the Personal Data is required for the fulfillment of the Permitted Purposes or is permissible under Data Protection Laws, and in which case the Recipient will inform Minute Media of any such requirement and only further process the Personal Data as necessary to comply with the foregoing. With respect to Personal Data collected under this DPA via cookies/pixels/beacons or similar tracking technologies, Recipient will comply, where and when legally necessary, with end user's opt-out or consent signals transmitted via Minute Media's and/or its partners’ consent mechanisms or otherwise.
Lawful Grounds and Transparency. Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of the applicable Data Protection Laws. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use and all required notices, in accordance with the applicable Data Protection Laws, including Articles 13 and 14 of the GDPR. Both Parties will cooperate in good faith in order to identify the information disclosure requirements and each party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.
Subcontracting. Where either Party subcontracts the processing activities of Personal Data contemplated herein to a third party, it shall ensure that such third party enters into written contractual obligations which are (in the case of a third party controller) no less onerous than those imposed by this DPA or (in the case of a third party processor) compliant with Article 28 of the GDPR. Each Party shall be liable for the acts or omissions of its subcontractors to the same extent it is liable for its own actions or omissions under this DPA.
Where the GDPR or UK GDPR apply, either Party may transfer Personal Data outside the European Economic Area, UK or an Approved Jurisdiction, subject to one of the appropriate safeguards in Article 46 of the GDPR or UK GDPR. Such transfer to the United States may be carried out in accordance with the EU-U.S. DPF and UK-US Bridge.
Where the GDPR or UK GDPR apply, to the extent that Recipient processes Personal Data outside the European Economic Area, UK or an Approved Jurisdiction, or Recipient is a U.S. entity not certified under the EU-U.S. DPF or UK-US Bridge, then the Parties shall be deemed to enter into module 1 of the Standard Contractual Clauses and/or the UK Addendum, as applicable, subject to any amendments contained in Schedule A, in which event: (i) the Standard Contractual Clauses or the UK Addendum, as applicable, are incorporated herein by reference; and (ii) Minute Media shall be deemed the data exporter and the Recipient shall be deemed the data importer (as these terms are defined therein).
The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under the applicable Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data collected, processed and transferred under the Agreement.
If a Party suffers a confirmed Security Incident with respect to Personal Data disclosed from the other Party, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. If a Party suffers a confirmed Security Incident, then such Party shall be responsible to notify the supervisory authority and/or the Data Subjects with respect to such Security Incident, as required under Data Protection Laws.
Each Party shall:
appoint at least one representative as point of contact and responsible manager for all issues arising out of the Data Protection Laws (a "Designated Representative") and the Designated Representative(s) of both Parties will work together in good faith to reach an agreement with regards to any issues arising from time to time in relation to the processing of Personal Data in connection with the Agreement and this DPA. For the purpose of this DPA, Minute Media’s Designated Representative is Leora Goldstein Esq., dpo@minutemedia.com and Recipient’s Designated Representative;
use reasonable measures to consult with the other Party about any notices given to Data Subjects in relation to the processing of Personal Data under the Agreement;
inform the other Party (without undue delay) in the event that it receives a Data Subject request related solely and exclusively to the other Party's respective processing activities and provide all reasonable assistance to ensure the Data Subject’s request(s) is completed within the timeframe set out in Data Protection Laws;
provide the other Party with reasonable assistance (having regard to the data available to it) to enable the other Party to comply with and respond to any request or inquiries received by the other Party from supervisory authorities, Data Subjects, customers, or others;
provide the other Party with such assistance as the other Party may reasonably request from time to time to enable the other Party to comply with its obligations under the Data Protection Laws including, without limitation, with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
in the event of an actual or potential Security Incident which does or is reasonably likely to affect the respective processing activities of both Parties, liaise with the other Party in good faith to consider what action is required to resolve the issue in accordance with the Data Protection Laws, and provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.
To the extent that Recipient processes Personal Data of California residents for a Business Purpose (as it is defined under the CCPA or CPRA), it shall be regarded as a Service Provider and be subject to the following obligations:
Recipient shall not sell nor share such Personal Data (as the terms "sell" and "share" are defined under the CCPA and CPRA).
Recipient is prohibited from retaining, using, or disclosing such Personal Data for a commercial purpose other than providing the services to Minute Media under the Agreement and from retaining, using, or disclosing such Personal Data outside of the Agreement.
Recipient understands its obligations under this clause and will comply with them.
If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities under the Agreement (a "DP Claim"), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim.
Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim.
Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
Notwithstanding anything else in the Agreement, the total liability of either Party towards the other party under or in connection with this DPA will be limited to US$50,000. This limitation of liability will not apply to Recipient’s indemnification obligations under Section 11 of this DPA.
Recipient will defend, indemnify and hold harmless Minute Media and its past or present partners, officers, directors, shareholders, employees, members, affiliates, parent and subsidiary corporations, agents, successors in interests, predecessors in interests and assigns from any cost, charge, damages, claims, settlements, fines, liabilities, expenses (including attorneys’ fees and costs) or losses incurred as a result of Recipient’s breach of any of the provisions of this DPA.
