ScroogeFrog Data Processing Addendum

This Data Processing Addendum with its appendices (the «DPA») is incorporated into the Agreement available at _________ and as updated from time to time (or other electronic or mutually executed written agreement) between ScroogeFrog and the Customer that references it (the «Agreement»). This DPA is effective as of the effective date of the Agreement. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

1. Definitions

All capitalized terms not specifically defined in this DPA shall have the meanings assigned to them in the Agreement. The following terms shall be understood as follows:

  • «Applicable Data Protection Laws»: Any legislation applicable to ScroogeFrog or the Customer that safeguards the rights and privacy of individuals with respect to the processing of Personal Data. This includes the GDPR, US Data Protection Legislation, any national implementing or supplementary legislation, and other applicable privacy or data protection laws relevant to ScroogeFrog or the Customer. In this DPA, terms such as «controller,» «processor,» «data subject,» «process,» «service provider,» «subprocessor,» «personal data breach,» «data importer,» «data exporter» and their variations shall have the meanings ascribed to them in the Applicable Data Protection Laws.
  • „Authorised Business Purposes“: The use of Personal Data for operational purposes deemed reasonably necessary, including those outlined in the CPRA and for the following ScroogeFrog processing purposes: (i) ensuring compliance with applicable regulations, including the retention of proof of such compliance, (ii) establishing, exercising, or defending legal claims, (iii) developing, testing, and improving the functionality of the Service, including for machine learning, data annotation, testing, and training for fraud prevention and detection, and generating anonymized or aggregated statistical reporting and research.
  • „CPRA“: The California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq).
  • „EEA“: The European Economic Area.
  • „GDPR“: The Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • „Personal Data“: Any Customer Data, including End Users’ data that: (a) is linked or reasonably linkable to an identified or identifiable individual; or (b) is otherwise defined as „personal data,“ „personal information,“ „personally identifiable information,“ or similar under the Applicable Data Protection Laws.
  • „Personal Data Breach“: A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data that is transmitted, stored, or otherwise processed.
  • „Sold“ and „Shared“: As defined by applicable US Data Protection Legislation.
  • „Standard Contractual Clauses“ or „SCCs“: The European Commission’s standard data protection clauses for transferring personal data to third countries, as set out in Implementing Decision (EU) 2021/914 of 4 June 2021, and as may be amended or replaced by the European Commission or any relevant authority.
  • „Third Country“: Refers to a country or territory where the personal data is processed, and ensures an adequate level of protection for the rights and freedoms of data subjects in relation to personal data processing.
  • „US Data Protection Legislation“: United States federal and state laws relevant to data protection and/or privacy, including but not limited to the CPRA, as applicable to ScroogeFrog or the Customer and as amended over time.

2. Scope and Roles of Personal Data Processing

2.1. ScroogeFrog acts as a processor and processes the Personal Data provided by the Customer or its End Users for and on behalf of the Customer as necessary for the provision of the Service, which includes the Service’s quality assurance and improvement activities, and, to the extent allowed by law, for the Authorised Business Purposes.

2.2. The Customer is a controller, determines the purposes and scope of processing, and instructs ScroogeFrog on how to process the Personal Data unless the processing is allowed or mandated by the law of the European Union, any European Union member state, or any other applicable law to which ScroogeFrog is subject; in such a case ScroogeFrog shall inform the Customer before processing the Personal Data unless ScroogeFrog is legally not allowed to notify the Customer.

2.3. Where ScroogeFrog acts as a processor on the Customer’s behalf, the parties will comply with the obligations set out in this Agreement.

2.4. Regarding the Personal Data of the parties’ representatives, each party shall be individually and separately responsible for complying with the obligations that apply to it under the Applicable Data Protection Laws.

3. Personal Data Processing

3.1. Appendix A describes the subject matter, duration, nature, and purpose of processing, the Personal Data categories, categories of data subjects, and ScroogeFrog’s role.

3.2. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Laws.

