Data Processing Addendum

This Data Processing Addendum (the “DPA”) may be incorporated into the Agreement depending on the nature of the Services that You use and the data that we process on Your behalf. If there is a conflict between this DPA and those of the Agreement, this DPA shall control. Unless otherwise defined herein, capitalized terms have the meanings ascribed to such terms in the Agreement. If any provisions of this DPA are found to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

1. INTRODUCTION

In connection with its performance of the Services, Provider may receive and process one or more categories of Client Data or Personal Information. This DPA shall apply to the extent that Provider Processes this data. As to the processing of any Personal Information, except as noted below, Client shall be the Controller and Provider shall be the Processor or “Service Provider” as that term is defined by the CPRA.


2. DEFINITIONS

“Aggregate Data” means information that relates to a group or category of Data Subjects, transactions on the Software, or other Client Data, which neither identifies Client nor is reasonably capable of identifying Client, and from which any Personal Information has been Deidentified.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, including any amendments made by the California Privacy Rights and Enforcement Act (“CPRA”).

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

“Client Data” means the data of Client that is collected or processed by Provider in connection with performing the Services.

“Data Breach” means the unauthorized acquisition of Client Data or Personal Information stored by Provider that compromises the security, confidentiality, or integrity of the data.

“Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the Personal Information in question, including, where applicable, EU Data Protection Law, UK Data Protection Law, the FADP, the CCPA, the TDPSA, and other applicable US state laws.

“Data Subject” means the individual to whom Personal Information relates.

“Deidentified” means processing Personal Information so that it can no longer reasonably be linked to an identified or identifiable individual, or to a device linked to that individual, such that this information cannot be restored, deduced or derived.

“EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Information and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

“FADP” shall mean the Swiss Ordinance to the Federal Act on Data Protection and any revisions thereto.

“Personal Information” means any information relating to an identified or identifiable individual where such information is protected similarly as Personal Information or personally identifiable information under applicable Data Protection Law that Provider receives from Client, Client’s Customers, or its End Users or that it collects in connection with providing the Services.

“Process” or “Processing” refers to any operation or set of operations which is performed on Personal Information, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Information.

“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Information on behalf of the Controller.

“Software” means the software we provide to you as part of the Services.

“Sub-Processor” means any person appointed by, or on behalf of, Processor to Process Personal Information on behalf of the Controller in connection with the Terms.

“TDPSA” means the Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ann. § 541.001, et seq.

“UK Data Protection Law” means the United Kingdom’s General Data Protection Regulations as implemented by the UK Data Protection Act of 2018 (“UK GDPR”).


The terms Client, Distributor, Services, and Supplier shall have the same definition as in our Terms of Service at https://ordermygear.com/terms/.

The terms Customer, End User, Individual Shoppers, Software, and Store shall have the same definition as in our Privacy Policy at https://ordermygear.com/privacy/.


3. OBLIGATIONS OF CONTROLLER

As the Controller, Client will ensure that it is in compliance with applicable Data Protection Laws regarding the sharing of Personal Information with Provider and its processing of said data in accordance with this Agreement.


4. SECURITY

A. Security Measures. Provider shall implement and maintain appropriate technical and organizational security measures to preserve the security and confidentiality of the Client Data and Personal Information in accordance with applicable Data Protection Laws.

B. Updates to Security Measures. Client acknowledges that the security measures are subject to technical progress and development and that Provider may update or modify the security measures from time to time, provided that such updates and modifications do not degrade the overall security of the Services purchased by the Client and do not cause Provider to fall out of compliance with applicable Data Protection Laws.

C. Client Responsibilities. Notwithstanding the above, Client agrees to secure its user authentication credentials, protect the security of Client Data and Personal Information, and take appropriate steps to securely transmit and maintain regular backups of any of its Client Data and Personal Information.


5. CONFIDENTIALITY

A. As used in this DPA, “Confidential Information” means all trade secrets, data, information about pricing, forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (A) the disclosing party has taken reasonable measures to keep such information confidential; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information. Confidential Information shall not include any information which (A) was publicly known prior to the time of disclosure, or becomes publicly known after disclosure through no action or inaction of the receiving party in violation of this Agreement; (B) is already in the possession of the receiving party at the time of disclosure; (C) is obtained by the receiving party from a third party without a breach of such third party’s obligations of confidentiality; or (D) is independently developed by the receiving party without use of or reference to the Confidential Information.

