General
This Data Processing Addendum ("hereinafter Addendum", "DPA") forms part of, and is incorporated into, the Terms of Service or any other written or electronic agreement governing the provision of Services (the "Agreement") between the Journify entity under the Agreement ("Journify", "we", "us", "our") and the Client ("Client" or "you") to ensure compliance with applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and Saudi Personal Data Protection Law ("PDPL").
The Client, for the purposes of this Addendum, is acting as a Controller of personal data (the "Controller") and Journify is acting as a respective processor (the "Processor"). The Client and Journify are hereinafter collectively referred to as the "Parties" and individually as a "Party".
We may update this Addendum from time to time, and we will provide reasonable notice of any such updates. The Annexes to this Addendum form an integral and inseparable part of the Addendum. All terms and obligations set out in the Annexes shall have the same legal force and effect as if they were included in the main body of this Addendum.
Purpose, subject matter & scope
Due to the scope and subject-matter of the Agreement, it is necessary for the Processor to process the personal data on behalf of the Controller. This Addendum reflects the parties' roles, relationships and responsibilities with respect to the processing of personal data by Journify as a Processor on the Client's behalf.
This Addendum applies solely to the extent that Journify is a Processor of personal data in connection with the Agreement. The personal data is processed by Journify on behalf of the Client under the Addendum including processing as reasonably necessary, proportionate, and consistent with the business purpose of providing the Services to the extent permitted by applicable data protection laws and regulations.
Definitions and interpretation
Addendum will have the meaning as set forth in the Agreement. In case of any conflict or inconsistency,
the terms of the Addendum will take
precedence over other terms in the Agreement to the extent of such conflict or
inconsistency. In the event of any conflict or inconsistency between this Addendum and
the EU SCCs, the EU SCCs shall prevail.
The terms used in this Addendum have the following meaning:
- Applicable data protection laws and regulations — any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of personal data including: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (ii) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the UK Data Protection Act 2018; and (iv) the Saudi Personal Data Protection Law (“PDPL”); in each case, as updated, amended or replaced from time to time. The terms “data subject”, “personal data”, “personal data breach”, “processing”, “Processor,” “Controller,” and “supervisory authority” shall have the meanings set forth in the EU GDPR.
- Client data / personal data — means any personal data that is provided by or on behalf of the Client to Journify, or otherwise collected, accessed, or processed by Journify on behalf of the Client, in connection with the provision of the Services.
- Ex-EEA Transfer — the transfer of personal data, which is processed in accordance with Regulation (EU) 2016/679 (the "EU GDPR"), from the data exporter to the data importer (or its premises) outside the European Economic Area (the "EEA"), and which is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the EU GDPR.
- Ex-UK Transfer — the transfer of personal data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the data exporter to the data importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
- General Data Protection Regulation (“GDPR”) — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Saudi Personal Data Protection Law (“PDPL”) — the personal data protection law of the Kingdom of Saudi Arabia issued pursuant to Royal Decree No. M/19 dated 09/02/1443H corresponding to 16/09/2021, as amended, and the Implementing Regulation of the Personal Data Protection Law.
- Personal data breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Public authority — a government agency or law enforcement authority, including judicial authorities.
- Services — shall have the meaning set forth in the Agreement.
- Standard Contractual Clauses (SCCs) — Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission (the “EU SCCs”), (ii) the UK Addendum to the EU SCCs and (iii) the Standard Contractual Clauses, as applicable, for the transfer of personal data outside the Kingdom of Saudi Arabia pursuant to the PDPL, as adopted by the competent authority in the Kingdom of Saudi Arabia.
- Sub-processor — a third-party who has a need to know or otherwise access the Client data to enable Journify to perform its obligations under this Addendum or the Agreement, and who is either (1) listed in Annex 3 or (2) subsequently authorized under this Addendum.
- Supervisory authority — an independent public authority responsible for monitoring the application of the applicable data protection legislation.
- Technical and organisational security measures — the measures which are included into the Annex 2 to this DPA and aimed at the protection of personal data against unintentional destruction or unintentional loss, alteration, unauthorised disclosure or access, particularly where the Processing involves the transmission of data via a network, and against all other unlawful forms of processing.
