Exhibit 1
DATA PROCESSING ADDENDUM BETWEEN JOINT CONTROLLERS
This Data Processing Addendum (“DPA”) is entered into between CPS Graphics Inc. d/b/a Tambourine, registered at 100 W. Cypress Creek Rd. #550, Fort Lauderdale, FL 33309 (“Tambourine”), and the contracting party using the Services and the Tambourine Technology as set forth in the Master Services Agreement (“Agreement”) (the “Client”). Tambourine and Client are collectively referred to as “Joint Controllers” or the “Parties,” and individually as a “Party.” This DPA, the Agreement, and any applicable Service Agreement executed by Client shall together constitute the agreement between the Parties (the “Agreement”).
THE FOLLOWING HAS BEEN AGREED:
- 1. DEFINITIONS.
Capitalized terms not specified herein have the definitions set forth in the Agreement.
“Joint Processing” means the Personal Data Processing activities for which the purposes and means are jointly determined by the Joint Controllers, as described in Annex I. In the event of any changes to the Joint Processing, the Parties shall promptly amend this DPA to reflect such changes.
“U.S. Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of this DPA, and any implementing regulations, interpretative guidance and amendments thereto.
“Personal Data” means any information that is linked or reasonably linked to an identified or identifiable natural person, household, or device, that relates to a consumer or business-to-business customer of Client, and that is protected as personal data or personally identifiable information under U.S. Data Protection Laws.
“Security Incident” means the unauthorized access to or unauthorized acquisition of computerized data maintained by a Party that compromises the security, confidentiality, or integrity of Personal Data, and includes the terms “security breach”, “breach of security”, “breach of system security”, and “breach of the security of the system” as those terms are defined under applicable U.S. Data Protection Laws.
“Controller,” “Data Controller,” “Data Processor,” “Data Subject,” “Process,” “Processing,” “Processor,” “Profiling,” “Targeted Advertising,” “Sale,” “Sell,” “Selling” and “Sensitive Information,” whether used in singular or plural, shall bear the respective meanings given to them in applicable U.S. Data Protection Laws.
“Tambourine Technology” shall have the meaning as set forth in the Agreement.
“Services” shall have the meaning as set forth in the Agreement.
- 2. PURPOSE OF THE DPA AND PROCESSING.
- 2.1 The purpose of this DPA is to determine the respective obligations of the Joint Controllers in order to ensure compliance with U.S. Data Protection Laws when carrying out the Joint Processing.
- 2.2 The nature and purpose of the Joint Processing is related to the Services, including the processing of Personal Data to provide digital marketing services for events and weddings via the Tambourine Technology, as more specifically set forth in the Agreement and Service Agreement. Each Party makes Personal Data available to the other Party only for the limited and specified purposes set forth in this DPA, and each Party shall use the Personal Data received from the other Party only for those limited and specified purposes.
- 2.3 The Parties do not currently collect Sensitive Information in connection with the Joint Processing. In the event either Party begins to collect Sensitive Information, the Parties shall promptly amend this DPA to address the additional requirements under applicable U.S. Data Protection Laws for the Processing of Sensitive Information.
- 3. OBLIGATIONS OF THE JOINT CONTROLLERS.
- 3.1 Compliance with U.S. Data Protection Laws by each Joint Controller. The Joint Controllers recognize that they have full knowledge of the obligations that apply to them pursuant to the applicable U.S. Data Protection Laws in their role of Joint Controllers for the Joint Processing described in Annex I.
- (a) For this reason, the Joint Controllers undertake to:
- respect and comply with these obligations under applicable U.S. Data Protection Laws;
- document their compliance and make documentation available to the other Party upon prior advance written request of 30 days regarding such compliance;
- inform the other Party of any proven or potential error, irregularity, omission or Security Incident to which the DPA applies; and
- update the conditions for carrying out the Joint Processing when needed, having regard to the changes in applicable U.S. Data Protection Laws.
- (b) Each Party undertakes to ensure its own compliance and the compliance of its personnel (where applicable) with the following obligations:
- Processing Personal Data for the sole purposes of the Joint Processing;
- ensuring the confidentiality of Personal Data Processed under this DPA;
- ensuring that the persons authorized to Process the Personal Data:
- (A) only access the Personal Data necessary for the fulfillment of their duties according to their roles and to the needs of this DPA;
- (B) are subject to adequate confidentiality obligations; and
- (C) have received appropriate training in U.S. Data Protection Laws.
