DPA Version 2.0
DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) may be incorporated by reference into a Software as a Service Agreement (the “SSA”) between Awardco, Inc. (“Processor”) and a customer of Awardco (such customer and, to the extent required under Applicable Data Protection Laws, its Authorized Affiliates, collectively “Controller”). Processor and Controller may be referred to collectively as the “Parties” and each individually as a “Party”. All capitalized terms contained but not defined in this DPA have the meaning given to them in the SSA.
Processor provides certain Awardco Services to Controller pursuant to the SSA, and in the course of providing such Awardco Services Processor may Process Personal Data on behalf of Controller. To ensure adequate safeguards with respect to the Processing of Personal Data provided by Controller to Processor, the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. DEFINITIONS
“Applicable Data Protection Laws” means all applicable laws, regulations, regulatory guidance, or requirements in any jurisdiction relating to data protection, privacy, or confidentiality of Personal Data including but not limited to (a) the GDPR together with any transposing, implementing or supplemental legislation, and (b) the CCPA.
“Authorized Affiliate” means any of Controller’s Affiliates which (a) are subject to Applicable Data Protection Laws, and (b) are permitted to use Processor for Processing pursuant to the SSA.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, as amended from time to time.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, the Party identified as “Controller” above is the Controller under this DPA.
“Data Breach” means a breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, access to, or other Processing of Personal Data transmitted, stored, or otherwise Processed.
“Data Protection Authority” means any representative or agent of a government entity or agency who has the authority to enforce Applicable Data Protection Laws.
“Data Subject” means a natural person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information that is considered “personal information,” “personal data,” or “personally identifiable information,” or any functional equivalent of these terms under any applicable laws relating to data privacy, data protection, or cybersecurity.
“Process” shall mean any operation or set of operations which is performed upon Personal Data by Processor or in connection with and for the purposes of the provision of the Awardco Services, whether or not accomplished by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; and as otherwise defined by Applicable Data Protection Laws.
“Processor” means the entity which Processes Personal Data on behalf of Controller. For the avoidance of doubt, the Party identified as “Processor” above is the Processor under this DPA.
“Service Provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a Data Controller and to which the Data Controller discloses a Data Subject’s Personal Data for a Business Purpose pursuant to a written contract, provided that the contract prohibits the Service Provider from retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services specified in the contract, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Personal Data for a Commercial Purpose other than providing the services specified in the contract with the Data Controller. The terms “Business Purpose” and “Commercial Purpose” have the same meaning as those terms are used in the CCPA. For the avoidance of doubt, Processor is a Service Provider.
“Sub-processor” means any entity which Processes Personal Data on behalf of Processor.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with respect to the Processing of Personal Data, customer is the Controller and Awardco, Inc. is the Processor or Service Provider. The subject matter, duration, purpose of the Processing, and the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 below.
2.2 Controller’s Obligations. Controller’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquires Personal Data and provides it to Processor.
2.3 Processor’s Obligations. All Personal Data Processed by Processor pursuant to the SSA is Confidential Information and Processor will Process Personal Data only in accordance with Controller’s documented instructions set forth in Schedule 1 or as otherwise provided by Controller in writing. Processor will not sell the Personal Data Processed under this DPA and will not retain, use, or disclose Personal Data outside of the direct business relationship between Processor and Controller. Processor shall comply with all Applicable Data Protection Laws with regard to Processing Personal Data. Processor will not combine Personal Data provided by Controller with Personal Data that it receives from other sources. In the event Processor believes that compliance with any instructions by Controller would result in a violation of any Applicable Data Protection Law, Processor shall notify Controller thereof in writing without delay. Processor shall make available to Controller all information necessary to demonstrate Processor’s compliance with its obligations under this DPA.
2.4 Assistance Requirements. Processor shall assist Controller with the following: compliance with Applicable Data Protection Laws when required by Applicable Data Protection Laws; suspected and relevant Data Breaches; notifications to, or inquiries from a Data Protection Authority; notifications to, and inquiries from, Data Subjects; and Controller’s obligation to carry out data protection impact assessments and prior consultations with a Data Protection Authority.
3. NOTIFICATION OBLIGATIONS
3.1 Processor’s Notification Obligations. Processor shall immediately notify Controller, in writing, of the following:
3.1.1 A Data Subject’s request to exercise their privacy rights such as accessing, rectifying, erasing, transporting, objecting to, or restricting their Personal Data;
3.1.2 Any request or complaint received from Controller’s customers or employees;
3.1.3 Any question, complaint, investigation, or other inquiry from a Data Protection Authority;
3.1.4 Any request for disclosure of Personal Data that is related in any way to Processor’s Processing of Personal Data under this DPA;
3.1.5 A Data Breach pursuant to the notification obligations set forth in Section 7.1; and
3.1.6 Where the Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed.
Processor will assist Controller in fulfilling Controller’s obligations to respond to requests relating to Sections 3.1.1 through 3.1.6 above and will not respond to such requests without Controller’s prior written consent unless Processor is required to respond by applicable law.
