Terms of Service

Last updated: September 13, 2021


Winnin Insights Data Processing Agreement

Last Modified: October 01, 2021

This Winnin Data Processing Agreement and its Annexes ("DPA") reflects the parties' agreement with respect to Processing of Personal Data by Winnin Inc. and its subsidiaries (jointly "Winnin Inc.") on behalf of you in connection with the Winnin Insights Subscription Services under the Winnin Insights Terms of Service and Privacy Policy between you and us (also referred to in this DPA as the "Agreement").

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

We update these terms from time to time. If you have an active Winnin Insights subscription, we will let you know when we do via email or through the Winnin Insights Platform. You can find archived versions of the DPA here, if any.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1. Whereas

a) Winnin acts as a data Controller.
b) You wish to contract Winnin Insights Platform, which implies the processing of personal data, to the Data Processor.
c) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing.
d) The Parties wish to lay down their rights and obligations.

2. Definitions and Interpretations

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

-   “Agreement” means this Data Processing Agreement and all Schedules;
-   “Company Personal Data” means any Personal Data Processed by a Contracted Processor (including data of its employees, contractors, collaborators, customers, prospects, suppliers and subcontractors) on behalf of Company pursuant to or in connection with the Principal Agreement;
-   “Contracted Processor” means a Subprocessor;
-   “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Winnin Inc. acts as a Data Controller.
-   “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation EU General Data Protection Regulation (GDPR) and the Brazilian General Law of Data Protection (LGPD).
-   “Data Subject” means the individual designated as User of Winnin Insights Platform by the Company and to whom Personal Data relates.
-   “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
-   "Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Company” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws and Brazilian Data Protection Laws.
-   “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Company Personal Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
-   “Data Transfer” means: (I) a transfer of Company Personal Data from the Company to a Contracted Processor; or (II) an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
-   “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
-   “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
-   “Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR and LGPD, and their cognate terms shall be construed accordingly.

3. Customer obligations

a. Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.

In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Company Personal Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by You for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. You will inform us without undue delay if it is not able to comply with its responsibilities under this subsection (a) or applicable Data Protection Laws.

b. Controller Instructions. The Parties agree that the Agreement (including this DPA), together with your use of the Winnin Insights Subscription Service in accordance with the Agreement, constitute your complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between us and you.

4. Winnin obligations

a. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.

b. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Winnin Insights Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.

c. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

d. Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

We take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

e. Personal Data Breaches. We will notify you without undue delay after it becomes aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

f. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Winnin Insights Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent we are required by applicable law to retain some or all of the Company Personal Data, or to Company Personal Data it has archived on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with its deletion practices. You may request the deletion of your Winnin Insights account after expiration or termination of your subscription by sending a request. You may retrieve your data from your account by contacting us on dpo@winnin.com.

5. Sub-Processors

You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the Winnin Inc. and third parties listed in Annex 3 to this DPA. We will notify you if we add or remove Sub-Processors to Annex 3 on a regular basis.

Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors.

We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

6. Data Transfers

You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Winnin Insights Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Winnin Inc. and to other jurisdictions where Winnin Affiliates and Sub-Processors have operations. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

7. General Provisions

a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA.

b. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

c. Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement and the Winnin Insights Software Agreement and any reference in such sections to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA).

d. Governing Law. This DPA will be governed by and construed in accordance with the ‘Contacting Entity; ‘Applicable Law; Notice’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.

8. Parties to this DPA

a. Permitted Affiliates. By signing the Agreement, you enter into this DPA on behalf of yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of your Company and Permitted Affiliates, thereby establishing a separate DPA between us, your Company and each such Permitted Affiliate subject to the Agreement and the ‘General Provisions’ and ‘Parties to this DPA’ sections of this DPA. Company and each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the terms “Company”, “you” and “your” will include you, the Company you are acting on behalf of and such Permitted Affiliates.

b. Authorization. The legal entity agrees to this DPA as You represent that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

c. Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against us directly by itself, the parties agree that (i) solely the entity you are acting on behalf of that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Company you are acting on behalf of that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Company that you are acting on behalf of that is the contracting entity responsible for coordinating all communication with us under the DPA and will be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.

d. Other rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Company you are acting on behalf of that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.