3.3. The parties agree that this DPA and the Agreement, including instructions provided by the Customer to ScroogeFrog through the Service, together form the Customer’s documented instructions regarding ScroogeFrog’s processing of Personal Data («Customer’s Instructions»). ScroogeFrog will only process Personal Data according to these Customer’s Instructions. Any additional instructions outside this scope will require a prior written agreement between ScroogeFrog and the Customer. Given the nature of the processing, the Customer acknowledges that ScroogeFrog may be unable to assess whether the Customer’s Instructions violate any of the Applicable Data Protection Laws. However, should ScroogeFrog form such an opinion, it will immediately notify the Customer, who may then choose to withdraw or modify the Customer’s Instructions.

3.4. ScroogeFrog shall keep all Personal Data confidential and will not disclose it to third parties unless explicitly authorized by the Customer or the Agreement, or as required by law. If a legal requirement mandates that ScroogeFrog process or disclose the Personal Data, ScroogeFrog must first inform the Customer of this requirement, allowing the Customer an opportunity to object or challenge it, unless prohibited by law from providing notice. ScroogeFrog will ensure that all personnel with access to Personal Data:

  • are informed of the confidential nature of the Personal Data and are bound by confidentiality and usage restrictions regarding the Personal Data;
  • have received training on the Applicable Data Protection Laws relevant to handling Personal Data and understand how they apply to their specific duties;
  • are aware of both ScroogeFrog’s obligations and their own personal responsibilities under the Applicable Data Protection Laws and this DPA.

3.5. ScroogeFrog will take reasonable steps to ensure the reliability, integrity, and trustworthiness of the personnel with access to Personal Data, including conducting background.

3.6. ScroogeFrog will provide reasonable assistance to the Customer in meeting compliance obligations under the Applicable Data Protection Laws. This assistance, considering ScroogeFrog’s role in processing and the information available, will include support for the exercise of data subject rights, conducting data protection impact assessments, and consulting with supervisory authorities as required by the Applicable Data Protection Laws.

4. Use of Sub-processors

4.1. ScroogeFrog has the Customer’s general authorization to engage sub-processors to support the provision of services. A current list of sub-processors is available in Appendix C and is updated periodically.

4.2. ScroogeFrog shall inform the Customer of any intended addition or replacement of subprocessors, providing the Customer with an opportunity to object within thirty (30) days of receiving such notification.

4.3. ScroogeFrog shall ensure that each sub-processor complies with data protection obligations equivalent to those set out in this DPA, including adherence to appropriate SCCs or other lawful transfer mechanisms when transferring Personal Data outside the EEA.

5. International Data Transfers

5.1. ScroogeFrog shall only transfer the Personal Data to a third country or international organization in compliance with applicable transfer mechanisms under the Applicable Data Protection Laws.

5.2. For transfers of Personal Data, including through the Service, to Customers outside of the EEA or Third Countries, the SCCs Modules 1 and 4 are incorporated into this DPA by reference and form an integral part of the Agreement. In such circumstances, parties agree as follows:

  • ScroogeFrog is the «data exporter»;
  • The Customer is the «data importer»;
  • Clause 7 (Docking clause): Not applicable;
  • Clause 11 (Redress): The optional level will not apply;
  • Clause 17 (Governing law): The laws of the Republic of Estonia apply. For Clause 17, option 1 applies to Module 1;
  • Clause 18 (Choice of forum and jurisdiction): The Harju County Court (Estonia, Tallinn) has jurisdiction. For Clause 18 (b) the courts of Estonia apply to Module 1;
  • Annex I of the SCCs is completed with the information in Appendix A to this DPA;
  • Annex II of the SCCs is completed with the information in Appendix B to this DPA;
  • Annex III of the SCCs is completed with the information in Appendix C to this DPA.

5.3. If ScroogeFrog implements an alternative transfer mechanism different from those outlined in this DPA (including any revised version or successor to the Standard Contractual Clauses) due to factors like an amended or rescinded list of Third Countries or changes in other relevant transfer mechanisms impacting the validity of current methods, the new transfer mechanism will automatically replace the previous ones specified in this DPA. The Customer agrees to fully assist ScroogeFrog in amending this DPA and/or taking any actions needed to legally implement the alternative transfer mechanism. If either ScroogeFrog or the Customer adopts and certifies compliance with the alternative mechanism, the Customer represents and warrants that it will comply with all legal principles and requirements related to that mechanism. Furthermore, if a court with appropriate jurisdiction or a supervisory authority issues an order declaring that the provisions outlined in this DPA are no longer valid for lawful cross-border data transfers, then at the request of either party, both parties will work together to address any issues related to non-compliance.