- UK Addendum — the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf.
- Saudi Arabia SCCs — Standard Contractual Clauses, as applicable, for the transfer of personal data outside the Kingdom of Saudi Arabia pursuant to the PDPL, as adopted by the competent authority in the Kingdom of Saudi Arabia, and as may be amended from time to time, which can be found at https://sdaia.gov.sa/Documents/StandardContractualClausesForPersonalDataTransferEN.pdf.
Relationship of the parties & instructions
The parties acknowledge and agree that with regard to the processing of personal data, the Client acts as a Controller and, except as expressly set forth in this Addendum, Journify is a Processor of personal data.
When Journify acts as the Processor, and the Client acts as the Controller, the Parties agree that the Agreement, this Addendum and the Client’s configuration and use of the Services (including, the data sources and destination configuration) constitute the Controller’s complete and final documented instructions (“instructions”) regarding the Journify processing of the Client data on the Controller’s behalf.
Any additional or alternate instructions must be consistent with the terms and conditions of the Agreement and Addendum between the Client as a Controller and the Journify as a Processor.
Controller responsibilities
The Client retains control of the personal data and remains responsible for its compliance obligations under the applicable data protection legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.
Client shall be responsible for the following:
- Lawful instructions — Client shall ensure that the processing of personal data in accordance with Client’s instructions will not cause Journify to be in breach of the applicable data protection legislation (e.g. provide Journify only with personal data that has been lawfully and validly obtained).
- Data accuracy & legality — Client is solely responsible for the accuracy, integrity, confidentiality, quality, and legality of the personal data provided to Journify by or on behalf of Client, the means by which Client acquired any such personal data; and the instructions it provides to Journify regarding the processing of such personal data.
- Appropriate data — Client shall not provide or make available to Journify any personal data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Journify from all claims and losses in connection therewith.
- Consents & authorizations — Client is solely responsible for obtaining any necessary consents or authorizations under applicable data protection laws, including the GDPR and PDPL.
- Data subject rights procedures — Client shall establish and maintain procedures for the exercise of the rights of data subjects whose personal data is processed on behalf of Client.
- Data minimization — Client shall ensure that the personal data provided is relevant and proportionate in relation to the purposes for which it is processed.
- Instructions compliance — Client shall ensure that the instructions given to Journify regarding the processing of the Client data comply with the GDPR, PDPL and other applicable laws and regulations, including complying with principles of data minimisation, purpose and storage limitation.
Processor responsibilities
Processor shall not process personal data:
- Purpose limitation — for purposes other than those set forth in the Agreement.
- Instruction compliance — in a manner inconsistent with this Addendum or any other documented instructions provided by Client, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by supervisory authority to which the Processor is subject; in such a case, the Processor shall inform Client of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
- Legal compliance — in violation of the applicable data protection laws and regulations.
The subject matter, nature, purpose, and duration of this processing, as well as the types of personal data collected and categories of data subjects, are described in Annex 1 to this Addendum.
Confidentiality
Processor shall ensure that any person it authorizes to process personal data has agreed to protect personal data in accordance with Processor's confidentiality obligations in the Agreement.
Client acknowledges and agrees that, as part of the Services, the Client may configure and enable the transfer of Client Data to third-party destinations selected by the Client, including advertising platforms, analytics platforms, and other integrations. Such third-party destinations shall act as independent controllers (or, where applicable, processors engaged separately by the Client) with respect to the Client data they receive. Processor acts solely as the Client's processor in transmitting Client data to such destinations in accordance with the Client's configuration, instructions, the Agreement, and this Addendum, and shall not be responsible for the processing activities of such third-party destinations.
Notices to the Controller
Upon becoming aware, the Processor shall inform the Client of any legally binding request for disclosure of the Client data by a public authority, unless the Processor is otherwise forbidden by law to inform the Client, for instance, to preserve the confidentiality of the investigation by a public authority. The Processor will inform the Client if it becomes aware of any notice, inquiry, or investigation by a supervisory authority with respect to the processing of the Client data under the Addendum conducted between the Processor and the Client.
With regard to the processing of Client data, the Processor shall:
- Unlawful instructions — inform the Client if the Client's instructions may be in violation of the provisions of the GDPR, PDPL or other applicable data protection laws and regulations.