9. Governing Law and Jurisdiction

This Agreement is governed by Brazilian law. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the Central Court of Judicial District of Rio de Janeiro, Brazil, to the exclusion of all other jurisdictions, no matter how privileged they might be.

Annex 1 - Details of Processing

This Annex forms part of the DPA.

A. Nature and Purpose of Processing

We will Process Personal Data as necessary to provide the Winnin Insights Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Winnin Insights Subscription Services.

B. Duration of Processing

Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law.

C. Categories of Data Subjects

You may submit Personal Data in the course of using the Winnin Insights Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors designated as Users of Winnin Insights Platform.

D. Categories of Personal Data

You may submit Personal Data to the Winnin Insights Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:

-   Contact Information, such as: name, email, telephone, country, company and title (as defined in the Agreement).
-   Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Winnin Insights Subscription Service, such as: search terms; watched videos; redirection to third party websites from our software, IP address and the user's entire path on our platform.

E. Special Categories of Data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

F. Processing operations

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

a. Storage and other Processing necessary to provide, maintain and improve the Winnin Insights Subscription Services provided to you; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.


Annex 2 - Security Measures

This Annex forms part of the DPA.

We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

a) Access Control:
i)  Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to provide a safe environment.

Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Users who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: User Data is stored in multi-tenant storage systems accessible to User via only application user interfaces and application programming interfaces. Users are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

ii)  Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.

iii)    Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to User Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective User support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.

All Winnin Inc. employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every user site hosted on Winnin Insights Platform. Our HTTPS implementation uses industry standard algorithms and certificates.

At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.

c) Input Control
Detection: We designed our infrastructure to log basic information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. User data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.


Annex 3 - List of Sub-Processors

| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Facebook | Data delivery | United States |
| Youtube | Data delivery | United States |
| Instagram | Data delivery | United States |
| Tubular | Services & Support | Brazil |
| Slack | Services & Support | United States |
| Azure | Services & Support | France |
| G Suite | Security and Privacy | United States |
| Google Trends | Services & Support | United States |
| Clean Cloud | Content delivery network | Brazil |
| Maker | Services & Support | United States |
| Github | Services & Support | United States |
| Webflow | Infrastructure | United States |
| Office 365 | Services and Security | United States |
| Hubspot | Services & Support | United States |
| Monday | Infrastructure | United States |
| Miro | Services & Support | United States |
| Mixpanel | Services & Support | United States |
| Adobe Premiere | Services & Support | United States |
| Sendgrid | Infrastructure | United States |
| Databricks | Services & Support | United States |
| Datadog | Services | United States |
| Figma | Infrastructure | United States |
| AWS | Services & Support | United States |
| Unsplash | Services | United States |
| Notion | Services & Support | United States |
| SEMrush | Infrastructure | Brazil |
| Linktree | Services & Support | Australia |
| Databox | Services & Support | United States |
| Amazon Web Services | Hosting and Infrastructure | United States |

Winnin Insights Data Processing Agreement

Last updated: March 28, 2022

This Winnin Insights Data Processing Agreement and its Annexes ("DPA") reflect the agreement established between the parties regarding the Processing of Personal Data carried out by Winnin Inc. and its subsidiaries (jointly "Winnin") on your behalf in relation to the Winnin Insights Subscription under the Terms of Service and the Privacy Policy agreed between you and us (also referred to in this DPA as the "Agreement").

This DPA supplements and forms part of the Agreement, entering into force upon its publication. In case of conflict or inconsistency with the terms of the Agreement, this DPA will prevail over the terms of the Agreement with respect to the conflict or inconsistency.

We update these terms from time to time. If you have an active Winnin Insights subscription, we will inform you of updates by email or by notification on the Platform.

