Ethos Data Processing Agreement
V26.01

This Data Processing Agreement (“DPA”) is entered into by and between Ethos (the “Processor”) and the applicable Brand (the “Controller”) and forms an integral part of the Terms between the Parties.

Purpose and Scope

The Brand acknowledges and agrees that Ethos may collect, process, store and transmit certain data relating to Users who have enrolled in a Membership with the Brand (and who often are also customers of the Brand), including personal data (“User Data”), in connection with the operation and provision of the Ethos Platform.

User Data may include, but is not limited to, a User’s email address, and any additional personal information voluntarily submitted by Users into the Ethos Platform, including, for example, birthdates or other identifiers. The extent of such data collection shall be influenced by the Brand’s configuration of features enabled within the Ethos Platform and the data voluntarily provided by Users. Ethos takes reasonable steps to minimize data collection and to only collect data that is necessary for the operation of the Ethos Platform.

For the avoidance of doubt, Ethos acts as a data controller with respect to personal data it processes for its own business purposes as described in the Ethos Privacy Policy, and as a data processor with respect to User Data processed on behalf of the Brand under this DPA.

Compliance with applicable data protection laws

Ethos represents and warrants that it shall process User Data in compliance with all Applicable Laws relating to data protection, including, where applicable, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy and data protection laws, solely in its capacity as a data processor and in accordance with the documented instructions of the Brand. Ethos does not determine the purposes or means of processing User Data and does not assume any obligations of a data controller under Applicable Laws.

Ethos shall process User Data solely for the purpose of providing and supporting the Ethos Platform in accordance with the Ethos Privacy Policy, this DPA, the User Terms of Use and the Terms of Service. Ethos shall not use User Data for any other purpose without the prior written consent of the Brand. As set out in the Terms, the Brand acknowledges and accepts that Ethos will share User Data with the Brand and other third parties. Such sharing of User Data with the Brand is intended to assist in the operation and performance of the Brand’s customer loyalty programs and to enable the Brand to enhance engagement, loyalty and interaction with the User through initiatives and activities conducted by the Brand.

Upon the receipt of any User Data by the Brand, the Brand acknowledges that it acts as the data controller and assumes full responsibility for its access, processing and storage of such data. The Brand represents and warrants that it will process User Data in compliance with all Applicable Laws. The Brand is solely responsible for establishing and documenting a lawful basis for processing of such personal data.

The Brand further covenants that it shall:

•   Only use User Data in accordance with its own published privacy policy;

•   Not sell, disclose or otherwise make User Data available to any third party except as required by law or with the explicit consent of the User;

•   Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the User Data.

Data Security and Protection Measures

Ethos shall implement and maintain reasonable and appropriate technical and organizational security measures, in line with industry standards, to protect User Data against unauthorized or unlawful access, disclosure, alteration, loss or destruction. Such measures may include, but are not limited to:

•   Encryption of data in transit and at rest;

•   Access controls based on the principle of least privilege;

•   Regular security testing and vulnerability management;

•   Employee and contractor confidentiality obligations.

In the event of a confirmed data breach involving User Data that is likely to result in a risk to the rights and freedoms of Users, Ethos shall:

•   Notify the Brand in writing without undue delay, and in any event, within 72 hours of becoming aware of the breach;

•   Provide reasonable details about the nature of the breach, the data affected and mitigation efforts;

•   Cooperate with the Brand in any legally required notifications.

Ethos will take all reasonable steps to remediate such breach as soon as reasonably practicable but in any event within 30 days of discovery or as otherwise required by Applicable Laws.

Data Retention and Deletion

Ethos shall retain User Data only for as long as necessary to provide the Ethos Platform services or as required by Applicable Laws. Upon termination of the Brand’s Subscription, Ethos shall, if requested in writing by the Brand, delete all User Data related to the Users who have enrolled in a Membership of the Brand within 30 days of the request, except to the extent that Ethos is required to retain such data by Applicable Laws or for compliance with legal obligations. Backups containing User Data will be subject to deletion on a rolling basis in accordance with the Ethos backup retention schedule, typically not exceeding 90 days from deletion of the primary data.

Access to User Data

Ethos limits access to User Data to those employees, agents, contractors and authorized sub-processors who have a legitimate business need to access such data in order to provide and support the Ethos Platform. All such individuals and entities are subject to confidentiality obligations and must adhere to data protection standards no less protective than those set forth in this DPA. Ethos shall maintain a list of current material sub-processors and will make such list available to the Brand upon written request. Upon request in writing by the Brand, Ethos may provide the Brand with notice of any intended changes concerning the addition or replacement of material sub-processors. The Brand may have the opportunity to object to such changes for a period of 15 days from receipt of such written notice. Ethos shall promptly investigate and, where appropriate, revoke access privileges of any User or party who engages in the unauthorized collection, use, or disclosure of User Data or who otherwise breaches Applicable Laws.

User Data Export

Upon written request, Ethos shall provide the Brand with a structured, commonly used and machine-readable export of User Data in its possession. Such requests shall be fulfilled within 30 days of receipt of the request, subject to any reasonable technical limitations and any legal restrictions.

International Data Transfers

The Brand acknowledges and agrees that User Data may be processed, stored, or otherwise accessed in jurisdictions outside of the country in which it was originally collected, including by Ethos and its authorized sub-processors. Ethos shall ensure that any such cross-border transfers of User Data are conducted in compliance with Applicable Laws and are subject to appropriate safeguards, which may include standard contractual clauses or equivalent transfer mechanisms where required by law. The Brand represents and warrants that it has obtained all necessary consents or has another lawful basis under Applicable Laws relating to data protection to permit such cross-border processing of User Data.

Data Subject Rights

Ethos shall, to the extent legally permitted and technically feasible, assist the Brand in responding to requests from Users to access, rectify or erase their personal data or to exercise other rights under Applicable Laws.

Limited Enhanced Liability for Certain Data Protection Failures

Notwithstanding any limitation of liability set forth in the Terms of Service or any other agreement between the Parties, Ethos’s aggregate liability arising directly out of a confirmed personal data breach shall not exceed two (2) times the total fees paid or payable by the Brand to Ethos in the twelve (12) months immediately preceding the event giving rise to the claim, provided that such personal data breach was caused solely and directly by Ethos’s gross negligence or willful misconduct in its processing of User Data.

For clarity, this enhanced liability cap shall apply only to the specific circumstances described above and where the Brand is able to prove direct documented damages. In all other circumstances the liability provisions within the Terms of Service shall prevail. In no event shall Ethos be liable for any indirect, incidental, consequential, special, or punitive damages, including loss of profits, revenue, goodwill, or regulatory fines, even if advised of the possibility thereof.

Audit Rights

If required by a data protection authority or Applicable Law, or if Ethos is unable to provide reasonably adequate information through documentation, and if required by a Brand that is an enterprise client of Ethos, Ethos will permit a third-party audit only under mutually agreed scope and terms, provided such audit does not unreasonably disrupt operations.

Language Discrepancy

In the event of any discrepancy or inconsistency between this DPA and any translated version thereof, the English-language version shall prevail.

Contact

For any data protection-related inquiries or notices under this DPA, the Brand may contact:

Privacy Officer
Email: privacy@ethos.com
Mailing Address: 1600 - 925 West Georgia Street, Vancouver, BC V6C 3L2, Canada