This Data Processing Addendum (“DPA”) forms part of the Service Order or other services agreement(s) (collectively, “Agreement”) between the entity that entered into the Agreement (the “Client”) and Friendbuy pursuant to which Friendbuy will provide the Service (as defined in the Agreement) to Client. Friendbuy agrees to comply with the following provisions with respect to any Personal Data Processed for Client in connection with the provision of the Service. References to the Agreement will be construed as including this DPA. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement.
1. DEFINITIONS
In this DPA, the following terms shall have the meanings set out below:
“Affiliates” means any entity which is controlled by, controls, or is in common control with Friendbuy.
“Client” means the Client that has executed the Agreement.
“Client Personal Data” means Personal Data that is provided by Client to Friendbuy or is collected or received by Friendbuy on behalf of Client to provide the Service.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means, to the extent applicable to the Processing of Personal Data under the Agreement, the data protection and data privacy laws and regulations of the United States, the European Economic Area, Switzerland, and the United Kingdom, as they may be amended or replaced from time to time, including laws and regulations that are enacted or become effective after the Effective Date, including, but not limited to, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (“CCPA”), Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”), the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”), and the Swiss Federal Data Protection Act (“Swiss DPA”).
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Client Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Client Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 as may be updated, amended, or replaced from time to time; and (iii) where the Swiss DPA applies, a transfer of Client Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner as may be updated, amended, or replaced from time to time.
“Security Breach” has the meaning set forth in Section 7 of this DPA.
“Standard Contractual Clauses” or “SCCs” means, collectively: (i) the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be updated, amended, or replaced from time to time, and (ii) the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 (“UK Addendum”), as may be updated, amended or replaced from time to time.
“Sub-processor” means any entity engaged by Friendbuy to Process Client Personal Data.
2. PROCESSING OF CLIENT PERSONAL DATA
2.1 The parties agree that with regard to the Processing of Client Personal Data, Client is the Data Controller and Friendbuy is the Data Processor.
2.2 Client shall, in its use or receipt of the Service, Process Client Personal Data in accordance with the requirements of the Data Protection Laws and Client will ensure that its instructions for the Processing of Client Personal Data comply with the Data Protection Laws. Client shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data; Client’s compliance with Data Protection Laws; and the means by which Client obtained the Client Personal Data.
2.3 Friendbuy shall Process Client Personal Data only on behalf of Client and in accordance with the Agreement and Client’s instructions. Client instructs Friendbuy to Process Client Personal Data for the following limited purposes: (i) Processing in accordance with the Agreement and any applicable statements of work; and (ii) Processing to comply with other reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement. Client represents and warrants that it has established a lawful basis for Friendbuy to Process Client Personal Data as instructed by Client as part of Friendbuy’s provision of Service. For the avoidance of doubt, Friendbuy will not (i) collect, retain, use, or otherwise disclose Client Personal Data outside of the direct business relationship with Client; (ii) collect, retain, use, or otherwise disclose Client Personal Data for any purpose other than performing the Processing instructed by Client or as otherwise permitted by Data Protection Laws; (iii) sell Client Personal Data or share Client Personal Data for targeted online advertising; or (iv) combine Client Personal Data with Personal Data received from another person or persons except as permitted for a Data Processor under Data Protection Laws. Friendbuy certifies that it understands the restrictions in this section.
2.4 The nature and purpose of Processing of Client Personal Data by Friendbuy is the performance of the Service pursuant to the Agreement, and the duration of the Processing shall be for the duration of the Service. The types of Client Personal Data and categories of Data Subjects Processed under this DPA include names, IP addresses, device identifiers, email addresses, and other Personal Data as instructed by Client associated with users of Client’s website and other online properties and with individuals referred to Client by those users. Friendbuy may associate other information with this Client Personal Data including transactional records, identification numbers and other profile information used by Client to identify End Users or their devices, and information from social media platforms.
3. COMPLIANCE; NOTIFICATION
3.1 Friendbuy will provide all assistance reasonably necessary for Client to comply with Data Protection Laws, and Client may take commercially reasonable and appropriate steps to ensure that Friendbuy Processes Client Personal Data in a manner consistent with Client’s obligations under Data Protection Laws. If Friendbuy determines that it can no longer meet its own obligations under Data Protection Laws as a Data Processor, Friendbuy agrees to notify Client of such determination. Upon such notice or in the event Client otherwise becomes aware of unauthorized Processing of Client Personal Data, Client may take commercially reasonable and appropriate steps to stop and remediate the unauthorized Processing by directing Friendbuy to temporarily suspend its Processing of Client Personal Data until Friendbuy can meet its material obligations as a Data Processor under Data Protection Laws.