1. Whereas:

a) You wish to contract the Winnin Insights Platform, which implies the processing of personal data by the Data Processor;
b) Winnin acts as a Data Controller;
c) The Parties wish to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing;
d) The Parties seek to establish their rights and obligations.

2. Terms and Definitions

Unless otherwise established herein, the terms and expressions used in this Agreement shall have the following meaning:

- “Agreement” means this Data Processing Agreement and all its Annexes.

- “Company Personal Data” means any Personal Data processed by a Contracted Processor (including data of its employees, contractors, collaborators, customers, prospects, suppliers and subcontractors) on behalf of the Company pursuant to or in connection with the Principal Contract;

- “Contracted Processor” means a sub-processor, a natural or legal person, that is subject to the oversight of the Data Controller;

- "Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Winnin acts as a Data Controller.

- "Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Contract, including, without limitation, the EU General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD).

- “Data Subject” means the individual designated as User of the Winnin Insights Platform by the Company and to whom the Personal Data relates.

- "Instructions" means the written, documented instructions issued by a Data Controller to a Processor, directing the latter to perform a specific or general action with regard to Personal Data (including, but not limited to, anonymization, blocking, deletion, making available).

- “Personal Data” means any information relating to an identified or identifiable natural person.

- "Data Transfer" means:
(I) a transfer from the Company that is the Controller of the data to a Contracted Processor;
(II) an onward transfer of Company Personal Data from a Contracted Processor to a subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

- “Data Processing” means any operation or set of operations performed on Personal Data, encompassing, but not limited to, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction or erasure of Personal Data.

- “Sub-processor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Contract.

The terms "Commission", “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, "Processing" and “Supervisory Authority” will have the same meaning as in the GDPR and the LGPD, and these terms shall be interpreted in accordance with these laws.

3. Customer Obligations

a. Compliance with Laws:
Within the scope of the Agreement and in the use of the service, you will be responsible for complying with all requirements under the applicable Data Protection Laws with respect to the Processing of Personal Data and the Instructions contained in these rules that are applicable to us.

In particular, but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality and legality of Company Personal Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under the applicable Data Protection Laws for the collection and use of Personal Data, including obtaining all necessary consents and authorizations (particularly for use by the Customer for marketing purposes); (iii) ensuring that you have the right to transfer, or provide access to, the Personal Data to us for Processing under the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and your email deployment practices. You will inform us immediately if you are unable to comply with your responsibilities under this section (a) or the applicable Data Protection Laws.

b. Controller Instructions. The Parties agree that the Agreement (including this DPA), together with the customer's use of the Winnin Insights Subscription Service, constitute your complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions will require prior written agreement between us and you.

c. Security. You are independently responsible for determining whether the data security provided in the Subscription Service adequately meets the obligations under the applicable Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including the security of Personal Data in transit to or from the Subscription Service (including the secure backup or encryption of such Personal Data).

4. Winnin Obligations

a. Compliance with Instructions. We will only Process Personal Data to provide the Winnin Insights Subscription Services or as otherwise agreed within the scope of your lawful Instructions, unless otherwise required by applicable laws. We are not responsible for compliance with any Data Protection Law applicable to you or your market that is not directly applicable to us.

b. Conflict of Laws. When we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) notify you immediately of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for failing to provide the applicable Winnin Insights Subscription Services until such time as you issue new lawful Instructions regarding the Processing.

c. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches, as described in Annex 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our sole discretion, provided that such modification or update does not materially degrade the protection offered by the Security Measures.

d. Confidentiality. We will ensure that all personnel authorized by us to Process Personal Data on our behalf are subject to appropriate confidentiality obligations (whether by contract or by law) with respect to that Personal Data.

