Data Processing Agreement
(HEREAFTER REFERRED TO AS ‘DPA’)
This Data Processing Agreement (“DPA”) forms an integral part of the Agreement by and between STORETODOOR TECHNOLOY INC. (hereinafter referred to as “Data Processor”) and the undersigned Customer of STORETODOOR TECHNOLOY INC. (hereinafter referred to as “Data Controller”) and shall be effective on the later date set down below (“Effective Date”).
This DPA is incorporated by reference into STORETODOOR TECHNOLOY INC.’s Privacy Policy and Terms of Service or any other agreement governing your use of STORETODOOR TECHNOLOY INC. Services (the “Agreement”). The DPA is between you, the Merchant, the Customer (“you”, “your”, “Merchant”, “Customer”), and STORETODOOR TECHNOLOY INC. or our Affiliate (“STORETODOOR TECHNOLOY INC.,” “we,” “us,” “our”) and reflects the Parties’ agreement with regard to the Processing of Personal Data by STORETODOOR TECHNOLOY INC. on your behalf. Both parties are referred to as the “Parties” and each individually as a “Party”.
The Data Controller and the Data Processor are hereinafter jointly referred to as the “Parties” and individually as the “Party”.
The terms “Controller”, “Processor”, “Processing”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Supervisory Authority” shall (where applicable) have the same meaning as in the MDPA and the GDPR (as defined hereunder).
‘SERVICES AGREEMENT’ – shall mean the services agreement entered into between the Data Controller and the Data Processor dated (“Effective Date”);
WHEREAS:
A. The Data Processor performs services on behalf of the Data Controller (“Services”) in accordance with the Services Agreement;
B. In providing the Services, the Data Processor collects, uses or otherwise processes personal data within the meaning of the Data Protection Laws (as defined hereunder) for which the Data Controller is responsible as provided under the said Data Protection Laws;
C. This DPA regulates the data protection obligations of the Parties when processing the Data Controller’s Personal Data under the Services Agreement and will ensure that such Processing will only take place on behalf of and under the instructions of the Controller and in accordance with the Data Protection Laws, including but not limited to the GDPR.
NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:
1. PROCESSING OF PERSONAL DATA
a. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data performed on your behalf, (i) you (the Merchant, the Customer) are the Controller of Personal Data, (ii) STORETODOOR TECHNOLOY INC. is the Processor of that Personal Data, (iii) for the purposes of the CCPA/CPRA (and to the extent applicable), you are the “Business” and STORETODOOR TECHNOLOY INC. is the “Service Provider” (as such terms are defined in the CCPA/CPRA), with respect to Processing of Personal Data described in this Section 2.1. The terms “Controller” and “Processor” below hereby signify you (the Merchant, the Customer) and STORETODOOR TECHNOLOY INC., respectively.
b. Your Processing of Personal Data. By using the Services, and providing instructions to us (the Processor), we will comply with all applicable Data Protection Laws. You (the Controller) will establish and have the required legal bases in order to collect, Process and transfer to us the Personal Data, and to authorize us to undertake Processing activities on your behalf, including the pursuit of ‘business purposes’ as defined under the CCPA/CPRA.
c. Our Processing of Personal Data. When Processing on your behalf under the Agreement, we will Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement, the Privacy Policy, and this DPA; (ii) Processing for you as part of your provision of the Services to your end customers; (iii) Processing to comply with your reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement, regarding the manner in which the Processing shall be performed; (iv) rendering Personal Data fully anonymous, non-identifiable and non-personal in accordance with applicable standards recognized by Data Protection Laws and guidance issued thereunder; (v) Processing as required under the laws applicable to us (the Processor), and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that we will inform you of the legal requirement before Processing, unless the law or order prohibits us from informing you on important grounds of public interest.