6. Security Measures

6.1. ScroogeFrog shall implement and maintain appropriate security, technical, and organizational measures to protect the Personal Data as specified in Appendix B.

6.2. ScroogeFrog shall regularly monitor, review, and update its security practices to ensure ongoing compliance with industry standards and the Applicable Data Protection Laws.

7. Data Subject Requests, Complaints, and Other Data Subject Rights and Third-Parties Rights

7.1. ScroogeFrog shall assist the Customer in responding to requests from data subjects exercising their rights (e.g., access, rectification, erasure) under the Applicable Data Protection Laws by implementing appropriate technical and organizational measures.

7.2. ScroogeFrog must notify the Customer immediately and without undue delay upon receiving a request from a data subject to access their Personal Data or to exercise any of their related rights under Applicable Data Protection Laws.

7.3. ScroogeFrog will provide the Customer with full cooperation and assistance in responding to any complaint, notice, communication, or other data subject request regarding Personal Data processing.

7.4. ScroogeFrog must not disclose Personal Data to any data subject or third party except at the Customer’s Instruction, or as required by law.

7.5. Upon instruction from the Customer, ScroogeFrog will correct or delete Personal Data in accordance with the Customer’s request, provided such action does not conflict with any applicable legal requirements.

8. Personal Data Breach

8.1. ScroogeFrog will promptly and without undue delay notify the Customer if any Personal Data is lost, destroyed, damaged, corrupted, or becomes unusable.

8.2. ScroogeFrog will also notify the Customer immediately and without undue delay if it becomes aware of any accidental, unauthorized, or unlawful processing of the Personal Data or any Personal Data Breach.

8.3. Upon becoming aware of the circumstances described in clause 8.2, ScroogeFrog will, without undue delay, provide the Customer with the following information: (i) a description of the causes and nature of the breach or incident, including the categories and approximate number of both affected data subjects and Personal Data records; (ii) the likely consequences; and (iii) a description of measures taken or proposed to address the issue, including measures to mitigate possible adverse effects.

8.4. Immediately following any unauthorised or unlawful processing of the Personal Data or the Personal Data Breach, the Parties will coordinate to investigate the matter. ScroogeFrog will cooperate with the Customer in handling the issue.

8.5. ScroogeFrog will not inform any third party of the Personal Data Breach without first obtaining the Customer’s prior written consent, except when required by law.

8.6. The Customer has sole discretion to determine: (i) whether to notify data subjects, supervisory authorities, regulators, law enforcement, or other entities about a Personal Data Breach, including the content and method of notification; and (ii) whether to offer any type of remedy to affected data subjects, including the nature and scope of such a remedy.

8.7. ScroogeFrog will cover all reasonable expenses associated with meeting these obligations unless the issue arose due to the Customer’s specific instructions, negligence, willful misconduct, or breach of this DPA or the Agreement, in which case the Customer will cover such reasonable expenses.

9. Data Protection Impact Assessment

9.1. Upon request, ScroogeFrog shall provide reasonable assistance to the Customer in conducting data protection impact assessments (DPIAs) when required by law.

10. Data Retention, Return, and Deletion

10.1. Upon the Customer’s request, ScroogeFrog will provide a copy of or access to the Customer’s Personal Data within its possession or control in the format and media reasonably specified by the Customer.

10.2. ScroogeFrog will cease processing and delete or, if directed in writing by the Customer, return all or any portion of the Customer’s Personal Data related to this Agreement upon (i) the Customer’s instruction in connection with the Service, or (ii) the Customer’s written request in connection with the termination or expiration of this Agreement for any reason, or (iii) within one year after termination or expiration of this Agreement.

10.3. If any applicable law, regulation, or governmental or regulatory authority requires ScroogeFrog to retain any documents or materials that would otherwise be returned or destroyed, ScroogeFrog will notify the Customer in writing of this retention requirement, including details of the specific documents or materials, the legal basis for retention, and a timeline for destruction once the retention requirement expires.

10.4. Following the Customer’s instruction to delete the Personal Data, ScroogeFrog will confirm in writing that the Personal Data has been destroyed within 30 days of completing the deletion process.