4. RIGHTS OF DATA SUBJECTS
4.1 To the extent Client, in its use or receipt of the Service, does not have the ability to correct, amend, block, delete, or restrict or stop processing of Client Personal Data, as required by Data Protection Laws, Friendbuy will use commercially reasonable efforts to comply with requests by Client to facilitate such actions to the extent Friendbuy is legally permitted to do so.
4.2 Friendbuy shall, to the extent legally permitted, notify Client if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person’s Personal Data. Client is responsible for responding to all such requests. Friendbuy shall provide Client with commercially reasonable assistance in relation to the handling of a Data Subject’s request, to the extent legally permitted and to the extent Client does not have access to such Client Personal Data through its use or receipt of the Service.
5. PROCESSOR PERSONNEL
5.1 Friendbuy shall ensure that its personnel engaged in the Processing of Client Personal Data are informed of the confidential nature of the Client Personal Data and are subject to obligations of confidentiality.
5.2 Friendbuy shall ensure that access to Client Personal Data is limited to those personnel who require such access to perform the Service.
6. SUB-PROCESSORS
6.1 Client acknowledges and agrees that (i) Friendbuy Affiliates may be retained as Sub-processors; and (ii) Friendbuy may engage third-party Sub-processors in connection with the provision of the Service. Any such Sub-processors will be permitted to obtain Client Personal Data only to provide the Service. Friendbuy agrees that Sub-processors will be engaged pursuant to written agreements that include substantially the same data protection obligations as set out in this DPA.
6.2 Friendbuy may continue to use those Sub-processors already engaged by Friendbuy or any Friendbuy Affiliate as of the date of this DPA.
6.3 Friendbuy shall make available to Client a current list of Sub-processors located at www.friendbuy.com/privacy-sub-processors, and Client may receive prior email notice of new Sub-processors by signing up to receive email alerts of changes to the Sub-processor list. Friendbuy will keep the Sub-processor list current and inclusive of any new Sub-processors at the time that it is made available to Client. Client may object, on reasonable grounds, to the appointment of any new Sub-processor within 5 days of receipt of the updated Sub-processor list. If Client notifies Friendbuy in writing of any such objections, Friendbuy shall take reasonable steps to address the objections raised by the Client and shall inform the Client of the steps taken.
7. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
7.1 Friendbuy will take steps to protect Client Personal Data as required by Data Protection Laws. This will include, at minimum, Friendbuy maintaining the safeguards established in Annex II of this DPA.
7.2 No more than once per year, Client may request, in writing, that Friendbuy permit an audit of Friendbuy’s compliance with Data Protection Laws. Client agrees that Friendbuy may arrange for a qualified and independent third party to conduct such an audit, at Friendbuy’s expense, so long as (i) the third party uses an appropriate and accepted control standard or framework and audit procedure such as a SOC 2 Type II audit; and (ii) Friendbuy will provide a copy of an attestation from the third-party auditor to Client upon request. Client will enter into a non-disclosure agreement with Friendbuy regarding such attestations and will use such attestations solely to audit Friendbuy for the purposes of meeting Client’s audit requirements pursuant to any Data Protection Laws that require such audits. To request a copy of an attestation, Client must submit a request to legal@friendbuy.com.
7.3 No more than once per year, Client may request that Friendbuy make available to Client information necessary (i) to demonstrate Friendbuy’s compliance with Data Protection Laws; or (ii) for Client to conduct a privacy impact assessment required by Data Protection Laws. Friendbuy will reasonably cooperate with such requests, at Client’s expense.
8. SECURITY BREACH MANAGEMENT AND NOTIFICATION
8.1 If Friendbuy becomes aware of any unlawful access to any Client Personal Data stored on Friendbuy’s equipment, or in other systems under Friendbuy’s control or any unauthorized access to such equipment or systems resulting in material loss, disclosure, or alteration of Client Personal Data (“Security Breach”), Friendbuy will promptly: (i) notify Client of the Security Breach; (ii) investigate the Security Breach and provide Client with information about the Security Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
8.2 Client agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Client Personal Data or to any of Friendbuy’s equipment or systems storing Client Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
8.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of Client’s business, technical or administrative contacts by any means Friendbuy selects, including via email. It is Client’s sole responsibility to ensure it maintains accurate contact information on Friendbuy’s support systems at all times.
