Effective date: May 1, 2025
Last modified: April 28, 2025
This Data Processing Agreement ("Agreement") is entered into by and between Playbook Digital, Inc. ("Playbook") and Customer to govern Playbook's processing of Personal Data on behalf of the Customer in compliance with the applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and applicable U.S. state privacy laws.
1. Definitions
Capitalized terms used but not defined herein shall have the meanings given to them under the GDPR.
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Process" or "Processing" means any third party engaged by Playbook to Process Personal Data.
- "Subprocessor" means any third party engaged by Playbook to Process Personal Data.
2. Scope and Roles
The Customer acts as the Controller and Playbook acts as the Processor. This Agreement governs all Processing of Personal Data carried out by Playbook on behalf of the Customer.
3. Nature and Purpose of Processing
Playbook Processes Personal Data for the purpose of providing, maintaining, securing, and improving Playbook's Services, including storage, organization, collaboration, sharing and support.
4. Categories of Data Subjects and Personal Data
- Data Subjects: Users of Playbook services and individuals whose personal data may be contained in uploaded content.
- Personal Data: Names, email addresses, profile information, uploaded files, IP addresses, device information, metadata related to account activity.
- Sensitive Data: Playbook does not intentionally collect special categories of personal data.
5. Duration
Personal Data will be Processed for as long as necessary to provide the Services or until account deletion is requested.
6. Subprocessing
- Playbook may engage Subprocessors to support delivery of the Services.
- Subprocessors are listed in Annex III.
- Playbook shall provide Customer with prior notice of any new Subprocessor.
- Customer may object to new Subprocessors within 30 days of notice.
7. Security Measures
Playbook shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those listed in Annex II.
- Personal data is encrypted at rest and in transit using industry-standard encryption protocols.
- Access to systems and environments where personal data is processed is restricted based on role-based access controls.
- Authentication mechanisms are in place for user and employee accounts, including multi-factor authentication (MFA) for internal systems where applicable.
- Monitoring for unauthorized access, vulnerabilities, and abnormal activities through system logs and security analytics.
- Only data necessary for the provision of services is collected and retained.
- Payment information is processed exclusively through trusted third-party providers; Playbook does not store full payment card details.
- Incident response procedures are maintained to detect, report, and remediate security incidents, including GDPR-compliant breach notification within required timeframes.
- Users are provided with tools to manage, update, download, and delete their personal information within the platform.
- Employee confidentiality obligations and training on data protection best practices.
8. Data Subject Rights
Playbook shall provide assistance to the Customer in fulfilling obligations to respond to Data Subject requests under GDPR, including rights to access, rectify, erase, restrict, object, and data portability.
9. Audit Rights
- Customer may audit Playbook's compliance upon reasonable prior notice.
- Playbook may satisfy audit obligations through third-party certifications (e.g., ISO 27001, SOC 2) or provide reasonable access to documentation.
- Audits shall occur no more than once annually, unless required by law.
10. Breach Notification
- Playbook shall notify Customer without undue delay and no later than seventy-two (72) hours after becoming aware of a Personal Data Breach.
- Notification shall describe the nature of the breach, likely consequences, mitigation steps, and corrective actions taken.
- Playbook shall cooperate with Customer in any required notification to Supervisory Authorities and Data Subjects.
11. Return and Deletion of Data
- Upon termination or expiration of the Services, Customer may instruct Playbook to delete or return all Personal Data.
- Playbook shall certify in writing the deletion of all Personal Data, unless retention is required by law.
12. Cooperation with Authorities
- Playbook shall cooperate, upon Customer's request, with any Supervisory Authority in connection with the Services.
- Playbook shall notify Customer promptly of any legally binding request for disclosure of Personal Data.
13. International Transfers
- Transfers of Personal Data from the EEA, UK, and Switzerland to Playbook in the United States are governed by the Standard Contractual Clauses incorporated by reference in Section 14.
14. Incorporation of Standard Contractual Clauses (SCCs)
The parties agree that the Standard Contractual Clauses issued by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), including Module 2 (Controller to Processor transfers), are incorporated by reference into and form an integral part of this Agreement. The parties further agree that, where applicable, references to the "Member State" shall be deemed to refer to Ireland.
15. Liability and Indemnification
- Each party's liability arising out of or related to this Agreement shall be subject to the limitations of liability set forth in the Playbook Terms of Service.
- Each party shall indemnify the other against fines or damages arising from its own breach of this Agreement.
16. Governing Law and Jurisdiction
- This Agreement shall be governed by the laws of Ireland.
- Disputes shall be subject to the exclusive jurisdiction of the courts of Dublin, Ireland.
Annex I:
List of Parties and Description of Transfer
A. List of Parties
Data Exporter:
Name: Customer (users of Playbook.com)
Contact details: As provided in the User's Playbook account.
Activities relevant to the data transfer: Uploading, storing, organizing, and sharing digital assets on the Playbook platform.
Role: Controller
Data Importer:
Name: Playbook Digital, Inc. (provider of the platform)
Contact details: 341 Moultrie Street, San Francisco, CA 94110, United States.
Activities relevant to the data transfer: Providing digital asset storage, organization, collaboration, and sharing services via the Playbook platform.
Role: Processor
B. Description of Transfer
Categories of data subjects whose personal data is transferred:
Users of Playbook.com, including freelancers, agencies, creative teams and individuals appearing in uploaded content.
Categories of personal data transferred:
Email addresses, names, profile info, uploaded files (images, videos, documents, audio,…), IP addresses, device info.
Sensitive data transferred:
Playbook does not intentionally collect sensitive data, but users may upload such data at their own discretion.
Frequency of the transfer:
Continuous – as long as the user interacts with the platform.
Nature of the processing:
Collection, storage, organization, hosting, access, retrieval, collaboration, sharing.
Purposes of the data transfer and further processing:
Providing, maintaining, securing, and improving Playbook’s cloud platform services.
The period for which the personal data will be retained:
For the duration of the user’s account, or until deletion is requested.
Subject matter, nature, and duration of the processing by sub-processors:
See Annex III – duration is tied to user account lifecycle.
C. Competent Supervisory Authority
Ireland Data Protection Commission (DPC)
Annex II:
Technical and Organizational Measures
Playbook specifically implements the following security measures with respect to Personal Information:
Data encryption:
• Personal data is encrypted at rest and in transit using industry-standard encryption protocols.
Access controls:
• Access to systems and environments where personal data is processed is restricted based on role-based access controls.
• Authentication mechanisms are in place for user and employee accounts, including multi-factor authentication (MFA) for internal systems where applicable.
Network and system security:
• Monitoring for unauthorized access, vulnerabilities, and abnormal activities through system logs and security analytics.
Data minimization and storage:
• Only data necessary for the provision of services is collected and retained.
• Payment information is processed exclusively through trusted third-party providers; Playbook does not store full payment card details.
Incident response:
• Incident response procedures are maintained to detect, report, and remediate security incidents, including GDPR-compliant breach notification within required timeframes.
User controls:
• Users are provided with tools to manage, update, download, and delete their personal information within the platform.
Internal governance:
• Regular audits and evaluations of internal privacy practices.
• Employee confidentiality obligations and training on data protection best practices.
Annex III:
List of Subprocessors
- Google LLC
Service provided: File storage, email, G Suite
Location: USA
- SendGrid, Inc.
Service provided: Cloud-based email notification services
Location: USA
- Stripe
Service provided: Payment processing
Location: USA