Thumbmark Data Processing Agreement
Last updated: 18.6.2026
Effective date: 18.6.2026
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Thumbmark Terms of Service available at www.thumbmarkjs.com/terms (the “Terms”), under which Thumbmark Oy, Business ID 3570706-5, a limited liability company registered in Finland (“Thumbmark”, “we”, “us”, or the “Processor”) makes available its browser fingerprinting and visitor identification API services (the “Services”).
This DPA applies between Thumbmark and the entity or person that agrees to the Terms (“Customer” or “you”); each is a “Party” and together the “Parties”. By entering into the Terms, Customer agrees to this DPA, and no separate signature is required. Where the Terms are accepted on behalf of a legal entity, the individual accepting warrants that they have authority to bind it; in that case, “Customer” and “you” mean that entity.
This DPA, together with its Schedules, governs Thumbmark’s Processing of Customer Personal Data under the Terms. In the event of any conflict between this DPA and the remainder of the Terms, this DPA prevails with respect to the Processing of Customer Personal Data. Capitalised terms used but not defined in this DPA have the meanings given to them in the Terms or, where applicable, in the GDPR.
If Customer has entered into a separate written agreement with Thumbmark that governs the Processing of personal data in connection with the Services, that agreement controls to the extent of any conflict, and this DPA does not apply to Processing governed by that agreement.
1. DEFINITIONS
“Applicable Data Protection Law” means data protection or privacy law applicable to the Processing of Customer Personal Data and may include, without limitation, the GDPR, the Finnish Data Protection Act (1050/2018), and the ePrivacy Directive 2002/58/EC as implemented in Finland.
“Controller” means the entity which determines the purposes and means of the processing of Personal Data. In the context of this DPA, “Controller” refers to Customer.
“Customer Personal Data” means Personal Data that Thumbmark Processes on behalf of Customer pursuant to the Terms and this DPA.
“Documented Instructions” means the Processing instructions set out in Schedule 1, the Terms, and any subsequent written instructions agreed by the Parties (including Customer providing instructions via the API and configuration tools made available by Thumbmark for the Services).
“Effective Date” means the date on which the Terms first become effective between Customer and Thumbmark, being the date on which Customer first accepts the Terms or first accesses or uses the Services, whichever is earlier.
“EU SCCs” means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time.
“GDPR” means Regulation (EU) 2016/679.
“Personal Data” means any information that constitutes “Personal Data” under Applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
“Processor” means the entity which processes Personal Data on behalf of the Controller. In the context of this DPA, “Processor” refers to Thumbmark.
“Processing” has the meaning given in the GDPR.
“Processor-to-Processor Clauses” means Module 3 (Processor to Processor) of the EU SCCs.
“Processor-to-Controller Clauses” means Module 4 (Processor to Controller) of the EU SCCs.
“Service Controls” means the controls, features, and functionalities that the Services provide to Customer, including the API, dashboard, configuration options, and Documentation, that Customer can use to retrieve, correct, delete, export or restrict Processing of Customer Personal Data.
“Standard Contractual Clauses” means (i) the Processor-to-Controller Clauses or (ii) the Processor-to-Processor Clauses, as applicable in accordance with Section 10.2.
“Subprocessor” means any third party engaged by Thumbmark to Process Customer Personal Data on its behalf.
“Terms” means the Thumbmark Terms of Service into which this DPA is incorporated.
“Third Country” means a country outside the EEA not recognised by the European Commission as providing an adequate level of protection for Personal Data.
2. SCOPE AND ROLES
2.1 Roles
This DPA applies when Customer Personal Data is Processed by Thumbmark for the provision of Services as set out in the Terms. In this respect, Thumbmark acts as a Processor on behalf of Customer. Customer can act either as a Controller or as a Processor of Customer Personal Data. Where Customer acts as a Processor, Customer’s Documented Instructions may be based on the instructions of Customer’s own controller(s). References in this DPA to “Controller” shall be read as references to Customer acting in its applicable capacity.
2.2 Subject Matter and Duration
The subject matter, nature, purpose, and duration of Processing, the types of Personal Data, and categories of Data Subjects are described in Schedule 2.
