Last Updated: December 16th 2024
Drop Station Inc. d/b/a Station empowers podcasts on our platform (“Podcasts”) to start a “Station” which is a community and membership service by directly connecting with their audience to provide additional content, highlight content and monetize their business with paid memberships, marketing and campaigns.
The purpose of this Agreement is to define the terms under which Podcasts will process Member Data on behalf of Drop Station Inc. Podcasts, acting as Data Processors, will process personal data provided by Drop Station to fulfill their membership, marketing and business services, including engaging with their audience for additional content, marketing activities, and interactive media experiences;
To facilitate these services to be fulfilled, Drop Station Inc. provides the personal data of “members” that ‘Join a Station’ (“Member Data”) to Podcasts. “Member Data” consists of personal information provided by individuals subscribing to Drop Station Inc.'s podcast membership services or “Joining a Station”, as specified in Drop Station Inc.'s privacy policy.
Podcasters then process Member Data in order to provide Members any and all products or services as part of that Podcaster’s community and membership business on Station (collectively known as “Services”). Station requires all Podcasters to agree to this Data Processing Agreement (“Data Processing Agreement”) to ensure that Podcasters respect the privacy rights of Members when processing Member Data.
This Data Processing Agreement is an extension of Drop Station’s Terms of Service and Privacy Policy and will outline certain requirements for Podcasters to process Member Data during and beyond their relationship with Station to comply with the requirements set forth in the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") as well as other applicable privacy laws and regulations concerning the processing of personal data;
The DPA shall prevail to the extent necessary to ensure compliance with Data Protection Legislation. All other provisions of the Terms of Service and Privacy Policy remain in full effect unless explicitly modified by this DPA.The terms of this DPA only apply if the Podcast is based in the European Economic Area (“EEA’), in the United Kingdom (“UK”); or where, in the course of providing services to the Podcast under the Terms of Service.
This Data Processing Agreement is between Drop Station and Podcasters, taking effect from the moment a Station account is created and applies exclusively to the Member Data collected by Station and provided to Podcasters for the purpose of running their community and podcast business with Station.
Drop Station Inc. ("Data Controller") and the Podcasters ("Data Processor") agree to set forth the terms and conditions governing the processing of personal data to ensure the protection and privacy of individuals ("Members") whose data is processed through the Drop Station platform;
1. Introduction
For the purposes of this Agreement, the following terms shall have the meanings set forth below:
• "Agreement" means this Data Processing Agreement, including its preamble and all subsequent clauses.
• "Effective Date" refers to the date the Podcaster account is created and this Agreement becomes binding.
• "Controller" or "Drop Station" means Drop Station Inc., a corporation organized and existing under the laws of the State of Delaware, with its principal place of business in the State of Tennessee.
• "Data Processor" or “Podcaster” means the Podcaster utilizing the Drop Station platform to manage podcast memberships and related activities.
• "Data Protection Legislation" includes, but is not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC), and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts, or consolidates any of them.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is being processed.
• "Personal Data" means any information relating to a Data Subject that is processed through the Drop Station platform, as further defined in the Station Privacy Policy.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, or destruction.
• "Good Industry Practice" means exercising the same skill, expertise, and judgment and using facilities and resources of a similar quality as would be expected from a person who: (a) is skilled and experienced in providing the services in question, seeking in good faith to comply with their contractual obligations and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing their obligations; (c) complies with the Data Protection Legislation and adheres to recognized security standards such as ISO/IEC 27001.
• "Appropriate Technical and Organizational Measures" means those measures aimed at ensuring a level of security appropriate to the risk, including the measures detailed in Section 6. Security Measures, below.
• "Subprocessor" means any third party appointed by Drop Station to process Personal Data on behalf of the Data Processor, as further defined in Section 7. Sub-Processing.
2. Introduction
This Data Processing Agreement ("Agreement") outlines the terms and conditions under which Personal Data will be processed by Podcasters ("Data Processors") on behalf of Drop Station Inc. ("Drop Station" or "Controller") in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and other applicable data protection laws. Drop Station provides a community and membership platform enabling Podcasters to foster communities, manage memberships, market to their audience and monetize them. This Agreement ensures that both Drop Station and Podcasters uphold the privacy and protection of Data Subjects' Personal Data while utilizing the Drop Station platform within GDPR-regulated regions.
