DATA PROCESSING AGREEMENT
Last Updated: September 18, 2022
This Data Processing Agreement (“DPA”) only applies to the extent that Personal Data or Personal Information (as defined below) is processed by Shelfy on behalf of the Merchant. This DPA is an integral part of the SaaS Agreement executed between the parties (“Agreement”). Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Agreement.
For the purpose of this DPA the Merchant shall be the “Controller” or the “Business” as applicable and Shelfy shall be the “Processor” or the “Service Provider” as applicable.
- “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, as may be amended as well as all regulations promulgated thereunder from time to time.
- “Merchant Data” means any and all Personal Data Processed through the Services by Shelfy on behalf of Merchant, as detailed in ANNEX I.
- The terms “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Sale” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term is defined in the CCPA.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations, including, where applicable, the Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations (“Israeli Law”), the EU Data Protection Law, the UK Data Protection Law, Swiss Data Protection Laws, and the CCPA, as all may be amended or superseded from time to time.
- “EEA” means the European Economic Area.
- “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “Personal Data” or “Personal Information” means any information which (i) relates to, describes, or is capable of being associated with an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and (ii) is processed by Shelfy pursuant to the Agreement, including by way of access to the data, and may include, inter alia, demographic data, device information, IDs, cookies, browsing URLs, events, and geo-localization data.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
- “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses.
- “Swiss Data Protection Laws” or “FADP” shall mean the Swiss Federal Act on Data Protection of June 19, 1992, SR 235.1, and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the processing of Personal Data under the Agreement.
- “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
- “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and GDPR, as incorporated into UK law as the UK GDPR, as amended (“UK GDPR”), and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
- “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of CCPA, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
2. Relationship of the Parties
- The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Merchant Data, Shelfy is acting as a Data Processor and Merchant is acting as a Data Controller. For the purpose of the CCPA (and to the extent applicable), Merchant is the Business and Shelfy is the Service Provider. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law.
- The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
3. Representations and Warranties
- The Merchant represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data, as well as all applicable provisions. The Merchant further represents and warrants that Special Categories of Personal Data shall not be Processed or shared in connection with the performance of the Services, unless agreed in writing by Shelfy.
- Shelfy represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Merchant, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Merchant’s written instructions including the Agreement and this DPA; (ii) in the event Shelfy is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Personal Data other than as instructed by Merchant, it shall inform the Merchant of such requirement prior to Processing such Personal Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Merchant in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and to consult with the supervisory authority (as applicable).
- Shelfy shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
- As between the parties, the Merchant undertakes, accepts and agrees that the Data Subjects do not have a direct relationship with Shelfy and that Shelfy relies on Merchant’s lawful basis (as required under Data Protection Law). In the event consent is needed under Data Protection Law, the Merchant shall ensure that it obtains a proper act of consent from Data Subjects and presents all necessary and appropriate notices in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Merchant Data and enable the lawful transfer and Processing of Merchant Data to and by Shelfy, as well as, where applicable, provide the Data Subjects with the ability to opt out. In the event Data Subject consent is required under Data Protection Law, Merchant shall be fully responsible for supporting and transmitting to Shelfy the parameters of consent, or opt-out, as applicable. The Merchant shall maintain a record of all consents obtained from a Data Subject, including the time and date on which consent was obtained, the information presented to the Data Subject in connection with their giving consent, and details of the mechanism used to obtain consent, as well as a record of the same information in relation to all withdrawals of consent by a Data Subject. Merchant shall make these records available to Shelfy promptly upon request.
4. Rights of Data Subjects and Parties Cooperation Obligations
- It is agreed that where Shelfy receives a request from a Data Subject or an applicable authority in respect of Merchant Data Processed by Shelfy, where relevant, Shelfy will direct the Data Subject or the applicable authority to the Merchant in order to enable the Merchant to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. The parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
- Where applicable, Shelfy shall assist the Merchant in ensuring that Merchant Data Processed is accurate and up to date, by informing the Merchant without delay if Shelfy becomes aware of the fact that the Merchant Data it is processing is inaccurate or has become outdated.
5. Do Not Sell Personal Information
It is hereby agreed that any sharing of Personal Data between the parties is made solely in order to fulfill a Business Purpose and Shelfy does not receive or process any Personal Data in consideration for the Service. Thus, such Processing of Personal Data shall not be considered as a “Sale” of Personal Information under the CCPA.
- The Merchant acknowledges that Shelfy may transfer Merchant Data to and otherwise interact with third-party data Processors (“Sub-Processor”). The Merchant hereby authorizes Shelfy to engage and appoint such Sub-Processors to Process Merchant Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Shelfy may continue to use those Sub-Processors already engaged by Shelfy, as listed in Annex III, or engage an additional or replace an existing Sub-Processor to process Merchant Data, subject to the provision of 30 days’ prior notice of its intention to do so to the Merchant. In case the Merchant has not objected to the adding or replacing of a Sub-Processor within five (5) days of Shelfy’s notice, such Sub-Processor shall be considered approved by the Merchant. In the event the Merchant objects to the adding or replacing of a Sub-Processor, Shelfy may, under Shelfy’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the
- Shelfy shall, where it engages any Sub-Processor, impose, through a legally binding contract between Shelfy and the Sub-Processor, data protection obligations similar to those set out in this DPA. Shelfy shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law.
