Data Processing Agreement

Last update: May 5, 2022

1). DATA PROCESSING ADDENDUM

  1. This Data Processing Addendum ("DPA"), along with our Terms of Service ("Terms of Service" or "ToS"), Privacy Policy and any additional addendums ("Additional Addendums"), constitute the agreement ("Agreement") established by and between XOPERO SOFTWARE S.A. with its principal office in Gorzów Wielkopolski, Poland, address: ul. Zbigniewa Herberta 3, 66-400 Gorzów Wielkopolski, Poland (referred to as "XOPERO", "we" or "us" or "Company") and any person or entity registering as a Partner (referred to as "Client" and "you") collectively "parties", individually "party".

  2. This DPA is supplemental to, and forms an integral part of, the Terms of Service understood as the "Master Agreement".

  3. For the purposes of this DPA, the Client may exercise the role of Controller or Processor and XOPERO exercises the role of Processor or Sub-Processor, as applicable.

  4. YOU ACKNOWLEDGE AND AGREE THAT: (I) YOU HAVE READ, UNDERSTOOD AND ACCEPTED THIS AGREEMENT, (II) YOU HEREBY REPRESENT AND WARRANT THAT YOU ARE AUTHORIZED TO ENTER THIS AGREEMENT, (III) IF YOU ARE THE AGENT OR EMPLOYEE OF AN ENTITY, YOU REPRESENT AND WARRANT THAT (IV) THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON SUCH ENTITY'S BEHALF AND TO BIND SUCH ENTITY AND (V) SUCH ENTITY HAS FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS HEREUNDER.

2). SUBJECT MATTER

  1. The Parties conclude this DPA by virtue of which, the Controller entrusts the Processor to process any viable personal data.

  2. The entrusting of the personal data to the Processor occurs in order to perform the Master Agreement.

  3. The Processor may process the given data only within the scope and with the purpose named in the Master Agreement and with the purpose and within the scope necessary to maintain the services stipulated in the Master Agreement.

  4. The Processor will not retain, use, sell or disclose Personal Data of the Client for any purpose other than for the specific purpose of accessing the Software and/or Services under the Master Agreement and any instructions provided by Client.

  5. Categories of data subjects whose personal data is transferred:

    1. The Client may submit Personal Data in the course of using Services and/or Software, the extent of which is determined and controlled by the Client in its sole discretion, which may include, but is not limited to Personal Data relating to the following categories of Data Subject:

  • Client's end users including Client's customers, employees and contractors.

  • Categories of personal data transferred.

    1. The Client may submit or authorize other third parties to submit Personal Data to XOPERO's Software and/or Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

    • Client's customers' first name, last name, phone number, email address, shipping and billing address, customer order information, purchase history, products purchased, store credit, tags, and notes.

    • Client's employees' first name, last name, employment details such as job

    title, telephone number, business address and email address.

    • Any other Personal Data submitted by, sent to, or received by the Client and/or its end users.

    1. The parties do not anticipate the transfer of sensitive data.

    2. The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis) is depending upon the use of the Software and/or Services by the Client under the Master Agreement.

    3. Nature of the processing:

      1. Personal Data will be Processed in accordance with the Master Agreement (including this DPA) and may be subject to the following Processing activities:

    • The creation of copies of Client Content for storage and back-up purposes;

    • Enabling the Client to restore such copies of such Client Content at the Client's discretion;

    • As necessary to provide access to XOPERO's Services and/or Software and as set out in the Master Agreement and otherwise in accordance with instructions from the Client; and

    • The disclosure in accordance with the Master Agreement (including this DPA) and/or as compelled by applicable laws.

  • Purpose(s) of the data transfer and further processing:

    1. XOPERO will process Personal Data as necessary to provide access to Software and/or Services pursuant to the Master Agreement, and as further instructed by the Client in its use of the Software and/or Services.

  • The period for which the personal data will be retained:

    1. XOPERO will process Personal Data in accordance with the duration specified in the Master Agreement, unless otherwise agreed individually,

    2. the Sub-Processors will process Personal Data as necessary to provide access to Software and/or Services pursuant to the Master Agreement, and as further instructed by Client.

    3).DECLARATIONS AND OBLIGATIONS

    1. The Processor represents that it has infrastructure, resources, experience, knowledge and well-skilled staff capable to perform its obligations in accordance with current provisions of law. In particular, the Processor states that they are familiar with the processing and protecting of personal data rules resulting from the regulation(EU) no 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing personal data and on the free movement of such data and the repeal of Directive 95/46/WE (General Data Protection Regulation hereinafter referred to as "GDPR").