2.3 Customer’s Responsibilities
Customer will comply with Applicable Data Protection Law in relation to the Processing of Customer Personal Data concerned by this DPA. Without limiting the foregoing, Customer is solely responsible for ensuring that its Documented Instructions comply with Applicable Data Protection Law.
Customer shall not configure the Services to collect Special Categories of Personal Data (as defined in the GDPR) or criminal conviction data, and shall not transmit such data to Thumbmark through any means. If Customer transmits Special Categories of Personal Data or criminal conviction data to Thumbmark in breach of this provision, Thumbmark shall have no liability under this DPA in respect of such data, and Customer shall indemnify Thumbmark against any claims arising from such transmission.
Customer warrants that it has all necessary rights and authorisations to, as contemplated by this DPA, share Customer Personal Data with Thumbmark and to instruct Thumbmark to Process it.
3. PROCESSING INSTRUCTIONS
3.1 Documented Instructions
Thumbmark shall Process Customer Personal Data only in accordance with the Documented Instructions, unless required to Process by applicable Union or Member State law or other applicable law, in which case Thumbmark shall, unless prohibited by law, provide reasonable notice to Customer of such compelled Processing so that Customer has an opportunity to take such steps as it desires to challenge or contest such Processing.
3.2 Instruction Infringement
If Thumbmark forms an opinion based on available information that Documented Instructions violate Applicable Data Protection Law, it shall immediately inform Customer, in which case Customer is entitled to withdraw or modify its Documented Instructions. Thumbmark may suspend the relevant Processing until Customer confirms, modifies, or withdraws the concerned instruction. Thumbmark shall not be liable for any delay caused by such suspension.
3.3 Retention
The retention periods for Customer Personal Data are specified in the Documented Instructions (Schedule 1). Thumbmark shall maintain automated technical systems to enforce the specified retention limits and shall delete Customer Personal Data automatically upon expiry of the applicable retention period.
4. CONFIDENTIALITY
Thumbmark shall ensure that its employees and agents who are authorised to Process Customer Personal Data have access to such Customer Personal Data only on a need-to-know basis and solely to the extent necessary for performing Thumbmark’s rights or obligations as set out in the Terms, have committed themselves to confidentiality, or are under an appropriate statutory obligation of confidentiality, and Process Customer Personal Data only in accordance with the Documented Instructions.
Thumbmark shall not disclose or transfer Customer Personal Data to any third party except as permitted by the Documented Instructions, this DPA (including to authorised Subprocessors under Section 6), or as required by applicable law. Where Thumbmark is compelled by law or a governmental authority to disclose Customer Personal Data, Thumbmark shall, to the extent legally permitted, provide reasonable notice to Customer of such compelled disclosure so that Customer has an opportunity to take such steps as it desires to challenge or contest such disclosure or seek a protective order.
5. SECURITY
5.1 Measures
Thumbmark shall implement and maintain appropriate technical, physical, and organisational measures to ensure a level of security appropriate to the sensitivity of Customer Personal Data and which measures are designed to protect Customer Personal Data against loss, theft, damage, and unauthorised or unlawful access, use, disclosure or destruction, as required by Applicable Data Protection Law (the “Security Measures”). The current Security Measures implemented by Thumbmark are described in Schedule 3.
5.2 Updates
Thumbmark may update the Security Measures from time to time provided that such updates do not materially reduce the protection of Customer Personal Data or violate the requirements set out in this DPA.
5.3 Customer’s Security Responsibilities
Customer is responsible for properly configuring the Services, implementing appropriate access controls and authentication for its account, and securing Customer Personal Data after it leaves the Services (including via API responses). Thumbmark’s security obligations under this DPA apply to the infrastructure and systems operated by Thumbmark; they do not extend to Customer’s own systems, networks, or use of outputs.
6. SUBPROCESSORS
6.1 General Authorisation
Customer specifically authorises Thumbmark’s engagement of the Subprocessors listed in Schedule 4 as of the Effective Date. In addition, Customer generally authorises Thumbmark’s engagement of other third parties as Subprocessors.
6.2 Information about Subprocessors
Information about Subprocessors, including their identities, locations, and Processing activities, is set out in Schedule 4 as of the Effective Date. An up-to-date list of Subprocessors is maintained on Thumbmark’s publicly accessible subprocessor page on its website (https://www.thumbmarkjs.com/resources/subprocessors).