4. CONFIDENTIALITY
4.1 Confidential Information. All Personal Data provided to Processor pursuant to the SSA is Confidential Information.
4.2 Processor’s Personnel. Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements, and further that such confidentiality obligations survive the termination of their respective employment relationship with such individuals.
4.3 Limitation of Access. Processor shall ensure that Processor’s access to Personal Data is limited to those personnel performing the Awardco Services in accordance with the SSA.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Controller acknowledges and agrees that Processor and Processor’s Affiliates may engage third-party Sub-processors in connection with the provision of the Awardco Services. Processor or Processor’s Affiliate shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the services provided by such Sub-processor.
5.2 Notification of Changes to Sub-processors. Processor will notify Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days prior to its use of such new Sub-processor.
5.3 Objection Right for New Sub-processors. Controller may object to Processor’s use of a new Sub-processor by notifying Processor promptly in writing within fourteen (14) days after receipt of Processor’s notice under Section 5.2. In the event Controller objects to a new Sub-processor, Processor will use reasonable efforts to make available to Controller a change in the Awardco Services to avoid Processing of Personal Data by the objected-to new Sub- processor. If Processor is unable to make available such change, Controller may terminate the SSA with respect to those Awardco Services which cannot be provided by Processor without the use of the objected-to new Sub-processor.
5.4 Liability for Acts of Sub-Processors. Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6. SECURITY.
6.1 Protection of Personal Data. Processor shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.2 Audit Rights. Controller, or Controller’s designee, has the right to audit and inspect, at Controller’s sole cost and expense, Processor’s premises, policies, procedures, and computer systems to make sure Processor complies with the requirements in this DPA. Such audit and inspection shall be commercially reasonable in scope and nature and will be subject to Processor’s confidentiality obligations with Processor’s other clients. Controller, or Controller’s designee, will provide at least 72 hours written notice before conducting an audit, unless, under applicable law, such audit is required due to a Data Breach involving Processor.
7. DATA BREACHES.
7.1 Data Breach Notification. Processor shall notify Controller in writing without undue delay after becoming aware of a Data Breach.
7.2 Data Breach Management. Processor shall make reasonable efforts to identify the cause of such Data Breach and take those steps as Processor deems necessary and reasonable to remediate the cause of such a Data Breach to the extent the remediation is within Processor’s reasonable control.
8. TERMINATION.
8.1 Termination. This DPA shall terminate automatically upon the later of (a) the termination or expiration of the SSA, or (b) Processor’s deletion or return of Personal Data. Controller shall further be entitled to terminate this DPA for cause if Processor is in material or persistent breach of this DPA which, in the case of a breach capable of remedy, shall not have been remedied within thirty (30) days from the date of receipt by Processor of a notice from Controller identifying the breach and requesting its remedy.
8.2 Return or Deletion of Data. Upon termination of this DPA, Processor will delete or return all existing copies of Personal Data unless applicable law requires continued retention of the Personal Data. Upon the request of Controller, Processor shall confirm compliance with such obligations in writing and delete all existing copies. In instances where applicable law requires Processor to retain Personal Data, Processor will protect the confidentiality, integrity, and accessibility of the Personal Data; will not actively Process the Personal Data; and will continue to comply with the terms of this DPA.
9. MECHANISMS FOR INTERNATIONAL TRANSFERS.
9.1 Transfers Outside of the EU/UK/Switzerland to a Country with an Adequacy Decision. Processor shall rely on an adequacy decision to transfer Personal Data when such adequacy decision has been granted under applicable data protection laws. For the avoidance of doubt, if Processor is certified under the Data Privacy Framework Program, granted by the Commission Implementing Decision of 10.7.2023 on the Adequate Level of Protection of Personal Data Under the EU-US Data Privacy Framework, along with the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”), the DPF shall apply and supersede the applicable transfer mechanism(s) set forth in Section 9.2 of this DPA as a valid transfer mechanism to Personal Data transferred to the United States.