3. Scope And Role Of The Parties
Drop Station ("Drop Station") and the Podcasters ("Data Processors") acknowledge and agree to the following roles and responsibilities in relation to the processing of Personal Data during their engagement:
a. Roles of Drop Station: Drop Station shall act as the primary platform provider for the Podcasters, delivering the technical infrastructure and tools required to facilitate community engagement, memberships, and associated activities. As the data controller, Drop Station will determine the purposes and means of processing Personal Data as part of its platform functionality.
b. Roles of Podcasters: Podcasters will act as data processors who utilize the Drop Station platform to directly engage with their audience. This includes starting communities, offering memberships, delivering additional content, marketing their brand, and monetizing activities through contests, events, and related campaigns. Podcasters shall process Personal Data solely in accordance with the instructions and guidelines provided by Drop Station and in compliance with GDPR requirements.
c. Purpose of Data Processing Activities: The main purpose of the data processing activities by the Podcasters is to facilitate the management, marketing and engagement of their podcast audience, which includes creating, managing and monetizing communities, providing exclusive content, conducting marketing campaigns, administering contests and organizing events. This processing seeks to enhance audience interaction, provide value-added services, and explore monetization opportunities.
d. Responsibilities of Drop Station: Drop Station is responsible for ensuring that the platform’s technical and organizational measures meet GDPR compliance, including maintaining the security, confidentiality, and integrity of the Personal Data processed on its platform. Drop Station shall also monitor compliance with data protection principles and provide the necessary support and resources to enable Podcasters to fulfill their data protection responsibilities.
e. Responsibilities of Podcasters: Podcasters are responsible for taking appropriate measures to protect Personal Data, as required by GDPR. This includes ensuring that Personal Data is processed lawfully, fairly, and in a transparent manner and implementing necessary security measures to protect the data. Podcasters must also comply with Drop Station’s data processing instructions and immediately notify Drop Station of any data breaches or non-compliance issues.
f. Collaboration and Coordination: Drop Station and Podcasters agree to work collaboratively to ensure GDPR compliance. This includes coordinating responses to Data Subject requests and regulatory inquiries, ensuring timely remediation of data protection issues, and providing appropriate training and guidance to personnel involved in data processing.
g. Records of Processing Activities: The Podcaster shall maintain a detailed record of all categories of processing activities carried out on behalf of Drop Station, including the purposes of processing, data categories, data subjects, Sub-processors engaged, and any transfers of personal data to third countries. These records shall be made available to Drop Station upon request, in compliance with GDPR Article 30.
4. Processing Instructions
1. The Podcaster agrees to process the Personal Data solely based on the documented instructions of Drop Station Inc., unless required to do so by applicable law to which the Podcaster is subject. In such a case, the Podcaster shall inform Drop Station of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
2. The Podcaster shall ensure that any person authorized to process Personal Data has committed to confidentiality or is under an appropriate statutory obligation of confidentiality.
3. The Podcaster shall not engage in any processing activities beyond those necessary to provide the services defined by Drop Station’s platform, including but not limited to starting communities, memberships, providing additional content, highlighting content, monetizing with paid memberships, marketing, contests, selling associated products, events, and campaigns.
4. The Podcaster must comply with Drop Station’s limitations on processing, refraining from using the Personal Data for any purposes other than those instructed by Drop Station.
5. If the Podcaster believes that any instructions may breach GDPR or other applicable data protection laws, they must immediately inform Drop Station and await further instructions.
5. Confidentiality
The Podcaster acknowledges that during the performance of their activities, they will have access to and process Personal Data.
The Podcaster agrees to treat all Personal Data as strictly confidential and shall not disclose or transfer such data to any third party, except as expressly permitted by Drop Station, in accordance with prevailing data protection laws and this Agreement.
The Podcaster shall ensure that access to Personal Data is limited to its employees, agents, or subcontractors who need such access for the purpose of their involvement with Drop Station and who are bound by confidentiality obligations equivalent to those set forth in this Agreement.
The Podcaster agrees to implement appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services, and to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. The Podcaster shall immediately inform Drop Station if they become aware of any potential or actual breaches of confidentiality or unauthorized access to Personal Data. The duty of confidentiality shall survive the termination of this Agreement.