6.3 Requirements for Subprocessor Engagement
When engaging any Subprocessor, Thumbmark shall:
(a) impose data protection obligations on the Subprocessor by way of a written contract that imposes obligations on the Subprocessor offering, at minimum, a level of protection equivalent to that imposed on Thumbmark under this DPA, including audit rights enabling Thumbmark or its mandated auditor to verify the Subprocessor’s compliance with the contract and Applicable Data Protection Law. Thumbmark shall exercise such audit rights on Customer’s behalf and make the results available to Customer upon request. Customer shall bear the reasonable costs of any audit conducted specifically at Customer’s request; and
(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
6.4 Opportunity to Object
When a new Subprocessor is engaged during the term of the Terms, Thumbmark shall notify Customer at least thirty (30) days before the new Subprocessor begins Processing Customer Personal Data (including the name, location, and activities of the new Subprocessor). Thumbmark shall send such notification to the email address associated with the Customer’s account.
Customer may object to a new Subprocessor by terminating the affected Services on written notice to Thumbmark within thirty (30) days of receiving Thumbmark’s notification. This termination right is Customer’s sole and exclusive remedy if Customer objects to a new Subprocessor. Thumbmark shall refund any prepaid fees covering the period after the effective date of termination. If Customer does not object within the thirty (30) day period, Customer is deemed to have authorised the new Subprocessor.
7. DATA SUBJECT RIGHTS
7.1 Service Controls
Taking into account the nature of the Processing, the Service Controls are the technical and organisational measures by which Thumbmark assists Customer in fulfilling Customer’s obligations to respond to Data Subject requests under Applicable Data Protection Law. Customer may use the Service Controls to retrieve, correct, delete, export, or restrict Processing of Customer Personal Data.
7.2 Forwarding of Requests
If Thumbmark receives a Data Subject request regarding Customer Personal Data, Thumbmark shall promptly forward the request to Customer. Customer authorises Thumbmark solely to respond to any such Data Subject to confirm that Thumbmark has forwarded the request to Customer.
7.3 Scope of Assistance
The Parties agree that Customer’s use of the Service Controls, and Thumbmark forwarding Data Subject requests to Customer in accordance with Section 7.2, represent the primary means of Thumbmark’s assistance under this Section 7. Where a Data Subject request requires functionality that the Service Controls are designed to provide but do not yet support, Thumbmark shall provide the necessary assistance at its own cost. Where requests require Thumbmark’s active involvement beyond the intended scope of the Service Controls, Thumbmark shall provide reasonable assistance at Customer’s cost.
8. PERSONAL DATA BREACH
8.1 Notification
Thumbmark shall notify Customer in writing without undue delay upon becoming aware of a Personal Data Breach. “Becomes aware” means when Thumbmark has a reasonable degree of certainty that a security incident has led to Customer Personal Data being compromised.
8.2 Content
The notification shall include, to the extent reasonably available:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
(b) Thumbmark’s designated contact;
(c) a description of the likely consequences; and
(d) measures taken or proposed to address the breach.
8.3 Phased Notification
Thumbmark may provide information in connection with the Personal Data Breach to Customer in phases as it becomes available.
8.4 Cooperation
Thumbmark shall (a) take reasonable measures and actions to remedy or mitigate the effects of the Personal Data Breach; (b) cooperate with Customer in investigating and mitigating the Personal Data Breach; and (c) promptly provide Customer with all information and assistance reasonably necessary to enable Customer to notify the relevant authorities and, where required, affected Data Subjects, in accordance with Customer’s instructions.
8.5 No Assessment
Notification shall not be construed as an acknowledgement of fault or liability. Customer is solely responsible for determining whether a breach is notifiable under Applicable Data Protection Law.
8.6 Unsuccessful Security Incidents
An unsuccessful security incident shall not be subject to this Section 8. An unsuccessful security incident is one that results in no unauthorised access to, loss of, destruction of, or disruption to the availability of, Customer Personal Data or to any of Thumbmark’s equipment or facilities storing Customer Personal Data. Examples include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial-of-service attacks that do not result in any disruption to the availability of Customer Personal Data, packet sniffing (or other unauthorised access to traffic data that does not result in access to Customer Personal Data), or similar incidents.