- Inability to comply — inform the Client if the Processor cannot comply with its obligations under this Addendum, in which case the Client may terminate the Agreement or take any other reasonable actions, including suspending data processing operations.
Security of personal data
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.
The Processor shall implement such measures to ensure a level of security appropriate to the risk involved. Annex 2 sets forth additional information about Processor’s technical and organizational security measures.
The Client acknowledges that security measures are subject to technical progress so that the Processor may modify or update security measures set out in this Addendum at sole discretion, provided that such modification or update does not result in a material degradation in the security measures offered by this Addendum.
Personal data breach & reasonable assistance
The Processor shall assist Client in ensuring compliance with its obligations pursuant to the applicable privacy laws and regulations, taking into account the nature of processing and the information available to the Processor, including assisting with the notification of personal data breaches to supervisory authorities and/or communication of personal data breaches to data subjects.
The Processor shall without undue delay notify the Client if the Processor becomes aware of any personal data breach.
Where the Processor becomes aware of a personal data breach, the Processor shall, without undue delay, also provide the Client with:
- Description of the breach — description of the causes and nature of the personal data breach, including the categories and approximate number of both the data subjects and the personal data records concerned.
- Remedial measures — the likely consequences and description of the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate the possible adverse effects.
Immediately, following any unauthorised or unlawful processing of the personal data or the personal data breach, the Parties shall coordinate with each other to investigate the matter. The Processor shall reasonably cooperate with the Client in the Client’s handling of the matter, including
- Assisting with any investigation.
- taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the personal data breach or the unlawful processing of the personal data
The Processor shall not inform any third party of any personal data breach without first obtaining the Client's prior written consent, except when required to do so by law.
The Processor agrees that the Client has the sole right to determine whether to provide a notice of the personal data breach to any data subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice.
Return and deletion of Client data
Following completion of the Services or upon expiration or termination of the Agreement, at the Client's choice, the Processor shall return or delete any retained Client data, unless further storage of such personal data is required or authorized by applicable laws and regulations.
If return or destruction is impracticable or prohibited by law, rule or regulation, Processor shall take measures to block such personal data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the personal data remaining in its possession, custody, or control.
Authorized sub-processors
The Processor may not authorise a third party (sub-processor) to process the personal data, unless all of the following conditions are met:
- General written authorisation — the Client has given its general written authorisation to the engagement of the sub-processor(s).
- Written agreement — the Processor shall enter into a written agreement with each of the authorised sub-processors, which shall contain terms substantially the same as those set out in this Addendum in particular, in relation to requiring appropriate technical and organisational data security measures.
The Client hereby gives a general authorisation to involve sub-processors to process the personal data under this Addendum (current list of authorized sub-processors is set out in Annex 3 ). In case the Processor intends to update the list of sub-processors engaged, the Processor shall inform the Client in advance and provide the Client with the information necessary to enable the Client to exercise the right to object.
The Client may object to the appointment of the new sub-processor within ten (10) days of the notification.
Where the sub-processor fails to fulfil its obligations under such written agreement, the Processor remains liable to the Client for the sub-processor’s performance of its obligations.
Transfers of personal data
The Parties agree that the Processor may transfer personal data processed under this Addendum outside the EEA, the UK, or Saudi Arabia as necessary to provide the Services, subject to the safeguards set out in this Clause 13. If the Processor transfers personal data processed under this Addendum to a jurisdiction for which the European Commission, the UK Secretary of State, or the Saudi Data & AI Authority (SDAIA) has not issued an adequacy decision or approval, as applicable to the origin of the personal data, the Processor will ensure that appropriate safeguards such as the applicable SCCs are in place prior to any such transfer, in accordance with applicable data protection laws and regulations.
Where Client configures or enables a third-party destination on Journify platform (list of supported destinations). Client instructs and authorizes Journify to transmit Client Data to that destination. Client is responsible for determining the legal basis, notices, consents, transfer basis, and contractual relationship required for the destination’s receipt and further processing of Client Data, including where the destination acts as an independent controller or as a processor engaged separately by Client. Journify acts only as Client’s processor in transmitting Client Data to such destination in accordance with Client’s configuration and documented instructions.
