DPA Version 1.0
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) may be incorporated by reference into a Software as a Service Agreement (the “SSA”) between Awardco, Inc. (“Processor”) and a customer of Awardco (such customer and, to the extent required under Applicable Data Protection Laws, its Authorized Affiliates, collectively “Controller”). Processor and Controller may be referred to collectively as the “Parties” and each individually as a “Party”. All capitalized terms contained but not defined in this DPA have the meaning given to them in the SSA.
Processor provides certain Awardco Services to Controller pursuant to the SSA, and in the course of providing such Awardco Services Processor may Process Personal Data on behalf of Controller. To ensure adequate safeguards with respect to the Processing of Personal Data provided by Controller to Processor, the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. DEFINITIONS
“Applicable Data Protection Laws” means all applicable laws, regulations, regulatory guidance, or requirements in any jurisdiction relating to data protection, privacy, or confidentiality of Personal Data including but not limited to (a) the GDPR together with any transposing, implementing or supplemental legislation, and (b) the CCPA.
“Authorized Affiliate” means any of Controller’s Affiliates which (a) are subject to Applicable Data Protection Laws, and (b) are permitted to use Processor for Processing pursuant to the SSA.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended from time to time.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, the Party identified as “Controller” above is the Controller under this DPA.
“Data Breach” means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed.
“Data Protection Authority” means any representative or agent of a government entity or agency who has the authority to enforce Applicable Data Protection Laws.
“Data Subject” means a natural person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information that is considered “personal information,” “personal data,” or “personally identifiable information,” or any functional equivalent of these terms under any applicable laws relating to data privacy, data protection, or cybersecurity.
“Process” shall mean any operation or set of operations which is performed upon Personal Data by Processor in connection with, and for the purposes of, the provision of the Awardco Services, whether or not accomplished by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as otherwise defined by Applicable Data Protection Laws.
“Processor” means the entity which Processes Personal Data on behalf of Controller. For the avoidance of doubt, the Party identified as “Processor” above is the Processor under this DPA.
“Service Provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a Controller and to which the Controller discloses a Data Subject’s Personal Data for a Business Purpose pursuant to a written contract, provided that the contract prohibits the Service Provider from retaining, using, or disclosing the Personal Data for any purpose other than the specific purpose of performing the services specified in the contract, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Personal Data for a Commercial Purpose other than providing the services specified in the contract with the Controller. The terms “Business Purpose” and “Commercial Purpose” have the same meaning as those terms are used in the CCPA. For the avoidance of doubt, Processor is a Service Provider.
“Sub-processor” means any entity which Processes Personal Data on behalf of Processor.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with respect to the Processing of Personal Data, the customer is the Controller and Awardco, Inc. is the Processor or Service Provider. The subject matter, duration, and purpose of the Processing, and the types of Personal Data and categories of Data Subjects Processed under this DPA, are further specified in Schedule 1 below.
2.2 Controller’s Obligations. Controller’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquires Personal Data and provides it to Processor.
2.3 Processor’s Obligations. All Personal Data Processed by Processor pursuant to the SSA is Confidential Information and Processor will Process Personal Data only in accordance with Controller’s documented instructions set forth in Schedule 1 or as otherwise provided by Controller in writing. Processor will not sell the Personal Data Processed under this DPA and will not retain, use, or disclose Personal Data outside of the direct business relationship between Processor and Controller. Processor shall comply with all Applicable Data Protection Laws with regard to Processing Personal Data. Processor will not combine Personal Data provided by Controller with Personal Data that it receives from other sources. In the event Processor believes that compliance with any instructions by Controller would result in a violation of any Applicable Data Protection Law, Processor shall notify Controller thereof in writing without delay. Processor shall make available to Controller all information necessary to demonstrate Processor’s compliance with its obligations under this DPA.
2.4 Assistance Requirements. Processor shall assist Controller with the following: compliance with Applicable Data Protection Laws when required by Applicable Data Protection Laws; suspected and relevant Data Breaches; notifications to, or inquiries from a Data Protection Authority; notifications to, and inquiries from, Data Subjects; and Controller’s obligation to carry out data protection impact assessments and prior consultations with a Data Protection Authority.