B. The receiving party will only use and disclose the Confidential Information as reasonably necessary to deliver or use the Services. Any other use or disclosure to a third-party is prohibited unless expressly permitted in writing by the disclosing party. The receiving party agrees to hold the Confidential Information in strict confidence and use reasonable measures to protect it as confidential. The receiving party shall be permitted to disclose Confidential Information to third-parties only to the extent required by law, provided that the receiving party gives the disclosing party prompt written notice of such requirement and upon the request of the disclosing party, cooperates in good faith and at the expense of the disclosing party in any reasonable and lawful actions which the disclosing party takes to resist such disclosure or limit the information to be disclosed.

C. Client Data shall remain the property of Client and be considered the Client’s Confidential Information.


6. PROCESSING OF DATA

A. The processing of any Personal Information by Provider in its role as a Processor pursuant to the Agreement shall be: (i) done in accordance with all applicable laws and regulations and solely pursuant to the lawful instructions of Client, (ii) any such personal information shall be treated as Confidential Information and processed subject to this DPA, (iii) at Client’s direction, Provider will delete or return all Personal Information to Client as requested after the Term, unless retention of the Personal Information is required by law, (iv) Provider shall make available to Client, on reasonable request, all information in Provider’s possession necessary to demonstrate its compliance with the requirements of this Section or applicable Data Protection Laws, (v) Provider shall allow, and cooperate with, reasonable data privacy assessments by Client or the Client’s designated assessor to the extent required by applicable law or regulation, (vi) Provider shall engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of Provider with respect to the applicable Personal Information. Provider is prohibited from (i) selling or sharing the Personal Information, (ii) retaining, using, or disclosing the Personal Information for any purpose other than to provide the Services, (iii) retaining, using, or disclosing the information outside of the direct business relationship between the Provider and the Client, or (iv) combining the Personal Information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the individual data subject, except as permitted by applicable law.

B. Provider offers Services that allow Distributors to purchase goods from Suppliers that the Distributors then sell to Customers. Part of this Service involves connecting Suppliers with Distributors so that the Suppliers can offer them relevant products and promotional offers. Notwithstanding anything to the contrary in this DPA, Provider is hereby authorized to share information about Distributors with Suppliers, including the name, account number, address, and email associated with the Distributor and their browsing, transaction, and impression history on the Software. Notwithstanding any other provision of this DPA, Provider shall be the Controller and determine the purposes and means of the processing of this information. Suppliers agree to treat this information as Confidential Information as defined in this DPA and may only disclose it as provided in the DPA or with their employees or independent service providers in connection with their use of the Services. For clarity, this information relates to End Users of the Software and does not include the Personal Information of Individual Shoppers.

C. If the Provider believes that an instruction of the Client infringes applicable Data Protection Laws, it shall immediately inform the Client. If Provider cannot process Personal Information in accordance with the instructions due to a legal requirement under any applicable Data Protection Laws, Provider will (i) promptly notify the Client of that legal requirement before the relevant Processing to the extent permitted by applicable Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as the Client issues new instructions with which Provider is able to comply. If this provision is invoked, Provider will not be liable to the Client for any failure to perform the applicable Services until the Client issues new instructions regarding the Processing.

D. Notwithstanding anything to the contrary in this DPA, Client hereby authorizes Provider to use Aggregate Data for any legal business purpose, including for distribution to Affiliates and third parties.

E. Provider may also share the Client Data and Personal Information with Affiliates as necessary to provide Client with the Services. In any such case, the Affiliate will process the data as the “Provider” in accordance with this DPA.


7. DATA BREACH

A. In the event of a Data Breach, Provider will notify Client of the incident within seven (7) business days of becoming aware of it. Provider will provide a description of the nature of the incident and the affected data.

B. Provider will reasonably cooperate with Client to mitigate any harm caused by a Data Breach, and will take all steps that Provider determines are reasonably necessary or appropriate to isolate, investigate, and remediate the effects of such occurrence, ensure the protection of Data Subjects that are affected or likely to be affected by such occurrence, prevent the recurrence of any such Data Breach, and comply with applicable laws.

C. Provider may determine that responding to a Data Breach requires Provider to communicate directly with Data Subjects or reset End Users’ login credentials. Provider will undertake such actions in its sole discretion.

D. Except in the event a Data Breach is directly caused by Provider’s action or omission, Provider will provide reasonable additional assistance under this Section as reasonably requested by Client, at Client’s expense.