We take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the Company Personal Data, as strictly necessary for the purposes of the Principal Agreement and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

e. Personal Data Breaches. We will notify you promptly after becoming aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or is reasonably requested by you. At your request, we will promptly provide the reasonable assistance necessary to enable you to notify relevant Personal Data Breaches to the competent authorities and/or affected Data Subjects, if you are required to do so under the Data Protection Laws.

f. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed under this DPA, on termination or expiration of your Winnin Insights Subscription Service in accordance with the procedures and timeframes set out in the Agreement, except that this requirement will not apply where we are required by applicable law to retain the Customer Personal Data in whole or in part, or to Customer Personal Data archived on backup systems, which data we will isolate and protect from any further Processing and delete in accordance with the deletion practices. You may request the deletion of your Winnin Insights account after the expiration or termination of your subscription, as well as retrieve your data from your account, by contacting us at dpo@winnin.com.

5. Subprocessors

You agree that we may engage Subprocessors to Process Personal Data on your behalf. We have currently appointed, as Subprocessors, the third parties listed in Annex 3 to this DPA. We will notify you on a regular basis if we add Subprocessors to or remove them from Annex 3.

When engaging Subprocessors, we impose data protection terms on the Subprocessors that ensure at least the same level of protection for Personal Data as the terms of this DPA, taking into account the nature of the services provided by such Subprocessors. We will remain responsible for each Subprocessor's compliance with the obligations of this DPA and for all acts and omissions of such Subprocessors that cause us to breach any of the obligations under this DPA.

6. Data Transfers

You agree and acknowledge that we may access and Process Personal Data on a global basis as necessary to provide the Winnin Insights Subscription Service, in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Winnin and in other jurisdictions where Winnin's Affiliates and Subprocessors have operations. We will ensure that such transfers are made in accordance with the requirements of the Data Protection Laws.

7. General Provisions

a. Amendments:
Notwithstanding any other provision to the contrary in the Agreement and without prejudice to the "Compliance with Instructions" or "Security" sections of this DPA, we reserve the right to make any updates and changes to this DPA.

b. Severability: If any individual clause of this DPA is found to be invalid or unenforceable, the validity and enforceability of the other clauses of this DPA will not be affected.

c. Limitation of Liability: The liability of each party and of each of its Affiliates, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement and in the Winnin Insights Software Agreement, and any reference in such sections to the liability of a party means the aggregate liability of each party and all of its Affiliates under the Agreement (including this DPA).

d. Governing Law: This DPA will be governed by and construed in accordance with the terms and definitions; Applicable Law; "Notices" sections of the Jurisdiction Specific Terms, unless otherwise required by the Data Protection Laws.

8. Parties to this DPA

a. Permitted Affiliates:
By signing the Agreement, you enter into this DPA on your own behalf and, to the extent permitted by the applicable Data Protection Laws, on behalf of your Company and its Permitted Affiliates, thereby establishing a separate DPA between us, your Company and each such Permitted Affiliate, subject to the Agreement and to the sections of this DPA entitled “General Provisions” and “Parties to this DPA”. The Company and each Permitted Affiliate accepts the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the terms “Company”, “you” and “your” will include you, the Company on whose behalf you have entered into these commitments and such Permitted Affiliates.

b. Authorization: The legal entity agrees to this DPA, insofar as You represent that you are authorized to accept and enter into it in your own name and, as applicable, on behalf of each of your Permitted Affiliates.

c. Remedies: Except where the applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any legal remedy under this DPA against us directly by itself, the parties agree that (i) only the entity you are representing is the contracting party to the Agreement and may exercise any right or seek any legal remedy that any Permitted Affiliate may have under this DPA, on behalf of its Affiliates; and (ii) the Company on whose behalf you are acting is the contracting party to the Agreement and may exercise any of the rights under this DPA, not separately for each Permitted Affiliate individually, but jointly for itself and all of its Permitted Affiliates as a group. The legal entity you are representing is the contracting party responsible for coordinating all communication with us under the DPA, and is entitled to send and receive any communication related to this DPA on behalf of its Permitted Affiliates.

d. Other rights: The parties agree that you, when reviewing our compliance with this DPA, will take all reasonable measures to limit any impact on us and our Affiliates by combining into a single audit several requests to be carried out on behalf of the Company you are representing, which is the contracting party to the Agreement, and all of its Permitted Affiliates.