9. AUDIT AND COMPLIANCE
9.1 Compliance Assistance
Taking into account the nature of Processing and the information available to Thumbmark, Thumbmark shall provide reasonable assistance to Customer with the completion of data protection or privacy impact assessments under Applicable Data Protection Law (notably by making available existing documentation, certifications, and Processing information) and prior consultations with supervisory authorities or other regulatory authorities under Applicable Data Protection Law, if available.
Thumbmark shall cooperate, on request, with the competent supervisory authority or regulatory authority in the performance of its tasks to the extent such cooperation relates to the Processing of Customer Personal Data.
9.2 Demonstrating Compliance
Thumbmark shall make available to Customer information necessary to demonstrate compliance with this DPA. To the extent Thumbmark maintains independent certifications or audit reports (such as SOC 2 Type II or ISO/IEC 27001), these shall be the primary means of demonstrating compliance and shall be made available upon written request, subject to confidentiality obligations. Where no such certifications are available, Thumbmark shall make available relevant documentation describing its technical and organisational measures.
9.3 Additional Audits
Where the documentation or certifications provided under Section 9.2 are not reasonably sufficient to verify compliance with a specific obligation, Customer may request an audit subject to:
(a) frequency: no more than once per rolling twelve-month period, except following a confirmed Personal Data Breach;
(b) notice: the reasonable start date, scope, duration, and security and confidentiality controls applicable to the audit shall be discussed and agreed in writing in advance between the Parties;
(c) conduct: during normal business hours, minimising disruption;
(d) auditor: bound by confidentiality; Thumbmark may object to an auditor on reasonable grounds relating to the auditor’s qualifications, independence, or confidentiality (including where the auditor is a competitor of Thumbmark);
(e) scope: limited to compliance with this DPA; and
(f) cost: all costs borne by the Customer.
9.4 Remediation
Material non-compliance shall be remediated within a reasonable timeframe agreed by the Parties.
Assistance exceeding Thumbmark’s statutory obligations under this Section 9 may be charged at Thumbmark’s then-current professional services rates.
10. INTERNATIONAL TRANSFERS
10.1 Data Location
The locations of Processing are described in Schedule 2 and Schedule 4. Transfers of Customer Personal Data to a Third Country take place only in accordance with the Documented Instructions and this Section 10.
10.2 Standard Contractual Clauses
The Standard Contractual Clauses will only apply to Customer Personal Data subject to the GDPR that is transferred, either directly or via onward transfer, to any Third Country (each a “Data Transfer”).
(a) When Customer is acting as a Controller, the Processor-to-Controller Clauses (Module 4) shall apply to the Data Transfer. Thumbmark is the data exporter (Processor within the EEA) and Customer is the data importer (Controller outside the EEA).
(b) When Customer is acting as a Processor, the Processor-to-Processor Clauses (Module 3) shall apply to the Data Transfer. Taking into account the nature of the Processing, Customer agrees that it is unlikely that Thumbmark will know the identity of Customer’s controllers because Thumbmark has no direct relationship with Customer’s controllers. Customer shall fulfil Thumbmark’s obligations to Customer’s controllers under the Processor-to-Processor Clauses.
(c) The Standard Contractual Clauses will not apply to a Data Transfer if Thumbmark has adopted an alternative recognised compliance standard for lawful transfers (such as binding corporate rules for processors approved under the GDPR).
10.3 Module Selections
The applicable Module, pre-populated selections, and Annex information are set out in Schedule 5. In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail to the extent of the conflict. Nothing in this DPA varies or modifies the Standard Contractual Clauses.
10.4 Subprocessor Transfers
Where Thumbmark engages a Subprocessor established in a Third Country, Thumbmark shall ensure an appropriate transfer mechanism under GDPR Chapter V is in place before any Customer Personal Data is transferred to that Subprocessor. The transfer mechanism relied upon for each Subprocessor is identified in Schedule 4.
11. DELETION AND RETURN
11.1 Upon Termination
Upon termination or expiry of the Terms, Customer may request the return of Customer Personal Data within thirty (30) days in a commonly used machine-readable format. After this period (or earlier written confirmation), Thumbmark shall delete all Customer Personal Data within ninety (90) days.