11. Audits and Inspections

11.1. ScroogeFrog shall allow for and contribute to audits conducted by the Customer or a Customer’s designated auditor. Audits may occur with at least thirty (30) days' notice, during regular business hours, and are limited to one (1) audit annually unless otherwise warranted by a Personal Data Breach.

11.2. The audit shall be limited to areas relevant to ScroogeFrog’s data processing activities, and both parties agree to maintain confidentiality regarding all audit findings. The Customer must also ensure that its representatives conducting the audit maintain the confidentiality of all information obtained during the audit, in accordance with the Agreement.

11.3. The Customer is required to reimburse ScroogeFrog for the time spent conducting an audit at ScroogeFrog’s reasonable professional service rates, which will be provided to the Customer upon request. Furthermore, if requested by ScroogeFrog, the Customer shall execute an enhanced nondisclosure agreement that is mutually acceptable. Additionally, the Customer must comply with ScroogeFrog’s security policies while present on ScroogeFrog’s premises. The Customer is also obligated to promptly disclose to ScroogeFrog any written audit report generated and any findings of noncompliance identified during the audit.

12. Liability and Indemnification

12.1. Each party’s liability under this DPA is subject to the limitations of liability specified in the Agreement, except where prohibited by applicable law.

13. Governing Law and Jurisdiction

13.2. Any disputes arising out of or related to this DPA shall be resolved in the courts of Estonia.

14. Duration and Termination

14.1. This DPA shall remain in full force and effect as long as: (a) the Agreement is in effect, or (b) ScroogeFrog retains any Personal Data related to the Agreement in its possession or control (collectively referred to as the «Term»).

14.2. ScroogeFrog is entitled to terminate this DPA if, after ScroogeFrog notifies the Customer that its instructions violate any of the Applicable Data Protection Laws, the Customer insists on adherence to those instructions.

14.3. Any provision of this DPA that, expressly or by implication, should come into or continue in effect after the termination of the Agreement in order to protect Personal Data shall remain in full force and effect.

14.4. In the event that a change in any of the Applicable Data Protection Laws hinders either party from fulfilling all or part of its obligations under the Agreement, both parties will suspend the processing of Personal Data until compliance with the new requirements is achieved. If the parties are unable to bring the Personal Data processing into compliance with the Applicable Data Protection Laws within two months, either party may terminate the Master Agreement by providing written notice to the other party.

15. US Data Protection Legislation

15.1. This section applies in addition to the other parts of this DPA and is relevant to the extent that US Data Protection Legislation governs the processing of Personal Data for the provision of the Service and Authorised Business Purposes.

15.2. Regarding the Personal Data subject to US Data Protection Legislation, ScroogeFrog is prohibited from, without the Customer’s instruction, (i) selling or sharing the Personal Data; (ii) retaining, using, or disclosing the Personal Data for any purpose other than the Authorised Business Purposes or as otherwise permitted by Applicable Data Protection Laws; (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the Parties; and (iv) combining the Personal Data with any Personal Data received from or on behalf of another individual or individuals, or collected through its own interactions with the data subject unless it’s anonymized or it is otherwise permitted by Applicable Data Protection Laws or instructed by the Customer.

15.3. ScroogeFrog will promptly notify the Customer if it determines that it can no longer fulfill its obligations under US Data Protection Legislation.

15.4. ScroogeFrog shall not materially decrease the level of security provided for the protection of Personal Data.

15.5. ScroogeFrog certifies that it understands the restrictions and obligations outlined in this DPA and will comply with them.

Appendix A. Description of the Data Processing and Transfer

A. LIST OF PARTIES

Applicable SCCs Module | MODULE 1 | MODULE 4
Name | Scrooge Frog OÜ
Address | 1 Ilmatsalu tn 36-24 Tartu 50408, Estonia
Role in the transfer | Data exporter | Data exporter
Contact person’s name, position, and contact details | The contact details for ScroogeFrog as stated in the Agreement. Scrooge’s privacy team can be contacted at antifraud@scroogefrog.com
Activities relevant to the data transferred under these Clauses/Subject matter | ScroogeFrog and the Customer process each other’s representatives’ data to manage the relationship under the Agreement | Processing Personal Data for the purpose of providing Service by ScroogeFrog to the Customer under the Agreement, as well as supporting, and improving the Service according to the Agreement and Authorised Business Purpose
Signature and date | The parties agree that execution of the Agreement constitutes execution of this Appendix A by both parties
Role | Controller | Processor

