Niantic Controller-Processor Data Processing Agreement
Effective Date: April 6, 2021
Niantic and you, the party agreeing to these terms (“Customer”), have entered into an agreement for access to and use of the Niantic Developer Platform and/or the Niantic SDK (collectively herein, the “Niantic Developer Platform”), as amended from time to time (the “License Agreement”). This Niantic Controller-Processor Data Processing Agreement (the “DPA”) is entered into between you and Niantic, together with any attachments and appendices, and is incorporated by reference into the License Agreement.
For the purposes of this DPA:
“Affiliate” shall mean, as to any entity, any other entity that, directly or indirectly, controls, is controlled by or is under common control with such entity.
“Applicable Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this DPA is subject and which is applicable to a party’s information protection and privacy obligations. For the avoidance of doubt, Applicable Law shall include without limitation the General Data Protection Regulation (Regulation 2016/679) and the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”).
“Data Subject” shall mean any individual about whom Personal Information may be Processed under this DPA.
“Personal Information” shall mean any information that identifies an individual or directly or indirectly relates to an identifiable individual.
“Process” or “Processing” shall mean the collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, access, disclosure, transfer, storage, deletion, combination, destruction, or other use of Personal Information.
“Service Provider” shall mean individually and collectively Customer and any entity that, directly or indirectly, controls, is controlled by, or is under common control with Service Provider.
“Special Personal Information” shall mean any of the following types of Personal Information: (i) social security number, taxpayer identification number, passport number, driver’s license number, Transportation Security Administration pre-check or redress number, or other government-issued identification number; or (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account; (iii) credit history; (iv) information related to personal corporate expense transactions; or (v) information on race, religion, ethnicity, sexual orientation, medical or health information, genetic or biometric information, political or philosophical beliefs, trade union membership, background check information, judicial data such as criminal records or information on other judicial or administrative proceedings.
With respect to Personal Information provided by Niantic, or otherwise Processed by Service Provider on Niantic’s behalf, Service Provider shall, and shall ensure that any person engaging in Processing Personal Information on its behalf, shall:
- Process Personal Information only as instructed and permitted by Niantic as documented in writing, in compliance with Applicable Law, and not Process Personal Information for any other purpose, including for its own commercial benefit, unless Niantic has provided its prior written agreement. Service Provider warrants that it does not and will not sell Personal Information Processed on behalf of or disclosed to it by Niantic under this DPA, and that Service Provider does not and will not retain, use, or disclose any Personal Information Processed on behalf of or disclosed to it by Niantic under this DPA for any purpose other than for the specific business purpose of performing the services for Niantic specified in this DPA and the License Agreement. For the purposes of clarity, Service Provider is prohibited from selling, retaining, using, or disclosing personal information Processed on behalf of or disclosed to it by Niantic under this DPA in any manner that does not comport with these terms. “Selling” for purposes of this paragraph means, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Niantic's Personal Information to another for monetary or other valuable consideration. These terms shall not restrict Service Provider’s ability to comply with applicable law, cooperate with law enforcement agencies concerning conduct or activity that Service Provider believes in good faith may violate applicable law, or exercise or defend legal claims. Service Provider certifies its understanding of these terms and will comply with them;
- Take all security measures required by GDPR Article 32. Namely, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Not disclose or transfer Personal Information to, or allow access by, any third party (including affiliates and subcontractors) without the express prior written agreement of Niantic, except where such disclosure, transfer or access is mandated by Applicable Law (subject to Service Provider providing Niantic with prompt written notice of such requirement to transfer or disclose, unless such notice is prohibited by Applicable Law). For the avoidance of doubt, any intended changes to third parties (including affiliates and subcontractors) used by the Service Provider which will process any Personal Information in connection with the License Agreement must be notified in advance in writing to Niantic and any such intended changes are subject to Niantic’s prior written consent under this clause. If Niantic approves Service Provider’s disclosure and/or transfer granting access of Personal Information to a third party, such third party shall, prior to any such disclosure, have entered into an agreement at least as restrictive as this DPA. Such agreement shall be provided to Niantic promptly upon request. Service Provider shall remain accountable and responsible for all actions by such third parties with respect to the disclosed or transferred Personal Information;
- Notify Niantic without undue delay unless specifically prohibited by Applicable Law, if Service Provider receives: (i) any requests from an individual with respect to Personal Information Processed, including but not limited to opt-out requests, requests for access and/or rectification, blocking, erasure and all requests to exercise data subject rights under Applicable Law, and shall not respond to any such requests unless expressly authorized to do so by Niantic; (ii) any complaint relating to the Processing of Personal Information, including allegations that the Processing infringes on a Data Subject’s rights under Applicable Law; or (iii) any order, demand, warrant, or any other document purporting to compel the production of Personal Information under Applicable Law. Service Provider shall cooperate with Niantic with respect to any action taken relating to such request, complaint, or order or other document;
