Data Processing Agreement

Last Updated on February 16, 2024

1. Scope, Order of Precedence, and Term

1.1 This Data Processing Agreement (“DPA”) is an addendum to and is incorporated by reference into the Customer Terms of Service and Privacy Policy (“Agreement”) between Placeholder d.o.o. (“The Company”) and the Customer. The Company and Customer are individually a “party” and, collectively, the “parties.”

1.2 This DPA applies where and only to the extent that The Company processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data. Provisions specifically applicable to California residents under the California Consumer Privacy Act (CCPA) are specified in Schedule 4 of this DPA and are hereby incorporated in the Agreement. Provisions specifically applicable to International Data Transfers from the UK (International Data Transfer Agreement (IDTA)) are specified in Schedule 5 of this DPA and are hereby incorporated in the Agreement.

1.3 The duration of the Processing covered by this DPA shall be in accordance with the duration of the Agreement. We may amend the Agreement and/or this DPA from time to time. Your continued use of our services after any change of the Agreement/DPA shall constitute your consent to such changes.

2. Definitions

2.1 The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

2.2 The following terms have the definitions given to them in the CCPA: “Business,” “Sell,” “Service Provider,” and “Third Party.”

2.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. “Controller” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Business” or “Third Party,” as context requires. Customer is the Controller.

2.4 “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement as it relates to the Customer, including Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”).

2.5 “Data Subject” means an identified or identifiable natural person.

2.6 “De-identified Data” means a data set that does not contain any Personal Data. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from Personal Data.

2.7 “EEA” means the European Economic Area.

2.8 “Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.9 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Personal Data” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Personal Information,” as context requires.

2.10 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2.11 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.12 “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires. The Company is the Processor.

2.13 “Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; data concerning a natural person’s sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s license); payment card information; nonpublic personal information governed by the Gramm Leach Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; and precise geolocation.

2.14 “Subprocessor” means a Processor engaged by a party who is acting as a Processor.

3. Description of the Parties’ Personal Data Processing Activities and Statuses of the Parties

3.1 Section 8 describes the purposes of the parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.

3.2 Schedules 1-3 list the parties’ statuses under relevant Data Protection Law.

4. International Data Transfer

4.1 With respect to Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom that Customer transfers to The Company or permits The Company to access, the parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA. The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties’ input, Schedules 1-3 contain all the relevant information. The Customer allows The Company to transfer the data to the EU, the European Economic Area (EEA) and/or any other country which provides adequate protection (as listed by the European Commission).

5. Data Protection Generally

5.1 Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy notices.

5.2 Customer Processing of Personal Data. Customer represents and warrants that it has the consent or other lawful basis necessary to collect Personal Data in connection with the Services.

5.3 Cooperation.

5.3.1 Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to Data Subjects’ requests to exercise rights that those Data Subjects may be entitled to under Data Protection Law.

5.3.2 Governmental and Investigatory Requests. Customer will promptly notify The Company if Customer receives a complaint or inquiry from a regulatory authority indicating that The Company has or is violating Data Protection Law.

5.3.3 Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.

5.4 Confidentiality. The parties will ensure that their employees, independent contractors, agents, and representatives are subject to an obligation to keep Personal Data confidential and have received training on data privacy and security that is commensurate with their responsibilities and the nature of the Personal Data.

5.5 De-identified, Anonymized, or Aggregated Data. The parties may create De-identified Data from Personal Data and Process the De-identified Data for any purpose.

6. Data Security

Sensitive personal information stored by The Company is encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer’s software application and The Company using TLS v1.2 or a newer version of TLS.

7. The Company’s Obligations as a Processor, Subprocessor, or Service Provider

7.1 The Company will have the obligations set forth in this Section 7 if it Processes Personal Data in its capacity as Customer’s Processor or Service Provider; for clarity, these obligations do not apply to The Company in its capacity as a Controller, Business, or Third party.

7.2 Scope of Processing.

7.2.1 The Company will Process Personal Data to provide Services to Customer under the Agreement, and comply with applicable law. The Company will notify Customer if the law changes and those changes cause The Company not to be able to comply with the Agreement.