9. RETURN AND DELETION OF CLIENT PERSONAL DATA
At the end of Friendbuy’s provision of the Service, upon Client’s written request sent to legal@friendbuy.com, Friendbuy shall return Client Personal Data to Client, to the extent feasible, and/or delete Client Personal Data. Client can also use Friendbuy’s Merchant API to request or delete Client Personal Data.
10. STANDARD CONTRACTUAL CLAUSES
Friendbuy processes Client Personal Data in the United States. This Section will apply only in the event of a Restricted Transfer. If any provision of this DPA or the Agreement conflicts with the SCCs, the SCCs will prevail solely to the extent of any Restricted Transfer. To the extent the transfer of Client Personal Data to Friendbuy is a Restricted Transfer and Data Protection Laws require that appropriate safeguards be put in place with respect to such transfer, such transfer will be subject to the SCCs, which will be incorporated by reference into this DPA as follows:
a. EU GDPR. For Restricted Transfers of Client Personal Data that are subject to the EU GDPR, the SCCs will apply as follows: (1) Module Two (controller to processor) will apply; (2) in Clause 7, the optional docking clause will apply; (3) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 6 of this DPA; (4) in Clause 11, the optional language will not apply; (5) in Clause 17, the governing law is the law of the EU Member State: (i) where Client is established in an EU Member State, the law in that EU Member State, (ii) where Client is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of the EU GDPR, the law in the EU Member State in which the Client’s representative is located, or (iii) where Client is not established in an EU Member State and is not required to appoint a representative pursuant to Article 27(2) of the EU GDPR, the law of Ireland; (6) in Clause 18(b), the country of the applicable court in respect of any disputes arising from the SCCs is the courts of the EU Member State whose law the parties have chosen under Section 10(a)(5) above; and (7) Annexes I and II of the SCCs will be deemed completed with the information in Annexes I and II to this DPA, respectively.
b. UK GDPR. For Restricted Transfers of Client Personal Data that are subject to the UK GDPR, the SCCs: (1) shall apply as completed in accordance with Section 10(a) above; and (2) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes I and II of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party.”
c. Swiss DPA. For Restricted Transfers of Client Personal Data that are subject to the Swiss DPA, the SCCs shall apply as completed in accordance with paragraph (a) above, with the following modifications: (1) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (2) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”; (3) the term “Member State” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (4) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”; (5) in Clause 17, the SCCs shall be governed by the laws of Switzerland; and (6) with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
11. PARTIES TO THIS DPA
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
12. LIABILITY
Friendbuy’s obligations under this DPA shall be subject in all instances to the limitation of liability contained in the Agreement.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
The Client, as identified in the Agreement, using Friendbuy’s Referral Program Software and associated services and/or Friendbuy’s Loyalty Program Software and associated services. The Client is the data controller. For purposes of this Annex, the relevant Client contact person is the signatory to the Agreement.
Data importer:
Friendbuy, located at Malaga Cove Plaza 2516 Via Tejon, Suite 201, Palos Verdes Estates, California 90274. Friendbuy is the data processor. For purposes of this Annex, the relevant Friendbuy contact person is the signatory to the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
The data subjects include users of the Client’s website and other online properties, and the individuals referred to the Client’s website and other online properties.
Categories of personal data transferred
The Personal Data transferred concern the following categories of data: names, IP addresses, device identifiers, email addresses, dates of birth, phone numbers, and other Personal Data as instructed by Client associated with users of Client’s website and other online properties and with individuals referred to Client by those users. Friendbuy may associate other information with this Client Personal Data including transactional records, identification numbers and other profile information used by Client to identify end users or their devices, and information from social media platforms.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data is transferred as needed and continuously in the course of providing services to Client.
Nature of the processing
The nature of the processing is to provide the Service to Client as described in the Agreement. Friendbuy’s Referral Program Software allows Client’s users to submit Personal Data about themselves and their contacts in order to refer their contacts to receive marketing and other outreach from Client. Friendbuy’s Loyalty Program Software allows Client’s users to submit Personal Data about themselves and their contacts in order to receive incentives or rewards from the Client.