9. Governing Law and Jurisdiction

This agreement is governed by the laws of Brazil. Any dispute arising from this Agreement that the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the Central Court of the District of Rio de Janeiro, Brazil, to the exclusion of all other jurisdictions, no matter how privileged they may be.

Annex 1 - Details of Processing

This Annex forms part of the DPA.

A. Nature and purpose of Processing
We Process the Personal Data necessary to provide the Winnin Insights Subscription Services as specified in the Registration Form and as instructed by you in your use of the Winnin Insights Subscription Services.

B. Duration of Processing
Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law.

C. Categories of Data Subjects
You may submit Personal Data in the course of using the Winnin Insights Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

Your Contacts and other end users, including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors designated as Users of the Winnin Insights platform.

D. Categories of Personal Data
You may submit personal data in the course of using the Winnin Insights Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Data relating to the following categories of subject matter:

- Contact information, such as: name, email, telephone, country, company and job title (as defined in the Agreement).

- Any other Personal Data filled in, sent or received by you, or your end users, through the Winnin Insights Subscription Service, such as: search terms; videos watched; redirection from our software to third-party sites, IP address and the user's entire path through our platform.

E. Special Categories of Personal Data (if applicable)
The parties do not anticipate the transfer of special categories of data.

F. Processing operations
The personal data will be processed in accordance with the Services Agreement and this DPA and may be subject to the following processing activities:

a. Storage and other processing necessary to provide, maintain and improve the Winnin Insights Subscription Services provided to you; and/or

b. Confidentiality in accordance with the Agreement (including this DPA) and/or the body of applicable laws.

Annex 2 - Security Measures

This Annex forms part of the DPA.

We currently follow the Security Measures described in this Annex. All capitalized terms not otherwise defined in this document will have the meanings defined in the Main Terms.

a. Access control:

i) Preventing unauthorized access to the product
Outsourced processing: we host our Service with third-party cloud infrastructure providers. In addition, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on the vendors' contractual agreements, privacy policies and compliance programs to protect the data processed or stored by them.

Physical and environmental security: we host our product infrastructure with third-party multi-tenant infrastructure providers. The physical and environmental security controls are audited for compliance with SOC 2 Type II and ISO 27001, among other certifications.

Authentication: we have implemented a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers do not have direct access to the underlying application infrastructure. The authorization model of each of our products is designed to ensure that only appropriately authorized persons can access the relevant features, views and impersonation options. Authorization to data sets is performed by validating the user's permissions against the attributes associated with each data set.

ii) Preventing unauthorized use of the product

We have implemented industry-standard access controls and detection capabilities for the internal networks that support our product.

Access controls: network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented vary by infrastructure provider and include Virtual Private Cloud (VPC) implementations, security group assignments and traditional firewall rules.

Static code analysis: security reviews of the code stored in our source code repositories are performed to check for coding best practices and identifiable software flaws.

iii) Limitation of privileges and authorization requirements

Product access: a subset of our employees has access to the products and to User Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective user support, troubleshoot potential problems, detect and respond to security incidents and implement data security.

All Winnin Inc. employees must conduct themselves in a manner consistent with the company's guidelines, non-disclosure requirements and ethical standards.

b) Transmission control

In transit: we make HTTPS encryption (also referred to as SSL or TLS) available on all of our login interfaces and free of charge on all customer sites. Our HTTPS implementation uses industry-standard algorithms and certificates.

At rest: we store user passwords following policies that follow industry-standard security practices. We have implemented technologies to ensure that stored data is encrypted at rest.

c) Input control

Detection: we designed our infrastructure to log extensive information about system behavior, traffic received, system authentication and other application requests. Internal systems aggregate log data and alert designated employees to malicious, unintended or anomalous activities. Our employees, including the security, operations and support teams, respond to known incidents.

d) Availability control

Infrastructure availability: the infrastructure providers use commercially reasonable efforts to ensure a minimum uptime of 99.95%. The providers maintain a minimum of N+1 redundancy for power, network and heating, ventilation and air conditioning services.