European Union
The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows: Module Two (Controller to Processor) of the EU SCCs apply when Client is the Controller and Journify is the Processor pursuant to Section 2 of this DPA.
The Parties agree to the EU SCCs shall be completed as follows:
- In Clause 7 of the EU SCCs, the optional docking clause shall not apply.
- In Clause 9 of the EU SCCs, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in this Addendum.
- In Clause 11 of the EU SCCs, the optional language will not apply.
- In Clause 17 of the EU SCCs (Option 1), the EU SCCs will be governed by Irish law.
- In Clause 18(b) of the EU SCCs, disputes will be resolved before the courts of Ireland.
- In Annex I, Part A of the EU SCCs: Client is the data exporter and Journify is the data importer; each party's contact details are identified in the Agreement. By entering into the Agreement, each party is deemed to have signed these EU SCCs, including their Annexes, as of the effective date of the Agreement.
- In Annex I, Part B of the EU SCCs: as specified Annex 1 and 3 of this Addendum.
- In Annex I, Part C of the EU SCCs: the competent supervisory authority shall be determined in accordance with Clause 13 of the EU SCCs, unless otherwise agreed upon by the Parties in writing.
- In Annex II of the EU SCCs: as specified in Annex 2 of this Addendum.
United Kingdom
Ex-UK Transfers. The Parties agree that ex-UK Transfers shall be made pursuant to the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (“UK Addendum”), which is hereby incorporated into this DPA by reference. The UK Addendum shall be deemed completed on the following basis:
- Table 1 — Parties. The Parties and their key contact information are set out in Clause 1 of this DPA.
- Table 2 — Selected SCCs, Modules and Selected Clauses. The Approved EU SCCs are the EU SCCs referenced in Section 13.1.1. of this DPA, including the applicable Modules selected therein.
- Table 3 — Appendix Information. The Appendix Information required by the UK Addendum is set out as follows: Annex 1 (Personal data processing purposes and details),Annex 2 (Description of the technical and organisational security measures), Annex 3 (Journify’s list of sub-processors).
- Table 4 — Both the Importer and the Exporter may end the UK Addendum in accordance with the terms of the UK Addendum.
Switzerland
Ex-Switzerland Transfers. The Parties agree that transfers of personal data subject to the Swiss Federal Act on Data Protection (the “FADP”) (“Ex-CH Transfers”) shall be made in accordance with the requirements of the FADP.
Where personal data is transferred to a jurisdiction that has not been recognized by the Swiss Federal Council as providing an adequate level of data protection, the Parties agree that such transfers shall be subject to appropriate safeguards. For this purpose, the Parties agree that the EU SCCs shall apply to Ex-CH Transfers, subject to the following adaptations:
- References to “Regulation (EU) 2016/679” shall be interpreted as references to the FADP, where applicable.
- References to “EU”, “Union”, or “Member State law” shall be interpreted to include Switzerland and Swiss law, as applicable.
- References to the “competent supervisory authority” shall be interpreted as references to the Federal Data Protection and Information Commissioner (FDPIC), insofar as the transfer is governed by the FADP.
Saudi Arabia
Processor shall at all times observe the obligations and restrictions on personal data transfer outside the jurisdiction of the Kingdom of Saudi Arabia as set out in the PDPL and shall not transfer any such Client data unless it is in accordance with PDPL.
In relation to transfers of personal data originating from the Kingdom of Saudi Arabia, Processor must comply with all of the data importer obligations as set out in the PDPL, including the Saudi Arabia SCCs. All such obligations are fully incorporated into this Appendix 4 by this reference.
The Saudi Arabia SCCs, attached as Annex 4, shall apply where Client is the Controller (Data Exporter) and Processor is the Processor (Data Importer). The parties agree that if the SCCs are replaced, amended or no longer recognized as valid under the PDPL, or if a competent authority and/or the PDPL requires the adoption of an alternative transfer solution, the parties will:
- promptly take such steps requested including putting an alternative transfer mechanism in place to ensure the processing continues to comply with the PDPL;or
- cease the transfer of Client data and at Client’s option, delete or return the Client Data to the Client.