We will inform you as soon as possible if, in our opinion, your instruction for the Processing of Personal Data infringes applicable Data Protection Laws. To the extent that we are unable to comply with your instruction(s), we (i) will inform you, providing relevant details of the issue, (ii) may temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend your access to the Services, and (iii) if the Parties do not agree on a resolution to the issue in question and the associated costs, you may, as your sole remedy, terminate the Agreement and this DPA with respect to the affected Processing. Notwithstanding the foregoing, you will pay all amounts owed or invoiced before the date of termination. In this circumstance, you will have no further claims against us (including, without limitation, requesting refunds for Service) pursuant to the termination of the Agreement and the DPA as described in this paragraph.
d. Details of the Processing. The subject-matter of Processing of Personal Data by Processor is the performance of the Service pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA and the Privacy Policy.
e. CCPA/CPRA Standard of Care; No Sale of Personal Information. We will not have, derive, or exercise any rights or benefits regarding Personal Information Processed on your behalf, nor will we combine the Personal Information Processed on your behalf with any information we process on behalf of any other parties, by way of logical separation, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to us, as stipulated in the Agreement, the Privacy Policy, and this DPA. We certify that we understand the rules, requirements and definitions of the CCPA/CPRA and agree to refrain from selling and/or sharing (as such term is defined in the CCPA/CPRA) any Personal Information Processed hereunder without your prior written consent or instruction, nor taking any action that would cause any transfer of Personal Information to or from us under the Agreement or this DPA to qualify as “selling” or “sharing” such Personal Information under the CCPA/CPRA.
2. DATA SUBJECT REQUESTS
a. Data Subject Request Procedures. As between the Parties, you have sole discretion and responsibility in responding to the rights asserted by any individual in relation to consumer Personal Data (“Data Subject Request”). We will, to the extent legally permitted, notify you or refer Data Subjects or Consumers to you, if we receive a Data Subject Request. Taking into account the nature of the Processing, we will assist you by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfillment of your obligation to respond to a Data Subject Request under Data Protection Laws. We may advise Data Subjects on available features for self-exercising their Data Subject Requests through the Services (where possible and appropriate), and/or refer Data Subject Requests received, and the Data Subjects making them, directly to you for your treatment of such requests.
b. Fees for Assisting with Data Subject Requests. Where assisting you in responding to Data Subject Requests requires extraordinary efforts on our part (as determined by us), you will pay for such extraordinary assistance performed by us at STORETODOOR TECHNOLOY INC.’s standard consulting services rates or such rates as you and STORETODOOR TECHNOLOY INC. may agree to in writing.
c. Disclaimer of Liability. Notwithstanding anything to the contrary in the Agreement or this DPA, STORETODOOR TECHNOLOY INC. will not be liable for any claim made by a Data Subject arising from or related to STORETODOOR TECHNOLOY INC.’s acts or omissions, to the extent that STORETODOOR TECHNOLOY INC. was acting in accordance with your instructions.
3. CONFIDENTIALITY
We will ensure our personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
4. SECURITY & AUDITS
a. Controls for the Protection of Personal Data. We will maintain industry-standard technical and organizational measures for the protection of Personal Data Processed according to this DPA (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Measures), as may be amended from time to time. Upon your reasonable request, we will reasonably assist you, at your cost and subject to the provisions of Section 10.1 below, in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to us.
b. Audits and Inspections.
To the extent required by applicable Data Processing Laws and upon your written request, we will contribute to audits or inspections by making audit reports available to you. These reports are STORETODOOR TECHNOLOY INC.’s confidential information. Upon your written request, and no more frequently than once annually, we will provide documentation or complete a written data security questionnaire of reasonable scope and duration regarding our Processing of Personal Data. All documentation provided, including any response to a security questionnaire, is STORETODOOR TECHNOLOY INC.’s confidential information.
The audit rights set forth in the paragraph above, shall only apply to the extent that the Agreement does not otherwise provide you with audit rights that meet the relevant requirements of Data Protection Laws (including, where applicable, article 28(3)(h) of the GDPR or the UK GDPR).
c. Adequacy of Measures. You acknowledge and agree that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, STORETODOOR TECHNOLOY INC.’s Security Measures are appropriate to ensure the security of the Personal Data.