Fault tolerance: backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: where feasible, production databases are designed to replicate data between at least 1 primary database and 1 secondary database. All databases are backed up and maintained using industry-standard methods.

Annex 3 - List of Subprocessors

Winnin insights Data Processing Agreement

Last Modified: October 01, 2021

This Winnin Data Processing Agreement and its Annexes ("DPA") reflects the parties' agreement with respect to Processing of Personal Data by Winnin Inc. and its subsidiaries (jointly "Winnin Inc.") on behalf of you in connection with the Winnin Insights Subscription Services under the Winnin Insights Terms of Service and Privacy Policy between you and us (also referred to in this DPA as the "Agreement").

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

We update these terms from time to time. If you have an active Winnin Insights subscription, we will let you know when we do via email or throughout Winnin Insights Platform. You can find archived versions of the DPA here, if any.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1. Whereas

a) Winnin acts as a data Controller.
b) You wish to contract Winnin Insights Platform, which implies the processing of personal data, to the Data Processor.
c) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing.
d) The Parties wish to lay down their rights and obligations.

2. Definitions and Interpretations

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

- “Agreement” means this Data Processing Agreement and all Schedules;
- “Company Personal Data” means any Personal Data Processed by a Contracted Processor (including data of its employees, contractors, collaborators, customers, prospects, suppliers and subcontractors) on behalf of Company pursuant to or in connection with the Principal Agreement;
- “Contracted Processor” means a Subprocessor;
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Winnin Inc. acts as a Data Controller.
- “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation EU General Data Protection Regulation (GDPR) and the Brazilian General Law of Data Protection (LGPD).
- “Data Subject” means the individual designated as User of Winnin Insights Platform by the Company and to whom Personal Data relates.
- “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
- "Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Company” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws and Brazilian Data Protection Laws.
- “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Company Personal Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
- “Data Transfer” means: (I) a transfer of Company Personal Data from the Company to a Contracted Processor; or (II) an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
- “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
- “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
- “Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR and LGPD, and their cognate terms shall be construed accordingly.

3. Customer obligations

a. Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.

In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Company Personal Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by You for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. You will inform us without undue delay if it is not able to comply with its responsibilities under this subsection (a) or applicable Data Protection Laws.

b. Controller Instructions. The Parties agree that the Agreement (including this DPA), together with your use of the Winnin Insights Subscription Service in accordance with the Agreement, constitute your complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between us and you.

4. Winnin obligations

a. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.

b. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Winnin Insights Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.

c. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

d. Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

We take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

e. Personal Data Breaches. We will notify you without undue delay after it becomes aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

f. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Winnin Insights Subscription Service in accordance with the procedures and timeframes set out in the Agreement, save that this requirement shall not apply to the extent we are required by applicable law to retain some or all of the Company Personal Data, or to Company Personal Data it has archived on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with its deletion practices. You may request the deletion of your Winnin Insights account after expiration or termination of your subscription by sending a request. You may retrieve your data from your account by contacting us on dpo@winnin.com.

5. Sub-Processors

You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the Winnin Inc. and third parties listed in Annex 3 to this DPA. We will notify you if we add or remove Sub-Processors to Annex 3 on a regular basis.

Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors.

We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

6. Data Transfers

You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Winnin Insights Subscription Service in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by Winnin Inc. and to other jurisdictions where Winnin Affiliates and Sub-Processors have operations. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

7. General Provisions

a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA.

b. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

c. Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement and the Winnin Insights Software Agreement and any reference in such sections to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA).

d. Governing Law. This DPA will be governed by and construed in accordance with the ‘Contacting Entity; ‘Applicable Law; Notice’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.