Purpose(s) of the data transfer and further processing
The personal data will be processed to provide the Service as described in the Agreement, namely to enable Client to provide a loyalty program and/or engage in referral marketing using Friendbuy’s platform.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Friendbuy retains the personal data according to its internal data retention policy. It retains such data in accordance with applicable laws and the Client’s instructions.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
Friendbuy transfers personal data to sub-processors to assist in providing the Service to Client as described in the Agreement. More information about Friendbuy’s sub-processors is available here:
https://www.friendbuy.com/privacy-sub-processors.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Unless otherwise provided in the Agreement, the Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. Definitions.
1.1. “Personal Data” means any information that, either individually or when combined with other information maintained by Friendbuy, identifies a specific individual end user. As used in this Annex, Personal Data shall include individuals’ full names and email addresses.
1.2. “Data Security Incident” means any unauthorized destruction, loss, acquisition, or alteration of or access to Client Data.
1.3. “Applicable Privacy Laws” means all data protection and data security laws, rules, and regulations that apply to Client Data.
1.4. “Client Data” means all Personal Data that is collected or received by Friendbuy from or on behalf of Client in the course of providing Friendbuy’s services under the Agreement.
3. Information Security Program. Friendbuy will implement and maintain appropriate technical and organizational security measures designed to protect Client Data from Data Security Incidents, preserve the confidentiality of Client Data, and comply with Applicable Privacy Laws. This includes a comprehensive written Information Security Management System.
4. Employee Vetting and Education. Friendbuy will provide all employees who have access to Client Data with regular training on their responsibilities under Friendbuy’s information security program, privacy laws, and security best practices, including how to identify social engineering, phishing scams, and hackers. Friendbuy will perform comprehensive background checks for all new employees to the extent permitted by law.
5. Security Controls. Friendbuy will implement and maintain commercially reasonable and appropriate technical, physical, and administrative security controls for Client Data, which will include the following:
5.1. Identity and Access Management. Friendbuy will limit access to Client Data to its personnel, Sub-processors, or other individuals who have a business need for such access. Friendbuy’s internal data access processes and policies will be designed to prevent unauthorized persons from gaining access to systems used to process Personal Data. Friendbuy will require that each individual with access to Client Data has unique account credentials and uses a password that meets industry standards with respect to length and complexity. Administrative access will be automatically logged and retained. Administrative access to servers and databases hosting Client Data will require both VPN and authorized SSH keys. Management of production servers hosting Client Data will be done through AWS Identity and Access Management (IAM) and restricted to a limited set of employees with privileged access.
5.2. Physical and Network Security. Friendbuy will implement reasonable and appropriate network security measures using a variety of techniques designed to detect and prevent unauthorized access to systems and services processing Client Data. All Client Data hosted and processed by Friendbuy will be stored and transmitted solely within Amazon AWS infrastructure. Friendbuy employees will not have physical access to the Friendbuy platform production environment. In addition to Friendbuy-implemented security measures, the AWS platform offers significant protection against both physical and network security issues. A summary of AWS security policies and practices can be found at https://aws.amazon.com/security/.
5.3. Vulnerability Management. Friendbuy will regularly monitor its systems to identify and remediate or mitigate any material vulnerabilities. It will conduct periodic vulnerability scans and regularly update and patch the software, as appropriate, that it uses in systems that maintain or process Client Data. Critical patches will be applied within vendor-recommended time frames but not later than 30 days, and critical vulnerabilities will be remediated within 30 days. Friendbuy will contract with reputable external security firms to perform regular security penetration tests against all systems that host Client Data and to verify that its security practices are sound.
5.4. Encryption. Friendbuy will encrypt Client Data during transmission and at rest, including database, assets, logs, and backups, using industry-standard encryption. Friendbuy will enforce full disk encryption for all company laptops.
5.5. Change Control and Systems Development. Friendbuy will employ change control procedures for applications hosting and processing Client Data. Additionally, Friendbuy will implement a formal Systems Development Lifecycle (SDLC) policy that includes requirements for secure coding techniques, peer code reviews, and automated code reviews.
6. Redundancy. Friendbuy will design its infrastructure systems to eliminate single points of failure and minimize the impact of anticipated environmental risks. Friendbuy will perform daily database backups of Client Data databases and implement regular backup recovery testing. Friendbuy will maintain written business continuity and disaster recovery policies and procedures.
7. Risk Assessment. Friendbuy will perform periodic risk assessments of potential risks to Client Data and will evaluate the efficacy and appropriateness of its security controls for Client Data in light of the risks that it identifies.
8. Security Incidents. Friendbuy will maintain a reasonable and appropriate incident response plan for responding to any Data Security Incident.