Complaints, data subject requests & third-party rights
The Processor shall take technical and organisational measures as may be appropriate and promptly provide such information to the Client, as the Client may reasonably require, to enable the Client to comply with:
- Data subject rights — the rights of the data subjects under the applicable data protection legislation, including the data subjects’ access rights, the rights to rectify and erase the personal data, object to the processing and automated processing of the personal data, and restrict the processing of the personal data; and
- Supervisory authority notices — information or assessment notices served on the Client by any supervisory authority under the applicable data protection laws and regulations.
The Processor shall notify the Client without undue delay if the Processor receives any complaint, notice or communication that relates directly or indirectly to the Processing of the personal data or to either Party’s compliance with the data protection laws and regulations.
In the event that a data subject contacts the Processor with regard to the exercise of their rights under the data protection laws and regulations (in particular, requests for access to, rectification or deletion of the Client data, the Processor will use all reasonable efforts to forward such requests to the Client as a controller).
If the Processor is legally required to respond to such a request, the Processor must immediately notify the Client, and provide the latter with a copy of the request unless the Processor is legally prohibited from doing so.
Audits
Processor shall provide the Client with the information necessary to demonstrate compliance with its obligations and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client with respect to such processing, provided that:
- Advance notice — the Client provides at least thirty (30) days' prior written notice of any audit
- Frequency — audits shall not occur more than once in any twelve (12) month period, except where required by a competent supervisory authority or following a personal data breach affecting the Client data.
- Conduct — such audits are conducted during normal business hours and in a manner that minimizes disruption to the Processor's business operations.
Processor shall, upon the Client's written request and within a reasonable period, provide the Client with all information necessary for such audit, to the extent that such information is within the Processor's control and the Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
Term and duration
This Addendum shall remain in force until:
- Agreement termination — the termination or expiration of the Agreement between the Parties.
- Data return or deletion — until all personal data has been returned or deleted in accordance with the provisions of this Addendum.
Non-compliance with the Addendum and termination
Without prejudice to any provisions of the applicable laws and regulations, in the event that the Processor is in breach of its obligations under this Addendum, the Client may instruct the Processor to suspend the processing of the personal data until the Processor complies with its obligations under this Addendum or the Addendum is terminated.
The Client shall be entitled to terminate the Addendum if:
- Suspension not remedied — the processing of the personal data by the Processor has been suspended by the Client pursuant to Clause 17.1 hereof and if compliance with the obligations under this Addendum is not restored within a reasonable time and in no event later than within 1 (one) month following suspension.
- Substantial breach — the Processor is in substantial or persistent breach of its obligations under this Addendum or its obligations under the applicable Laws and regulations.
- Non-compliance with binding decision — the Processor fails to comply with a binding decision of a competent court or a competent supervisory authority regarding its obligations pursuant to this Addendum or other applicable Laws and regulations.
Except where the suspension or termination results from the Processor's breach of the Agreement, applicable law, or its obligations relating to the processing of personal data, the Client shall remain liable for the payment of all applicable fees and charges accruing under the Agreement during the suspension period and until the effective date of termination.
The Processor shall be entitled to terminate the Addendum where, after having informed the Client that the Addendum’s instructions infringe applicable legal requirements in accordance with Clause 8.2 hereof, the Client insists on compliance with the instructions. In such a case, the Client’s payment obligations set out in Clause 17.2. shall apply accordingly.
Any provision of this Addendum that is intended to apply after termination of the Agreement, including provisions necessary to protect personal data, will remain in full force and effect after termination.
Governing law
This Addendum shall be governed by, construed and interpreted in accordance with the laws indicated in the Agreement between the Client and the Processor.
Any dispute arising out of or in connection with this Addendum shall be resolved amicably through amicable negotiation. If the dispute cannot be settled amicably within thirty (30) days from the date on which either party has served written notice on the other party, the dispute shall exclusively and finally be resolved as specified in the Agreement.
Questions about this DPA?
Our privacy team are here to answer your data privacy related questions.
Annex 1 — Personal data processing purposes and details
Subject-matter and nature of processing
The processing of personal data to the extent required for the provision of the Services and performance of the obligations set out in the Agreement. The nature of the processing activities implies the set of operations, such as collection, processing and forwarding of data.