11.2 Certification
Upon request, Thumbmark shall confirm deletion in writing.
11.3 Legal Retention
Thumbmark may retain Customer Personal Data where required by applicable law, subject to this DPA.
11.4 Derived Outputs
Aggregated statistical outputs, calibrated parameters, and other outputs derived by Thumbmark from Customer Personal Data, to the extent permitted by the Documented Instructions and which do not constitute Personal Data (i.e. from which no individual Data Subject can be identified, either directly or indirectly), are not Customer Personal Data and are not subject to deletion.
12. LIABILITY
12.1 Processing Per Instructions
Thumbmark shall not be liable and Customer shall indemnify Thumbmark against third-party claims arising from: (a) Processing in accordance with Documented Instructions; or (b) Customer’s failure to comply with Applicable Data Protection Law or this DPA.
12.2 Data Subject Liability
Nothing limits either Party’s liability to Data Subjects under Applicable Data Protection Law.
13. GENERAL
13.1 Governing Law
This DPA is governed by the law, and subject to the jurisdiction, specified in the Terms.
13.2 Amendments
Thumbmark may modify this DPA in accordance with the procedure for amending the Terms.
13.3 Term
This DPA remains in force for as long as Thumbmark Processes Customer Personal Data.
13.4 Termination
This DPA may not be terminated independently of the Terms. Termination of the Terms shall be governed by the Terms. Termination shall not affect any rights or obligations accrued prior to termination, including the obligations in Sections 4, 5, 11, and 12.
13.5 Severability
Invalid provisions shall not affect the remaining provisions.
SCHEDULE 1: DOCUMENTED INSTRUCTIONS
Customer instructs Thumbmark to carry out the following Processing:
Instruction 1 — Fingerprint Generation and Delivery
Collection of browser fingerprinting data from Data Subjects’ devices, immediate pseudonymisation into one-way hashed fingerprint data and visitor ID, and delivery of the visitor ID and associated metadata to Customer through the API. This includes replication of derived outputs (hashed fingerprint data and visitor IDs) to Thumbmark’s edge endpoints globally, to enable low-latency API responses.
Instruction 2 — Service Quality and Security
Customer instructs Thumbmark to retain necessary raw (unhashed) fingerprinting data components for a maximum of ninety (90) calendar days from collection and to Process such data as necessary to ensure the accuracy, reliability, integrity, and security of the service output delivered to Customer. This includes verification, calibration, debugging, performance monitoring, regression testing, and security testing in connection with the Services. Raw data shall be automatically and irreversibly deleted upon expiry of the retention period. Customer may instruct a shorter retention period by written notice. The safeguards applicable to raw data during the retention period are described in Schedule 3, Section B.
Instruction 3 — Deletion
(a) Pseudonymised fingerprint data and visitor IDs: retained for the duration of the Terms and automatically deleted after 90 consecutive days of inactivity of the end-user (i.e. the Data Subject whose Personal Data is linked to the hashed fingerprint data or visitor ID), or within 90 days of termination of the Terms, whichever occurs first.
(b) Raw data: automatically deleted upon expiry of the 90-day retention period from collection, or within 90 days of termination of the Terms, whichever is earlier.
(c) All Customer Personal Data: deleted or returned per Section 11 of this DPA.