5. DATA INCIDENT MANAGEMENT AND NOTIFICATION
We maintain security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, will notify you without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by us on your behalf (a “Data Incident”). We will make reasonable efforts to identify and take steps that we deem necessary and reasonable in order to remediate and/or mitigate the cause of such a Data Incident to the extent the remediation and/or mitigation is within our reasonable control. The obligations herein shall not apply to incidents that are caused by you, your Secondary Users, or anyone who uses the Services on your behalf. You will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies STORETODOOR TECHNOLOY INC. (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without STORETODOOR TECHNOLOY INC.’s prior written approval, unless, and solely to the extent that, you are compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, you will provide us with reasonable prior written notice to provide us with the opportunity to object to such disclosure and in any case you will limit the disclosure to the minimum scope required.
6. RETURN AND DELETION OF PERSONAL DATA
Following termination of the Agreement and subject thereto (and at your option communicated to us in writing), we will delete or return to you the Personal Data we Processed on your behalf along with any copies of such Personal Data unless applicable laws require otherwise. To the extent authorized or required by applicable law, we may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
7. CROSS-BORDER DATA TRANSFERS
a. Transfers from the EEA, the United Kingdom and Switzerland to countries that offer adequate data protection. Personal Data may be transferred from EU Member States, the three other EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), the United Kingdom (“UK”) and Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
b. Transfers from the EEA, the United Kingdom and Switzerland to other countries. If our Processing of Personal Data includes a transfer (either directly or via onward transfer) from the EEA (“EEA Transfer”), the UK (“UK Transfer”), and/or Switzerland (“Swiss Transfer”) to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as we may adopt for the lawful transfer of personal data (as defined in the GDPR, the UK GDPR, as relevant) outside the EEA, the UK or Switzerland, as applicable, then (i) the terms set forth in the Standard Contractual Clauses (EEA Cross Border Transfers) shall apply to any such EEA Transfer; (ii) the terms set forth in Annex III (UK Cross Border Transfers) shall apply to any such UK Transfer (“UK Addendum”); (iii) the terms set forth in Annex IV (Swiss Cross Border Transfers) shall apply to any such Swiss Transfer; and (iv) the terms set forth in Annex V (Additional Safeguards) shall apply to any such transfers.
To the extent that the processing of Personal Data is subject to UK or Swiss Data Protection Laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 3 shall also apply.
c. Personal Data Subject to U.S. Data Privacy Laws. To the extent that the processing of Personal Data is subject to U.S. Data Protection Laws, the U.S. Addendum set out in Schedule 4 of this DPA shall apply.
Standard Contractual Clauses. The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 2 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Personal Data falling within the scope of the GDPR from Merchant (as data exporter) to STORETODOOR TECHNOLOY INC. (as data importer).
8. AUTHORIZED AFFILIATES
a. Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Merchant, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Merchant, the Customer’s obligations under this DPA, if and to the extent that Processor Processes Personal Data on the behalf of such Authorized Affiliates, thus qualifying them as the “Controller”. All access to and use of the Service by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Merchant.
b. Communication. Merchant shall remain responsible for coordinating all communication with Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9. OTHER PROVISIONS
a. Data Protection Impact Assessment and Prior Consultation. Upon your reasonable request, we will provide you, at your cost, with reasonable cooperation and assistance needed to fulfill your obligations under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to your use of the Service, to the extent you do not otherwise have access to the relevant information, and to the extent such information is available to us. We will provide, at your cost, reasonable assistance in the cooperation or prior consultation with a relevant Supervisory Authority in the performance of your tasks relating to this Section 10.1, to the extent required under the GDPR or the UK GDPR, as applicable.
b. Modifications. You acknowledge and agree that STORETODOOR TECHNOLOY INC. may amend this DPA from time to time by posting the relevant amended and restated DPA on our website, available here, and such amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted to STORETODOOR TECHNOLOY INC.’s website constitutes your agreement to, and acceptance of, the amended DPA. If you do not agree to any changes to the DPA, do not continue to use the Services.
10. GLOSSARY
Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Laws.
Data Processor: STORETODOOR TECHNOLOY INC.
Effective Date: Sep 25, 2024