Purpose of processing
To enable the Client data activation, data ingestion from various sources (such as websites, mobile apps, and e-commerce stores), integration with advertising platforms (Google, Meta, TikTok, etc.), campaign optimization, targeting enhancement, and real-time analytics. In particular, to enable secure activation and transfer of the client's first-party data to advertising platforms for the purposes of:
- Ad performance measurement
- Campaign optimization
- Conversion tracking and attribution accuracy
- Signal quality enhancement for marketing platforms
Data subjects
for the purposes of this Addendum, individuals whose data is being processed by Journify on behalf of a Client as solely determined by the Client.
Duration of processing
the processing will continue for the term of the Agreement
- Data is transiently processed for the purpose of transfer only.
- Journify does not store, resell, or reuse any transferred personal data.
- To support the proper operation of the Services and for the Client’s benefit, Journify may temporarily capture a limited number of sample events (where PII is masked) for debugging or diagnostic purposes, ensuring that such data is used solely to identify and resolve technical issues and is retained only for as long as necessary to fulfill this function. Such sample events are available only within the active debugging session and are automatically deleted when the Client ends the debugging session.
- Logs only for debugging and operational verification purposes (e.g., up to 30 days), then automatically deleted.
- Permanent storage occurs solely at the destination platform (e.g., Meta, Google) under their respective data retention policies.
The frequency of the transfer: Client data is transferred on a continuous basis.
Personal data categories may include:
- Contact details (e.g., firstname, lastname, email addresses, phone numbers — hashed).
- Online identifiers (device IDs, IP addresses ( hashed)).
- Behavioral data (page views, purchases, session events, conversions).
- Any other first-party data events voluntarily collected by the client and transmitted for marketing performance optimization.
A more detailed list of data points that may be transferred through the Services is available at https://docs.journify.io/tracking, as updated from time to time.
Annex 2 — Description of the technical and organisational security measures
Scope and Application
These Technical and Organisational Measures ("TOMs") describe the security measures implemented and maintained by the Processor (Journify) in connection with the processing of personal data under the Data Processing Addendum to which this Annex is attached.
Data minimisation and storage limitation
- No storage of end user personal data — The Processor does not store any personal data relating to the Controller's end users. The Services are architected such that end user personal data is processed in transit only and is not written to, or retained in, any persistent storage system operated by the Processor.
- No logging of personal data — The Processor does not log any personal information relating to the Controller's end users. System and operational logs generated in the course of providing the Services are designed and configured to exclude personal information. Log hygiene controls are reviewed periodically to ensure continued compliance with this principle. There is an exception to the IP address, it’s logged for debugging and investigation purposes.
- Data flow architecture — The Processor's data architecture has been designed to give effect to the principles of data minimisation and storage limitation under applicable data protection law. Personal data passing through the Processor's systems is handled transiently and no copies are retained beyond the immediate processing operation.
Encryption & hashing
- Encryption in transit — All data transmitted through the Processor's connectors is protected using end-to-end encryption. The Processor employs industry-standard encryption protocols (TLS) for all data in transit across all connector interfaces and integration points.
- Hashing of personal data within the forwarded events — between client sources and Processor: personal data is hashed if the client enables the hashing option (example of configuration here: https://docs.journify.io/sources/javascript#:~:text=options.enableHashing). Between the Processor and configured third party destinations: personal data is hashed by default.
- Encryption of credentials and keys — All passwords, API keys, secrets, and cryptographic material used in connection with the Services are encrypted at rest using either GCP server-side encryption AES-256 or Google Cloud Platform Key Management Service ("GCP KMS"). Access to encryption keys is restricted to authorised personnel only and is subject to the access controls described in Clause 5 below.
- Key management — Encryption keys are managed in accordance with GCP KMS best practices, including separation of key management duties, regular key rotation, and audit logging of all key access and usage events.
Certification and independent assurance
- SOC 2 Type II — The Processor maintains SOC 2 Type II certification, issued by an accredited independent third-party auditor. This certification covers the Trust Services Criteria relevant to the security, availability, and confidentiality of the systems used to provide the Services.
