Data Processing Addendum
Last Updated: January 18, 2019
This Data Processing Addendum (“DPA”) supplements the Terms of Services (the “Agreement”) by and between you and myVBO, LLC, dba ZiftrShop, on behalf of itself and its affiliates (“ZiftrShop”).
In this DPA:
- “Applicable Law” means all laws, regulations and other legal requirements applicable to either (i) ZiftrShop or its affiliates in their role as service provider processing data or (ii) you, as the case may be. Applicable Law includes all laws, regulations and other legal requirements of any jurisdiction relating to privacy, data security, communications secrecy, Personal Data Breach notification, or the Processing of Personal Data, such as, to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). For the avoidance of doubt, each party is only responsible for the Applicable Law applicable to it.
- “Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies).
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Subprocessor” means any ZiftrShop affiliate or subcontractor engaged by ZiftrShop for the Processing of Personal Data.
- Scope and Roles
- Scope. This DPA applies to the Personal Data that ZiftrShop receives from you, or otherwise Processes for or on behalf of you, through the services that ZiftrShop provides under the Agreement for which you are an administrator (the “Services”).
- Your Responsibilities
- You acknowledge that you are the administrator for the account(s) specified in the Agreement and, therefore, are considered to be a “controller” under the GDPR and that ZiftrShop is a “processor”.
- You will comply with all Applicable Laws applicable to your Processing of Personal Data and will obtain any consents required under Applicable Laws for ZiftrShop to provide the Services.
- Your Instructions
- ZiftrShop will Process the Personal Data only as described under the Agreement, unless obligated to do otherwise by Applicable Law. In such case, ZiftrShop shall inform you of that legal requirement before Processing, unless that legal requirement prohibits providing such information on important grounds of public interest. For the avoidance of doubt, the details of the Processing are as follows:
- Subject matter of the Processing: The subject matter of the Processing is the Personal Data Processed by ZiftrShop on behalf of you. See the Agreement for details.
- Duration of the Processing: The duration of the Processing under this DPA is the term of the Agreement, subject to any applicable deletion or retention provisions. See the Agreement for details.
- Purpose and nature of the Processing: To provide the Services.
- Type(s) of Personal Data Processed: Personal Data provided by you to ZiftrShop for Processing, which, depending on the Services may include business contact data, credit card information, and authentication credentials.
- Categories of data subjects: The data subjects whose Personal Data you provide to ZiftrShop for Processing, which may include current and prospective employees and yourself, if you are an individual.
- The Agreement and this DPA (each as may be amended from time to time), along with your configuration of any settings or options in the Services (as you may be able to modify from time to time, depending on the Services), constitute your complete and final instructions to ZiftrShop regarding the Processing of Personal Data, including for purposes of the Standard Contractual Clauses available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 (“Standard Clauses”). You shall not instruct ZiftrShop to Process Personal Data in violation of Applicable Law, and ZiftrShop shall promptly inform you if, in ZiftrShop’s opinion, any instruction from you violates Applicable Law.
ZiftrShop may subcontract the collection or other Processing of Personal Data only in compliance with Applicable Law and any additional conditions for subcontracting set forth in the Agreement. Prior to a Subprocessor’s Processing of Personal Data, ZiftrShop will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on ZiftrShop under this DPA. Upon written request from you to ZiftrShop at https://www.ziftrshop.com/helpdesk, ZiftrShop will provide a current list of Subprocessors for the services you obtain under the Agreement. ZiftrShop remains responsible for its Subprocessors and liable for their performance under the Agreement and this DPA.
- ZiftrShop will assist you in ensuring your compliance with the security obligations of the GDPR and other Applicable Law, as relevant to ZiftrShop’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to ZiftrShop, by complying with the following paragraph and, if available in the Services, by providing configurable security options.
- To protect the Personal Data, ZiftrShop shall implement appropriate technical and organizational measures as described here https://www.ziftrshop.com/policy/data-protection, without prejudice to ZiftrShop’s right to make future updates to the measures that do not lower the level of protection of Personal Data.
- You are solely responsible for reviewing the available security documentation and evaluating for yourself whether the Services and related security will meet your needs, including your security obligations under Applicable Law. You agree that the security commitments in this DPA will provide a level of security appropriate to the risk in respect of the Personal Data.
- ZiftrShop will ensure that the persons ZiftrShop authorizes to Process the Personal Data are subject to a written confidentiality agreement covering such data or are under an appropriate statutory obligation of confidentiality.
- Personal Data Breach Notification
ZiftrShop will comply with the Personal Data Breach-related obligations directly applicable to it under the GDPR and other Applicable Law. Taking into account the nature of Processing and the information available to ZiftrShop, ZiftrShop will assist you in complying with those obligations applicable to you by informing you of a confirmed Personal Data Breach without undue delay.
