Between:
The User/Subscriber, as defined by Poper's Terms and Conditions, to which the present Data Processing Agreement is attached (the "Controller", or the "Client");
And:
Poper, as defined by Poper's Terms and Conditions, to which the present Data Processing Agreement is attached (the "Processor").
For the purpose of this Data Processing Agreement, the Controller and the Processor may also be collectively referred to as the "Parties", or individually as a "Party".
1. Definitions
For the purpose of this Data Processing Agreement, the following terms shall have the meaning attributed to them by Regulation (EU) 2016/679 of April 27th, 2016 (the "General Data Protection Regulation", also referred to as the "GDPR"): Personal Data, Processing, Data Controller, Data Processor, Recipient.
The term "Data Subject" refers to any natural person whose Personal Data is processed.
The term "Sub-processor" refers to any natural or legal person engaged by the Processor to carry out specific processing activities on behalf of the Controller.
The term "Services" shall have the meaning attributed to it by Poper's Terms and Conditions.
2. Purpose
The purpose of this Data Processing Agreement is to ensure the compliance of the Processing of Personal Data with the GDPR and any other applicable data protection laws and regulations.
Pursuant to Article 28.3 of the GDPR, the Parties wish to formalize their rights and obligations regarding the Processing of certain Personal Data by the Processor on behalf of the Controller, in connection to Poper's Terms and Conditions.
3. Authorized processing
The following table describes the Processing carried by the Processor:
Subject-matter of the Processing: Operations necessary for Poper to provide the Services to the Client.
Purposes of the Processing: To provide the Services to the Client in accordance with the Terms and Conditions, including but not limited to creating and managing popups, collecting and analyzing user data, and generating AI-powered content.
Categories of Personal Data:
- Data collected by the Client (and transmitted to Poper): Any Personal Data collected by the Client when using the Services, which is determined by the Client in its capacity of Controller. These data may include, but are not limited to: identification and contact data such as first name, surname, email address, phone number, and any additional categories of data processed according to Client requirements.
- Data collected by Poper: Visitor's interactions with popups, browsing history on the Client's website, IP address, and any additional information attached to the visitor's session by the Client.
Categories of Data Subjects: Visitors of the Client's website and users interacting with Poper AI-generated popups.
Duration of the Processing: The Personal Data is retained for the duration of the subscription to the Services unless otherwise indicated by the Client or required by applicable laws and regulations.
4. Obligations of the Processor
a. Processing operations
The Processor shall process the Personal Data only for the purposes documented by the Controller unless it is required to do so by any law of the European Union or a Member State.
If the Processor is required to process Personal Data by any such law, it shall inform the Controller in advance, unless that law prohibits such information.
The Processor shall inform without delay the Controller if it considers that a documented instruction constitutes a violation of the GDPR or any other provision of EU law or the law of a Member State to which the Processor is subject.
b. Assistance to the Controller
The Processor shall respond, to the best of its ability, to any request of the Controller aimed at fulfilling the Controller's obligations under Articles 32 to 36 of the GDPR.
Poper makes its Security Policy available to the Client upon request. Poper may update this Security Policy from time to time.
The Processor shall provide to the Controller, on its request, any information necessary to demonstrate compliance with the Processor's obligations under this Data Processing Agreement.
The Processor shall allow for and contribute to any audit or inspection mandated by the Controller, being understood that the Controller shall (i) conduct a maximum of one audit or inspection per year, (ii) respect a five working days' written notice and (iii) support the exclusive costs of the audit or inspection.
c. Confidentiality and security
Poper takes the security of your data very seriously. In addition to complying with the requirements of Article 32 of the GDPR, we implement a number of security measures to protect your data:
- Secure Transport Layer (HTTPS): All communication between your web browser and Poper's servers is encrypted using HTTPS. This helps to protect your data from being intercepted by unauthorized third parties.
- AWS Cognito for Managed Authentication: Poper utilizes Amazon Cognito, a service by Amazon Web Services (AWS), to manage user authentication. Cognito provides features like secure user registration, login, and access control.
- Regular Backups: Poper maintains regular backups of its data to ensure that information can be recovered in case of any incident. These backups are stored securely and separately from the live data.