7.3 Data Subjects’ Requests to Exercise Rights. The Company will promptly inform Customer if The Company receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. Customer will be responsible for responding to such requests. The Company will not respond to such Data Subjects except to acknowledge their requests. The Company will provide Customer with commercially reasonable assistance, upon request, to help Customer to respond to a Data Subject’s request.

7.4 The Company’s Subprocessors.

7.4.1 Existing Subprocessors. Customer agrees that The Company may use the Subprocessors listed at Schedule 3.

7.4.2 Use of Subprocessors. Customer grants The Company general authorization to engage Subprocessors if The Company and a Subprocessor enter into an agreement that requires the Subprocessor to meet obligations that are no less protective than this DPA.

7.4.3 Notification of Additions or Changes to Subprocessors. The Company will notify Customer of any additions to or replacements of its Subprocessors via email or other contact methods and make that list available on Customer’s request by listing it on Schedule 3. The Company will provide Customer with at least 30 days to object to the addition or replacement of Subprocessors in connection with The Company’s performance under the Agreement, calculated from the date The Company provides notice to Customer. If Customer reasonably objects to the addition or replacement of The Company’s Subprocessor, The Company will immediately cease using that Subprocessor in connection with The Company’s Services under the Agreement, and the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Customer’s reasonable objection (which deadline the parties may extend by written agreement), Customer may terminate the Agreement and/or any statement of work, purchase order, or other written agreements. The parties agree that The Company has sole discretion to determine whether Customer’s objection is reasonable; however, the parties agree that Customer’s objection is presumptively reasonable if the Subprocessor is a competitor of Customer and Customer has a reason to believe that competitor could obtain a competitive advantage from the Personal Data The Company discloses to it, or Customer anticipates that The Company’s use of the Subprocessor would be contrary to law applicable to Customer.

7.4.4 Liability for Subprocessors. The Company will be liable for the acts or omissions of its Subprocessors to the same extent as The Company would be liable if performing the services of the Subprocessor directly under the DPA, except as otherwise set forth in the Agreement.

7.5 Personal Data Breach. The Company will notify Customer without undue delay of a Personal Data Breach affecting Personal Data The Company Processes in connection with the Services. Upon request, The Company will provide information to Customer about the Personal Data Breach to the extent necessary for Customer to fulfill any obligations it has to investigate or notify authorities, except that The Company reserves the right to redact information that is confidential or competitively sensitive. Notifications will be delivered to the email address linked to the Customer in Customer’s shop. Customer agrees that email notification of a Personal Data Breach is sufficient. The Company agrees that it will notify Customer if it changes its contact information. Customer agrees that The Company may not notify Customer of security-related events that do not result in a Personal Data Breach.

7.6 Deletion and Return of Personal Data. Upon deactivation of the Services, all Personal Data shall be deleted in up to 10 days, save that this requirement shall not apply to the extent The Company is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data The Company shall securely isolate and protect from any further processing, except to the extent required by applicable law.

7.7 Audits.

7.7.1 The Company shall maintain records of its security standards and a record of all categories of processing activities carried out on behalf of a controller. Upon Customer’s written request, The Company shall provide (on a confidential basis) copies of relevant external certifications, audit report summaries and/or other documentation reasonably required by Customer to verify The Company’s compliance with this DPA. The Company shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm The Company’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

7.7.2 To the extent the Standard Contractual Clauses apply and the Customer reasonably argues and establishes that the above documentation and/or other third party audit reports are not sufficient to demonstrate compliance with the obligations laid down in this DPA, the Customer may execute an audit as outlined under Clause 8.9 of the Standard Contractual Clauses accordingly, provided that in such an event, the parties agree: (a) Customer is responsible for all costs and fees relating to such audit (including for time, cost and materials expended by The Company); (b) a third party auditor must be mutually agreed upon between the parties to follow industry standard and appropriate audit procedures; (c) such audit must not unreasonably interfere with The Company’s business activities and must be reasonable in time and scope; (d) the parties must agree to a specific audit plan prior to any such audit, which must be negotiated in good faith between the parties; and (e) the audit and the information provided by The Company will not reveal any trade secrets, intellectual property or any other knowledge which can give or gives The Company an edge over the competition of The Company. For avoidance of doubt, nothing in this Section 7.7.2 modifies or varies the Standard Contractual Clauses, and to the extent a competent authority finds otherwise or any portion of Section 7.7.2 is otherwise prohibited, unenforceable or inappropriate in view of the Standard Contractual Clauses, the relevant portion shall be severed and the remaining provisions hereof shall not be affected.