3. NOTIFICATION OBLIGATIONS.
3.1 Processor’s Notification Obligations. Processor shall immediately notify Controller, in writing, of the following:
3.1.1 A Data Subject’s request to exercise their privacy rights such as accessing, rectifying, erasing, transporting, objecting to, or restricting their Personal Data;
3.1.2 Any request or complaint received from Controller’s customers or employees;
3.1.3 Any question, complaint, investigation, or other inquiry from a Data Protection Authority;
3.1.4 Any request for disclosure of Personal Data that is related in any way to Processor’s Processing of Personal Data under this DPA;
3.1.5 A Data Breach pursuant to the notification obligations set forth in Section 7.1; and
3.1.6 Where the Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed.
Processor will assist Controller in fulfilling Controller’s obligations to respond to requests relating to Sections 3.1.1 through 3.1.6 above and will not respond to such requests without Controller’s prior written consent unless Processor is required to respond by applicable law.
4. CONFIDENTIALITY.
4.1 Confidential Information. All Personal Data provided to Processor pursuant to the SSA is Confidential Information.
4.2 Processor’s Personnel. Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements, and further that such confidentiality obligations survive the termination of such individuals’ employment with Processor.
4.3 Limitation of Access. Processor shall ensure that Processor’s access to Personal Data is limited to those personnel performing the Awardco Services in accordance with the SSA.
5. SUB-PROCESSORS.
5.1 Appointment of Sub-processors. Controller acknowledges and agrees that Processor and Processor’s Affiliates may engage third-party Sub-processors in connection with the provision of the Awardco Services. Processor or Processor’s Affiliate shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the services provided by such Sub-processor.
5.2 Notification of Changes to Sub-processors. Processor will notify Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days prior to its use of such new Sub-processor.
5.3 Objection Right for New Sub-processors. Controller may object to Processor’s use of a new Sub-processor by notifying Processor promptly in writing within fourteen (14) days after receipt of Processor’s notice under Section 5.2. In the event Controller objects to a new Sub-processor, Processor will use reasonable efforts to make available to Controller a change in the Awardco Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If Processor is unable to make available such change, Controller may terminate the SSA with respect to those Awardco Services which cannot be provided by Processor without the use of the objected-to new Sub-processor.
5.4 Liability for Acts of Sub-Processors. Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6. SECURITY.
6.1 Protection of Personal Data. Processor shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.2 Audit Rights. Controller, or Controller’s designee, has the right to audit and inspect, at Controller’s sole cost and expense, Processor’s premises, policies, procedures, and computer systems to verify that Processor complies with the requirements of this DPA. Such audit and inspection shall be commercially reasonable in scope and nature and will be subject to Processor’s confidentiality obligations to Processor’s other clients. Controller, or Controller’s designee, will provide at least 72 hours’ written notice before conducting an audit, unless, under applicable law, such audit is required due to a Data Breach involving Processor.
7. DATA BREACHES.
7.1 Data Breach Notification. Processor shall notify Controller in writing without undue delay after becoming aware of a Data Breach.
7.2 Data Breach Management. Processor shall make reasonable efforts to identify the cause of such Data Breach and take those steps Processor deems necessary and reasonable to remediate the cause of such Data Breach, to the extent the remediation is within Processor’s reasonable control.
8. TERMINATION.
8.1 Termination. This DPA shall terminate automatically upon the later of (a) the termination or expiration of the SSA, or (b) Processor’s deletion or return of Personal Data. Controller shall further be entitled to terminate this DPA for cause if Processor is in material or persistent breach of this DPA which, in the case of a breach capable of remedy, shall not have been remedied within thirty (30) days from the date of receipt by Processor of a notice from Controller identifying the breach and requesting its remedy.
8.2 Return or Deletion of Data. Upon termination of this DPA, Processor will delete or return all existing copies of Personal Data unless applicable law requires continued retention of the Personal Data. Upon the request of Controller, Processor shall confirm compliance with such obligations in writing and delete all existing copies. In instances where applicable law requires Processor to retain Personal Data, Processor will protect the confidentiality, integrity, and accessibility of the Personal Data; will not actively Process the Personal Data; and will continue to comply with the terms of this DPA.
