GDPR Compliance
General Data Protection Regulation
What is the GDPR?
On May 25, 2018, the European Union began enforcing a new data privacy law, the General Data Protection Regulation (GDPR). A primary aim of the GDPR is to harmonise data privacy laws across the European Union, to protect and empower all EU citizens' privacy both online and offline, and to reshape the way organisations across the EU approach their customers' personal data.
As such, any company that collects or processes personal data of EU citizens falls under the scope of the GDPR, even if the company has no physical presence in the European Union. This means that most businesses with a global or online presence, including Trackfuze, are required to follow the GDPR and apply it to all data processing activities.
At Trackfuze, we understand the importance of protecting your data and have adapted all services in accordance with the principles set out in the GDPR. This applies in particular where our clients use our products and services to process end-user data, regardless of whether this is personal data and/or business personal data.
Data Processing Addendum
The following Data Processing Addendum governs the processing of personal data by Trackfuze when acting as data processor and on behalf of our clients, the data controllers. In other words, a data processing addendum is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data where one company uses the services offered by another company to process data of its own end-users.
In order that you as a service user and data controller (referred to as "Controller" or "you" or "Client") may use or continue to use Trackfuze's platform (the "Services") offered by us, Trackfuze Limited and data processor (referred to as "Trackfuze" or "Processor"), you have agreed that these data processing terms ("Terms") shall apply in order to address the compliance obligations imposed upon Trackfuze and its Clients pursuant to applicable Data Protection Law and in particular, Regulation (EU) 2016/679 (GDPR).
1 Definitions
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party from time to time during the Term.
"Data Protection Law" means the data privacy laws applicable to the processing in connection with the Services, including, where applicable, the GDPR, or the applicable data privacy laws of any other relevant jurisdiction.
"Contractual Clauses" means the standard contractual clauses of the European Commission for the transfer of personal data across borders, as amended or replaced from time to time.
"Business Personal Data" means the personal data processed by Processor in connection with the Services on behalf of Client during the Term and may include Financial Data, Personal Data, and Special Categories Data as specifically required and transferred by the Client.
2 Appointment
Trackfuze is designated by its Clients, Client Affiliates and Business Affiliates (collectively "Instructing Parties") to provide and manage various services, including the Services on their behalf.
Processor is appointed by Client to process Business Personal Data on behalf of Client and/or the Instructing Parties, as the case may be, as is necessary to provide the Services or as otherwise agreed by the parties in writing.
3 Duration
The Terms shall commence on the Effective Date and shall continue in full force and effect until such time as all Services have ceased and all Business Personal Data in the Processor's possession or within its reasonable control has been returned or destroyed (the "Term").
4 Data Protection Compliance
In relation to its processing of Business Personal Data, save as otherwise required by law, Trackfuze agrees to:
- Process Business Personal Data only as required in connection with the Services and in accordance with Client's documented lawful instructions.
- Inform Client if, in Trackfuze's opinion, an instruction infringes Data Protection Law.
- Ensure that all personnel authorised by Trackfuze to process Business Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to appropriately safeguard Business Personal Data.
- Promptly inform Client of any data subject requests under Data Protection Law.
- Make available to Client information reasonably necessary to demonstrate Trackfuze's compliance with these Terms.
5 Subprocessors
Processor will sub-contract, outsource, assign, novate or otherwise transfer obligations under these Terms or engage any subcontractors involved in the processing of Business Personal Data only with Client's prior written consent.
When engaging a Subprocessor, Processor will carry out reasonable due diligence, enter into appropriate contracts, and inform Client of any intended changes concerning the addition or replacement of a Subprocessor.
6 Security Incidents
"Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Business Personal Data transmitted, stored or otherwise processed.
- Processor will notify Client without undue delay if Processor is aware of any Security Breach.
- Processor will investigate the Security Breach and take reasonable action to identify, prevent and mitigate the effects.
- Processor may not release or publish any notices concerning any Security Breach without Client's prior written approval.
7 International Data Transfers
Trackfuze will ensure that no Personal Data are transferred out of either:
- The data environment approved by the Client
- Any territory in which restrictions are imposed on the transfer of Personal Data across borders under Data Protection Laws
without the prior written consent of Client. Trackfuze will ensure that Contractual Clauses, or another applicable transfer mechanism, are in place to ensure an adequate level of data protection.
8 Audit
Client (or its designated representatives) may, on an annual basis or more frequently as reasonably requested, conduct an audit to verify that Trackfuze is operating in accordance with this DPA. Trackfuze will cooperate with Client in conducting any such audit.
Trackfuze shall correct any deviations from Security Best Practices that are identified in any security audit as soon as practicable, but in no event more than five days after receiving notice from Client.
9 Security Measures
Trackfuze represents, warrants, and undertakes that it has established and will at all times enforce an ongoing program of Security Policies, Security Procedures, and Security Technical Controls, which includes:
Information Security
- Privacy and security incident management
- Security awareness program
- Business continuity and disaster recovery
- Periodic independent security risk evaluations
Physical Access
- Physical protection mechanisms
- Facility and room entry controls
- Access monitoring and "need to know" basis
- Secure data destruction procedures
Logical Access
- User authentication and authorisation
- Auditable access logs
- Password encryption and management
- Account revocation procedures
System & Network
- Current security patches
- Security alert monitoring
- Network segregation
- Anti-virus software
Minimum Technical Measures
10 Cross Border Data Transfer Mechanisms
In the event the Services are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence:
- Trackfuze's binding corporate rules
- The applicable Standard Contractual Clauses
- Other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law
11 Standard Contractual Clauses
The parties agree that the 2021 Standard Contractual Clauses for international transfers will apply to personal data that is transferred via the Services from the European Economic Area or Switzerland to any country not recognised as providing an adequate level of protection.
Applicable Modules:
- Module One (Controller to Controller) - Where Trackfuze is processing Client Account Data
- Module Two (Controller to Processor) - Where Client is a controller of Client Content
- Module Three (Processor to Processor) - Where Client is a processor of Client Content
- Module Four (Processor to Controller) - Where Client is a processor of Client Usage Data