- communicating to the other Party, upon written request and without delay, all the information and documents demonstrating compliance with its obligations under U.S. Data Protection Laws;
- communicating to the other Party immediately if it can no longer comply with U.S. Data Protection Laws;
- posting and reviewing annually a transparent Privacy Policy/Notice that complies with applicable U.S. Data Protection Laws and revising this Privacy Policy/Notice as required under U.S. Data Protection Laws. Such Privacy Policy/Notice must include notifications about what Personal Data is collected, used, stored, and transferred under this DPA and data subject rights as applicable under U.S. Data Protection Laws;
- defining and adopting the internal procedures that are necessary for complying with its obligations; and
- ensuring, where appropriate, the deletion of Personal Data at the end of the retention period.
- 3.2 Obligation of Information. Each Joint Controller shall provide to Data Subjects the information required by applicable U.S. Data Protection Laws according to the conditions and deadlines prescribed by U.S. Data Protection Laws.
- 3.3 Data Subject Rights and Requests.
- (a) In this section, the term “rights” shall mean any right granted to Data Subjects under applicable U.S. Data Protection Laws. In compliance with applicable U.S. Data Protection Laws, a Data Subject may exercise their rights against each Joint Controller or against both Joint Controllers.
- (b) Each Party shall be individually responsible for responding to requests from Data Subjects to exercise their rights under applicable U.S. Data Protection Laws with respect to the Personal Data for which it is the Controller. Where a Party receives a Data Subject request that relates to Personal Data controlled by the other Party, the receiving Party shall promptly, and in any event within five (5) business days, redirect the Data Subject to the appropriate Party or notify the other Party of the request so that it may respond directly.
- (c) The Parties shall coordinate to ensure Data Subject requests relating to Joint Processing are fulfilled within the time periods required by applicable U.S. Data Protection Laws.
- (d) Each Party shall provide the other Party with reasonable cooperation and assistance in connection with the handling of all Data Subject requests, whether arising from independent or Joint Processing, to the extent such cooperation is necessary for the other Party to fulfill its obligations under applicable U.S. Data Protection Laws.
- (e) Each Party shall implement and maintain systems and processes to recognize and honor opt-out preference signals, including Global Privacy Control (“GPC”) signals and any other universal opt-out mechanism (“UOO”) recognized under applicable U.S. Data Protection Laws. Upon receipt of a valid opt-out preference signal from a Data Subject, each Party shall: (i) treat the signal as a valid request to opt out of the Sale, Profiling, Targeted Advertising, or Sharing of Personal Data, as applicable; (ii) process such opt-out request in accordance with the requirements and timeframes set forth in applicable U.S. Data Protection Laws; and (iii) ensure that any Data Processors acting on its behalf likewise honor such signals. Neither Party shall require Data Subjects to verify their opt-out preference signal requests as a condition of honoring such requests, unless verification is expressly permitted under applicable U.S. Data Protection Laws.
- 3.4 Security Incident Notification.
- (a) In the event that a Party discovers or reasonably suspects a Security Incident affecting Personal Data under this Agreement, such Party (the “Notifying Party”) shall notify the other Party without undue delay, and in any event within forty-eight (48) hours of the Notifying Party’s confirmation of a Security Incident.
Such notice shall include to the extent available at the time of notification:
- a description of the nature of the Security Incident, including the categories and approximate number of consumers affected;
- the categories and approximate number of Personal Data records affected;
- a description of the likely consequences of the Security Incident;
- a description of measures taken or proposed to address the Security Incident; and
- the name and contact details of the Party’s privacy point of contact.
- (b) The Notifying Party shall cooperate with the other Party as reasonably requested in connection with investigating, remedying and mitigating the effects of the Security Incident, including by providing information, taking the relevant remedial actions and access reasonably necessary for the other Party to fulfill its legal obligations.
- 3.5 Data Security.
- (a) Each Party shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Personal Data from unauthorized access, acquisition, use, disclosure, destruction, or modification. Such safeguards shall be appropriate to the nature and scope of the Processing activities and the sensitivity of the Personal Data involved.
