Data Processing Addendum

The purpose of this DPA is to reflect the agreement on the processing of personal data in accordance with data protection legislation.

Last revised on December 27, 2023

This Data Processing Addendum (the "Agreement") forms a part of the contract of Application Services between Processor and Controller (Terms & Conditions) listed on the ninetailed.io website. This Agreement shall reflect the parties' agreement with regards to Processing of Personal Data.

If the Controller signing this Agreement is a customer of Ninetailed, this Agreement forms part of a contract of service with Ninetailed. If the Controller is not a user or customer of Ninetailed, this Agreement is not valid and not legally binding.

This Agreement is between Customer ("Controller") and Ninetailed ("Processor"). Each individually is referred to as "Party", and jointly referred to as "Parties".

  • Parties have agreed that the Controller will act as the sole Controller of the Personal Data, and that the Processor renounces any rights it may have to act as a data controller of the Personal Data held by the Controller.

  • Parties agree that it may be necessary to process certain Personal Data on behalf of Controller.

  • In light of this, Ninetailed offers this Agreement to address compliance obligations imposed upon Controller.

  • Parties agree that Application Services rendered by Ninetailed may qualify as commissioned Data Processing as per sec. 28 of the General Data Protection Regulation (2016/679).

Definitions

Applicable Law means the relevant Data Protection and Privacy laws to which Parties are subject, including the GDPR directive (2016/679).

Personal Data means any information which can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, and supplied by Controller to Ninetailed under the Terms & Conditions, or which Ninetailed or any of its Sub Processors generate, collect, store, transmit, or otherwise process on behalf of Controller in connection with this Agreement. Personal Data may include information which is related to Customer's users, employees, and other individuals.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure or destruction, as defined under Applicable Law.

Visitors means the identified or identifiable person to whom Personal Data relates.

Sub Processors means any affiliate, agent or assignee of Ninetailed that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Ninetailed.

Breach Incident means a breach leading to the accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Third-Party Application means any software, platform, data sources, software-as-a-service, or other products or services not provided by Ninetailed that are integrated with our Services as described in the Agreement.

Indemnification

Customer will indemnify, defend, and hold Ninetailed harmless against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees, and settlement amounts) made or brought against Ninetailed by a third party alleging that Personal Data received by Ninetailed from Customer or processed by Ninetailed in accordance with Customer’s instructions, is in breach of Applicable Law.

Privacy By Design

The Ninetailed platform is designed to be sensitive to the Visitors' privacy through several core design choices.

  • Ninetailed does not collect unnecessary data; we provide a real-time connection that typically gets actioned primarily in the Visitor's browser and sends asynchronous events to verify technical success.

  • Ninetailed aggregates and anonymizes data insofar as possible, minimizing the chances of being able to identify individual visitors.

  • Ninetailed has extensive technical and physical safeguards protecting our customers' information.

  • Ninetailed provides Controller with a free SDK Plugin to aid Controller in getting the appropriate informed consent from their Visitors.

  • Ninetailed provides Controller with an EU endpoint to process their customer data exclusively in the EU.

Data Retention and Destruction

Ninetailed will only retain Personal Data for as long as services are provided to Customer under this agreement. Following expiration or termination of the Agreement, Ninetailed will delete or return to Customer all Personal Data in its possession as provided in the Agreement except to the extent Ninetailed is required by Applicable Law to retain some or all of the Personal Data (in which case Ninetailed will implement reasonable measures to prevent the Personal Data from any further processing).

Relationship

  • The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller as is necessary to provide the Processing services.

  • The Controller shall Process Personal Data in accordance with the requirements of the Applicable Laws. For the avoidance of doubt, the Controller's instructions for the Processing of Personal Data shall comply with the Applicable Law and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable Law. The Controller shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which it acquires the Personal Data.

  • Processor agrees to notify Controller if it becomes unable to comply with the terms of this Agreement, and take reasonable and appropriate measures to remedy such non-compliance.

  • Controller agrees to and warrants that Visitors have been informed of Ninetailed's use of Personal Data as required by Applicable Law, that Controller has obtained the appropriate consents and permits from Visitors as required under Applicable Law and has displayed, if applicable, a link to Ninetailed privacy policy (e.g. as part of Controller's privacy policy or elsewhere, easily discoverable by Visitors).

Data Processing

The Processor shall process Personal Data for the Purpose as described in this agreement as entered into between Parties.

  • Automatically personalize visitors' interaction with Controller's online platforms across the web, mobile web, mobile apps and email.

  • Build actionable visitor segments in real time, enabling Controller to take instant action via personalization, product/content recommendations, automatic optimization and real-time messaging.

Depending on how the Controller chooses to use the Application Services, the subject matter of Processing of personal data may cover the following types of information.

  • Visitor information (first name, last name, etc.);

  • Email address;

  • Geographical information (City, State, Country, Currency);

  • Audience membership, a collection of technical attributes based on real-time identifiers

  • IP address;

  • Data encoded into the URL or shown in plain format;

  • Referring URL and domain;

  • Online Identifiers (i.e. online data collected from visitors' devices, applications and protocols which leave traces which may identify them), such as UDID, cookie identifiers, device type, operating system, and browser type.

  • Page views, interactions and time on site;

  • Date and time when website pages were accessed.

Data Safety, Privacy & Security

  • The Processor shall establish data security in accordance with the Applicable Laws. The measures taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems.

  • These measures are listed in Exhibit A and outline commercially reasonable security-related policies, standards and practices in line with the complexity of the Ninetailed platform.

