Niantic Controller-Processor Data Processing Agreement
Effective Date: May 24, 2022
Niantic and you, the party agreeing to these terms (“Customer”), have entered into an agreement for access to and use of the Lightship SDK, the Lightship API and the Lightship Services (collectively herein, “Lightship”), as amended from time to time (the “License Agreement”). This Niantic Controller-Processor Data Processing Agreement (the “DPA”) is entered into between you and Niantic, together with any attachments and appendices, and is incorporated by reference into the License Agreement.
DEFINITIONS
For the purposes of this DPA:
- “Affiliate” shall mean, as to any entity, any other entity that, directly or indirectly, controls, is controlled by or is under common control with such entity.
- “Applicable Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this DPA is subject and which is applicable to a party’s information protection and privacy obligations. For the avoidance of doubt, Applicable Law shall include without limitation the EU GDPR and the UK GDPR (each as defined below), and the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
- “Data Subject” shall mean any individual about whom Personal Information may be Processed under this DPA.
- “EU GDPR” means the General Data Protection Regulation (Regulation 2016/679).
- “EU SCCs” means the Standard Contractual Clauses (Module Two, excluding Clause 7 (Docking), Clause 9 (a)(Option 2), Clause 11 (Option), and Clause 17 (Option 1)) approved by the European Commission in decision 2021/914/EC.
- “Personal Information” shall mean any information that identifies an individual or directly or indirectly relates to an identifiable individual.
- “Process” or “Processing” shall mean the collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, access, disclosure, transfer, storage, deletion, combination, destruction, or other use of Personal Information.
- “Service Provider” shall mean individually and collectively Customer and any entity that, directly or indirectly, controls, is controlled by, or is under common control with Service Provider.
- “Service Provider SCCs” shall mean the EU SCCs, and the UK SCCs (where applicable).
- “Special Personal Information” shall mean any of the following types of Personal Information: (i) social security number, taxpayer identification number, passport number, driver’s license number, Transportation Security Administration pre-check or redress number, or other government-issued identification number; or (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account; (iii) credit history; (iv) information related to personal corporate expense transactions; or (v) information on race, religion, ethnicity, sexual orientation, medical or health information, genetic or biometric information, political or philosophical beliefs, trade union membership, background check information, judicial data such as criminal records or information on other judicial or administrative proceedings.
- “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.
- “UK SCCs” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU.
DATA PROCESSING
With respect to Personal Information provided by Niantic, or otherwise Processed by Service Provider on Niantic’s behalf, Service Provider shall, and shall ensure that any person engaging in Processing Personal Information on its behalf, shall:
- Process Personal Information only as instructed and permitted by Niantic as documented in writing, in compliance with Applicable Law, and not Process Personal Information for any other purpose, including for its own commercial benefit, unless Niantic has provided its prior written agreement. Service Provider warrants that it does not and will not sell Personal Information Processed on behalf of or disclosed to it by Niantic under this DPA, and that Service Provider does not and will not retain, use, or disclose any Personal Information Processed on behalf of or disclosed to it by Niantic under this DPA for any purpose other than for the specific business purpose of performing the services for Niantic specified in this DPA and the License Agreement. For the purposes of clarity, Service Provider is prohibited from selling, retaining, using, or disclosing personal information Processed on behalf of or disclosed to it by Niantic under this DPA in any manner that does not comport with these terms. “Selling” for purposes of this paragraph means, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Niantic’s Personal Information to another for monetary or other valuable consideration. These terms shall not restrict Service Provider’s ability to comply with applicable law, cooperate with law enforcement agencies concerning conduct or activity that Service Provider believes in good faith may violate applicable law, or exercise or defend legal claims. Service Provider certifies its understanding of these terms and will comply with them;
- Take all security measures required by EU GDPR Article 32. Namely, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Not disclose or transfer Personal Information to, or allow access by, any third party (including affiliates and subcontractors) without the express prior written agreement of Niantic, except where such disclosure, transfer or access is mandated by Applicable Law (subject to Service Provider providing Niantic with prompt written notice of such requirement to transfer or disclose, unless such notice is prohibited by Applicable Law). For the avoidance of doubt, any intended changes to third parties (including affiliates and subcontractors) used by the Service Provider which will process any Personal Information in connection with the License Agreement must be notified in advance in writing to Niantic and any such intended changes are subject to Niantic’s prior written consent under this clause. If Niantic approves Service Provider’s disclosure and/or transfer granting access of Personal Information to a third party, such third party shall, prior to any such disclosure, have entered into an agreement at least as restrictive as this DPA. Such agreement shall be provided to Niantic promptly upon request. Service Provider shall remain accountable and responsible for all actions by such third parties with respect to the disclosed or transferred Personal Information;
