Data Protection Agreement

Last Updated on July 25th, 2025

This Data Protection Agreement (DPA) forms an integral part of the Agreement entered into by Groovin and the Customer. 

Capitalized terms used but not defined in this appendix shall have the meanings provided in the Terms of Services.

Definitions

For the purpose of this DPA, the capitalized terms shall have the meaning set forth below: 

  1. “Data Protection Regulation” means any law and regulation in force applicable to the Personal Data Processing activities carried out under this Agreement, including without limitation Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

  2. "Data Subject" means an identified or identifiable natural person.

  3. “Personal Data” means any information relating to a Data Subject. 

  4. The following capitalized terms shall have the meaning assigned to them in Article 4 of the GDPR: “Controller”, “Data Breach”, “Personal Data”, “Processing”, “Processor”.

Processing

The Parties acknowledge that for the performance of the Agreement (i) the Client acts as a Controller and (ii) Groovin acts as a Processor.

General obligations of Groovin as Data Processor

  1. Groovin shall process the Personal Data in accordance with the Controller’s documented instructions and for the sole purpose set forth in Exhibit “Processing Description” attached to this DPA. 

  2. Furthermore, Groovin undertakes to:  

    1. immediately notify the Customer if it considers that an instruction constitutes a violation of the Data Protection Regulation;

    2. ensure that its personnel are committed to confidentiality and receive appropriate training regarding data protection;

    3. take all appropriate measures, including physical security measures, to ensure the protection of the Personal Data throughout the duration of this Agreement.

Assistance

Groovin undertakes to:

  1. assist the Customer to fulfil its obligation to handle Data Subjects’ requests. In the event that a Data Subject sends a request directly to Groovin to exercise his/her rights, Groovin shall forward it to the Controller as soon as possible.

  2. assist the Controller, within reasonable measures, to perform data privacy impact assessments of the processing activities carried out under the Agreement (if such assessment is required by Data Protection Regulation).

  3. upon the Controller’s request, provide a copy of Groovin’s data privacy documentation to demonstrate its compliance with Data Protection Regulation.

Security

  1. Groovin shall implement and maintain appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk, including the following measures: 

    1. means to ensure the confidentiality, integrity, availability and resilience of processing systems and services;

    2. means to restore the availability of, and access to, Personal Data within an appropriate timeframe in the event of a physical or technical incident;

    3. a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

  2. Data Breach

    1. Groovin shall notify the Controller of any Data Breach as soon as possible, and in all events no later than forty-eight (48) hours after becoming aware of it. 

    2. This notification shall include all necessary information in order to enable the Controller to determine whether the incident must be notified to the supervisory authority and / or the Data Subjects.

    3. This information shall include:

        1. a description of the nature of the Data Breach including, if possible, the categories and approximate number of Data Subjects and Personal Data records concerned;

        2. a description of the likely consequences of the Data Breach;

        3. a description of the measures taken or proposed to be taken by Groovin to address the Data Breach, including, where appropriate, measures to mitigate any adverse consequences.

  3. Deletion of the Personal Data

    1. Upon termination of the Agreement for any reason whatsoever, Groovin shall delete all manual or computerized files storing the Personal Data and any existing copies thereof, unless applicable law requires their retention.

    2. Upon Controller’s request, Groovin will certify in writing that all Personal Data and copies thereof have been permanently erased from its systems.

Subcontracting

  1. The Controller expressly authorizes Groovin to hire subcontractors ("the Subsequent Data Processor") for the performance of the Services. The list of authorized Subsequent Data Processors is provided below:

  1. Controller must be informed in advance of any modifications of this list, including any addition or replacement of a Subsequent Data Processor, in order to have the possibility of objecting to such modifications for a legitimate reason. 

  2. In the absence of any written objection from the Controller within 15 business days following the notification, the modification of the list of the Subsequent Data Processors shall be deemed accepted. 

  3. In the event of a legitimate objection by the Controller regarding the modification of this list, the Parties shall meet as soon as possible to find a reasonable solution. If no amicable solution can be found within a reasonable time, the Agreement may be terminated by either Party. 

  4. Groovin remains liable for the performance by the Subsequent Data Processor of its obligations.

Data transfer

Groovin shall not transfer any Personal Data from the European Union to a third country that does not have an adequate level of protection (as defined by the European Commission) without taking appropriate safeguards required by the GDPR.

Obligations of the Data Controller

  1. The Customer, acting as Controller, shall comply with Data Protection Regulation.

  2. In particular, Customer is solely responsible for:

    1. providing the Data Subjects with accurate and complete information regarding the Processing of their Personal Data;

    2. ensuring that the Personal Data Processing activities are based on a legal basis provided by the GDPR;

    3. using and Processing the Personal Data for its own needs and business activity in compliance with Data Protection Regulation;

    4. carrying out all assessments and analyses that may be required by Data Protection Regulation to process the Personal Data;

    5. managing any request from Data Subjects exercising their rights in compliance with the Data Protection Regulation;

    6. documenting in writing any instructions given to Groovin regarding the Processing of Personal Data carried out under the Agreement.

Exhibit – Processing Description

Streamlining your Deal Flow with effortless LinkedIn-CRM integration.

Crafted with ❤️ amid the French peaks 🇫🇷 🏔️ — ©2025 Groovin. All rights reserved.