  • The technical and organizational measures are subject to technical process and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time, insofar as the security level of the defined measures is not reduced.

  • Customer is responsible for using and configuring the Ninetailed platform in a manner which enables Customer to comply with Applicable Laws, including the implementation of appropriate technical and organizational measures.

  • Ninetailed can be reached at [email protected], for any privacy topics.

Security Breaches

Upon becoming aware of a Breach Incident, Processor will notify Controller without undue delay and will provide information relating to the Breach Incident as reasonably requested by the Controller. Ninetailed will use reasonable endeavours to assist Customer in mitigating, where possible, the adverse effects of any Breach Incident.

Sub-Processing

The Controller agrees to the commissioning of the following Sub-Processors (including, but not limited to, Processors on the Ninetailed website and dashboards) on the condition of a contractual agreement in accordance with applicable data protection laws. This list may be updated from time to time.

Sub-processors for our entire product, including customer and visitor data on the Controller's website:

  • Cloudflare, performance, reliability, storage and security

  • Google Cloud Platform, hosting and storage

  • Amazon Web Services, hosting and storage

Strictly on our own website and/or in our dashboard and apps, we use the following processors:

  • Google Analytics, product analytics for our website and dashboard/app

  • Google Tag Manager, tag management system on our website and dashboard/app

  • Sendgrid, email management for onboarding emails

  • Hubspot, CRM for our website and dashboard/app

  • Frontegg, user management for our dashboard/app

Furthermore, the Controller agrees to the following.

  • Controller provides a general consent to Ninetailed to engage onward Sub-Processors (including but not limited to the provision of cloud based analytics services, machine learning and recommendation engines, personalized search and cloud processing), provided that Ninetailed has entered into an agreement with Sub-Processor which is equally restrictive to the obligations set forth under this Agreement (to the extent applicable to the services rendered).

  • Outsourcing to further Sub-Processors or changing any existing Sub-Processors is permissible if Processor informs the Controller of the identity of the Sub-Processor and the scope of the planned Sub-Processing in writing or in text form, and the Controller does not object to the planned Sub-Processing in writing or in text within 10 business days. The Controller shall not unreasonably object to the planned Sub-Processing.

  • Ninetailed may transfer and process Personal Data to and in other locations around the world where Ninetailed or its Sub-Processors may perform data processing as necessary to provide Application Services.

  • If Ninetailed Processes Personal Data from the EEA, EU or Switzerland, Ninetailed shall ensure that it (or the relevant Sub-Processor) has a legally approved mechanism in place to allow for the international transfer of data (i.e. Privacy Shield for the US).

Third-party Applications

The Processor may support integrations with certain third-party platforms or applications. These integrations can be activated by Controller at will.

By enabling such Third-party Applications, Controller authorizes Processor to access the Controller’s accounts at such third-party application for the purposes described in this Agreement. Controller may be required to input their credentials in order for Processor to access such Third-party Applications.

Controller is responsible for complying with any relevant terms and conditions of the provider of the Third-party Application. Controller acknowledges and agrees that Processor has no responsibility or liability for any Third-party Application, or any data exported to a Third-party Application.

Processor does not guarantee that it will maintain any integrations with any Third-party Application, and Processor may disable such integrations at any time with or without notice to Controller.

Miscellaneous

  • This Agreement, including Exhibits attached, supersedes any and all prior agreements (Excluding Terms of Service and Privacy Agreement), understandings, negotiations and discussions of the Parties.

  • The provisions in this Agreement are severable; if any phrase, clause or provision is invalid or unenforceable in whole or in part, this shall only affect such phrase, clause or provision and the rest of this Agreement shall remain in full force and effect.

Exhibit A

Your site and visitor data are safe with Ninetailed. There are a number of steps we take to ensure only Controller can access your site data and that your visitors' privacy is respected.

Data storage

All usage data that Ninetailed collects is stored electronically in Cloudflare infrastructure. Our application servers and database servers run inside a private network within Cloudflare. The databases containing visitor and usage data are only accessible from the application servers and no outside sources are allowed to connect to the database. Our data retention times are no longer than 365 days.

Visitor privacy

  • Site visitors are assigned a unique user identifier, UUID, so that Ninetailed can keep track of returning visitors without relying on any personal information, such as the IP address.

  • IP addresses of visitors are always suppressed before being stored. We set the last octet of IPv4 addresses to 0 (all connections to Ninetailed are made via IPv4) to ensure the full IP address is never written to disk. For example, if a visitor's IP address is 1.2.3.4, it will be stored as 1.2.3.0. The first three octets of the IP address are only used to determine the geographic location of the visitor.

Data collection and transmission

  • Firewalls are in place exposing only the necessary ports through the internet and between different servers. Intrusion protection system (IPS) software is in place as a second layer of security, which will block access as soon as any suspicious login activity is detected.

  • Ninetailed transmits data from the visitor's browser to our systems using HTTPS.

  • The protocols and cipher suites used to encrypt data in transit are available on request.

Data access and authentication

Only Ninetailed engineers who require such access to perform their job efficiently are given access. Different engineers are also given different access rights on different system components, depending on what their job requires. Engineers who do have access have their own credentials, and these are only valid when used from specific IPs. SSH key-based authentication is used for server access.

Data collected through Ninetailed is exclusively reserved for use by our users and customers. Ninetailed does not make use of the data collected in any form or way unless consent is officially given by an admin of the Ninetailed account, clearly outlining what the data will be used for.

Data access and backup

At Ninetailed we use continuous backups to keep your data safe in the case of system failure. Full database backups are taken continuously, and are kept for thirty-five days as an electronic copy.