- Notify Niantic without undue delay unless specifically prohibited by Applicable Law, if Service Provider receives: (i) any requests from an individual with respect to Personal Information Processed, including but not limited to opt-out requests, requests for access and/or rectification, blocking, erasure and all requests to exercise data subject rights under Applicable Law, and shall not respond to any such requests unless expressly authorized to do so by Niantic; (ii) any complaint relating to the Processing of Personal Information, including allegations that the Processing infringes on a Data Subject’s rights under Applicable Law; or (iii) any order, demand, warrant, or any other document purporting to compel the production of Personal Information under Applicable Law. Service Provider shall cooperate with Niantic with respect to any action taken relating to such request, complaint, or order or other document;
- Cease Processing and return, archive, or destroy Personal Information in its possession, in accordance with Niantic’s instructions, upon termination or expiration of this DPA or immediately upon Niantic’s request;
- Hold Personal Information in strict confidence and require employees and personnel who will be provided access or will otherwise Process Personal Information to protect all Personal Information in accordance with the requirements of this DPA and ensure such employees and personnel are bound by obligations of confidentiality (including during the term of their employment and thereafter);
- Maintain appropriate access controls including, but not limited to, limiting access to Personal Information to the minimum number of employees and personnel who require such access in order to provide the goods and/or services to Niantic;
- Provide employees and personnel who will be provided access or will otherwise Process Personal Information with appropriate training regarding information security and the protection of Personal Information;
- Provide to Niantic, its authorized representatives, and such independent inspection body as Niantic may appoint, on reasonable notice: (i) access to Service Provider’s information, processing premises, and records; (ii) reasonable assistance and cooperation of Service Provider’s relevant staff; and (iii) reasonable facilities at Service Provider’s premises for the purpose of auditing Service Provider’s compliance with its obligations under this DPA;
- Make available to Niantic all information necessary to demonstrate compliance with Applicable Law;
- Immediately inform Niantic if, in its opinion, an instruction from Niantic infringes Applicable Law;
- Immediately notify Niantic of a possible or actual unauthorized access or disclosure, unauthorized, unlawful or accidental loss, destruction, acquisition of or damage to Personal Information, or any other breach of Applicable Law or this DPA in relation to the Processing of Personal Information by any current or former employee, contractor or agent of Service Provider or by any other person or third party (“Security Incident”); cooperate fully with Niantic to investigate, remediate, and mitigate the effects of the Security Incident, and take all necessary measures to limit further unauthorised disclosure of or unauthorised processing of Personal Information in connection with the Security Incident, and assist Niantic in relation to Niantic’s obligations to provide notice to the competent supervisory authorities and data subjects where required by law. The Service Provider shall provide reasonable details of the Security Incident to Niantic in accordance with this clause which includes without limitation: (i) a description of the Security Incident; (ii) likely consequences of the Security Incident; (iii) the number of data subjects affected, number of records affected and the types of records affected; and (iv) the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate possible adverse effects of the Security Incident; and
- Encrypt, using industry standard encryption tools, all Special Personal Information that Service Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; and (iii) stores on portable devices, where technically feasible. Service Provider shall safeguard the security and confidentiality of all encryption keys associated with encrypted Special Personal Information.
- Take any other steps required by law to assist Niantic in complying with any notification, registration, obligations related to the performance of privacy impact assessments and consultation with supervisory authorities regarding privacy impact assessments, data subjects’ requests, or other obligations applicable to Niantic under Applicable Law. In the event there are any changes in Applicable Law or the interpretation thereof by any court of law or other regulatory or governing body having jurisdiction, which require changes to this DPA, Service Provider promptly will negotiate in good faith with Niantic to address any required changes.
- Process the Personal Information in accordance with the specific duration, subject matter, nature and purpose of processing and type of Personal Information and categories of data subjects as set out in Attachment 1.