- Cease Processing and return, archive, or destroy Personal Information in its possession, in accordance with Niantic’s instructions, upon termination or expiration of this DPA or immediately upon Niantic’s request;
- Hold Personal Information in strict confidence and require employees and personnel who will be provided access or will otherwise Process Personal Information to protect all Personal Information in accordance with the requirements of this DPA and ensure such employees and personnel are bound by obligations of confidentiality (including during the term of their employment and thereafter);
- Maintain appropriate access controls including, but not limited to, limiting access to Personal Information to the minimum number of employees and personnel who require such access in order to provide the goods and/or services to Niantic;
- Provide employees and personnel who will be provided access or will otherwise Process Personal Information with appropriate training regarding information security and the protection of Personal Information;
- Provide to Niantic, its authorized representatives, and such independent inspection body as Niantic may appoint, on reasonable notice: (i) access to Service Provider’s information, processing premises, and records; (ii) reasonable assistance and cooperation of Service Provider’s relevant staff; and (iii) reasonable facilities at Service Provider’s premises for the purpose of auditing Service Provider’s compliance with its obligations under this DPA;
- Make available to Niantic all information necessary to demonstrate compliance with Applicable Law;
- Immediately inform Niantic if, in its opinion, an instruction from Niantic infringes Applicable Law;
- Immediately notify Niantic of a possible or actual unauthorized access or disclosure, unauthorized, unlawful or accidental loss, destruction, acquisition of or damage to Personal Information, or any other breach of Applicable Law or this DPA in relation to the Processing of Personal Information by any current or former employee, contractor or agent of Service Provider or by any other person or third party (“Security Incident”); cooperate fully with Niantic to investigate, remediate, and mitigate the effects of the Security Incident, and take all necessary measures to limit further unauthorised disclosure of or unauthorised processing of Personal Information in connection with the Security Incident, and assist Niantic in relation to Niantic’s obligations to provide notice to the competent supervisory authorities and data subjects where required by law. The Service Provider shall provide reasonable details of the Security Incident to Niantic in accordance with this clause which includes without limitation: (i) a description of the Security Incident; (ii) likely consequences of the Security Incident; (iii) the number of data subjects affected, number of records affected and the types of records affected; and (iv) the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate possible adverse effects of the Security Incident ; and
- Encrypt, using industry standard encryption tools, all Special Personal Information that Service Provider: (i) transmits or sends wirelessly or across public networks; (ii) stores on laptops or storage media; and (iii) stores on portable devices, where technically feasible. Service Provider shall safeguard the security and confidentiality of all encryption keys associated with encrypted Special Personal Information.
- Take any other steps required by law to assist Niantic in complying with any notification, registration, obligations related to the performance of privacy impact assessments and consultation with supervisory authorities regarding privacy impact assessments, data subjects’ requests, or other obligations applicable to Niantic under Applicable Law. In the event there are any changes in Applicable Law or the interpretation thereof by any court of law or other regulatory or governing body having jurisdiction, which require changes to this DPA, Service Provider promptly will negotiate in good faith with Niantic to address any required changes.
- process the Personal Information in accordance with the specific duration, subject matter, nature and purpose of processing and type of Personal Information and categories of data subjects as set out in Attachment 1.
To the extent that Customer’s use of the Niantic Developer Platform requires transfer of Personal Information originating within the European Economic Area, the United Kingdom or Switzerland (“EEA”) to outside the EEA, the parties will ensure the transfer is in compliance with Applicable Law. To that end, the Standard Contractual clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU are hereby incorporated by reference, provided that Annexes 1 and 2 of the Standard Contractual Clauses shall be deemed completed as set forth in Attachment 2 to this DPA.
Service Provider shall provide reasonable assistance and cooperation to Niantic to assess and confirm that transferring Personal Information to Service Provider on the basis of the Standard Contractual Clauses ensures that Personal Information remains subject to an essentially equivalent level of protection as in the EEA. The Supplier shall provide all information reasonably requested by Niantic necessary to conduct this assessment, including without limitation details regarding any Law Enforcement Requests (as defined below) it has received unless prohibited by Applicable Law.
In addition to the Standard Contractual Clauses, the Service Provider shall put in place supplementary measures as required by Applicable Law to ensure that Personal Information remains subject to an essentially equivalent level of protection as in the EEA. If, in Niantic’s opinion, at any time an essentially equivalent level of protection of Personal Information cannot be achieved by means of the Standard Contractual Clauses and such supplementary measures, Niantic shall be entitled to suspend or terminate any transfer of Personal Information to Service Provider, unless Niantic is satisfied a derogation or alternative method of transferring Personal Information to Service Provider is available under Applicable Law.
