Effective Date: September 2020
This Data Processing Addendum (the “Addendum”) forms a part of the UserGems Order Form and Services Agreement or other agreement executed by the Parties (the “Agreement”) between ShelfFlip, Inc. d/b/a UserGems (“Company”) and ________ (“Customer” and together with Company, the “Parties”).
1. SUBJECT MATTER AND DURATION
a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Company’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control. For purposes of Data Protection Laws, Company is the “data processor” and Customer is the “data controller”.
b) Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign this Addendum if it is completed after the effective date of the Agreement. Company will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Company’s obligations and Customer’s rights under this Addendum will continue in effect so long as Company Processes Customer Personal Data.
2. DEFINITIONS
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Customer Personal Data” means Personal Data Processed by Company on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A attached hereto.
b) “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”), and the EU General Data Protection Regulation 2016/679 (“GDPR”).
c) “Personal Data” shall have the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws.
d) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
e) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
f) “Services” means any and all products and services that Company provides and/or performs under the Agreement.
g) “Subprocessor(s)” means Company’s authorized contractors, agents, vendors and third-party service providers (i.e., sub-processors) that Process Customer Personal Data.
3. DATA USE AND PROCESSING
a) Documented Instructions. Company and its Subprocessors shall Process Customer Personal Data solely for the purpose of providing the Services to Customer, and solely to the extent necessary to provide the Services to Customer, in each case, in accordance with the Agreement, this Addendum and Data Protection Laws. Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law.
b) Authorization to Use Subprocessor. To the extent necessary to fulfill Company’s contractual obligations under the Agreement or any Order Form, Customer hereby authorizes Company to engage Subprocessors. Any Subprocessor Processing of Customer Personal Data shall be consistent with Customer’s documented instructions and comply with Data Protection Laws.
c) Company and Subprocessor Compliance. Company shall (i) enter into a written agreement with Subprocessors regarding such Subprocessor’s Processing of Customer Personal Data that imposes on such Subprocessors (and their sub-processors) confidentiality obligations and data protection and security requirements for Customer Personal Data that are at least as restrictive as the obligations in this Addendum; and (ii) remain responsible to Customer for Company’s Subprocessors’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
d) Right to Object to Subprocessor. A list of approved Subprocessors is set forth on Exhibit A. Prior to engaging any new Subprocessors that Process Customer Personal Data, Company will notify Customer via email and allow Customer 30 days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the Parties will work together in good faith to resolve the grounds for the objection for no less than 30 days, and failing any such resolution, Customer may terminate the part of the Services performed under the Agreement that cannot be performed by Company without use of the objectionable Subprocessor. Company shall refund any pre-paid fees to Customer in respect of the terminated part of the Services.
e) Personal Data Inquiries and Requests. Company agrees to provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
f) Sale of Customer Personal Data Prohibited. Company shall not sell Customer Personal Data as the term “sell” is defined by the CCPA. Company shall not disclose or transfer Customer Personal Data to a Subprocessor or other parties that would constitute “selling” as the term is defined by the CCPA.
g) Data Protection Impact Assessment and Prior Consultation. Company agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Company requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
h) Demonstrable Compliance. Company agrees to keep records of its Processing in compliance with Data Protection Laws and provide any necessary records to Customer to demonstrate compliance upon reasonable request.
4. CROSS-BORDER TRANSFERS OF PERSONAL DATA
a) Cross-Border Transfers of Personal Data. Customer authorizes Company and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Where required, cross-border transfers of Customer Personal Data must be supported by an approved adequacy mechanism.
b) Standard Contractual Clauses. Customer acknowledges that Company processes Customer Personal Data in a country that has not been designated under GDPR as providing an adequate level of protection for personal data and Company and Customer agree that the European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors (“Model Clauses”) support the transfer of Customer Personal Data, the terms of which are herein incorporated by reference. Pursuant to clause 5(h) of the Model Clauses, Customer agrees that Company may engage new Subprocessors in accordance with Section 3(b) – (d) of this Addendum. The optional clauses are expressly not included. Each party’s signature to this Addendum shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.
5. INFORMATION SECURITY PROGRAM
a) Company agrees to implement appropriate technical and organizational measures to protect Customer Personal Data (the “Information Security Program”). At a minimum, such measures shall include:
(i) Pseudonymisation of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit and at rest;
(ii) The ability to ensure the ongoing confidentiality, integrity, and availability of Company’s Processing and Customer Personal Data;
(iii) A process for regularly testing, assessing and evaluating the effectiveness of the Company’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
6. SECURITY INCIDENTS
a) Security Incident Procedure. Company will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
b) Notice. Company agrees to provide prompt written notice without undue delay (and in any event within 48 hours) to Customer’s Designated POC if it verifies that a Security Incident has taken place. Such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
7. AUDITS
a) Right to Audit; Permitted Audits. In addition to any other audit rights described in the Agreement, Customer and its regulators shall have the right, upon at least 30 days’ prior written notice, to an on-site audit (at a date and time mutually agreed upon) of Company’s architecture, systems, policies and procedures relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator: (i) following any notice from Company to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data; (ii) as required by governmental regulators; and (iii) for compliance purposes, once annually.
b) Audit Terms. Any audits described in this Section shall be: (i) conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties and paid for by Customer; (ii) conducted during reasonable times; (iii) to the extent possible, conducted upon reasonable advance notice (but no less than 30 days’ prior notice) to Company; and (iv) of reasonable duration and shall not unreasonably interfere with Company’s day-to-day operations.
c) Third-Party Auditor. In the event that Customer conducts an audit through a third-party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Company’s and Company’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
d) Audit Results. Upon Company’s request, after conducting an audit, Customer shall notify Company of the manner in which Company does not comply with any of the applicable security, confidentiality or privacy obligations or Data Protection Laws herein. Upon such notice, Company shall make any reasonable necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of Company’s notice of completion of any necessary changes. To the extent that a Company audit and/or Customer audit identifies any material security vulnerabilities, Company shall remediate those vulnerabilities within a commercially reasonable amount of time of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time.
8. DATA STORAGE AND DELETION
a) Data Storage. Company will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.
b) Data Deletion. Company will abide by the following with respect to deletion of Customer Personal Data:
(i) Within a reasonable amount of time after the Agreement’s expiration or termination, or sooner if requested by Customer, Company will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).
(ii) Upon Customer’s request, Company will promptly return to Customer a copy of all Customer Personal Data within 30 days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.
(iii) Customer Personal Data shall be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media.
(iv) Upon Customer’s request, Company will provide a “Certificate of Deletion” certifying that Company has deleted all Customer Personal Data. Company will provide the “Certificate of Deletion” within 30 days of Customer’s request.
9. LIMITATION OF LIABILITY
a) The Limitation of Liability provision set forth in the Agreement will apply to this Addendum.
10. CONTACT INFORMATION
a) Company and the Customer agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POCs for both Parties are:
● Company Designated POC: ________________
● Customer Designated POC: ________________