DATA TRANSFERS
- To the extent that Service Provider’s use of Lightship requires transfer of Personal Information originating within the European Economic Area, the United Kingdom or Switzerland (“EEA”) to outside the EEA, the parties will ensure the transfer is in compliance with Applicable Law. To that end, the EU SCCs are hereby incorporated by reference and shall apply to all such transfers, provided that Annexes 1 and 2 of the EU SCCs shall be deemed completed as set forth in Attachments 3 and 4 to this DPA. The parties agree that the law of Belgium shall be the governing law for the purposes of Clause 17 of the EU SCCs, and the Belgian courts shall have jurisdiction for the purposes of Clause 18(b) of the EU SCCs.
- With respect to transfers subject to the UK GDPR, the UK SCCs are hereby incorporated by reference and shall apply in addition to the EU SCCs, provided that Appendix 1 and 2 of the UK SCCs shall be deemed completed as set forth in Attachments 2 and 4 to this DPA. In the event of a conflict or inconsistency between the EU SCCs and the UK SCCs, the provisions which provide the most protection to data subjects shall prevail.
- Service Provider shall provide reasonable assistance and cooperation to Niantic to assess and confirm that transferring Personal Information to Service Provider on the basis of the EU SCCs (and the UK SCCs where applicable) ensures that Personal Information remains subject to an essentially equivalent level of protection as in the EEA. The Supplier shall provide all information reasonably requested by Niantic necessary to conduct this assessment, including without limitation details regarding any Law Enforcement Requests (as defined below) it has received unless prohibited by Applicable Law.
- In addition to the EU SCCs, the Service Provider shall put in place supplementary measures as required by Applicable Law to ensure that Personal Information remains subject to an essentially equivalent level of protection as in the EEA. If, in Niantic’s opinion, at any time an essentially equivalent level of protection of Personal Information cannot be achieved by means of the EU SCCs and such supplementary measures, Niantic shall be entitled to suspend or terminate any transfer of Personal Information to Service Provider, unless Niantic is satisfied a derogation or alternative method of transferring Personal Information to Service Provider is available under Applicable Law.
- The Service Provider SCCs shall, as of the Effective Date of this DPA, supersede and replace any standard contractual clauses previously entered into between the parties in connection with this DPA.
Third Party Access Requests
Unless prohibited by Applicable Law, Service Provider shall:
- inform Niantic without undue delay of any request, order or similar demand by a court, competent authority, law enforcement or other government or public body (“Law Enforcement Request”) relating to the processing of Personal Information under the License Agreement (including this DPA) and provide Niantic with the opportunity to object to any such Law Enforcement Request; and
- take all reasonable actions to prevent the disclosure of any Personal Information processed by Service Provider under the License Agreement (including this DPA) in response to a Law Enforcement Request without the express prior written consent of Niantic. In the event that it is not legally possible to resist the disclosure of Personal Information in response to a Law Enforcement Request, Niantic shall be entitled to suspend the transfer of such Personal Information and/or terminate the License Agreement immediately on written notice to Service Provider; and
- upon request from Niantic, provide Niantic with the greatest possible amount of relevant information on any Law Enforcement Requests Service Provider has received (in particular the number of requests, type of Personal Information requests, the requesting authority or authorities, whether such requests have been challenged and the outcome of such challenges etc.).
If Service Provider is prohibited by Applicable Law from notifying Niantic in accordance with Clause 4.1 above, Service Provider shall use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information and as soon as possible to Niantic.
The Service Provider warrants that it has not, and shall not, create any measures, mechanisms or business processes which could be used by any law enforcement, government or public body or any third party to access Personal Information.
AMENDMENTS
Niantic may from time to time add new components to Lightship and/or modify Lightship. As a result, Niantic may subject your continued use of Lightship to your acceptance of additional or amended terms, including amendments to this DPA. In case of a conflict between this DPA and additional terms applicable to a given component of Lightship, this DPA will control.
TERM AND TERMINATION
This DPA shall be effective as of the date on which Service Provider clicked to accept or the parties otherwise agreed to this DPA. Notwithstanding anything to the contrary in the License Agreement, the obligations pursuant to this DPA shall survive termination of the License Agreement for as long as you hold or process Personal Information.
MISCELLANEOUS
- The liability of the parties under or in connection with this DPA will be subject to the exclusions and limitations of liability in the License Agreement.
- This DPA shall be governed by the laws of the jurisdiction specified in the License Agreement. Notwithstanding the foregoing and anything to the contrary in the License Agreement, if Applicable Laws require application of the laws of another jurisdiction to this DPA, such laws shall govern.