9. MECHANISMS FOR INTERNATIONAL TRANSFERS.
9.1 Transfers Outside of the EU. During the provision of the Awardco Services, it may be necessary for Controller to transfer Personal Data from the European Union, the European Economic Area and/or their member states, the United Kingdom, or Switzerland to Processor in a country that does not have an adequacy decision from the European Commission or is not located in the European Economic Area. In the event of such a transfer, the Standard Contractual Clauses apply as follows:
9.1.1 In relation to Personal Data that is subject to the GDPR (i) Processor will be deemed the “data importer” and Controller is the “data exporter”; (ii) the Module Two terms shall apply where Controller is a Controller and where Processor is a Processor; (iii) in Clause 7, the optional docking clause shall be deleted; (iv) in Clause 9 of Module Two, Option 2 shall apply and the list of Sub-processors and time period for notice of changes shall be as agreed under Section 5 of this DPA; (v) in Clause 11, the optional language shall be deleted; (vi) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by the law of the EU Member State where Controller is domiciled; (vii) in Clause 18(b), disputes shall be resolved before the courts of the EU Member State where Controller is domiciled; (viii) Annex I and Annex II shall be deemed completed with the information set out in Schedule 1 of this DPA respectively; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of the SSA (including this DPA), the Standard Contractual Clauses shall prevail to the extent of such conflict. For this section, the Standard Contractual Clauses from the Commission Implementing Decision (EU) 2021/914 are incorporated by reference and available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
9.1.2 In relation to Personal Data that is subject to UK Data Protection Laws, the International Data Transfer Agreement (“IDTA”) shall apply with the following modifications: (i) the contact information for the parties to the SSA is the contact information for the IDTA; (ii) Controller is the data exporter and Processor is the data importer; (iii) the law that governs the IDTA and the location where legal claims can be made is England and Wales; (iv) the UK GDPR does not apply to the data importer’s processing of transferred data; (v) the Parties do not use the additional security or commercial clauses from the IDTA; and (vi) the information in this DPA and Schedule 1 can be used for Tables 1-4. For this section, the IDTA issued by the Information Commissioner’s Office is incorporated by reference and available here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
9.1.3 In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses referenced in Section 9.1.1 shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” shall be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
9.2 Alternative Data Transfer Mechanisms. The Parties acknowledge that the laws, rules and regulations relating to international data transfers are rapidly evolving. In the event that Controller adopts another mechanism authorized by applicable laws, rules or regulations to transfer Personal Data (each an “Alternative Data Transfer Mechanism”), the Parties agree to work together in good faith to implement any amendments to this DPA necessary to implement the Alternative Data Transfer Mechanism.
10. MISCELLANEOUS PROVISIONS.
10.1 Amendments. This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorized representatives of both Parties.
10.2 Governing Law. This DPA shall be governed by the governing law set forth in the SSA.
SCHEDULE 1 to DPA
Description of Processing
Contact Information
For Processor: Data Privacy Officer, 2080 W 400 N, Lindon, UT 84042, privacy@awardco.com
For Controller: The individual, address, and email set forth in the applicable Order Form under the SSA
Subject-Matter
The subject matter of Processing is the Awardco Services pursuant to the SSA.
Duration
The duration of Processing is as set forth in the SSA.
Extent, Type and Purpose of the Processing
The extent, type and purpose of the Processing is as set forth in the SSA.
Frequency of Transfer
The frequency of transfer is continuous.
Data Subjects
Personal Data Processing may relate to Controller’s employees.
Sub-processor Transfers
A table that sets forth Processor’s list of Sub-processors that will receive Personal Data, the subject matter for those transfers, how that information will be processed, and the duration of processing is available to Controller upon written request to privacy@awardco.com.
Categories of Data
The Personal Data Processed may concern the following categories of data:
· Identifying Information
· Social and Contact Information
· Tracking Data
Technical and Organizational Measures to Secure Data
Technical security measures:
· Endpoint protection, anti-malware and EDR are deployed on all machines. All endpoints are encrypted. All corporate endpoints are managed, with the capability to wipe the machines remotely. No employees have admin access to their machines.
· MFA and SSO are required to log into Processor systems.
· The production environment utilizes several next-generation firewalls and load balancers to allow only approved traffic into the environment. Corporate, development, and production environments are segmented from each other and cannot access each other.
· All data at rest is encrypted using AES-256. All data in transit is encrypted using TLS 1.2.
· Data is backed up every five minutes. Processor maintains a disaster recovery (DR) site that is ready to take traffic at any moment should the need arise.
· A SOC monitors the environment 24/7. Processor also monitors the production environment with Microsoft Security Center.
· A DLP system is used to prevent private data from being moved, copied or stolen.
Organizational measures:
· Only select authorized individuals have access to the production environment. Processor uses role-based access control with least privilege.
· Processor provides annual security and privacy training to all employees; the same training is given to all new hires.
· Policies and procedures are written and accessible to all employees.