- Audit reports — The Processor will make available to the Controller, upon written request and subject to reasonable confidentiality obligations, a summary or copy of its most recent SOC 2 Type II audit report. Such reports shall be treated as the Processor's confidential information. A summary of SOC 2 Type II audit report (SOC 3) can also be requested via Journify Trust Center.
- Ongoing compliance — The Processor maintains SOC 2 Type II certification.
Access controls
- Least privilege — Access to systems involved in the provision of the Services is granted on a least-privilege basis. Personnel are granted only the access rights necessary for the performance of their role.
- Authentication — The Processor enforces multi-factor authentication ("MFA") for all administrative and privileged access to production systems.
- Access reviews — Access rights are reviewed at regular intervals and promptly revoked upon change of role or termination of employment or engagement.
Organisational measures
- Confidentiality obligations — All personnel engaged in the processing of personal data are subject to binding confidentiality obligations, whether by contract or by operation of law.
- Security policies — The Processor maintains internal information security policies consistent with its SOC 2 Type II obligations, covering incident response, vulnerability management, change management, and vendor risk.
Incident management
- Detection and response — The Processor maintains an incident detection and response capability designed to identify, contain, and remediate security incidents in a timely manner.
- Notification — In the event of a personal data breach affecting the Controller's personal data, the Processor will notify the Controller without undue delay and in accordance with the timeframes and requirements set out in the Addendum and applicable data protection law.
Sub-processors and third-party services
Sub-processor security Where the Processor engages sub-processors in connection with the Services, it will ensure that equivalent technical and organisational security obligations are imposed on such sub-processors by contract.
GCP infrastructure The Processor's services are hosted on Google Cloud Platform ("GCP"), which maintains its own certifications including ISO 27001, SOC 2 type II. Details of GCP's security measures are available at Google's security documentation portal.
Annex 3 — Journify's list of sub-processors
| # | Name | Services provided | Location |
|---|---|---|---|
| 1. | Google Cloud Platform | Data ingestion and data forwarding | USA |
| 2. | Pusher | Real-time communication | EU |
Annex 4 — PDPL Standard Contractual Clauses
For the purposes of this Annex 4: "Law" and "Implementing Regulations" shall mean the PDPL; "Competent Authority" shall mean the authority as defined in the PDPL; "Personal Data Importer" shall mean the Processor; "Personal Data Exporter" shall mean the Client (Data Controller); "Personal Data" shall mean Client data.
- 1. Processing instructions — The Personal Data Importer shall only process the transferred personal data based on written instructions from the Personal Data Exporter. If the Personal Data Importer is unable to follow the instructions, it shall inform the Personal Data Exporter in writing without undue delay.
- 2. Processing restrictions — The Personal Data Importer shall process the transferred personal data in accordance with the purposes specified in Annex 1, unless otherwise directed in writing by the Personal Data Exporter, provided that the personal data shall be processed in accordance with the provisions of the Law and its Implementing Regulations in all cases.
- 3. Compliance with the Competent Authority — In order for the Competent Authority to exercise its powers under the Law and the Implementing Regulations, the parties shall provide a copy of these Clauses to the Competent Authority upon request and without undue delay. The Competent Authority may request any additional information in relation to transfers of personal data. Each party agrees to comply with any requests made by the Competent Authority in relation to these Clauses or the processing of the transferred personal data. Upon request, the Personal Data Importer (either directly or through the Personal Data Exporter) shall disclose its identity and contact details and the categories of personal data being processed to the personal data Subject and provide a copy of these items.
- 4. Accuracy and quality of personal data — If the Personal Data Importer realises that any personal data transferred is inaccurate or not up-to-date, it shall inform the Personal Data Exporter in writing without undue delay, in which case the Personal Data Importer shall destroy the personal data and notify the Personal Data Exporter accordingly, unless the Personal Data Exporter instructs otherwise because it wishes to correct the transferred personal data.
- 5. Duration of processing and destruction — The processing shall be carried out by the Personal Data Importer only for the period specified in Annex 1. After completion of the purpose of the processing, the Personal Data Importer shall destroy all personal data processed on behalf of the Personal Data Exporter and notify the Personal Data Exporter accordingly, unless otherwise instructed by the Personal Data Exporter to: return all processed personal data to the Personal Data Exporter and delete the copies held by the Data Importer; or retain the transferred personal data for an additional period where required by applicable regulations in the Kingdom. The Personal Data Importer remains bound by these Clauses until the personal data is deleted or recovered.