- The parties agree that Affiliates of Niantic are intended third party beneficiaries of this DPA and that the provisions of this DPA are intended to inure to the benefits of such Affiliates. Without limiting the foregoing, such Affiliates will be entitled to enforce all processing and transfer provisions of this DPA as if each was a signatory to this DPA.
- Each party warrants that the execution and performance of its obligations under this DPA does not conflict with or violate any other instrument, contract, agreement, or other commitment or arrangement to which it is a party or by which it is bound, and that it knows of no other fact or circumstance that prevents it from entering into this DPA.
Attachment 1
Categories of Data Subjects
Depending on the nature of the access to or use of Lightship, Data Subjects may include individuals who are customers or users of the products or services of Service Provider.
Nature and purpose of the Processing
The Personal Information will be transferred for the purpose of facilitating Data Exporter’s use of Lightship, assisting the Data Importer to provide Lightship Services, and contributing to Niantic’s “3D Map of the World”, and other such activities specified in the License Agreement.
Type of Personal Information
Personal data as specified in the License Agreement.
Special categories of Personal Data (if relevant)
The personal data transferred concern the following categories of sensitive data: Not applicable.
Duration of Processing
The personal data will be transferred from time to time, for the duration of the Data Exporter’s use of the Niantic Developer Platform.
Attachment 2
APPENDIX 1 TO THE UK SCCs
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is: Niantic, Inc.
Data importer
The data importer is: Service Provider
Data subjects
The personal data transferred concern the following categories of data subjects (please specify): Unless as otherwise set forth in the License Agreement, Data Subjects may include individuals who are customers or users of the products or services of Data Exporter.
Categories of data
The personal data transferred concern the following categories of data (please specify): Personal Data as specified in the License Agreement from time to time.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): None.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): The personal data will be transferred for the purpose of assisting the Data Importer to provide Lightship Services and contribution to Niantic’s “3D Map of the World”, and other such activities as described in the License Agreement, from time to time.
Attachment 3
ANNEX I TO THE EU SCCs
Data exporter(s):
Name: Niantic, Inc.
Address: As stated in the Niantic Business and Developer Services Privacy Policy
Contact person’s name, position and contact details: As above.
Activities relevant to the data transferred under these Clauses: The personal data will be transferred for the purpose of assisting the Data Importer to provide Lightship Services and contribution to Niantic’s “3D Map of the World”, and other such activities as described in the License Agreement, from time to time.
Signature and Date: These SCCs shall become binding upon the Customer’s acceptance of the terms of the License Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Service Provider
Address: Per the details provided by the Service Provider upon registration for Lightship.
Contact person’s name, position and contact details: As above.
Activities relevant to the data transferred under these Clauses: The personal data will be transferred for the purpose of assisting the Data Importer to provide Lightship Services and contribution to Niantic’s “3D Map of the World”, and other such activities as described in the License Agreement, from time to time.
Signature and Date: These SCCs shall become binding upon the Customer’s acceptance of the terms of the License Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As described in Attachment 1 to this DPA
Categories of personal data transferred
As described in Attachment 1 to this DPA
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data may be transferred on a continuous basis in accordance with the terms of the License Agreement and this DPA.
Nature of the processing
The data importer will process Personal Data in accordance with the License Agreement and this DPA.
Purpose(s) of the data transfer and further processing
As described in Attachment 1 to this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As determined by the data exporter and communicated to the data importer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority shall be the Belgian Data Protection Authority
Attachment 4
ANNEX II TO THE EU SCCs/ APPENDIX 2 TO THE UK SCCs
Description of the technical and organisational security measures implemented by the data importer:
In addition to, and without limiting, the security measures in accordance with this DPA and the Agreement, as amended, Data Importer shall implement and maintain the following measures and safeguards:
Data Importer’s security measures shall include, at a minimum:
- Preventing unauthorized persons from gaining access to Personal Information Processing systems (physical access control);
- Preventing Personal Information Processing systems being used without authorization (logical access control);
- Ensuring that persons entitled to use a Personal Information Processing system gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control);
- Ensuring that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Information by means of data transmission facilities can be established and verified (data transfer control);
- Ensuring the establishment of an audit trail to document whether and by whom Personal Information have been entered into, modified in, or removed from Personal Information Processing (entry control);
- Ensuring that Personal Information are Processed solely in accordance with Niantic’s instructions (control of instructions);
- Ensuring that Personal Information are protected against accidental destruction or loss (availability control); and
- Ensuring that Personal Information collected for different purposes can be processed separately (separation control).