SCHEDULE 2: DETAILS OF PROCESSING
| Item | Description |
|---|---|
| Subject Matter | Browser fingerprinting and visitor identification API services. |
| Duration | Duration of the Terms + applicable retention and deletion periods. |
| Nature | Automated collection, pseudonymisation, API delivery, temporary raw data retention for service quality and security. |
| Purpose | Generation of pseudonymised visitor IDs for Customer. Ensuring the accuracy, reliability, integrity, and security of the service output delivered to Customer. |
| Data Subjects | End-users and visitors of Customer’s websites and digital services. |
| Personal Data | Browser/device attributes (such as device type, screen resolution, OS, fonts, plugins, User Agent, canvas fingerprint, WebGL data, audio context, language, timezone). Connection data (such as network identifiers, HTTP headers). Session data (such as identifiers, timestamps). Derived data (such as hashed fingerprint data, confidence scores). |
| Sensitive Data | None. |
| Data Location | Routing is determined by the Data Subject’s geographic location at the time of the API call. Raw data components from all endpoints are stored centrally within the EEA. Pseudonymised outputs (pseudonymised fingerprinting data and visitor IDs) are replicated globally to enable low-latency API responses. All Processing occurs within the infrastructure of authorised Subprocessors listed in Schedule 4. Transfers to Customer in a Third Country are subject to Section 10. |
| Transfer Mechanism | Where Customer is established within the EEA, no Chapter V transfer mechanism applies. Where Customer is established in a country recognised by the European Commission as providing an adequate level of protection (Article 45 GDPR), transfers are made on the basis of the relevant adequacy decision. In all other cases, the applicable Standard Contractual Clauses set out in Schedule 5 apply (Module 4 where Customer acts as Controller; Module 3 where Customer acts as Processor). |
| Recipients | Customer (via API). Authorised Subprocessors listed in Schedule 4. No other recipients unless required by applicable law. |
SCHEDULE 3: TECHNICAL AND ORGANISATIONAL MEASURES
Section A: General Measures
| Category | Measures |
|---|---|
| Encryption | At rest (AES-256+) and in transit (TLS 1.2+). Key management. |
| Access Control | RBAC with MFA. Least privilege. |
| Network Security | Enterprise assets, including cloud infrastructure, are protected using industry standard security measures. Cloud environments are monitored and audited for security misconfigurations. A secure network architecture is documented, addressing segmentation, least privilege, and availability. |
| Logging | Audit logs. Centralised management. Anomaly detection. |
| Business Continuity | DR plan. Regular backup and recovery testing. |
| Personnel | Confidentiality obligations. Security training. |
| Vulnerability Mgmt | Assets are continuously monitored for vulnerabilities with issues actioned within defined remediation timelines (15/30/90/180 days for Critical, High, Medium, and Low severity). Access controls and security measures are subject to external testing that simulates an attacker (penetration testing) on an annual basis. |
| Incident Response | An established programme and incident response capabilities are in place, with defined roles, policies, training, and communication plans, to effectively detect and respond to security incidents. |
| Data Minimisation | Collection limited to necessary data. Immediate pseudonymisation. |
| Application Security | A secure application development process is in place. Software is subject to Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Third-party code is analysed for existing vulnerabilities. |
Section B: Enhanced Measures for Raw Data
The following additional measures apply to raw (unhashed) data during the retention period specified in Instruction 2:
| Category | Enhanced Measures |
|---|---|
| Storage Isolation | Logically segregated storage for raw data. |
| Access Restrictions | Named-individual access lists. Documented need required. Regular reviews. |
| Automated Deletion | Automated enforcement of 90-day limit. Technical safeguards against override. |
| Audit Trail | Complete access logging (identity, timestamp). Logs retained for 90 days. |
| Minimisation | Aggregated or pseudonymised data used where feasible without compromising effectiveness. |
SCHEDULE 4: AUTHORISED SUBPROCESSORS
Authorised Subprocessors as of the Effective Date:
| Field | Details |
|---|---|
| Entity Name | Amazon Web Services EMEA SARL |
| Registered Address | 38 Avenue John F. Kennedy, L-1855 Luxembourg |
| Contact Person | AWS Data Protection Officer, aws-EU-privacy@amazon.com |
| Description of Processing | Cloud infrastructure services: compute (EC2), storage (S3), content delivery (CloudFront). Thumbmark deploys edge endpoints on AWS infrastructure to collect and process browser fingerprinting data into derived outputs and to store raw data centrally in the EEA. |
| Data Processed | Raw fingerprinting data (transit and storage), fingerprint hashes, visitor IDs, and associated metadata. |
| Location of Processing | Raw data is processed at the edge endpoint nearest to the Data Subject at the time of the API call; raw data is stored centrally in the EEA. Pseudonymised outputs are replicated globally to enable low-latency API responses. A current list of active endpoint and processing regions is available at www.thumbmarkjs.com/resources/infrastructure and upon request. Thumbmark shall notify Customer no less than 30 days before adding any new processing location. |
| Transfer Mechanism | The Subprocessor is established within the EEA (Luxembourg). To the extent the Processing involves a transfer of Customer Personal Data within the meaning of Chapter V of the GDPR, such transfer takes place on the basis of an appropriate transfer mechanism as set out in the AWS GDPR Data Processing Addendum, as amended from time to time. |
AWS EMEA SARL’s own sub-processors (including AWS infrastructure entities operating specific regions) are listed at https://aws.amazon.com/compliance/sub-processors/.