9.2 Transfers Outside of the EU/UK/Switzerland to a Country without an Adequacy Decision. During the provision of Awardco Services, it may be necessary for Controller to transfer Personal Data from the European Union, the European Economic Area and/or their member states, the United Kingdom, or Switzerland to Processor in a country that does not have an adequacy decision or is not located in the European Economic Area. In the event of such a transfer, the Standard Contractual Clauses apply as follows:
9.2.1. In relation to Personal Data that is subject to the GDPR (i) Processor will be deemed the “data importer” and Controller is the “data exporter”; (ii) the Module Two terms shall apply where Controller is a Data Controller and where Processor is a Data Processor; (iii) in Clause 7, the optional docking clause shall be deleted; (iv) in Clause 9 of Module Two, Option 2 shall apply and the list of Sub-processors and time period for notice of changes shall be as agreed under Section 5 of this DPA; (v) in Clause 11, the optional language shall be deleted; (vi) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by the member state where Controller is domiciled; (vii) in Clause 18(b), disputes shall be resolved before the courts of the member state where Controller is domiciled; (viii) Annex I and Annex II shall be deemed completed with the information set out in Schedule 1 of this DPA respectively; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of the SSA (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict. For this section, the Standard Contractual Clauses from the Commission Implementing Decision (EU) 2021/914 are incorporated by reference and available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
9.2.2. In relation to Personal Data that is subject to UK Data Protection Laws, the International Data Transfer Agreement (“IDTA”) shall apply with the following modifications: (i) the contact information about the parties to the SSA is the contact information for the IDTA; (ii) Controller is the data exporter and Processor is the data importer; (iii) the laws that govern the IDTA and the location where legal claims can be made is England and Wales; (iv) the UK GDPR does not apply to the data importer’s processing of transferred data; (v) the Parties do not use the additional security or commercial clauses from the IDTA; and (vi) the information in this DPA and Schedule 1 can be used for Tables 1-4. The Part 4 Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses, are incorporated by reference and available here: https://ico.org.uk/media2/migrated/4019538/international-data-transfer-agreement.pdf
9.2.3. In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses referenced in Section 9.1.1 shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” shall be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
9.3. Alternative Data Transfer Mechanisms. The Parties acknowledge that the laws, rules and regulations relating to international data transfers are rapidly evolving. In the event that Controller adopts another mechanism authorized by applicable laws, rules or regulations to transfer Personal Data (each an “Alternative Data Transfer Mechanism”), the Parties agree to work together in good faith to implement any amendments to this DPA necessary to implement the Alternative Data Transfer Mechanism.
10. MISCELLANEOUS PROVISIONS.
10.1. Amendments. This DPA may not be amended or supplemented, nor shall any of its provisions be deemed to be waived or otherwise modified, except through a writing duly executed by authorized representatives of both Parties.
10.2 Governing Law. This DPA shall be governed by the governing law set forth in the SSA.
[SCHEDULES 1 AND 2 FOLLOW]
SCHEDULE 1
Description of Processing
Contact Information
For Processor: Awardco, Inc., 2080 W 400 N, Lindon, UT 84042, Attn: Data Privacy Officer; privacy@awardco.com
For Controller: the individual, address, and email set forth in the applicable Order Form under the SSA.
Subject-Matter
The subject matter of Processing is the Awardco Services pursuant to the SSA.
Duration
The duration of Processing is as set forth in the SSA.
Extent, Type, and Purpose of the Processing
The extent, type, and purpose of the Processing is as set forth in the SSA.
Frequency of Transfer
The frequency of transfer is continuous.
Data Subjects
Personal Data Processing may relate to Controller’s employees.
Sub-processor Transfers
The following table lists the Sub-processors that will receive Personal Data, the subject matter for those transfers, how that information will be processed, and the duration of processing:
Categories of Data
The Personal Data Processed may concern the following categories of data:
● Identifying Information
● Social and Contact Information
● Tracking Data
Technical and Organizational Measures to Secure Data
Set forth in Schedule 2
SCHEDULE 2
Awardco Technical and Organizational Measures to Secure Data
Technical Security Measures
- Endpoint protection, anti-malware, and EDR on all machines. Awardco deploys anti-virus, endpoint protection, and endpoint detection and response technologies across company-managed machines, with security tooling configured to remain current and active.
- All endpoints are encrypted. Endpoints are protected with full-disk encryption to help safeguard data stored on company-issued devices.
- Identity and Access Management (IAM). Awardco uses an Identity and Access Management system to manage the identity and assign appropriate permission sets for each employee.
- MFA and SSO are required to log into Awardco systems. Combined with the Identity and Access Management System, access to company systems is protected through strong authentication controls, including single sign-on and multi-factor authentication, to reduce the risk of unauthorized access.
- Awardco enforces strict password requirements. Users must create long, complex passwords, and accounts are locked after five failed login attempts. Awardco also prevents the reuse of the previous five passwords and restricts the use of common passwords.
- All corporate endpoints are managed with the capability to wipe the machines. Company-issued devices are centrally managed and can be remotely wiped when necessary to protect data in the event of loss, theft, or device retirement.
- No employees have admin access to their machines. Employee admin access is restricted and managed through technical controls.
