1. Introduction
This Data Processing Agreement ("DPA") supplements the Rollick Terms of Service and Privacy Policy. It governs the processing of personal data by Rollick Inc. ("Processor") on behalf of its users ("Data Subjects") in compliance with the General Data Protection Regulation (EU 2016/679) ("GDPR"), UK GDPR, and the Swiss Federal Act on Data Protection.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below:
- "Personal Data" — Any information relating to an identified or identifiable natural person.
- "Processing" — Any operation performed on personal data, including but not limited to collection, storage, use, disclosure, and deletion.
- "Controller" — The entity that determines the purposes and means of processing. In the context of this DPA, the Controller is the User, for their own data.
- "Processor" — Rollick Inc., which processes data on behalf of users to provide the platform.
- "Sub-Processor" — A third party engaged by Rollick to process personal data.
3. Scope of Processing
The following describes the scope, nature, and purpose of data processing under this DPA:
- Subject Matter: Provision of the Rollick entertainment shopping platform.
- Duration: For the term of the user's account plus the retention periods specified in the Privacy Policy.
- Nature and Purpose: Account management, transaction processing, marketplace facilitation, customer support, security, and legal compliance.
- Types of Personal Data: Identity data, contact data, financial data, usage data, and device data (as detailed in Privacy Policy Section 1).
- Categories of Data Subjects: Registered users, marketplace buyers and sellers, and website visitors.
4. Processor Obligations
Rollick shall:
- Process personal data only on documented instructions from the Controller (i.e., as necessary to provide the services described in the Terms of Service).
- Ensure that persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Security Policy).
- Not engage sub-processors without prior notice and opportunity to object.
- Assist the Controller in responding to data subject rights requests.
- Delete or return all personal data upon account closure, subject to legal retention requirements.
- Make available all information necessary to demonstrate compliance and allow audits.
5. Sub-Processors
Current Sub-Processors:
- Amazon Web Services — Cloud hosting (United States)
- Stripe — Payment processing (United States)
- PayPal — Payment processing (United States)
- Google LLC — Analytics (United States)
- Twilio/SendGrid — Email delivery (United States)
- Zendesk — Customer support (United States)
Rollick will notify users of any new sub-processor via email at least 30 days before engagement. Users may object to a new sub-processor within 14 days of notification.
If Rollick cannot accommodate the objection, the user may terminate their account. All sub-processors are bound by data processing agreements with equivalent protections.
6. International Data Transfers
Rollick is based in the United States. For EEA, UK, and Swiss users, data transfers to the US are protected by:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor)
- Supplementary measures including encryption in transit and at rest
Rollick does not transfer data to countries without adequate data protection unless SCCs or other lawful safeguards are in place.
EU-US Data Privacy Framework certification: In progress.
7. Data Subject Rights
Rollick will assist in fulfilling data subject requests for:
- Access (Article 15 GDPR)
- Rectification (Article 16 GDPR)
- Erasure (Article 17 GDPR)
- Restriction (Article 18 GDPR)
- Data Portability (Article 20 GDPR)
- Objection (Article 21 GDPR)
Requests should be directed to [email protected]. Rollick will respond within 30 days, or within 72 hours for urgent matters.
8. Security Measures
Rollick implements the following technical and organizational measures to protect personal data:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Control: Role-based with principle of least privilege
- Monitoring: 24/7 intrusion detection and automated alerting
- Testing: Quarterly penetration testing and weekly vulnerability scanning
- Incident Response: Documented plan with 72-hour notification commitment
See Security Policy for full details.
9. Data Breach Notification
In the event of a personal data breach, Rollick will notify affected data subjects and the relevant supervisory authority without undue delay, and within 72 hours of becoming aware.
Notification will include:
- The nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken to address and mitigate the breach
See Privacy Policy Section 7 for full breach notification policy.
10. Audit Rights
Data subjects and their representatives may:
- Request information about Rollick's data processing practices
- Request evidence of compliance with this DPA
Rollick will provide relevant audit reports, certifications, or summaries upon reasonable request. On-site audits may be conducted with 30 days' advance notice, during business hours, subject to confidentiality obligations.
11. Term and Termination
This DPA is effective for the duration of the user's Rollick account.
Upon account closure, Rollick will delete personal data within 30 days, except where retention is required by law.
Provisions relating to data protection, confidentiality, and liability survive termination.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited by contract.