6. Security Measures
The Podcaster must implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized access, accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The security measures shall be consistent with the requirements of GDPR and other applicable privacy laws and regulations. These measures shall include, but are not limited to, the following:
a. Access Control: Implement measures to restrict access to Personal Data only to authorized personnel who require such access to perform their duties. Ensure proper identity management, authentication, and authorization mechanisms are in place.
b. Data Minimization: Collect and process only the Personal Data that is necessary for the specific purpose related to the Drop Station platform activities.
c. Data Encryption: Use encryption techniques to protect Personal Data both in transit and at rest, where feasible.
d. Incident Management: Establish procedures to detect, respond to, and recover from data security incidents and breaches. Promptly notify Drop Station of any data breach involving Personal Data in accordance with GDPR requirements.
e. Regular Audits: Periodically review and update security measures to ensure ongoing protection of Personal Data and compliance with applicable regulatory requirements.
f. Training and Awareness: Provide regular data protection and privacy training to employees and contractors to ensure awareness of GDPR obligations and security best practices.
g. Physical Security: Ensure that physical access to systems and devices handling Personal Data is properly controlled and limited to authorized individuals only.
7. Sub-Processing
Drop Station may engage Sub-processors to assist in the provision of the Drop Station platform services under this Agreement. The following conditions shall apply to any such engagements:
a. Any Sub-processor utilized by Drop Station will be subject to obligations that provide at least the same level of data protection as those outlined in this Agreement, including compliance with GDPR, other applicable data protection laws, and the security measures specified herein.
b. Drop Station shall maintain an up-to-date list of Sub-processors engaged in the processing of Personal Data, which will be made available to the Podcaster upon request.
c. Prior to onboarding any new Sub-processor, Drop Station will notify the Podcaster of the intended changes and provide the opportunity to object to the Sub-processor's appointment within thirty (30) days after such notice has been provided. If the Podcaster raises any objections, Drop Station will endeavor to address the Podcaster's concerns through reasonable measures.
d. In the event that a Sub-processor fails to fulfill its data protection obligations, Drop Station will remain fully liable to the Podcaster for the performance of the Sub-processor's obligations.
e. Podcaster’s Sub-processors: The Podcaster shall not engage any Sub-processor without Drop Station’s prior written consent. The Podcaster shall ensure that any approved Sub-processor is bound by data protection obligations equivalent to those in this Agreement. The Podcaster shall remain fully liable to Drop Station for the performance of any Sub-processor’s obligations.
8. Data Subject Rights
The Podcaster shall assist Drop Station in responding to any requests from Data Subjects to exercise their rights under the GDPR and other applicable data protection laws in a timely manner and to the extent reasonably practicable. Such assistance from the Podcaster shall include, but not be limited to:
a. Promptly notifying Drop Station of any Data Subject request received directly by the Podcaster, without responding to such request unless authorized to do so by Drop Station.
b. Providing Drop Station with all relevant information and co-operation required to comply with Data Subject requests, including but not limited to access, rectification, erasure, restriction of processing, data portability, and object to the processing of Personal Data.
c. Ensuring the secure transmission of any Personal Data necessary to fulfill the Data Subject request between the Podcaster and Drop Station.
d. Incorporating appropriate technical and organizational measures to facilitate the exercise of Data Subject rights effectively and securely.
e. Keeping records of all Data Subject requests and measures taken to address such requests for compliance and auditing purposes.
f. Data Portability: The Podcaster shall implement measures to ensure that personal data can be provided to Drop Station or another Data Processor in a structured, commonly used, and machine-readable format upon Drop Station’s request, facilitating data portability as required under GDPR Article 20.
The Podcaster shall ensure that such data is transmitted securely and without hindrance.The Podcaster shall ensure compliance with the obligations outlined in this clause and acknowledges that failure to comply may subject both the Podcaster and Drop Station to legal and regulatory consequences.
9. Data Retention And Deletion
a. Retention Periods: The Podcaster shall retain Personal Data processed under this Agreement for as long as the Podcaster's account remains active on the Drop Station platform and for a period of ninety (90) days following the termination or expiration of the Podcaster's use of the Drop Station platform to facilitate relationships and marketing for Drop Station.
b. Data Deletion Requirements Post-Association:
Upon termination or expiration of the Podcaster's use of the Drop Station platform, the Podcaster shall:
• b.1 Delete or anonymize all Personal Data associated with the Podcaster's audience and communities, unless such retention is required by law or legitimate business purposes clearly detailed in other sections of this Agreement.
• b.2 Remove any associations between the Personal Data and the terminated Podcaster's communities (their Station), while retaining the Personal Data to facilitate relationships and marketing directly for Drop Station.