- Awardco’s production environment utilizes several next-generation firewalls, a web application firewall (WAF), and load balancers to allow approved traffic only into the environment. The production environment is protected by layered network security controls, including a WAF, designed to restrict inbound and outbound traffic to approved and authorized connections only. Additionally, the WAF targets the OWASP vulnerabilities.
- Corporate, development, and production environments are all segmented and cannot access each other. Awardco maintains segregated environments to reduce the risk of unauthorized access, cross-environment exposure, and unapproved changes reaching production.
- All data at rest is encrypted using AES-256. Data at rest is encrypted using AES-256 to help protect sensitive information stored in production systems.
- All data in transit is encrypted using TLS 1.3. Data transmitted between customer and processor networks is encrypted using TLS 1.3 to protect information in transit between users, systems, and services.
- Awardco backs up data within industry standard methodology. Production data is backed up frequently and replicated in a manner intended to support availability, resiliency, and recovery.
- Awardco has a DR site that is ready to take traffic at any moment should the need arise. Awardco maintains disaster recovery capabilities designed to support service continuity and recovery in the event of a disruption.
- Awardco utilizes a SOC and SIEM to monitor the environment 24/7. Security monitoring is performed on a continuous basis through security operation functions and SIEM capabilities to support the detection, investigation, and response to suspicious or malicious activity. Additionally, Awardco leverages Microsoft Azure security toolsets to enhance its overall security monitoring posture.
- Awardco uses DLP controls to help prevent private data from being moved, copied, or stolen. Data loss prevention controls are used to help detect and prevent unauthorized movement, copying, or exfiltration of sensitive data.
- Awardco maintains a formal vulnerability management program. Vulnerabilities are regularly identified, prioritized based on risk, and tracked through remediation to reduce exposure to known security weaknesses.
- Awardco maintains a patch management process for systems and endpoints. Security patches are evaluated and deployed according to defined timelines and risk-based requirements to reduce exposure to known vulnerabilities.
- Awardco uses formal change management procedures for production systems. Changes to applications, infrastructure, and supporting systems are reviewed, tested, approved, and tracked before deployment to production.
- Awardco logs and monitors system and administrative access. Access to key systems and services is logged and monitored to support security oversight, investigation, and auditability. This function is executed via the SIEM platform as part of centralized security monitoring and event correlation.
Organizational Measures
- Awardco Information Security Management System (ISMS). Awardco maintains a formal ISMS program that documents and governs all facets of its information security processes. This program provides a structured framework for security policies, risk management, access control, incident response, and change management, and is regularly reviewed and updated to support continuous improvement and regulatory and contractual compliance.
- Awardco Governance, Risk, and Compliance (GRC) Program. Awardco operates a dedicated Governance, Risk, and Compliance (GRC) program responsible for designing, maintaining, and continuously improving a mature information security and compliance program. This program is independently validated through SOC 2 Type II, ISO 27001, and Cyber Essentials / Cyber Essentials Plus certifications and applicable privacy and security obligations. The GRC function also owns Awardco’s AI governance committee, ensuring AI use cases are inventoried, risk-assessed, and approved. Foundational controls are organized and mapped against key regulatory and industry frameworks, including HIPAA, GDPR, CCPA/CPRA, and relevant NIST guidance, to support a risk-based control framework, strong governance, and consistent, auditable execution of security and privacy requirements.
- Only select authorized individuals have access to the production environment. Access to the production environment is limited to authorized personnel whose job responsibilities require that level of access.
- Awardco uses role-based access with least privilege. Access is provisioned on a role-based model and restricted to the minimum privileges required to perform defined job functions.
- Awardco maintains a comprehensive security and privacy awareness program for all personnel. All employees complete mandatory, annually recurring security and privacy training covering core domains such as secure data handling, phishing and social engineering, and individual security obligations. The same curriculum is assigned to all new hires during onboarding to establish and maintain a consistent, organization-wide baseline of security and privacy awareness.
- Awardco maintains a formal incident response program. Awardco maintains incident response procedures and escalation processes to support timely identification, containment, response, and recovery from security incidents.
- Awardco maintains a formal risk management process. Risk assessments are performed, and identified risks are evaluated, tracked, and addressed through appropriate mitigation measures.
- Vendor and Third-Party Risk Management program. Awardco maintains a vendor and third-party risk management program that vets critical providers before onboarding, enforces appropriate security and privacy obligations in contracts, and continuously monitors key vendors and supply-chain dependencies as part of its broader risk and continuity planning.
- Policies and procedures are written and accessible to all employees. Security and operational policies and procedures are formally documented and centrally published to employees to promote control awareness, standardized implementation, and consistent, repeatable execution across the organization.