    2. Each party will comply with applicable Data Protection Laws, esp. GDPR.

    3. The Processor is obliged to:

      1. process the given personal data merely by virtue of the agreement with the exception that they are obliged to do it by law; in case the processing of the personal data by the Processor results from the regulations of law, they inform the Controller by electric means - before the beginning of processing - about this compulsion of law, if the law allows to give such information due to public interest;

      2. process the given personal data with accordance to GDPR and the agreement;

      3. introduce the suitable technical and organisational measures to ensure a level of security appropriate to the risk represented by the violation of the rights or freedom of natural persons, whose personal data will be processed under and in terms of the agreement;

      4. support the Controller in implementing the duty to respond to request made by data subject, in respect of their exercising the law as established in GDPR, chapter 3. The cooperation between the Processor and the Controller within the scope mentioned above shall occur in the form and at the time convenient for the administrator, allowing them also to carry out with their duties;

      5. help the Controller, within the scope of :

    • providing safety processing of personal data by implementation of appropriate technical and organisational measures;

    • reporting any violation of personal data protection to regulatory authority and informing subject data about those violations.

    4).TECHNICAL AND ORGANISATIONAL MEASURES

    1. The Processor implements and uses the appropriate technical and organisational measures in order to ensure a level of security appropriate to the risk represented by the violation of the rights or freedom of natural persons, whose personal data will be processed under and in terms of the agreement.

    2. While assessing , if the level of security, referred above, is appropriate, the Processor is obligated to take into account the risk connected with the processing, in particular resulting from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or any unlawful access to the transmitted, stored or processed personal data.

    3. While implementing the technical and organisational measures, the Processor:

      1. follows the Controller's guideline in respect of safety measures of the personal data processing with accordance to the current provisions of law;

      2. shall take into account current technical knowledge, the background, nature, scope, objectives of the processing and the risk of violation of rights or freedom of natural persons whose personal data will be processed under and in terms of the agreement.

    4. On every request made by Controller, the Processor is obligated to make the documentation (procedures, internal code) available concerning the processing of the personal data not later than 7 days after the request was submitted .

    5).SUB-PROCESSING

    1. The Controller agrees to further entrusting, by the Processor, of processing of their personal data to other entities in the respect of and with a purpose with accordance to the Master Agreement.

    2. The Processor ensures that they will use the services provided only by the processing entities which providing sufficient guarantees to implement appropriate technical and organisational measures, so that the processing will meet the GDPR requirements as well as the current provisions of law on the protection of personal data.

    3. The Processor is fully accountable to the Controller for standing by the contractual obligations resulting from the DPA concluded by and between The Processor and a further processing entity. If a further processing entity will fail to perform the obligations concerning the protection of personal data, the Processor will be held accountable to the Controller for not standing by the contractual obligations.

    4. The list of sub-processors is in a form of Annex to the DPA and is available on XOPERO websire.

    6).BREACH DETECTION

    1. The Processor is obliged to implement and adhere to procedures for data breach detection and implement proper corrective measures.

    2. After noticing a breach of personal data entrusted to the Processor by the Controller, the Processor, without undue delay and possibly not later than 48 hours after the breach detection, shall notify the Controller about the situation.

    3. The Processor shall, without Any undue delay, shall take all the reasonable action in order to minimize and fix the negative consequences of the breach.

    4. The Processor is obliged to document every breach of personal data entrusted to him, including the circumstances of the breach, its consequences and the corrective measures that were

    7).DURATION OF THE AGREEMENT AND THE LIABILITY PRINCIPLES.

    1. The Agreement is concluded for a fixed-term and expires with the termination of the Master Agreement.

    2. The Controller can terminate the Agreement by giving 3-months notice.

    3. The Controller has a right to terminate the Agreement with the immediate effect due to compelling reasons, including the Processor and further processing subject's violation of GDPR regulations and other mandatory law or the Agreement regulations, especially when:

      1. Regulatory Office for the compliance with the principles of personal data processing shall ascertain that the Processor or further processing subject violates the principles of personal data processing;

      2. Final and legally binding decision of the common court of law demonstrates, that the Processor or the further processing subject does not adhere to the principles of personal data processing;

    4. In case of violation of the mandatory law or Agreement regulations due to reasons attributable to the Processor and resulting in the Controller's obligation to pay the compensation or administrative penalty payment, the Processor is obliged to reimburse all the expenses incurred.

    8).GENERAL PROVISIONS

    1. If any part of this DPA is found void and unenforceable, it will not affect the validity of the balance of this DPA, which shall remain valid and enforceable according to its terms.

    2. Parties may not assign this contract, or any part of it, to any other party. Any attempt to do so is void.

    3. Any changes to this contract should be made in the same (or higher) form, under pain of void.