Applicable SCCs Module | MODULE 1 | MODULE 4
Name | Controller
Role in the transfer | Data importer | Data importer
Address | The address for Customer associated with its ScroogeFrog Account or as otherwise stated in the Agreement
Contact person’s name, position, and contact details | The contact details for ScroogeFrog as stated in the Agreement. Scrooge’s privacy team can be contacted at antifraud@scroogefrog.com
Activities relevant to the data transferred under these Clauses/Subject matter | ScroogeFrog and the Customer process each other’s representatives’ data to manage the relationship under the Agreement | Processing Personal Data for the purpose of providing Service by ScroogeFrog to the Customer under the Agreement, as well as supporting, and improving the Service according to the Agreement and Authorised Business Purpose
Signature and date | The parties agree that execution of the Agreement constitutes execution of this Appendix A by both parties
Role | Controller | Controller

B. DESCRIPTION OF TRANSFER

Applicable SCCs Module | MODULE 1 | MODULE 4
Categories of data subjects whose personal data is processed/transferred | The data subjects include ScroogeFrog’s or Customer’s representatives | End Users of the Customer
Categories of personal data transferred | The work-related contact details of the parties’ representatives | Browser and device information, such as the device type and model, manufacturer, operating system type and version (e.g. iOS or Android), web browser type and version (e.g., Chrome or Safari), user-agent, time zone, the network connection type, IP address, referrer URL, number of fonts, fonts hash, number of plugins, plugins hash, screen height and width, color depth, platform, whether the resolution has been tampered, language or OS, whether ad blocking is enabled, whether do not track is enabled; End User’s behavior on Customer’s website or another Customer-owned webpage, such as information about the activities on those Customer’s website or another Customer-owned webpage, session ID, session start/stop time, timezone offset and conversion of user
Sensitive data/special categories of personal data transferred | No sensitive data is transferred
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Personal Data is transferred on a continuous basis
Nature of the processing | Access, usage, storage, erasure, or destruction of parties’ representatives Personal Data | The set of operations such as collection, recording, organisation, structuring, usage, storage, erasure, or destruction which is performed on End Users’ Personal Data
Purpose(s) of the data transfer and further processing | Managing the relationship between the parties and making the work-related details of their representatives available for communication | Provision of the Service by ScroogeFrog to the Customer under the Agreement, as well as supporting, and improving the Service according to the Agreement and Authorised Business Purpose
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | For the Term of the Agreement | Subject to section 9 of the DPA
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | Shall not be transferred | The subject matter of Personal Data transferred to Sub-processors is the Customer or Customer’s End User’s Personal Data, which is transferred to Subprocessors to provide, support, and improve the Services, as outlined in the Agreement between the Customer and ScroogeFrog

C. COMPETENT SUPERVISORY AUTHORITY

This section applies only to SCCs Module 1.

The competent supervisory authority in accordance with Clause 13 is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), email: info@aki.ee.

Appendix B

Technical and Organisational Measures to Ensure Security of the Personal Data applied by ScroogeFrog:

  • Measures of pseudonymisation and encryption of personal data
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Measures for user identification and authorisation
  • Measures for the protection of data during transmission
  • Measures for the protection of data during storage
  • Measures for ensuring physical security of locations at which personal data are processed
  • Measures for ensuring events logging
  • Measures for ensuring system configuration, including default configuration
  • Measures for internal IT and IT security governance and management
  • Measures for certification/assurance of processes and products
  • Measures for ensuring data minimisation
  • Measures for ensuring data quality
  • Measures for ensuring limited data retention
  • Measures for ensuring accountability
  • Measures for allowing data portability and ensuring erasure

Technical and Organisational Measures to Ensure Security of the Personal Data applied by the Customer

This section applies only to SCCs Module 1.

The Customer hereby confirms that, in managing the mutual relationship and processing ScroogeFrog’s representatives' work-related contact details, it will implement technical and organizational measures that are at least equivalent to those applied by ScroogeFrog to ensure a level of security appropriate to the risks associated with personal data processing. The Customer reserves the right to modify or update these technical and organizational measures as necessary, provided that any changes do not materially degrade the security of the personal data.