Watchers Corporate Customer Data Processing Agreement

VERSION: 1.1

LAST UPDATED: 04/11/2024


Watchers App Limited (“Watchers” or “us” or “our”) serves enterprises, public sector entities and other organizations (“Customers”) and protects Customer Data in compliance with the terms of this Corporate Customer Data Processing Agreement (“DPA”). “Customer Data” means personal data relating to named or identifiable individuals that Customer’s authorized users upload to our servers in compliance with applicable law and our applicable service agreement or other commercial contract terms (“Contract”) when Customers use our remote access software-as-a-service offerings and related data processing services as described in our Documentation and Technical Specifications as amended from time to time (“Services”).


1. Control and Ownership

The subject matter, nature, purpose, and duration of the processing, as well as the types of Customer Data collected and categories of data subjects, are described in Schedule A of this DPA. Customers own and control all Customer Data. Watchers does not use Customer Data, except: (a) in the interest and on behalf of the Customer; (b) as necessary to provide the Services; or (c) as contemplated or directed by the Contract. Watchers shall notify Customer in the event Watchers decides that it can no longer meet its obligations under applicable privacy law. Watchers returns or deletes Customer Data at Customer’s request, as agreed in the Contract, or after the Contract expires or is terminated. Watchers reserves all rights to the Services, Watchers’ technology and Watchers’ data, including any information that Watchers discovers, creates or derives as it provides Services, except Customer Data. Customer understands that it is solely responsible for obtaining any needed consents or authorizations for Watchers to process Customer Data. Customer will ensure that its instructions comply with applicable law, including any applicable privacy laws. Customer acknowledges that Watchers is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Watchers’ provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Watchers’ processing of Customer Data, when done in accordance with Customer’s instructions, will not cause Watchers to violate any applicable law or regulation, including applicable privacy laws.


2. Security

Watchers applies the technical, administrative, and organizational data security measures set forth in Schedule B of this DPA (collectively, “TOMs”). Watchers may update and modify its TOMs from time to time, but Watchers must not reduce the level of security provided thereunder, except with Customer’s consent or with 90 days’ prior written notice (or sooner if required to avoid or mitigate a security incident).


3. Cooperation with Compliance Obligations

At Customer’s reasonable request and as required by applicable privacy law, Watchers will (a) reasonably assist Customer with data access, deletion, portability and other requests, subject to compensation for any custom efforts required of Watchers, (b) assist Customer in ensuring compliance with its obligations under applicable privacy law, taking into account the nature of processing and the information available to Watchers, and (c) enter into additional contractual agreements to meet specific requirements that are imposed by mandatory laws on Customer pertaining to Customer Data and that, due to their nature, can only be satisfied by Watchers in its role as service provider or that Customer specifically explains and assigns to Watchers in an addendum or amendment to the applicable Contract, subject to additional cost reimbursement or fees as appropriate. For the avoidance of doubt, Watchers shall only assist and enable Customer to meet Customer’s obligations to satisfy data subjects’ rights; Watchers shall not respond directly to data subjects unless required by law to do so. Also, when requested to do so by Customer, Watchers will promptly make available to Customer all information necessary to assist Customer with its obligations related to conducting a privacy impact assessment. If Customer can no longer legally use Watchers’ services due to changes in law or technology, Watchers shall allow Customer to terminate certain or all contracts and provide transition or migration assistance as reasonably required, subject to termination charges and fees as mutually agreed in good faith by the parties.


4. Breach Notification

Unless otherwise prohibited by applicable law, Watchers notifies Customer of a Security Breach without undue delay after Watchers confirms a Security Breach. “Security Breach” means a breach of Watchers’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data in Watchers’ possession, custody, or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.


