DATA PROCESSING ADDENDUM (“DPA”)

  1. GENERAL PROVISIONS
    1. This Data Processing Addendum (“DPA”), along with our Terms of Service (“Terms of Service” or “ToS”), Data Protection Policy and any additional addendums (“Additional Addendums”), constitute the agreement (“Agreement”) established by and between XOPERO SOFTWARE S.A. with its principal office in Gorzów Wielkopolski, Poland, address: 3 Franciszka Walczaka Street, 66-400 Gorzów Wielkopolski, Poland (referred to as “XOPERO”, “we” or “us”, “Company” or “Processor”) and any person or entity being a Client (referred to as “Client”, “you” or “Controller”), collectively “parties”, individually “party”.
    2. This DPA is in addition to and forms an integral part of the Terms of Service and/or any other specific general agreement related to the cooperation between the Parties, understood as the “Master Agreement”.
    3. For the purposes of this DPA, the Client may exercise the role of Controller or Processor and XOPERO exercises the role of Processor or Sub-Processor, as applicable.
    4. YOU ACKNOWLEDGE AND AGREE THAT: (I) YOU HAVE READ, UNDERSTOOD AND ACCEPTED THIS DPA, (II) YOU HEREBY REPRESENT AND WARRANT THAT YOU ARE AUTHORIZED TO ENTER THIS DPA, (III) IF YOU ARE THE AGENT OR EMPLOYEE OF AN ENTITY, YOU REPRESENT AND WARRANT THAT (IV) THE INDIVIDUAL ACCEPTING THIS DPA IS DULY AUTHORIZED TO ACCEPT THIS DPA ON SUCH ENTITY’S BEHALF AND TO BIND SUCH ENTITY AND (V) SUCH ENTITY HAS FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS DPA AND PERFORM ITS OBLIGATIONS HEREUNDER.
    5. This DPA is effective on the day of conclusion of the Master Agreement (the “Effective Date”).
  2. SUBJECT MATTER
    1. The Parties conclude this DPA, by virtue of which the Controller entrusts the Processor to process any viable personal data. The entrusting of the personal data to the Processor occurs in order to perform the Master Agreement.
    2. The Processor may process the given data only within the scope and with the purpose named in the Master Agreement and with the purpose and within the scope necessary to maintain the services stipulated in the Master Agreement.
    3. The Processor will not retain, use, sell or disclose Personal Data of the Client for any purpose other than for the specific purpose of accessing the Software and/or Services under the Master Agreement and any instructions provided by Client.
    4. Categories of data subjects whose personal data is transferred - The Client may submit Personal Data in the course of using Services and/or Software, the extent of which is determined and controlled by the Client in its sole discretion, which may include, but is not limited to Personal Data relating to the following categories of Data Subject:
      1. Client’s end users including Client’s customers, employees and contractors.
    5. Categories of personal data transferred – the Client may submit or authorize other third parties to submit Personal Data to XOPERO’s Software and/or Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
      1. Client’s customers’ first name, last name, phone number, email address, shipping and billing address, customer order information, purchase history, products purchased, store credit, tags, and notes;
      2. Client’s employees’ first name, last name, employment details such as job title, telephone number, business address and email address;
      3. any other Personal Data submitted by, sent to, or received by the Client and/or its end users.
    6. The parties do not anticipate the transfer of sensitive data.
    7. The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis) depends upon the use of the Software and/or Services by the Client under the Master Agreement.
    8. Nature of the processing - Personal Data will be Processed in accordance with the Master Agreement (including this DPA) and may be subject to the following Processing activities:
      1. the creation of copies of Client Content for storage and back-up purposes;
      2. enabling the Client to restore such copies of such Client Content at the Client’s discretion;
      3. as necessary to provide access to XOPERO’s Services and/or Software and as set out in the Master Agreement and otherwise in accordance with instructions from the Client; and
      4. the disclosure in accordance with the Master Agreement (including this DPA) and/or as compelled by applicable laws.
    9. Purpose(s) of the data transfer and further processing - XOPERO will process Personal Data as necessary to provide access to Software and/or Services pursuant to the Master Agreement, and as further instructed by the Client in its use of the Software and/or Services.
    10. The period for which the personal data will be retained - XOPERO will process Personal Data in accordance with the duration specified in the Master Agreement, unless otherwise agreed individually; the Sub-Processors will process Personal Data as necessary to provide access to Software and/or Services pursuant to the Master Agreement, and as further instructed by Client.
  3. DECLARATIONS AND OBLIGATIONS
    1. The Processor represents that it has the infrastructure, resources, experience, knowledge and well-skilled staff capable of performing its obligations in accordance with the current provisions of law. In particular, the Processor states that it is familiar with the rules on processing and protecting personal data resulting from Regulation (EU) No 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”).
    2. Each party will comply with applicable Data Protection Laws, in particular the GDPR.
    3. The Processor is obliged to:
      1. process the personal data entrusted to it solely on the basis of the Master Agreement and this DPA, unless it is required to do so by law; where the processing of the personal data by the Processor results from provisions of law, the Processor shall inform the Controller by electronic means, before the beginning of the processing, of that legal requirement, provided the law permits such information to be given having regard to the public interest;
      2. process the personal data entrusted to it in accordance with the GDPR and this DPA;
      3. introduce suitable technical and organizational measures to ensure a level of security appropriate to the risk of violation of the rights or freedoms of the natural persons whose personal data will be processed;
      4. support the Controller in fulfilling its duty to respond to requests made by data subjects exercising their rights under Chapter 3 of the GDPR. The cooperation between the Processor and the Controller within the scope mentioned above shall take place in the form and at the time convenient for the Controller, also allowing the Controller to carry out its duties;
      5. help the Controller, within the scope of:
        • ensuring the security of personal data processing by implementing appropriate technical and organizational measures;
        • notifying personal data breaches to the supervisory authority and informing data subjects of such breaches.
