This Data Sharing Agreement ("Agreement") forms a legally binding contract between the User or the User's representative, assistant, spouse, relative, etc. (hereinafter "You") and Ayflot LLC (AYFLOT LLC, OGRN 1215000017770, Address: 141078, region. Moskovskaya, Korolev city, pr-kt Koroleva, d. 5D k. 1, premise 069 room 7, floor 6; hereinafter "Ayflot"), applies to the extent you and Ayflot share Customer Personal Data as described below, and is incorporated into the other internal documents in accordance with UAE Federal Law No. 45 of 2021 On Personal Data Protection. Ayflot acts as the data controller under this Agreement regardless of which Ayflot entity you contract with for the underlying services.
"Customer Personal Data" means the personal data of UAE-resident data subjects that is provided to you or Ayflot (the "Receiving Party") by or on behalf of the other party (the "Disclosing Party") when both the Receiving Party and Disclosing Party are each a controller.
"Data Protection Law" means the UAE Federal Law No. 45 of 2021 On Personal Data Protection.
"Personal Data Breach" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or controlled by a party.
The terms "personal data," "data subject," "processing," "controller," "processor," "representative," and "supervisory authority," each as used in this Agreement, have the meanings given in the UAE Federal Law No. 45 of 2021 On Personal Data Protection, as applicable, in each case irrespective of whether Data Protection Law applies.
2. Roles and Restrictions
a. Roles of Parties. You and Ayflot are each an independent data controller of Customer Personal Data that will, subject to any restrictions set forth in this Agreement and the services terms, including any supplemental terms and policies, independently determine the purposes and means of the processing of Customer Personal Data under Data Protection Law.
b. Transparency and Data Protection Rights. You and Ayflot will individually inform data subjects and allow data subjects to exercise their rights under Data Protection Law.
c. Details of Data Processing. The subject matter and details of processing are described in Schedule 1 of this Agreement.
d. Compliance with Law. Each party agrees it will comply with its obligations under the Data Protection Law relating to any Customer Personal Data it processes under or in relation to this Agreement.
e. Data Security. In accordance with Data Protection Law, each party will implement and maintain all appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the processing and the nature of Customer Personal Data; and (ii) prevent unauthorized or unlawful processing of Customer Personal Data, accidental loss, disclosure or destruction of, or damage to, Customer Personal Data.
f. Confidentiality. Each party will ensure that only personnel who may be required to assist in meeting its obligations under the services terms or this Agreement will have access to Customer Personal Data and that such personnel are bound by appropriate obligations of confidentiality, and take all reasonable steps in accordance with best industry practice to ensure the confidentiality of the Customer Personal Data.
3. Personal Data Breach
a. Notification. You will notify Ayflot without undue delay and, where feasible, no more than 72 hours after becoming aware of a Personal Data Breach. You will also provide Ayflot with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, (to the extent known) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available, and you will cooperate with any reasonable request made by Ayflot relating to the Personal Data Breach.
b. Investigation. You agree to immediately take action to investigate the Personal Data Breach, to identify, prevent, and mitigate the effects of any such Personal Data Breach, and with Ayflot's prior agreement, to carry out any recovery or other action necessary to remedy the Personal Data Breach.
4. Data Transfers
a. If there are any transfers of Customer Personal Data from one party to the other outside the UAE, then the Data Transfer Agreement shall:
(i) apply to such transfers;
(ii) take precedence over all other terms, including the terms of this Agreement, in respect of such transfers;
(iii) form a legally binding contract between you as the data exporter and Ayflot as or on behalf of the data importer; and
(iv) be hereby incorporated into the services terms.
b. With respect to personal data of UAE-resident data subjects, you and Ayflot agree that each party may process Customer Personal Data outside the UAE where the Data Protection Law requirements are fulfilled, or an exception applies.
This Agreement will terminate automatically upon termination of the Business Services Terms.
If this Agreement or the Data Transfer Agreement conflicts with the services terms then to the extent of the conflict the governing documents will be, in descending order: the Data Transfer Agreement, this Agreement, the supplemental terms and policies, the services terms.
7. Data categories
Customer Personal Data relating to individuals provided by the Disclosing Party to the Receiving Party via the Business Services, which may include:
• email address
• telephone number
• mobile ad ID
• IP address
• cookie ID
• browser user agent
• demographic data
• connections between users
• session, transaction, and user IDs
• gender, height, weight, age, and other personal characteristics
• transaction data such as purchases and refunds information
• actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods
8. Ayflot Security Measures
1. Implementation of and compliance with a written information security program consistent with established industry standards and including administrative, technical, and physical safeguards appropriate to the nature of the Customer Personal Data and designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the data controller, the data controller's customers, or the data controller's employees; and any anticipated threats or hazards to the security or integrity of such information.
2. Adopting and implementing reasonable policies and standards related to security.
3. Assigning responsibility for information security management.
4. Devoting adequate personnel resources to information security.
5. Carrying out verification checks on permanent staff who will have access to the Customer Personal Data.
6. Conducting appropriate background checks and requiring employees, vendors, and others with access to the Customer Personal Data to enter into written confidentiality agreements.
7. Conducting training to make employees and others with access to the Customer Personal Data aware of information security risks and to enhance compliance with Ayflot's policies and standards related to data protection.
8. Preventing unauthorized access to the Customer Personal Data through the use, as appropriate, of physical and logical (passwords) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, built-in system audit trails, use of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection, monitoring compliance with Ayflot's policies and standards related to data protection on an ongoing basis.
In particular, Ayflot has implemented and complies with, as appropriate and without limitation:
• Physical access control measures to prevent unauthorized access to data processing systems (e.g., access ID cards, card readers, desk officers, alarm systems, motion detectors, alarms, video surveillance, and exterior security);
• Denial-of-use control measures to prevent unauthorized use of data protection systems (e.g., automatically enforced password complexity and change requirements and firewalls);
• Requirements-driven authorization scheme and access rights, and monitoring and logging of system access to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that the Customer Personal Data cannot be read, copied, modified, or removed without authorization;
• Data transmission control measures to ensure that the Customer Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data media, and transfer and receipt of records. In particular, Ayflot's information security program will be designed:
o To encrypt in storage any data sets in Ayflot's possession, including sensitive personal data, using appropriate encryption levels based on industry-leading encryption standards and storing user identities on the system using a key-value pair such as ghost_id to prevent storage of the actual user ID; and
o To ensure that any sensitive personal data transmitted electronically (other than by facsimile) to a person outside Ayflot's IT system or transmitted over a public network is encrypted using the newest supported versions of the TLS 1.2 protocol to protect the security of the transmission;
• Data entry control measures to ensure Ayflot can check and establish whether and by whom the Customer Personal Data has been input into data processing systems, modified, or removed;
• Continuous security testing measures to ensure information security practices remain relevant, effective, and up to date, including annual penetration testing, a bug bounty program, use of system scanning tools, tabletop exercises, backup restoration tests, pre-production failovers, and conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;
• Subprocessor supervision measures to ensure that, if Ayflot is permitted to use subprocessors, the Customer Personal Data is processed strictly in accordance with the data controller's instructions including, as appropriate:
- Measures to ensure that the Customer Personal Data is protected from accidental destruction or loss including, as appropriate and without limitation, data backup, retention and secure destruction policies; secure offsite storage of data sufficient for disaster recovery; uninterrupted power supply, and disaster recovery programs; and
- Measures to ensure that data collected for different purposes can be processed separately including, as appropriate, physical or adequate logical separation of Customer Personal Data.