Data Processing Agreement

Effective Date: November 7, 2025 • Last Updated: December 15, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Skillful Squirrel Creative Inc. (operating as "Sweeperoo") ("Processor" or "we") and you ("Controller" or "you") for the provision of sweepstakes platform services ("Services").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person collected through your use of the Services.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates (sweepstakes participants).
  • "Controller" means you, the business user who determines the purposes and means of Processing Personal Data.
  • "Processor" means Sweeperoo, who Processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Sweeperoo to Process Personal Data.
  • "Applicable Data Protection Laws" means PIPEDA, GDPR, CCPA, and other applicable privacy laws.

2. Roles and Responsibilities

2.1 Controller Responsibilities

You acknowledge and agree that you are the Controller of all participant Personal Data collected through your sweepstakes campaigns. As Controller, you are responsible for:

  • Determining the purposes and means of Processing Personal Data
  • Ensuring you have a legal basis for Processing under Applicable Data Protection Laws
  • Obtaining all necessary consents from Data Subjects
  • Providing clear privacy notices to Data Subjects
  • Responding to Data Subject rights requests
  • Ensuring your instructions to us comply with Applicable Data Protection Laws
  • Maintaining records of Processing activities as required by law

2.2 Processor Responsibilities

We acknowledge and agree that we are the Processor of participant Personal Data. As Processor, we will:

  • Process Personal Data only on your documented instructions
  • Ensure persons authorized to Process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject rights requests
  • Assist you with data breach notifications
  • Delete or return Personal Data upon termination (subject to legal requirements)
  • Make available information necessary to demonstrate compliance

3. Data Processing Details

3.1 Subject Matter and Duration

  • Subject Matter: Provision of sweepstakes platform services
  • Duration: For the term of your subscription and retention periods thereafter
  • Purpose: To enable you to run sweepstakes campaigns and manage participant entries

3.2 Nature of Processing

We Process Personal Data to:

  • Collect and store participant entries
  • Verify participant eligibility
  • Verify phone numbers via SMS when required by campaign settings
  • Detect and prevent fraudulent entries
  • Enable winner selection
  • Generate analytics and reports
  • Facilitate prize fulfillment

3.3 Categories of Data Subjects

  • Sweepstakes participants (entrants)
  • Sweepstakes winners

3.4 Types of Personal Data

  • Name and email address
  • Date of birth
  • Location (country/province/state)
  • Phone number and verification status (when SMS verification is enabled)
  • Mailing address (for prize fulfillment)
  • Social media handles (if applicable)
  • Third-party platform data (Twitch user ID, Discord user ID and server membership, OAuth tokens)
  • IP address and device information
  • Entry method completion data
  • Survey responses (if applicable)

4. Sub-processors

4.1 Authorization

You authorize us to engage Sub-processors to Process Personal Data on your behalf. We maintain a current list of Sub-processors at sweeperoo.com/subprocessors.

4.2 Sub-processor Requirements

We ensure that all Sub-processors:

  • Are bound by written agreements with data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational security measures
  • Process Personal Data only as instructed
  • Maintain confidentiality

4.3 Changes to Sub-processors

We will notify you of any intended changes to Sub-processors (additions or replacements) at least 30 days in advance via email and platform notification. You may object to a new Sub-processor on reasonable data protection grounds by notifying us within 30 days. If we cannot accommodate your objection, you may terminate the affected Services.

5. Security Measures

We implement appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Monitoring: 24/7 security monitoring and incident response
  • Backups: Encrypted backups with disaster recovery procedures
  • Employee Training: Security awareness and confidentiality agreements
  • Vulnerability Management: Regular security assessments and penetration testing

6. Data Subject Rights

6.1 Assistance with Requests

We will assist you in responding to Data Subject rights requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object

6.2 Response Timeframe

We will respond to your requests for assistance within 5 business days and provide the necessary data or actions within 30 days, or as required by Applicable Data Protection Laws.

6.3 Direct Requests

If we receive a Data Subject rights request directly, we will promptly forward it to you for handling, as you are the Controller.

7. Data Breaches

7.1 Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data. Notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information

7.2 Investigation and Remediation

We will investigate the breach, take steps to mitigate harm, and implement measures to prevent future breaches. We will cooperate with you in any breach investigation and notification to Data Subjects or authorities.

8. International Data Transfers

8.1 Transfer Mechanisms

Personal Data may be transferred to and processed in countries outside your jurisdiction, including:

  • Primary Storage: Canada (adequate jurisdiction under GDPR)
  • Sub-processors: United States (via Sub-processors)

8.2 Standard Contractual Clauses

For transfers of Personal Data from the European Economic Area (EEA) or United Kingdom to countries not recognized as providing adequate protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable.

The Standard Contractual Clauses are incorporated by reference and form an integral part of this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.

8.3 Additional Safeguards

In addition to the SCCs, we implement supplementary measures including:

  • Encryption of Personal Data in transit and at rest
  • Strict access controls and authentication
  • Contractual obligations on Sub-processors
  • Regular security assessments

9. Audits and Compliance

9.1 Information and Audits

We will make available to you information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws. Upon reasonable notice and subject to confidentiality obligations, we will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

9.2 Audit Frequency

You may conduct audits no more than once per year, unless required by a supervisory authority or in response to a suspected data breach.

9.3 Audit Costs

You are responsible for all costs associated with audits, unless the audit reveals material non-compliance with this DPA.

10. Data Retention and Deletion

10.1 Retention Periods

We will retain Personal Data for the following periods:

  • Active campaign data: Campaign duration plus 90 days
  • Winner information: 6-7 years for tax compliance (IRS/CRA requirements)
  • Non-winner data: Until you request deletion or campaign end + 90 days
  • Fraud detection records: 3 years for security purposes

10.2 Deletion Upon Termination

Upon termination of the Services, we will:

  • Provide a 30-day grace period for you to export all Personal Data
  • Delete or return all Personal Data within 90 days of termination
  • Retain only data required by law (e.g., winner information for tax purposes)
  • Certify deletion upon your request

10.3 Legal Holds

We may retain Personal Data longer if required by law, legal process, or to establish, exercise, or defend legal claims.

11. Liability and Indemnification

11.1 Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any liability that cannot be limited or excluded by law

11.2 Indemnification

You agree to indemnify us against any claims, damages, or losses arising from:

  • Your breach of this DPA
  • Your failure to obtain necessary consents from Data Subjects
  • Your instructions that violate Applicable Data Protection Laws
  • Claims by Data Subjects related to your Processing activities

12. Term and Termination

12.1 Term

This DPA takes effect on the date you accept the Terms of Service and continues for the duration of the Services.

12.2 Survival

The provisions of this DPA that by their nature should survive termination will survive, including data deletion obligations, confidentiality, liability, and audit rights.

13. General Provisions

13.1 Amendments

We may update this DPA to reflect changes in Applicable Data Protection Laws or our Processing activities. We will notify you of material changes with 30 days' advance notice.

13.2 Governing Law

This DPA is governed by the laws of Ontario, Canada, except where Applicable Data Protection Laws require otherwise.

13.3 Order of Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

13.4 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.

Questions about this DPA?
Contact our Privacy Officer at privacy@sweeperoo.com