5. GDPR Obligations

Watchers does not accept or disclose any Customer Data as consideration for any payments, services, or other items of value. Watchers does not sell or share any Customer Data except as provided in Clause 6 of this Agreement, as those terms may be understood in applicable data protection law, including the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). Watchers processes Customer Data solely for the business purposes specified in the written contract with the Customer. Watchers does not retain, use, or disclose Customer Data (a) for targeted advertising across different contexts or (b) outside the direct business relationship with the Customer. Watchers does not combine Customer Data with other data if and to the extent this would contravene data protection limitations applicable to data processors under the UK GDPR. Where Watchers receives deidentified data from the Customer or where the Services enable the deidentification of Customer Data, Watchers represents and warrants that it will not reidentify, attempt to reidentify, or direct any third party to reidentify any data that has been deidentified, except where expressly permitted under a separate agreement.


6. Sub-processors

Customer hereby agrees and provides a general authorization that Watchers may engage Watchers’ affiliates or third parties as sub-processors to provide the Services. Watchers will be fully liable for the acts and omissions of any sub-processors to the same extent as if the acts or omissions were performed by Watchers. Watchers shall provide Customer with prior notice of any additional or replacement sub-processors via our administrative dashboard and our website at https://watchers.io/legal/sub-processors, unless the change is necessary to protect the security or integrity of Customer Data, in which case Watchers shall promptly provide notice. After being notified, Customer must notify Watchers in writing (email shall suffice) of any reasonable objection it has to such sub-processors. If Watchers is unable to accommodate such objection within a reasonable period, Customer may terminate the Services provided under the Licence Agreement or the Master Services Agreement in respect only of those services which cannot be provided by Watchers without the use of the objected-to sub-processors, by providing written notice to Watchers.


7. Confidentiality

Without prejudice to any existing contractual arrangements between the parties, Watchers will treat all Customer Data as confidential and it will inform all its employees, contractors, agents, and any approved sub-processors engaged in processing the Customer Data of the confidential nature of the Customer Data. Watchers will ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.


8. EEA and UK Personal Data

With respect to any Customer Data that is subject to the EU General Data Protection Regulation (“EU GDPR”) or the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR” and together with the EU GDPR, the “GDPR”), Watchers, in addition to the obligations in this DPA, will agree, at Customer’s request, to enter into the appropriate transfer documentation, including the European Union’s Standard Contractual Clauses and the United Kingdom’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.


9. Deletion of Customer Data

  1. Customer Data Deletion upon Termination or Expiration. Upon termination or expiration of the Customer’s subscription to Watchers Services, Watchers shall delete all Customer Data from its systems or return it to the Customer, unless applicable law requires the retention of certain Customer Data.
  2. Timeframe for Deletion. Watchers will complete the deletion of Customer Data within 30 days following the termination or expiration of services, unless otherwise agreed upon in writing with the Customer.
  3. Confirmation of Deletion. Upon request, Watchers will provide written confirmation to the Customer certifying the deletion of Customer Data, in line with applicable data protection laws, within the specified timeframe.
  4. Exemptions for Retention. If retention of any Customer Data is required by applicable laws or regulations, Watchers will securely isolate and protect that data from any further processing except to the extent required by law.
  5. Deletion of Backups. Watchers will delete Customer Data from backup systems as part of its regular backup cycle, typically within 90 days after data deletion from the active system, unless otherwise required by law.


10. Integration

This Data Processing Agreement (“DPA”) is binding on Watchers if and to the extent it is expressly agreed or incorporated by reference in the Licence Agreement or the Master Services Agreement. This DPA does not create third-party beneficiary rights. Watchers does not accept or submit to additional requirements relating to Customer Data, except as specifically and expressly agreed in writing with explicit reference to the Licence Agreement, the Master Services Agreement, and this DPA. To the extent permitted by applicable law, any claims brought under or in connection with this DPA shall be subject to the exclusions and limitations of liability set forth in these Terms.


Schedule A – Details of Processing

1. Subject Matter

The context for the processing of Customer Data is Watchers’ provision of the Services.


2. Categories of Customer Data

Customer Personal Data is contained in communication content, traffic data, End-User data, and customer usage data.