• b.3 Certify in writing to Drop Station that all such Personal Data has been deleted or anonymized in compliance with the GDPR and other applicable privacy laws.
c. Ongoing Obligations: The Podcaster must ensure that any retained Personal Data is securely stored and protected in compliance with GDPR and must take all reasonable steps to ensure it is not used for any purposes other than those explicitly allowed under this Agreement.
10. International Data Transfers
The Podcaster shall not transfer Personal Data outside the European Union (EU) and United Kingdom (UK) unless such transfer is necessary to perform the services under this Agreement and is done in compliance with the GDPR and other applicable data protection laws. In the event that such data transfer is required, the Podcaster shall ensure that:
a. The transfer is to a country which the European Commission or the UK government has decided ensures an adequate level of protection, or
b. The Podcaster has provided appropriate safeguards in accordance with Article 46 of the GDPR (or its UK equivalent) such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or any other legally recognized transfer mechanisms, and the data subjects have enforceable rights and effective legal remedies, or
c. A derogation for specific situations under Article 49 of the GDPR (or its UK equivalent) applies, such as the explicit consent of the data subject, the transfer being necessary for the performance of a contract between the data subject and the Data Controller, or other such grounds as permissible under the law.
Furthermore, the Podcaster shall:
• Implement SCCs: Where appropriate, enter into Standard Contractual Clauses (SCCs) as approved by the European Commission for data transfers to third countries.
• Notify Podcasters: Inform Drop Station Inc. of any data transfers outside the EU/UK prior to initiating such transfers.
• Maintain Documentation: Keep records of all data transfers, including the mechanisms used and the safeguards implemented, and provide this documentation to Drop Station upon request.
Drop Station Inc. reserves the right to request additional information or documentation to verify compliance with this clause and may object to data transfers that do not meet the stipulated requirements.
11. Data Breach Notification
In the event of a data breach, the Podcaster shall promptly notify Drop Station without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach. If it is not possible to notify Drop Station within 72 hours, the Podcaster shall provide the notification as soon as possible thereafter. The notification to Drop Station shall include the following information:
a. A description of the nature of the data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
b. The name and contact details of the Podcaster's data protection officer or other contact point where more information can be obtained.
c. A description of the likely consequences of the data breach.
d. A description of the measures taken or proposed to be taken by the Podcaster to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
e. The Data Processor shall assist Drop Station Inc. in complying with any obligations to notify relevant supervisory authorities of the Security Breach within the required timeframes as stipulated by Data Protection Legislation, including providing all necessary information and support to facilitate such notifications.
The Podcaster shall cooperate fully with Drop Station in investigating the breach, preparing any notifications required by law or regulation, and taking any other actions required to reduce or mitigate the impact of the breach. The Podcaster shall also maintain records of the data breach and remedial actions taken and make them available to Drop Station upon request.
12. Audits And Compliance
Drop Station reserves the right to conduct audits to assess the Podcaster’s compliance with the terms set forth in this Agreement, GDPR, and other applicable privacy laws and regulations. These audits may be performed by Drop Station or its designated representatives and will be conducted during regular business hours with reasonable advance notice. Drop Station may also request documentation and other information necessary to demonstrate compliance. The Podcaster agrees to cooperate fully with any such audit and provide access to relevant records, data, and personnel as required. If any audit reveals non-compliance, the Podcaster agrees to promptly take corrective action as instructed by Drop Station. Furthermore, the Podcaster shall permit Drop Station to review and assess the security measures in place to protect Personal Data. Drop Station may initiate an audit to verify the effectiveness of these security measures and ensure that they align with the required standards. If the audit uncovers any deficiencies, the Podcaster shall implement appropriate measures to address them within a reasonable timeframe.
13. Indemnification
The Podcaster (the Podcaster) agrees to indemnify, defend, and hold harmless Drop Station and its affiliates, and their respective officers, directors, employees, agents, successors, and assigns from and against any and all claims, demands, actions, causes of action, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or related to:
a. Any breach or alleged breach by the Podcaster of any of its representations, warranties, or obligations under this Agreement;
b. Any non-compliance by the Podcaster with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) or its UK equivalent;
c. Any unauthorized use, disclosure, or processing of Personal Data by the Podcaster;
d. Any claim by a data subject related to the actions or omissions of the Podcaster in connection with the processing of Personal Data; and
e. Any gross negligence or willful misconduct by the Podcaster.
