Data Transfer Agreement

This agreement binds the Customer (also referred to as “Controller”) and THE COCKTAIL AMÉRICA, S.A DE C.V (referred to as “Provider” or “Manager”) for the services rendered by the Provider that imply access to Customer data. 

Purpose
The purpose of this agreement is to establish the conditions that apply to the transfer of personal data in the provision of services by the Provider to the Customer, in accordance with the Customer’s instructions and with the purposes and instructions indicated by the Customer for the processing of personal data by the Provider in rendering the service.

The Provider is configured as Manager in order to access one or more personal databases for which the Customer is the Controller.

Both parties agree to be bound by the terms of this agreement and will process the data in accordance with the principles established in the Federal Law on the Protection of Data Held by Private Parties and other regulations that regulate or modify it.  

Purpose of the transfer of personal data

The personal data will be processed by the Manager for the purpose set forth in the service proposal or agreement signed between both parties. Under the scope thereof, the Manager is authorised to process personal data on behalf of the Controller for the time necessary to undertake the service. 

Data Manager Obligations 

The Manager will be obliged to: 

- Only process personal data in accordance with the Controller’s instructions.
- Refrain from processing personal data for purposes other than those instructed by the Controller.
- Implement security measures in accordance with the Law, the Regulations and other applicable provisions.
- Maintain confidentiality regarding the personal data processed.
- Delete the personal data processed once the legal relationship with the Controller is over or return them to the Controller following their instructions, as long as there is no legal provision that requires the conservation of the personal data.
- Refrain from transferring personal data unless the Controller so determines, the communication derives from subcontracting, or when required by the Competent Authority.
- Ensure that all their workers who have to access the Controller’s databases comply with their obligation of professional secrecy and absolute confidentiality and discretion regarding the personal data that they must access to render the agreed services.
- Support the Controller to guarantee the data subject the full and effective exercise of their rights. The Manager will not respond directly to the data subject unless required to do so by the law applicable to their management or the parties expressly agree that it is the Manager who must respond.
- Comply with the provisions of the corresponding privacy notice.

Data Controller Obligations 

The Controller will be obliged to: 

- Suitably notify the Manager about any change in the legislation that the Controller considers may affect the processing of personal data or this agreement. 
- Guarantee the Manager that all the personal data in the database subject to processing have been obtained in a lawful manner and in accordance with current legislation.

Prohibition on passing on data to third parties and subcontracting

The passing on of personal data held by the Controller to third parties is prohibited, even for the purposes of data conservation or for making backup copies thereof.

It is similarly forbidden to subcontract the services to be rendered by the Manager without the express written authorisation of the Controller. 

For said authorisation to be granted, the Manager must inform the Controller, prior to subcontracting, of the services that have to be subcontracted, with whom and the purpose of said subcontracting. 
Subcontractor processing of data shall comply with the instructions provided by the Controller in the terms provided in this agreement. 

If subcontracting is authorised, it will be the responsibility of the Manager to sign the mandatory agreements for access to personal data with the subcontracted entities or persons. If the subcontracting involves making an international transfer, it must meet the appropriate legal requirements, and must be formalised in the aforementioned data access agreements.

At the time of signing this agreement, the subcontracting provided for in Annex 1 in the section “Providers of system infrastructure” is authorised.  

Security measures

By signing this agreement, the Manager undertakes to adopt the necessary technical, human and organisational measures to guarantee the security of the personal data being processed, thus preventing their adulteration or loss and any unauthorised or fraudulent consultation, use or access. In addition to the security measures provided for in the Manager's security documents, the security measures provided for in Annex 1 are always applied by default.
The security measures must avoid the risks to which the data are exposed, taking into account the probability that these might occur and the impact that they may have on the data subjects. These security measures must be recorded in writing, both by the Manager and the Controller, in security policies that must apply to the processing of data. 
The Manager will periodically evaluate the effectiveness of the security measures to verify whether new security measures are necessary based on the risks to which the personal data may be exposed. 

Termination of the agreement 
This agreement will be terminated at the end of the provision of the service from which it derives. 
Once the agreement is concluded, the Manager must finish all its activities associated with the processing of personal data derived from the service. 

Furthermore, the Manager must follow the Controller’s instructions to immediately return or delete all the information with personal data that it processes on behalf of the Controller.

Responsibility
If the Manager fails to comply with the conditions established in this agreement and transfers the data provided by the Controller for the provision of the contracted services to third parties, the Manager will be considered liable and shall answer for all infractions incurred personally. 

Annex 1 - Default security measures on the information systems from which data are processed

Providers that facilitate systems infrastructure

The data being located within the European Economic Area, the Provider contracts the services of Google Workspace for its systems infrastructure.

Security measures on communications

All communications with the Provider's platforms are made with the secure HTTPS protocol to maintain data privacy at all times.

Logical access controls

Authentication systems through credential verification at different levels, with one sole credential per user. 
The systems are designed to detect unauthorised access to them.

Employee confidentiality

All the Provider's personnel accept a code of conduct based on the company's policies, in which they undertake to maintain certain levels of ethics, confidentiality and professional behaviour, as well as proper treatment of personal data.