  1. Communication content, which may include Personal Data or other personalized characteristics, depending on the communication content as determined by Customer.
  2. Traffic data, which may include Customer Personal Data about the routing, duration, or timing of a message, whether it relates to an individual or a company.
  3. End-User data, such as any identifier used in setting up and sending messages, which is described in detail in section 4 (“End-User Data”) below.
  4. Customer usage data, which may contain data that can be linked to Customer, including statistical data and information related to Customer’s account and service activities, service-related insights, and analytic reports regarding communications sent and customer support.

Sensitive data may, from time to time, be processed via the Services where Customer or End-Users choose to include sensitive data within the communications that are transmitted using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting End-Users to transmit or process any sensitive data via the Watchers’ Services.


3. Categories of Data Subjects

Customer’s contact persons or employees, contractors, or temporary workers using the Services through the Customer’s account (“Users”); and End-Users, meaning any individual (i) whose contact details are included in the Customer’s contacts list(s); (ii) whose information is stored on or collected via the Watchers’ Services; or (iii) to whom Customer sends communications or with whom Customer otherwise engages or communicates via the Watchers’ Services (collectively, “End-Users”).


4. End-User Data

a. Personal Data which is not Biometric or Special:

  1. Chat name (pseudonym) - provided by Users or Client for authorization purposes of the Social Platform Software;
  2. UserID - provided by Client and used for the purpose of authorization on the Social Platform Software;
  3. Data about user’s device (IP address and port number) - Controller has the capability through the administrative panel to enable the automatic collection of IP addresses associated with text messages sent by users.


b. User Engagement and Interaction Data:

  1. User Access: detailed logs of user sign-ins and activities, including timestamps.
  2. Messaging: records of sent and received messages with text or images, including metadata such as timestamps and delivery status.
  3. Room Interaction: data on user entry, exit, and activities within chat rooms.
  4. Poll Engagement: records of user participation in polls, including options chosen.
  5. Marketing Offer Engagement: data on marketing offers and user interactions.
  6. Live Stream feedback: user feedback with ratings, issues reported, and associated comments.
  7. Ranking: user ranking details, including positions on leaderboards and badges earned.
  8. Reactions: usage data on reactions and emotions associated with messages.
  9. Gamification: information on sticker usage and details of bets placed, including those shared through the copy-betting widget.
  10. Chatbot Interaction: usage frequency and token consumption by the chatbot.


c. Moderation and Compliance Data:

  1. Reports: details of user reports including reasons, timestamps, and resolution status.
  2. Bans: ban records with target user information, duration, and reasons.
  3. Content Flags: log of flagged messages, reasons, and actions taken.


d. Copy-Widget Data:

  1. Widget Interaction: data on user interactions with the copy-widget.
  2. Deal Sharing: details of deals shared, including types, outcomes, and related events.
  3. Deal Copying: data on the deals copied by users, including the number of times a deal was copied.
  4. Deal Records: data on the last placed deals by users.


e. Performance Data:

  1. Connection Statistics: real-time metrics on socket connections and durations.
  2. Service Settings: usage data for service settings, including modifications made.
  3. Service Statistics: overall usage statistics such as user counts and message volume.


5. Nature and Purpose of Processing

For the nature and purposes required to provide the Services, including:

  1. Authorizing a user on the Watchers’ Social Platform and providing them with access to its functionality.
  2. Personalizing the user experience.
  3. Maintaining statistics and improving the functionality of the Social Platform.
  4. Compliance with applicable laws.


6. Means of Processing

The processing of Customer Data is automated and may include various operations such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.


7. Duration of Processing

As long as needed to provide the Services.