If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
Recipient acknowledges and agrees that Minute Media may amend this DPA as may be required from time to time, by posting an amended DPA to this link: https://www.minutemedia.com/policies/data-protection-agreement. Any amendments to the DPA are effective as of the date of posting. Recipient’s continued use of the Services after the amended DPA is posted constitutes its agreement to, and acceptance of, the terms of the amended DPA.
If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.
This Schedule A sets out the Parties' agreed interpretation of their respective obligations under Module One of the Standard Contractual Clauses.
The Parties agree that for the purpose of transfer of Personal Data between Minute Media (Data Exporter) and the Recipient (Data Importer), the following shall apply:
(2.1) Clause 7 of the Standard Contractual Clauses shall not be applicable.
(2.2) For Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
(2.3) For Clause 13, the supervisory authority shall be the Irish Data Protection Commission.
(2.4) For Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the laws of Ireland.
(2.5) For Clause 18(b) the Parties choose the courts of Dublin, Ireland as their choice of forum and jurisdiction.
To the extent the UK Addendum applies, the following shall apply as well:
(3.1) All the information provided under the Standard Contractual Clauses shall apply to the UK Addendum with the necessary changes per the requirement of the UK Addendum. Annexes 1A, 1B and 2 to the UK Addendum shall be replaced with Annexes I–II below, respectively.
(3.2) For Table 4 of the UK Addendum, the Parties agree that either Party may terminate the DPA in accordance with Section 19 of the UK Addendum.
The Parties shall complete Annexes I–II below, which are incorporated in the Standard Contractual Clauses by reference.
Description of the technical and organizational measures implemented by the Recipient (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Recipient actively follows information security trends and developments as well as legal developments with regards to the services provided and especially with regards to Personal Data and uses such insights to maintain its ISMS, as appropriate.
To the extent Recipient processes cardholder or payment data (such as payment or credit cards), Recipient will maintain its ISMS in accordance with the PCI DSS standard, augmented to cover Personal Data, or such other alternative standards that are substantially equivalent to PCI DSS for the establishment, implementation, and control of its ISMS. Additionally, Recipient will be assessed against PCI DSS annually by a non-site assessment carried out by an independent QSA (Qualified Security Assessor) and, upon Minute Media's request, not to exceed once annually, Recipient will provide Minute Media with its PCI DSS attestation of compliance.
Maintaining security policies and procedures;
Secure development, operation and maintenance of software and systems;
Security alert handling;
Security incident response and escalation procedures;
User account administration; and
Monitoring and control of all systems as well as access to Personal Data.
Personnel are screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared or that could affect the security of Personal Data, a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring. Recipient has implemented a risk-assessment process that is based on ISO 27005.
Establishing and evolving a process to identify and fix (e.g. through patching) security vulnerabilities, which ensures that all system components and software are protected from known vulnerabilities;
Developing internal and external software applications, including web applications, securely, using a secure software development process based on best practices (such as code reviews and OWASP secure coding practices) that incorporates information security throughout the software development lifecycle; and
Implementing a stringent change management process and procedures for all changes to system components that includes strict separation of development and test environments from production environments and prevents the use of production data for testing or development.
Limiting access to system components and Personal Data to only those individuals whose job requires such access; and
Establishing and maintaining an access control system for system components that restricts access based on a user’s need to know, with a default “deny-all” setting.
Recipient identifies and authenticates access to all system components by assigning a unique identification to each person with access. This ensures that each individual is uniquely accountable for their actions and that any actions taken on critical data and systems can be traced to known and authorized users and processes. Necessary processes to ensure proper user identification management, including control of addition/deletion/modification/revocation/disabling of IDs and/or credentials, lock-out of users after repeated failed access attempts and timely termination of idle sessions, have been implemented.
User authentication utilizes at least passwords that have to meet complexity rules, which need to be changed on a regular basis and which are cryptographically secured during transmission and storage on all system components. All individual non-console and administrative access and all remote access use multi-factor authentication.
Authentication policies and procedures are communicated to all users, and group, shared or generic IDs/passwords are strictly prohibited.
Processes to test for rogue wireless access points;
Internal and external network vulnerability tests that are carried out at least quarterly. An external, qualified party carries out the external network vulnerability tests; and
External and internal penetration tests using Recipient's penetration test methodology, which is based on industry-accepted penetration testing approaches, covers all relevant systems and includes application-layer as well as network-layer tests.
All test results are kept on record and any findings are remediated in a timely manner.
Recipient does not allow penetration tests carried out by or on behalf of its customers.
In daily operations an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.
Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
Specific incident response procedures,
Analysis of legal requirements for reporting compromises,
Coverage of all critical system components,
Regular review and testing of the plan,
Incident management personnel that is available 24/7,
Training of staff,
Inclusion of alerts from all security monitoring systems, and
Modification and evolution of the plan according to lessons learned and to incorporate industry developments.
Recipient has also implemented a business continuity process (BCP) and a disaster recovery process (DRP) that are maintained and regularly tested. Data backup processes have been implemented and are tested regularly.