This indemnification obligation shall not apply to the extent that such claims, demands, actions, or proceedings arise from the negligence or willful misconduct of Drop Station.
14. Limitation Of Liability
Neither party shall be liable to the other party, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, revenue, business opportunities, goodwill, anticipated savings, or data. Notwithstanding anything to the contrary in this Agreement, the aggregate liability of either party arising out of or in connection with this Agreement, whether in contract, tort, or under any other theory of liability, shall not exceed the total fees paid or payable by the Podcaster to Drop Station under this Agreement during the twelve (12) months preceding the event giving rise to the claim. This limitation of liability does not exclude or limit the liability of either party for fraud, gross negligence, death or personal injury caused by its negligence, or any other liability to the extent that such liability cannot be limited or excluded under applicable law.
15. Termination
a. Cessation of Data Processing: Upon termination of this Agreement, the Podcaster shall immediately cease all processing of Personal Data and shall promptly return or securely delete all Personal Data including derived data held in any form or medium.
b. Certification of Deletion: The Podcaster shall, within thirty (30) days after termination, provide a written certification to Drop Station confirming the return or secure deletion of all Personal Data.
c. Continued Confidentiality: The Podcaster's obligations regarding the protection of Personal Data and confidentiality shall survive termination of this Agreement.
d. Cooperation: The Podcaster agrees to cooperate fully with Drop Station as necessary to transition the processing activities to another Podcaster or to Drop Station itself, including any data extraction, format conversion, or other necessary tasks to preserve data integrity.
16. Miscellaneous
a. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles. Any disputes arising out of or in connection with this Agreement shall be resolved exclusively in the state or federal courts located in California. However, the Parties acknowledge that GDPR's supervisory authorities have jurisdiction over data protection matters, irrespective of the governing law specified herein.
b. Amendments: This Agreement may be amended only in writing and when signed by duly authorized representatives of both parties. No modification, alteration, or waiver of any provisions hereof shall be valid unless made in writing and signed by both parties hereto.
c. Severability: If any provision of this Agreement is found to be unenforceable or invalid, such provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and enforceable.
d. Reference to Drop Station’s Privacy Policy and Terms of Service: The Podcaster acknowledges and agrees that their processing of Personal Data is subject to Drop Station’s Privacy Policy and Terms of Service, which are incorporated herein by reference. The Podcaster agrees to adhere to these policies at all times.
e. Neither party shall be liable for any failure or delay in performing its obligations under this Agreement if such failure or delay is due to circumstances beyond its reasonable control, including but not limited to acts of God, war, terrorism, labor disputes, or governmental actions. The affected party shall notify the other party of the force majeure event promptly and take all reasonable steps to mitigate its effects
17. Data Protection Officer (DPO)
The Podcaster shall appoint a Data Protection Officer (DPO) or equivalent representative responsible for overseeing data protection compliance. The Podcaster shall provide Drop Station Inc. with the DPO’s contact details and promptly notify Drop Station Inc. of any changes to this information.
18. Data Protection Impact Assessments (DPIAs)
a. Assistance with DPIAs: The Podcaster agrees to assist Drop Station Inc. in conducting Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35. This includes providing necessary information about processing activities, access to relevant systems, and support in identifying and mitigating data protection risks.
b. DPIA Documentation: The Podcaster shall contribute to the documentation of DPIAs, ensuring that all processing activities are thoroughly assessed for potential impacts on Data Subjects' privacy.
c. Timely Completion: Both Parties shall collaborate to ensure that DPIAs are completed in a timely manner, particularly before the commencement of any high-risk processing activities, to maintain compliance and protect Data Subjects’ rights.
19. Data Subject Interaction
The Podcaster shall not directly communicate with Data Subjects regarding their personal data unless explicitly authorized by Drop Station Inc. All data subject requests and communications related to personal data must be directed to Drop Station Inc., which will coordinate the appropriate response. If authorized, the Podcaster may assist Drop Station in responding to Data Subject requests in a manner consistent with this Agreement and Data Protection Legislation.
20. Data Localization
The Podcaster shall comply with all applicable data localization laws and regulations that require personal data to be stored or processed within specific jurisdictions. In cases where such requirements exist, the Podcaster shall implement the necessary measures to ensure compliance, including selecting appropriate data centers and ensuring data transfers adhere to the provisions outlined in this Agreement and Data Protection Legislation.