E. Client shall be responsible for determining whether any notification to Data Subjects, regulators, law enforcement authorities, or other third parties is required in response to any Data Breach, and for providing any such notifications. Provider may also make such notifications if it determines that it is appropriate in its sole discretion. Client may request that Provider notify affected Data Subjects who are End Users of a Data Breach, in which case Provider will provide such notice solely using the contact information which End Users have provided in connection with the Services.

F. To the extent a Data Breach results directly from Provider’s actions or omission, Provider will promptly reimburse Client for all reasonable documented costs actually incurred by Client in notifying affected Data Subjects and providing credit monitoring to Data Subjects to the extent that notification and/or credit monitoring are required by applicable law or the Parties agree in good faith that notification and/or credit monitoring is appropriate under the circumstances. The Parties agree that credit monitoring is not appropriate unless the Data Breach has materially compromised Data Subjects’ government-issued identification numbers or financial account numbers.


8. DATA SUBJECT RIGHTS

Provider will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Client to respond to any request from Data Subjects seeking to exercise their rights under applicable Data Protection Laws with respect to Personal Information (including access, rectification, restriction, deletion or portability of Personal Information, as applicable), to the extent permitted by the law. If such request is made directly to Provider, Provider will promptly inform Client and will advise Data Subjects to submit their request to the Client. Client shall be solely responsible for responding to any Data Subjects’ requests. Client shall reimburse Provider for reasonable costs arising from this assistance.


9. SUB-PROCESSORS

A. Authorized Sub-processors. Client agrees that Provider may engage Sub-processors to process Personal Information on Client’s behalf in connection with Services. Provider shall enter into a written agreement with any Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Information to the standard required by applicable Data Protection Laws and that are no less protective than the terms of this DPA. Provider will remain responsible for any acts or omissions of the Sub-processor that cause Provider to breach any of its obligations under this DPA. Provider shall, exercising reasonable care, evaluate an organization’s data protection practices before allowing the organization to act as a Sub-processor.

B. Objections to Sub-Processors. Upon Client’s request, Provider shall make available to Client an up-to-date list of the Sub-processors it has appointed. If Client objects to any Sub-processor, the Client’s sole and exclusive remedy shall be to terminate the Agreement and end further processing of Personal Information on its behalf.


10. DELETION OR RETRIEVAL OF PERSONAL INFORMATION

Provider shall, within thirty (30) days after written request by Client, delete or return all Personal Information to the Client unless Provider is required to maintain a copy of the Personal Information pursuant to applicable Data Protection Laws or in order to complete a transaction pursuant to which the data was collected (e.g., to complete a payment). Client must inform and instruct Provider on the return of data in advance of terminating the Agreement, and must bear any reasonable costs arising from the return or deletion of Personal Information.
 
If Client terminates the Agreement without prior written notification to Provider, Provider may permanently delete all Personal Information in its possession subject to the terms of the Agreement.


11. AUDITS AND REQUESTS

Once per rolling twelve (12) month period, Client may, at its own cost and upon reasonable and timely advance agreement, during regular business hours and without interrupting Provider’s business operations, conduct an audit of Provider’s business operations to verify Provider’s compliance with this DPA in relation to the Processing of the Personal Information, or have the same conducted by a qualified third party which shall be approved in advance by Provider, subject to their agreement to keep Provider’s information confidential and to use it solely in connection with the audit.
 
Provider shall, upon Client’s written request and within a reasonable period of time, provide Client with all information necessary for such audit, to the extent that such information is within Provider’s control and Provider is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that Client does not exercise this right more than once per year.


12. THIRD PARTY REQUESTS

Provider agrees to notify Client promptly if it (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of Personal Information transferred pursuant to the Terms, in which case such notification shall include information about the Personal Information requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal information collected or received pursuant to the Terms in accordance with the laws of the country of destination, in which case such notification shall include all information available to Provider. If Provider is prohibited from notifying the Client under the laws of the country of destination, Provider agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Provider agrees to document its best efforts in order to be able to demonstrate them on request of the Client.


13. TRANSFER OF EU, UK, AND SWISS PERSONAL INFORMATION TO OTHER COUNTRIES

Before commencement of any transfer of Personal Information from the EEA, the UK and/or Switzerland to any third party located in a country outside the EEA, the UK and/or Switzerland, that the European Union deems to have inadequate protection, Client shall inform Provider of such transfer and the Parties may enter into, as applicable, the EU Standard Contractual Clauses (Module 2 – Transfer from Controller to Processor), the Switzerland Data Processing Addendum, and/or the UK Data Processing Addendum.