Ethos Data Processing Agreement
V24.03.1

This Data Processing Agreement (“DPA”) is entered into by and between Ethos (the “Processor”) and the applicable Brand (the “Controller”) and forms an integral part of the Terms between the Parties.

Purpose and Scope

The Brand acknowledges and agrees that Ethos may collect, process, store and transmit certain data relating to Users who have enrolled in a Membership with the Brand (and who often are also customers of the Brand), including personal data (“User Data”), in connection with the operation and provision of the Ethos Platform.

User Data may include, but is not limited to, a User’s email address, and any additional personal information voluntarily submitted by Users into the Ethos Platform, including, for example, birthdates or other identifiers. The extent of such data collection shall be influenced by the Brand’s configuration of features enabled within the Ethos Platform and the data voluntarily provided by Users. Ethos takes reasonable steps to minimize data collection and to only collect data that is necessary for the operation of the Ethos Platform.

Ethos shall process User Data solely for the purpose of providing and supporting the Ethos Platform in accordance with the Ethos Privacy Policy, this DPA, the User Terms of Use and the Terms. Ethos shall not use User Data for any other purpose without the prior written consent of the Brand. As set out in the Terms, the Brand acknowledges and accepts that Ethos will share User Data with the Brand and other third parties. Such sharing of User Data with the Brand is intended to assist in the operation and performance of the Brand’s customer loyalty programs and to enable the Brand to enhance engagement, loyalty and interaction with the User through initiatives and activities conducted by the Brand. Upon the receipt of User Data by the Brand, the Brand acknowledges that it acts as the data controller and assumes full responsibility for its access, processing and storage of such data. The Brand represents and warrants that it will process User Data in compliance with all Applicable Laws including data protection laws and regulations, including but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA), British Columbia’s Personal Information Protection Act (PIPA), and, where applicable, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). The Brand is solely responsible for establishing and documenting a lawful basis for processing of such personal data.

The Brand further covenants that it shall:

•   Only use User Data in accordance with its own published privacy policy;

•   Not sell, disclose or otherwise make User Data available to any third party except as required by law or with the explicit consent of the User;

•   Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the User Data.

Data Security and Protection Measures

Ethos shall implement and maintain reasonable and appropriate technical and organizational security measures, in line with industry standards, to protect User Data against unauthorized or unlawful access, disclosure, alteration, loss or destruction. Such measures may include, but are not limited to:

•   Encryption of data in transit and at rest;

•   Access controls based on the principle of least privilege;

•   Regular security testing and vulnerability management;

•   Employee and contractor confidentiality obligations.

In the event of a confirmed data breach involving User Data that is likely to result in a risk to the rights and freedoms of Users, Ethos shall:

•   Notify the Brand in writing without undue delay, and in any event, within 72 hours of becoming aware of the breach;

•   Provide reasonable details about the nature of the breach, the data affected and mitigation efforts;

•   Cooperate with the Brand in any legally required notifications.

Ethos will take all reasonable steps to remediate such breach as soon as reasonably practicable but in any event within 30 days of discovery or as otherwise required by Applicable Laws.

Data Retention and Deletion

Ethos shall retain User Data only for as long as necessary to provide the Ethos Platform services or as required by Applicable Laws. Upon termination of the Brand’s Subscription, Ethos shall, if requested in writing by the Brand, delete all User Data related to the Users who have enrolled in a Membership of the Brand within 30 days of the request, except to the extent that Ethos is required to retain such data by Applicable Laws or for compliance with legal obligations. Backups containing User Data will be subject to deletion on a rolling basis in accordance with the Ethos backup retention schedule, typically not exceeding 90 days from deletion of the primary data.

Access to User Data

Ethos limits access to User Data to those employees, agents, contractors and authorized sub-processors who have a legitimate business need to access such data in order to provide and support the Ethos Platform. All such individuals and entities are subject to confidentiality obligations and must adhere to data protection standards no less protective than those set forth in this DPA. Ethos shall maintain a list of current material sub-processors and will make such list available to the Brand upon written request. Upon request in writing by the Brand, Ethos may provide the Brand with notice of any intended changes concerning the addition or replacement of material sub-processors. The Brand may have the opportunity to object to such changes for a period of 15 days from receipt of such written notice. Ethos shall promptly investigate and, where appropriate, revoke access privileges of any User or party who engages in the unauthorized collection, use, or disclosure of User Data or who otherwise breaches Applicable Laws.

User Data Export

Upon written request, Ethos shall provide the Brand with a structured, commonly used and machine-readable export of User Data in its possession. Such requests shall be fulfilled within 30 days of receipt of the request, subject to any reasonable technical limitations and any legal restrictions.

Data Transfers Outside of Canada

The Brand acknowledges and agrees that User Data may be transferred to, processed and stored in jurisdictions outside of Canada, including but not limited to the United States and the European Union, by Ethos or its authorized sub-processors. Ethos shall take reasonable measures to ensure that all such transfers are conducted in compliance with Applicable Laws and that appropriate safeguards are in place, including, where required, standard contractual clauses or equivalent data transfer mechanisms. The Brand confirms that it has obtained all necessary consents and legal authority to permit such cross-border transfers of personal data, where applicable. Ethos shall take reasonable steps to ensure that data transfers are subject to appropriate safeguards, and the Brand represents that it has obtained all necessary consents or has another legal basis for participating as a party in such transfers.

Data Subject Rights

Ethos shall, to the extent legally permitted and technically feasible, assist the Brand in responding to requests from Users to access, rectify or erase their personal data or to exercise other rights under Applicable Laws.

Audit Rights

If required by a data protection authority or Applicable Law, or if Ethos is unable to provide reasonably adequate information through documentation, and if required by a Brand that is an enterprise client of Ethos, Ethos will permit a third-party audit only under mutually agreed scope and terms, provided such audit does not unreasonably disrupt operations.

Language Discrepancy

In the event of any discrepancy or inconsistency between this DPA and any translated version thereof, the English-language version shall prevail.

Contact

For any data protection-related inquiries or notices under this DPA, the Brand may contact:

Privacy Officer
Email: privacy@ethos.com
Mailing Address: 1600 - 925 West Georgia Street Vancouver BC V6C 3L2 CANADA