  4. TECHNICAL AND ORGANISATIONAL MEASURES
    1. The Processor implements and uses the appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk represented by the violation of the rights or freedom of natural persons, whose personal data will be processed under and in terms of the agreement.
    2. When assessing whether the level of security referred to above is appropriate, the Processor is obligated to take into account the risks connected with the processing, in particular those resulting from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure of, or unlawful access to, the personal data transmitted, stored or otherwise processed.
    3. While implementing the technical and organizational measures, the Processor:
      1. follows the Controller’s guidelines on the security measures for personal data processing, in accordance with the current provisions of law;
      2. shall take into account the state of the art, the context, nature, scope and purposes of the processing, and the risk of violation of the rights or freedoms of the natural persons whose personal data will be processed under and in terms of this addendum.
    4. On every request made by the Controller, the Processor is obligated to make the documentation (procedures, internal code) concerning the processing of the personal data available not later than 7 days after the request was submitted.
  5. SUB-PROCESSING
    1. The Controller agrees to the Processor further entrusting the processing of personal data to other entities, within the scope and for the purposes set out in the Master Agreement.
    2. The Processor ensures that it will use only the services of processing entities that provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing will meet the requirements of the GDPR as well as the current provisions of law on the protection of personal data.
    3. The Processor is fully accountable to the Controller for the performance of the contractual obligations resulting from the DPA concluded by and between the Processor and a further processing entity. If a further processing entity fails to perform its obligations concerning the protection of personal data, the Processor will be held accountable to the Controller for that failure.
    4. The list of sub-processors is available on XOPERO website.
    5. If the Controller chooses to have the Services provided exclusively using infrastructure in the European Economic Area, only the entities identified on that list as located in the EU will be used for the Controller.
    6. The Processor is authorized to change the list of entities referred to in point 4 above by making the appropriate modification on the website. The Controller has the right to object to any such modification at any time. However, if the Processor has notified the Controller of the change being made, an effective objection may be filed within 7 days of such notification.
  6. AUDITS
    1. The Controller shall be entitled at any time to audit the compliance of the processing of personal data by the Processor with this DPA and Master Agreement and applicable laws; in particular, the Controller may verify the compliance and adequacy of technical and organizational safeguards for the processing of personal data implemented by the Processor.
    2. The audit shall first be performed by the Controller requesting the Processor to provide the necessary clarifications within 7 days. If the Processor fails to respond within this period, or responds incompletely, the Controller will be entitled to conduct a direct audit under the terms set forth below.
    3. The Controller shall inform the Processor at least 7 days prior to the planned date of the audit of its intention to conduct the direct audit. If, for important reasons, in the opinion of the Processor, the audit cannot be carried out on the indicated date, the Processor should inform the Controller of this fact by e-mail indicating the justification for such assessment. In such case, the Parties shall jointly agree on a later audit date.
    4. The direct audit may be performed by the Controller or external entities contracted by the Controller to perform the audit on business days from 8 a.m. to 4 p.m.
    5. The Processor shall be obliged to cooperate with the persons performing the audit, in particular to provide them with access to the premises and documents covering personal data and information on the manner of processing personal data, ICT infrastructure and IT systems, as well as to persons having knowledge of the personal data processing processes carried out by the Processor.
    6. After the audit, a representative of the Processor shall prepare a post-audit protocol, which shall be signed by representatives of both Parties. The Processor undertakes, within the time agreed with the Controller, to comply with the post-audit recommendations contained in the protocol, aimed at removing the deficiencies and improving the security of personal data processing.
    7. The costs associated with the audit shall be borne by the Party that ordered the audit, without the right to claim reimbursement of such costs or payment of additional remuneration.
  7. BREACH DETECTION
    1. The Processor is obliged to implement and adhere to procedures for data breach detection and implement proper corrective measures.
    2. After noticing a breach of personal data entrusted to the Processor by the Controller, the Processor shall, without undue delay and where possible not later than 48 hours after detecting the breach, notify the Controller of the situation.
    3. The Processor shall, without undue delay, take all reasonable action to minimize and remedy the negative consequences of the breach.
    4. The Processor is obliged to document every breach of personal data entrusted to it, including the circumstances of the breach, its consequences and the corrective measures that were undertaken.
  8. DURATION OF THE AGREEMENT AND THE LIABILITY PRINCIPLES
    1. The Agreement is concluded for a fixed-term and expires with the termination of the Master Agreement.
    2. In the event of termination of the Master Agreement, this DPA shall terminate along with it.
    3. The Controller has the right to terminate this DPA with immediate effect for compelling reasons, including a violation by the Processor or a further processing entity of the GDPR, other mandatory law or the provisions of this DPA, in particular when:
      1. a supervisory authority responsible for compliance with the principles of personal data processing finds that the Processor or a further processing entity violates the principles of personal data processing;
      2. a final and legally binding judgment of a court of law establishes that the Processor or a further processing entity does not adhere to the principles of personal data processing.
    4. In case of a violation of mandatory law or the provisions of this DPA for reasons attributable to the Processor, resulting in an obligation of the Controller to pay compensation or an administrative fine, the Processor is obliged to reimburse the Controller for the expenses so incurred.
  9. FINAL PROVISIONS
    1. If any part of this DPA is found void and unenforceable, it will not affect the validity of the balance of this DPA, which shall remain valid and enforceable according to its terms.
    2. Parties may not assign this contract, or any part of it, to any other party. Any attempt to do so is void.
    3. Any changes to this DPA shall be made in the same (or a more formal) form, on pain of nullity.