- (b) In addition to Section 3.5(a), each Party’s security measures shall include as necessary for the scope and sensitivity of the Personal Data Processed, at a minimum: (i) encryption of Personal Data in transit and at rest; (ii) access controls limiting access to Personal Data to authorized personnel on a need-to-know basis; (iii) regular testing and assessment of the effectiveness of security measures; (iv) employee training on data security and privacy obligations; and (v) incident response and disaster recovery procedures.
- (c) Upon reasonable request and no more frequently than once per calendar year, each Party shall provide the other Party with a copy of an independent security assessment or audit, subject to reasonable confidentiality obligations or other security information as required by regulators or law.
- 3.6 Cooperation with Regulatory Authorities.
The Joint Controllers shall inform each other of any requests, inquiries, investigations, enforcement actions, or any similar measures taken by any regulatory authority (including but not limited to state Attorney General, the Federal Trade Commission, or state privacy agencies) or any other governmental authority regarding the Joint Processing.
- 4. DATA PROCESSORS.
- 4.1 Conditions to contract with a Data Processor.
- (a) Each Party may subcontract all or part of its obligations, subject to prior notice to the other Party. Any change in subprocessors shall enter into effect in the absence of objection by the other Party within 15 calendar days from receipt of the above-mentioned prior notice. All contractual agreements with the subprocessors and the performance of the contractual relationship must include substantially similar terms to this DPA, including without limitation that they comply with the requirements of applicable U.S. Data Protection Laws.
- (b) In the case of subprocessing, the Parties shall be granted control, audit and inspection rights by the subprocessors in accordance with this DPA. The Parties undertake to ensure that each of their subprocessors respects the obligations provided for in this DPA, in particular by expressly including the same obligations in the contract binding this or these subprocessors and by carrying out a regular audit or having it carried out to verify the compliance of these subprocessors.
- (c) Each Party shall remain fully liable to the other Party for the performance by subprocessors of its (their) obligations.
- 5. DATA MINIMIZATION AND RETENTION.
- 5.1 Each Party shall limit its Processing of Personal Data received from the other Party to what is reasonably necessary and proportionate to achieve the purposes set forth in Annex I.
- 5.2 Each Party shall retain Personal Data received from the other Party only for as long as reasonably necessary to fulfill the purposes for which it was disclosed, unless a longer retention period is required or permitted by applicable law. Upon the expiration or termination of the Agreement, or upon the disclosing Party’s written request, the receiving Party shall, at the disclosing Party’s election, return or securely delete all Personal Data received from the disclosing Party, except to the extent retention is required by applicable law or regulation, and shall provide written certification of such return or deletion upon request.
- 6. LIMITATION OF LIABILITY.
- 6.1 Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or otherwise, shall be subject to the limitations and exclusions of liability set forth in the Agreement.
- 7. TERM AND TERMINATION.
- 7.1 This DPA shall become effective on the effective date of the Agreement and shall remain in effect for the duration of the Agreement.
- 8. AMENDMENTS.
- 8.1 This DPA may be amended or modified only by a written instrument signed by authorized representatives of both Parties. Notwithstanding the foregoing, if any U.S. Data Protection Laws are enacted, amended, or interpreted in a manner that requires modifications to this DPA, the Parties shall negotiate in good faith to amend this DPA to comply with such requirements.
- 9. MISCELLANEOUS.
- 9.1 This DPA is part of and incorporated into the Agreement. The Agreement, including this DPA and any exhibits attached hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and representations, whether oral or written, relating thereto. In the event of a conflict between the terms of this DPA and the Agreement, the terms and conditions of this DPA shall prevail.
ANNEX I – MAIN OBLIGATIONS OF JOINT PROCESSING
JOINT CONTROLLERS PROCESSING | |
Subject Matter | The Joint Controllers shall cooperate on the basis of the Agreement and SOW between Client and Tambourine. |
Nature and purpose of Joint Processing | The nature and purpose of the Joint Processing is related to providing digital marketing services for events and weddings via the Tambourine Technology as more specifically set forth in the Agreement and SOW. |
Categories of Personal Data | Contact Data (e.g. customer name, company name, email, phone number, and address); Usage/Analytics Data (e.g. login history, pages viewed, meta data, browsing history, device data, search queries) |
Sensitive Personal Data | None |
Categories of Data Subjects | Users of the Tambourine Technology, both consumers and business-to-business. |
Master Services Agreement & Addendums:
Last Update: 5/21/2026