8. Parties to this DPA

a. Permitted Affiliates. By signing the Agreement, you enter into this DPA on behalf of yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of your Company and Permitted Affiliates, thereby establishing a separate DPA between us, your Company and each such Permitted Affiliate subject to the Agreement and the ‘General Provisions’ and ‘Parties to this DPA’ sections of this DPA. Company and each Permitted Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the terms “Company”, “you” and “your” will include you, the Company you are acting on behalf of and such Permitted Affiliates.

b. Authorization. The legal entity agrees to this DPA as You represent that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

c. Remedies. Except where applicable Data Protection Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against us directly by itself, the parties agree that (i) solely the entity you are acting on behalf of that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Company you are acting on behalf of that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Company that you are acting on behalf of that is the contracting entity is responsible for coordinating all communication with us under the DPA and will be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.

d. Other rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Company you are acting on behalf of that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.

9. Governing Law and Jurisdiction

This Agreement is governed by Brazilian law. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the Central Court of Judicial District of Rio de Janeiro, Brazil, to the exclusion of all other jurisdictions, no matter how privileged they might be.

Annex 1 - Details of Processing

This Annex forms part of the DPA.

A. Nature and Purpose of Processing

We will Process Personal Data as necessary to provide the Winnin Insights Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Winnin Insights Subscription Services.

B. Duration of Processing

Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law.

C. Categories of Data Subjects

You may submit Personal Data in the course of using the Winnin Insights Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors designated as Users of Winnin Insights Platform.

D. Categories of Personal Data

You may submit Personal Data to the Winnin Insights Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:

-   Contact Information, such as: name, email, telephone, country, company and title (as defined in the Agreement).
-   Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Winnin Insights Subscription Service, such as: search terms; watched videos; redirection to third party websites from our software, IP address and the user's entire path on our platform.

E. Special Categories of Data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

F. Processing operations

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

a. Storage and other Processing necessary to provide, maintain and improve the Winnin Insights Subscription Services provided to you; and/or
b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.


Annex 2 - Security Measures

This Annex forms part of the DPA.

We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

a) Access Control:
i)  Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to provide a safe environment.

Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Users who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: User Data is stored in multi-tenant storage systems accessible to Users only via application user interfaces and application programming interfaces. Users are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

ii)  Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.

iii)  Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to User Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective User support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security.

All Winnin Inc. employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every user site hosted on Winnin Insights Platform. Our HTTPS implementation uses industry standard algorithms and certificates.

At-rest: We store user passwords following policies that follow industry standard
practices for security. We have implemented technologies to ensure that stored data is
encrypted at rest.

c) Input Control
Detection: We designed our infrastructure to log basic information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. User data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.


Annex 3 - List of Sub-Processors

| Sub-Processor | Location | Purpose |
| --- | --- | --- |
| Facebook | United States | Data delivery |
| Youtube | United States | Data delivery |
| Instagram | United States | Data delivery |
| Tubular | Brazil | Support services |
| Slack | United States | Support services |
| Azure | France | Support services |
| G Suite | United States | Services and privacy |
| Google Trends | United States | Services and support |
| Clean Cloud | Brazil | Storage |
| Maker | United States | Services and support |
| Github | United States | Services and support |
| Webflow | United States | Infrastructure |
| Office 365 | United States | Services and security |
| Hubspot | United States | Services and security |
| Monday | United States | Infrastructure |
| Miro | United States | Services and support |
| Mixpanel | United States | Services and support |
| Adobe Premiere | United States | Services and support |
| Sendgrid | United States | Infrastructure |
| Databricks | United States | Services and support |
| Datadog | United States | Service |
| Figma | United States | Infrastructure |
| AWS | United States | Services and support |
| Unsplash | United States | Service |
| Notion | United States | Services and support |
| SEMrush | Brazil | Infrastructure |
| Linktree | Australia | Services and support |
| Databox | United States | Services and support |
| Amazon Web Services | United States | Storage and infrastructure |