Schedule B – Technical and Organisational Measures

1. Service Infrastructure Management

  1. Network Security. Watchers has established procedural and technical standards for deploying network functions to production. These standards include baseline configurations for network components, network architecture, and approved protocols and ports. All network components are monitored to prevent malicious activities that might affect the company's infrastructure and to maintain compliance with technical standards.
  2. Cloud Security. The Watchers service is hosted on GCP, which offers state-of-the-art physical protection for the servers and related infrastructure that comprise the service environment. GCP geographic regions and Auto Scaling allow Watchers to build a highly resilient service for clients. They also allow Watchers to manage the production servers so that they remain operational against the effects of unexpected events such as natural disasters and local outages.
  3. Monitoring. Watchers’ monitoring program focuses on detecting and reporting vulnerabilities in its service and products. Based on inbound security reports, our engineers quickly analyse vulnerabilities, find the best solutions, and resolve issues.
  4. Audit Log. Watchers only grants authorized employees or contractors access to Customer Data based on the principle of least privilege. They are required to use proprietary monitoring tools to detect intrusion attempts and other security-related alerts and to record audit logs for their activities. Audit logs are maintained for all operations and activities, such as privileged user access to Customer Data and unauthorized access attempts.


2. Access Security

  1. Authentication - MFA, OTP. Access to Customer Data is restricted to authorized employees and contractors. Watchers applies multi-factor authentication (MFA) and controls for administrative access to its systems. Temporary access to Customer Data is granted only to a limited group of employees and contractors. All related activities are tracked by audit logs.
  2. Password Management. Employees and contractors are required to change passwords regularly according to the Watchers’ Password Policy. The policy defines and configures the corporate password requirements including complexity, length, history, and duration.


3. Change Management

  1. Development. For software releases, the company uses a proprietary ticketing system to document procedures for tracking, testing, approving, and validating changes. A change management project is created in the ticketing system to track activities arising from software development and customer requests. Any changed source code is reviewed and approved before it is released to the production environment, using source-control tools such as GitLab.
  2. Tracking. All audit logs are recorded in the ticketing system for easy tracking of changes. Watchers’ Safety Team regularly checks these logs to ensure that the change management procedures are followed. Watchers also maintains and updates its management policies regarding security code reviews and emergency fixes.
  3. Vulnerability Management. Watchers operates its own vulnerability management program that actively investigates security vulnerabilities using a combination of automated scans and penetration tests. Automated scans identify all types of vulnerabilities in the software, system, and network components. Once vulnerabilities are identified, the vulnerability management program classifies and remediates vulnerabilities across all Watchers services. Watchers also takes corrective actions, when necessary, based on the results of our annual penetration tests conducted by an external independent third party.


4. Customer Data Security

  1. Encryption. Watchers stores all types of data in the GCP relational database, and the data are protected by strong encryption at rest and in transit. GCP provides data-at-rest encryption options and key management for stored data. Watchers uses the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2 and AES-256 encryption. Data at rest in the GCP relational database are also encrypted.
  2. Incident Management. Watchers’ Safety Team has established protocols and guidelines for responding to emergency security incidents. All incidents are thoroughly investigated, documented, and reported to our Incident Response team for timely mitigation, including suspected or known violations of privacy and security.
  3. Retention. The Licence Agreement or the Master Services Agreement, along with this DPA, set out the duration of how long Watchers retains Customer Data after the termination of the contract. Customer Data will be removed from the Watchers server accordingly. Watchers will delete the End-User data within 30 days from the date of termination of the Agreement unless otherwise agreed in a separate Agreement.


5. Business Continuity

  1. Business Continuity Plan. Business Continuity Planning (BCP) has been established for Watchers’ services and provides detailed procedures for the recovery and reconstitution of systems. The BCP focuses on monitoring its sub-service organization (GCP), protecting Watchers’ employees and contractors, and reallocating resources. Our BCP is reviewed on an annual basis.
  2. Disaster Recovery Drills. The engineering department conducts annual business continuity and disaster recovery drills to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the business continuity and disaster recovery exercise develop drill plans and post-mortems.
  3. Data Backup Management. All Customer Data is replicated to protect the availability of Watchers’ services. Data replication occurs within the same GCP region in which the client’s service is hosted. Because of this replication, Watchers’ services can resume database operations right after failover is completed. Furthermore, Watchers’ services operate globally across multiple GCP regions and availability zones within each of those regions. Resources, such as database instances and Customer Data, are backed up and managed by GCP on a regional basis.