- Access Controls: Poper employs strict access controls that limit access to personal data to authorized personnel only. This includes the use of role-based access control (RBAC) to ensure that users can only access the data they need to perform their job duties.
- Data Encryption: Poper encrypts personal data both at rest and in transit. Data at rest is encrypted on our servers using industry-standard encryption algorithms. Data in transit is encrypted using HTTPS, as mentioned earlier.
- Intrusion Detection and Prevention (IDS/IPS): Poper utilizes intrusion detection and prevention systems to monitor for and block malicious activity on our network. These systems help to identify and prevent unauthorized access attempts, denial-of-service attacks, and other security threats.
- Software Vulnerability Management: Poper keeps its software up-to-date with the latest security patches to address known vulnerabilities. This helps to reduce the risk of attacks that exploit software vulnerabilities.
- Regular Security Reviews: Poper conducts regular security reviews of its systems and processes to identify and address any potential security risks.
By implementing these security measures, Poper strives to create a secure environment for your data. We are constantly evaluating and improving our security posture to stay ahead of evolving threats.
The Processor shall take any security measure required by Article 32 of the GDPR, including but not limited to implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
The Processor shall enter into a confidentiality agreement with any person that it authorizes to process the Personal Data unless that person is under an appropriate statutory obligation of confidentiality.
5. Obligations of the Controller
The Controller acknowledges and guarantees that the Processing is fully carried out in accordance with the provisions of the GDPR and all applicable regulations related to the protection of personal data.
The Controller shall document in writing all instructions given to the Processor in connection to the Processing of Personal Data detailed in Article 3 and ensure that the Processor can access all Personal Data that it processes on its behalf.
6. Notification of Personal Data breaches
The Processor shall notify the Controller of any Personal Data breach as soon as possible, and in any case within a 72-hour period, after becoming aware of it. Such notification must be accompanied with any relevant documentation to allow the Controller, if necessary, to notify the competent supervisory authority of the breach and, where applicable, to communicate the breach to the Data Subjects.
7. Sub-processing and data transfers
To this date, Poper's Sub-processors are:
| Name | Location | Purpose |
| AWS Cognito | N. Virginia, USA | Secured authentication |
| Hetzner Cloud | Ashburn, VA, USA | Hosting Poper app and database |
| Cloudflare | Worldwide | DNS provider and CDN to store and serve user files |
| OpenAI (optional) | Worldwide | For AI generations |
| Google Fonts (Optional) | Worldwide | Fonts for popups |
The Controller gives the Processor general authorization to engage other Sub-processors.
The Controller will be informed of any change, addition, or replacement of Sub-processors. Such information is aimed at allowing the Controller to object to the change and terminate the Services within a 15-day period from the date of the information update. Absence of objection from the Controller following this 15-day period will be considered acceptance of the change.
The Processor shall impose the same data protection obligations as this Data Processing Agreement on any Sub-processor by way of a contract or other legal act. This act shall provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
If a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.
8. Individual rights of Data Subjects
The Controller shall inform the Data Subjects (its website visitors) of all information required by the Personal Data Regulations, notably their individual rights pertaining to their Personal Data, the purpose of the Processing and the Recipients of their Personal Data.
The Controller shall respond in due time to any request from any supervisory authority or from any Data Subject.
The Processor shall take all appropriate technical and organisational measures to assist the Controller in responding to Data Subjects' requests regarding the exercise of their GDPR individual rights.
9. Termination of the Processing
Upon termination of the Processing, the Processor shall:
a) At the choice of the Controller, delete or return the Personal Data to the Controller, and b) Delete any existing copy of the Personal Data, except as required to keep by the laws of the European Union or any Member State.
The Processor shall confirm in writing the compliance to this obligation within a 30-day period following termination of the Terms and Conditions to which this Data Processing Agreement is attached.
10. General
The liability and dispute settlement provisions of Poper's Terms and Conditions shall apply to this Data Processing Agreement.
11. Contact
The Controller may contact Poper regarding data protection issues by sending an email to the following address: privacy@poper.ai