- Assistance Responding to Data Subjects
Taking into account the nature of the Processing, ZiftrShop will assist you by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to honor requests by individuals (or their representatives) to exercise their rights under the GDPR and other Applicable Law (such as rights to access their Personal Data). Support for such requests, beyond Service functionality and assistance available under a support agreement, is subject to ZiftrShop’s reasonable charges.
- Assistance with DPIAs and Consultation with Supervisory Authorities
Taking into account the nature of the Processing and the information available to ZiftrShop, ZiftrShop will provide reasonable assistance to and cooperation with you for your performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving ZiftrShop and related consultation with supervisory authorities by providing you with access to documentation for the Services. Additional support for data protection impact assessments or relations with regulators is available at your expense and will require mutual agreement on fees, the scope of ZiftrShop’s involvement, and any other terms that the parties deem appropriate.
- Data Transfers
- You agree and will ensure that you and your affiliates are entitled to transfer the Personal Data to ZiftrShop so that ZiftrShop and its Subprocessors may lawfully Process the Personal Data in accordance with the Agreement and this DPA.
- You authorize ZiftrShop and its Subprocessors to make international transfers of the Personal Data in accordance with Applicable Law and this DPA.
- ZiftrShop has self-certified to the EU-U.S. and EU-Swiss Privacy Shield Frameworks, as administered by the U.S. Department of Commerce and detailed at https://www.privacyshield.gov (“Privacy Shield”). ZiftrShop will immediately notify you if any of the following are no longer true: (a) ZiftrShop’s certification remains active and in effect; (b) ZiftrShop’s certification is sufficient to cover the Processing of Personal Data contemplated herein; and (c) ZiftrShop complies with the Privacy Shield with respect to the Personal Data.
- To the extent that the Privacy Shield does not apply to ZiftrShop’s international transfers, the Standard Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, with respect to Personal Data that is transferred outside the European Economic Area (“EEA”), either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data. The Standard Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
- Return or Destruction
- ZiftrShop will, at your choice, return to you and/or destroy all Personal Data after the end of the provision of services relating to Processing except to the extent Applicable Law requires storage of the Personal Data. If ZiftrShop has not received your election within 30 days of termination or expiration of the relevant portion of the MSA, ZiftrShop may assume that you have selected deletion.
- Nothing will oblige ZiftrShop to delete Personal Data from files created for security, backup and business continuity purposes sooner than required by ZiftrShop’s data retention processes. If you require earlier deletion of such Personal Data, and such deletion is commercially feasible, you must first pay ZiftrShop’s reasonable charges for such deletion, which may include costs for business interruptions associated with such a request.
- ZiftrShop will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, as follows:
- If the requested audit scope is addressed in an ISO or similar audit report issued by a third-party auditor within the prior twelve (12) months and ZiftrShop provides such report to you confirming there are no known material changes in the controls audited, you agree to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report.
- In the event an audit report is not provided, any audit, whether by you or a third party, must be limited to no more than once per twelve (12) month period, and you will (i) conduct the audit only on an agreed date during normal business hours (9:00 am - 5:00 pm local time); (ii) limit your audit to only one business day; and (iii) pay ZiftrShop’s then-current audit fee.
- If a third party is to conduct the audit, you will provide at least thirty (30) days’ advance notice. The third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). ZiftrShop will not unreasonably withhold its consent to a third-party auditor requested by you, unless such third-party auditor is a competitor or another customer of ZiftrShop’s. Any third-party auditor must execute a written confidentiality agreement acceptable to ZiftrShop.
- You must promptly provide ZiftrShop with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than your Personal Data), are confidential information of ZiftrShop.
- Nothing herein will require ZiftrShop to disclose or make available:
- any data of any other customer of ZiftrShop;
- ZiftrShop’s internal accounting or financial information;
- any trade secret of ZiftrShop;
- any information that, in ZiftrShop’s reasonable opinion, could (i) compromise the security of ZiftrShop systems or premises; or (ii) cause ZiftrShop to breach its obligations under Applicable Law or its security and/or privacy obligations to you or any third party; or
- any information sought for any reason other than the good faith fulfilment of your obligations under the Standard Clauses or Applicable Law.
- In addition, to the extent required by Applicable Law, including where mandated by your Supervisory Authority, you or your Supervisory Authority may perform, at your expense, a broader audit, including inspections of the data center facility that Processes Personal Data. ZiftrShop will contribute to such audits by providing you or your Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services.
- You must provide ZiftrShop with any audit reports generated in connection with this DPA, unless prohibited by Applicable Law. You may use the audit reports only for the purposes of meeting your regulatory audit requirements and/or confirming compliance with the terms of this DPA.
- You agree that any audit conducted in accordance with this Section 11 satisfies ZiftrShop’s audit obligations under Clause 5 of the Standard Clauses.