8. Processed Data

The Controller has authorized the Processor to process (and transfer if applicable) the following types or categories of Personal Data involved in the Processing: account information, customer information, partial payment information, user content, communications, cookies and other tracking technologies, IP addresses, usage of Services, and third party accounts.

Processing Activities: Customer discloses Personal Data to The Company to provide, operate, and maintain The Company Services; to improve, analyze, and personalize The Company Services; and for data storage.

The Company retains Personal Data it collects or receives from Customer as a Processor for the duration of the Agreement and consistent with its obligations in this DPA.

Schedule 1: International Data Transfers

1. Information for International Transfers

For the purposes of the Standard Contractual Clauses:

Clause 9, Module 2(a): The parties select Option 2. The time period is 5 days.

Clause 11(a): The parties do not select the independent dispute resolution option.

Clause 17, Module 2: The parties select Option 2. The Member State of the data exporter is the EU Member State in which The Company is located.

Clause 18(b), Module 2: The parties agree that those shall be the courts of the EU Member State in which The Company is located.

Annex I(A): The data exporter is Customer. The data importer is The Company. Contact details for Customer are the email address(es) designated by Customer in Customer’s The Company account. Contact details for The Company are: dpo@sealsubscriptions.com

Annex I(B): The parties agree that Schedule 1 describes the transfer.

Annex I(C): The competent supervisory authority is the supervisory authority of: Customer who acts as data exporter.

The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.

Schedule 2: Technical and Organizational Measures

The Company has implemented at minimum the measures as described in this Schedule 2 insofar as the respective measure contributes or is capable of contributing directly or indirectly to the protection of the Personal Data under the Data Processing Agreement entered into between the Parties. The technical and organizational security measures shall be subject to technical progress and future developments of Data Processor’s Service(s). As such, the Company shall be permitted to implement alternative adequate measures. In such event, the security level may not be lower than the measures memorialized here. Material changes are to be coordinated with the Data Controller and documented.

The technical and organizational security measures shall be also subject to change upon Customer’s written notice to Data Processor due to the requirements of Data Protection Laws.

The following pairs list each Technical and Organizational Security Measure together with the Evidence of that Technical and Organizational Security Measure.

Measure: Measures of pseudonymisation and encryption of personal data; measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Evidence: Personal data is encrypted with Advanced Encryption Standard algorithms and access to the data is highly restricted.

Measure: Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
Evidence: The Company has backup mechanisms and utilizes redundancy mechanisms to protect the data.

Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; measures for user identification and authorization; measures for the protection of data during transmission; measures for the protection of data during storage.
Evidence: The Company regularly tests, assesses and evaluates the effectiveness of technical and organizational measures to ensure the security of the processing. The Company also regularly tests and evaluates the user authentication and authorization systems, the protection of data during transmission and the protection of data during storage.

Measure: Measures for ensuring physical security of locations at which personal data are processed.
Evidence: The Company’s data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge-controlled gates. CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.

Measure: Measures for ensuring events logging; measures for internal IT and IT security governance and management; measures for certification/assurance of processes and products; measures for ensuring data minimisation; measures for ensuring data quality; measures for ensuring limited data retention; measures for ensuring accountability.
Evidence: The Company regularly evaluates the systems which log necessary events. The Company regularly evaluates the data it is saving and is always minimizing the data stored and processed.

Measure: Measures for allowing data portability and ensuring erasure.
Evidence: Customer is able to export or delete Customer Content using the self-service features of the Services.

Measure: Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.
Evidence: The Company has systems in place which allow the Customer to get help with exports and transfers. In addition, the Company has a support team which can always help the Customer with the export and the transfer.

Schedule 3: Subprocessors

1. Subprocessors

Customer authorizes The Company to use these Subprocessors consistent with Section 7.4. Subprocessors are available upon request at dpo@sealsubscriptions.com.

2. List of subprocessors

Schedule 4: CCPA Addendum

Schedule 5: UK IDTA Addendum