Third Party Access Requests
Unless prohibited by Applicable Law, Service Provider shall:
- inform Niantic without undue delay of any request, order or similar demand by a court, competent authority, law enforcement or other government or public body (“Law Enforcement Request”) relating to the processing of Personal Information under the License Agreement (including this DPA) and provide the Niantic with the opportunity to object to any such Law Enforcement Request; and
- take all reasonable actions to prevent the disclosure of any Personal Information processed by Service Provider under the License Agreement (including this DPA) in response to a Law Enforcement Request without the express prior written consent of Niantic. In the event that it is not legally possible to resist the disclosure of Personal Information in response to a Law Enforcement Request, Niantic shall be entitled to suspend the transfer of such Personal Information and/or terminate the License Agreement immediately on written notice to Service Provider; and
- upon request from Niantic, provide Niantic with the greatest possible amount of relevant information on any Law Enforcement Requests Service Provider has received (in particular the number of requests, type of Personal Information requests, the requesting authority or authorities, whether such requests have been challenged and the outcome of such challenges etc.).
If Service Provider is prohibited by Applicable Law from notifying Niantic in accordance with Clause 3.1 above, Service Provider shall use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information and as soon as possible to Niantic.
The Service Provider warrants that it has not, and shall not, create any measures, mechanisms or business processes which could be used by any law enforcement, government or public body or any third party to access Personal Information.
Niantic may from time to time add new components to the Niantic SDK and/or modify the Niantic SDK available on the Niantic Developer Platform. As a result, Niantic may subject your continued use of the Niantic Developer Platform to your acceptance of additional or amended terms, including amendments to this DPA. In case of a conflict between this DPA and additional terms applicable to a given component of the Niantic SDK, this DPA will control.
TERM AND TERMINATION
This DPA shall be effective as of the date on which Service Provider clicked to accept or the parties otherwise agreed to this DPA. Notwithstanding anything to the contrary in the License Agreement, the obligations pursuant to this DPA shall survive termination of the License Agreement for as long as you hold or process Personal Information.
The liability of the parties under or in connection with these Controller Terms will be subject to the exclusions and limitations of liability in the License Agreement.
These Controller Terms shall be governed by the laws of the jurisdiction specified in the License Agreement. Notwithstanding the foregoing and anything to the contrary in the License Agreement, if Applicable Laws require application of the laws of another jurisdiction to these Controller Terms, such laws shall govern.
The parties agree that Affiliates of Niantic are intended third party beneficiaries of this DPA and that the provisions of this DPA are intended to inure to the benefits of such Affiliates. Without limiting the foregoing, such Affiliates will be entitled to enforce all processing and transfer provisions of this DPA as if each was a signatory to this DPA.
Each party warrants that the execution and performance of its obligations under this DPA does not conflict with or violate any other instrument, contract, agreement, or other commitment or arrangement to which it is a party or by which it is bound, and that it knows of no other fact or circumstance that prevents it from entering into this DPA.
Categories of Data Subjects
Depending on the nature of the access to or use of the Niantic Developer Platform, Data Subjects may include individuals who are customers or users of the products or services of Service Provider.
Nature and purpose of the Processing
The Personal Information will be transferred for the purpose of facilitating Data Exporter’s use of the Niantic Developer Platform, assisting the Data Importer to provide Localization Services, and contributing to Niantic’s “3D Map of the World”.
Type of Personal Information
Personal data shall include Data Subjects’ localization data.
Special categories of Personal Data (if relevant)
The personal data transferred concern the following categories of sensitive data: Not applicable.
Duration of Processing
The personal data will be transferred from time to time, for the duration of the Data Exporter’s use of the Niantic Developer Platform.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is: Niantic, Inc.
The data importer is: Service Provider
The personal data transferred concern the following categories of data subjects (please specify): Unless as otherwise set forth in the License Agreement, Data Subjects may include individuals who are customers or users of the products or services of Data Exporter.
Categories of data
The personal data transferred concern the following categories of data (please specify): localization data.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): None.
The personal data transferred will be subject to the following basic processing activities (please specify): The personal data will be transferred for the purpose of assisting the Data Importer to provide Localization Services and contribution to Niantic’s “3D Map of the World”, as described in the License Agreement, from time to time.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
In addition to, and without limiting, the security measures in accordance with this DPA and the Agreement, as amended, Data Importer shall implement and maintain the following measures and safeguards:
Service Provider’s security measures shall include, at a minimum:
- Preventing unauthorized persons from gaining access to Personal Information Processing systems (physical access control);
- Preventing Personal Information Processing systems being used without authorization (logical access control);
- Ensuring that persons entitled to use a Personal Information Processing system gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control);
- Ensuring that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Information by means of data transmission facilities can be established and verified (data transfer control);
- Ensuring the establishment of an audit trail to document whether and by whom Personal Information have been entered into, modified in, or removed from Personal Information Processing (entry control);
- Ensuring that Personal Information are Processed solely in accordance with Niantic’s instructions (control of instructions);
- Ensuring that Personal Information are protected against accidental destruction or loss (availability control); and
- Ensuring that Personal Information collected for different purposes can be processed separately (separation control).