- Shelfy shall remain responsible to the Merchant for the performance of the Sub-Processor’s obligations in accordance with this DPA. Shelfy shall notify the Merchant of any failure by the Sub-Processor to fulfill its contractual obligations.
7. Technical and Organizational Measures
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Shelfy hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Merchant Data as required under Data Protection Laws to ensure lawful processing of Merchant Data and safeguard Merchant Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
- The security measures are further detailed in Annex II.
8. Security Incident
- Shelfy will notify the Merchant upon becoming aware of any confirmed Security Incident involving the Merchant Data in Shelfy’s possession or control. Shelfy will, in connection with any Security Incident affecting the Merchant Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Merchant and provide the Merchant with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Merchant in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Merchant informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Merchant and assist the Merchant with its obligation to notify the affected individuals in the case of a Security Incident.
- Shelfy’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Shelfy of any fault or liability with respect to the Security Incident.
9. Audit Rights
Shelfy shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Merchant, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Merchant Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Shelfy may object to an auditor appointed by the Merchant in the event Shelfy reasonably believes the auditor is not suitably qualified or independent, is a competitor of Shelfy or otherwise unsuitable (“Objection Notice”). The Merchant will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Shelfy. Merchant shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Shelfy’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Shelfy immediately.
10. Data Transfer
- Transfers from the EEA, the UK or Switzerland to non-adequate third countries. Where the GDPR, UK GDPR or the Swiss FADP is applicable, if the Processing of Personal Data by Shelfy (or by a Sub-Processor) includes transfer of Personal Data (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Personal Data is in place.
- If Shelfy or its Sub-Processor relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:
- for the transfer of Personal Data from the EEA, the terms set forth in Annex IV shall apply;
- for the transfer of Personal Data from the UK, the terms set forth in Annex V shall apply; and
- for the transfer of Personal Data from Switzerland, the terms set forth in Annex VI shall apply.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
ANNEX I: Details of Processing and Transferring of Merchant Data
This Annex includes certain details of the Processing and Transferring of Personal Data as required by Article 28(3) GDPR and the Standard Contractual Clauses.
Categories of data subjects whose personal data is processed or transferred:
Merchants and End Users
Categories of personal data processed and transferred:
Contact Information (e.g., name, email, and other applicable contact information), Career (optional), Online Identifiers (e.g., IP), authentication and security credentials, Payment Details and Direct Marketing, Shopping history.
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Nature of the processing and transfer:
To provide the Service.
Purpose(s) for which the Personal Data is processed or transferred on behalf of the Merchant:
To provide the Service.
Duration of the processing:
For as long as is necessary to provide the Service by Shelfy; provided there is no legal obligation to retain the Personal Data past termination.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
For transfers to (sub-)processors, also specify the subject matter, nature, and duration of the processing:
Hosting server providers as detailed in Annex III
ANNEX II: Technical and Organizational Measures
Please review Shelfy’s Information Security Policy to learn more regarding the technical and organizational measures implemented by it in order to ensure an appropriate level of security for its Processing of Personal Data.
Measures and assurances regarding U.S. government surveillance have been implemented due to the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (“Schrems II”). These measures include the following:
- Encryption both in transit and at rest;
- As of the date included in the “Last Updated” header above, Shelfy has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
- No court has found Shelfy to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- Shelfy will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
- Shelfy will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
- Shelfy will notify the Merchant (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
ANNEX III: List of Sub-Processors
Description of the processing
GCP (US, Europe)
ANNEX IV: EU INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Merchant as the data controller of the Personal Data and Shelfy is the data processor of the Personal Data.
- The parties agree that for the purpose of transfer of Personal Data between Merchant (as Data Exporter) and Shelfy (as Data Importer), the following shall apply:
- Clause 7 of the Standard Contractual Clauses shall not be applicable.
- In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processing Section of the DPA.
- In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Merchant is established (where applicable).
- In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- “Data Exporter”: Merchant
- “Data Importer”: Shelfy
- Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.
- Data Exporter and Data Importer Contact details: As detailed in the Agreement.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
- The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
- The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
- The Sub-Processors to which personal data is transferred are listed in Annex III.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
- Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
- Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.
ANNEX V: UK INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
- This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
- Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
- This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Amendments to the UK Standard Contractual Clauses:
- Part 1: Tables
- Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV.
- Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Sections 2 and 3 within Annex IV.
- Table 3 Appendix Information:
  - Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
  - Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
  - Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
  - Annex III: List of Sub-Processors: shall be completed as set forth in Annex III above.
- Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
ANNEX VI: SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FADP:
- The term ‘Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the revised Swiss FADP.
- All references in this DPA to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP.
- References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
- In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.