SCHEDULE 5: STANDARD CONTRACTUAL CLAUSES
Where the Standard Contractual Clauses apply pursuant to Section 10.2, the Parties agree to the following modules, selections, and Annex information. The Standard Contractual Clauses are incorporated by reference into this DPA and are deemed entered into and signed by the Parties as of the Effective Date.
1. Parties and Roles
| Role | Party |
|---|---|
| Data Exporter | Thumbmark Oy (Processor), Business ID 3570706-5, registered in Finland. |
| Data Importer | The entity identified as “Customer” under the Terms (Controller or Processor, as applicable under Section 2.1). |
2. Applicable Module
| Customer Role | Applicable Module |
|---|---|
| Customer as Controller | Module 4 (Processor-to-Controller Clauses) applies. Thumbmark (data exporter, Processor) transfers Customer Personal Data to Customer (data importer, Controller) outside the EEA. |
| Customer as Processor | Module 3 (Processor-to-Processor Clauses) applies. Thumbmark (data exporter, Processor) transfers Customer Personal Data to Customer (data importer, Processor acting on behalf of its own controller(s)) outside the EEA. |
3. Clause Options (all Modules)
| Clause | Selection |
|---|---|
| Clause 7 (Docking clause) | Included. Additional data importers may accede to the Standard Contractual Clauses in accordance with Clause 7 by completing and signing all applicable Annexes. |
| Clause 9(a) (Module 3: Sub-processor authorisation) | Option 2: General written authorisation, in accordance with Section 6 of this DPA. Thumbmark shall inform Customer of changes at least 30 days in advance, giving Customer the opportunity to object per Section 6.4. (Clause 9 does not apply to Module 4.) |
| Clause 11 (Redress) | The optional language is not included. |
| Clause 13(a) (Supervisory authority) | Module 3: The supervisory authority of the EU Member State in which the data exporter is established: the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Finland. Module 4: Not applicable (Clause 13 does not apply to Module 4). |
| Clause 17 (Governing law) | The laws of Finland. Module 4, Clause 17: the laws of Finland (which allow for third-party beneficiary rights as required by Clause 3). |
| Clause 18 (Forum) | The courts of Finland. |
4. Annex I.A — List of Parties
The data exporter and data importer are as identified in Section 1 above. The data exporter’s identity, address, and contact details (including those of its data protection officer or relevant contact person) are as set out in the Terms. The data importer is the Customer that accepted the Terms; the data importer’s identity, address, and contact details are those provided by the Customer on registration for its account, and the contact point for the data importer is the email address associated with that account. The activities relevant to the data transferred and the role of each party are as set out in Sections 1 and 2 above and in Schedule 2 (Details of Processing).
5. Annex I.B — Description of Transfer
The categories of data subjects, types of personal data, nature and purpose of processing, and retention period are as set out in Schedule 2 (Details of Processing) of this DPA, which is hereby incorporated by reference as Annex I.B to the Standard Contractual Clauses. The transfer takes place on a continuous basis, with Customer Personal Data transferred on each call to the API.
The contact details of the data exporter’s data protection officer (or, where not appointed, the relevant contact person) are as notified by Thumbmark to Customer from time to time.
6. Annex II — Technical and Organisational Measures
The technical and organisational measures implemented by the data exporter are as set out in Schedule 3 (Technical and Organisational Measures) of this DPA, which is hereby incorporated by reference as Annex II to the Standard Contractual Clauses.
7. Annex I.C — Competent Supervisory Authority
Module 3 (Processor to Processor): The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Finland, as the supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR.
Module 4 (Processor to Controller): Not applicable. Clause 13 and Annex I.C do not apply to Module 4.
8. Annex III — List of Sub-processors
Module 3: The list of sub-processors authorised by the data exporter is as set out in Schedule 4 (Subprocessors) of this DPA, which is hereby incorporated by reference as Annex III to the Standard Contractual Clauses.
Module 4: Not applicable.