- 6. Personal data security and breach notifications — The parties shall ensure that the organisational, administrative, and technical measures specified in Annex 2 provide a sufficient level of protection for the transferred personal data in compliance with Article 19 of the Law and Article 23 of the Implementing Regulation. The Personal Data Importer shall implement the security measures specified in Annex 2 and apply those measures to all transferred personal data to ensure its security and protection against any violation that may result in damage to the personal data Subject, unlawful action, loss, alteration, disclosure, or unauthorised access. The Personal Data Importer shall periodically review the security measures stipulated in Annex 2 to ensure they are implemented as required and update them as needed to ensure continued compliance. If the Personal Data Importer becomes aware of a personal data Breach incident that affects the transferred personal data or is likely to cause damage to the rights and interests of personal data Subjects, it must immediately take appropriate and necessary measures to contain the incident, minimise risks, and prevent reoccurrence. The Personal Data Exporter must be notified within 24 hours from the time of occurrence or knowledge of the breach, including a description of the incident, its causes, the measures taken or planned to contain and prevent reoccurrence, and contact details for follow-up. If the Personal Data Exporter determines that the incident may cause damage to personal data or personal data Subjects or contradict their rights or interests, it shall notify the Competent Authority within 72 hours in accordance with Article 24 of the Implementing Regulation. Upon receipt of the Data Importer's breach notification, where the incident would harm the personal data or the personal data Subject or contradict their rights or interests, the Personal Data Exporter must promptly notify the affected personal data Subjects in simple and clear language in accordance with Article 24 of the Implementing Regulation. Such notification shall include the potential risks and their nature, the measures taken or planned to contain the incident, the contact information of the Personal Data Exporter, Data Importer, and the respective personal data Protection Officers of both entities, together with recommendations to aid the Data Subject in preventing or minimising the impact of the outlined risks.
- 7. Sensitive data — Without prejudice to any restrictions related to sensitive data stipulated in the Law and its Implementing Regulations, the Personal Data Exporter shall ensure that the Personal Data Importer adopts additional means of protection commensurate with the nature of the sensitive data and guarantees its protection from any risks when processing it, while ensuring that the restrictions and additional guarantees described in Annex 2 are applied.
- 8. Subsequent transfer — The Personal Data Importer shall not transfer or disclose the transferred personal data to a third party outside the Kingdom unless that party has acceded to these Clauses in accordance with the appropriate template. Without prejudice to the provisions of Articles 8 and 15 of the Law and Article 17 of the Implementing Regulation, the provisions of the Law and Regulations shall apply to personal data that has been previously transferred or disclosed to an entity outside the Kingdom.
- 9. Compliance with these clauses — The Personal Data Importer shall respond to all inquiries of the Personal Data Exporter within the specified period and provide all information requested, including any information necessary to enable the Personal Data Exporter to demonstrate compliance with the requirements of these Clauses or the provisions of the Law and its Implementing Regulations. Each party shall be responsible for demonstrating to the Competent Authority, upon request, that all obligations under these Clauses have been fulfilled. The Personal Data Importer allows the Personal Data Exporter or its appointed representatives to audit the Data Importer's processing of personal data without undue delay upon request. The Personal Data Exporter must provide the information revealed by the audit when requested by the Competent Authority. The right of audit does not grant the Personal Data Exporter or its representatives access to any confidential information of the Personal Data Importer unless that information is closely related to the processing of the transferred personal data.
- 10. Rights of personal data subjects — The Personal Data Importer shall notify the Personal Data Exporter within 48 hours from the time of receipt of any request received from a personal data Subject. The Personal Data Importer shall not respond to such requests unless authorised to do so by the Personal Data Exporter. The Personal Data Importer shall take all necessary measures in cooperation with the Personal Data Exporter to respond to the requests of personal data Subjects and enable them to exercise their rights under the Law and Regulations. The Personal Data Importer is obligated to follow all instructions issued by the Personal Data Exporter regarding the processing of the transferred personal data. All statements made to the personal data Subject must be presented in a clear, legible, and accessible format.