This Data Processing Addendum (the “DPA”), is between OrderMyGear LLC (“OMG”) and its affiliate, Bright Stores LLC (“Bright Stores”) (collectively, “Provider”) and Customer (hereinafter “Client”).
This DPA is made subject to the Terms of Service (the “Terms”) available at https://www.ordermygear.com/terms/. In the event of a conflict between this DPA and the Terms, the terms of this DPA shall control. Capitalized words in this DPA have the same meaning as in the Terms unless otherwise defined herein. If any provisions of this DPA are found to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
1. INTRODUCTION
In connection with its performance of the Services, Provider may receive and process one or more categories of Personal Data from Client or its End Users. As to this data, Client shall be the Controller and Provider shall be the Processor. As to Personal Data covered by the CCPA, Provider shall be a “Service Provider” as that term is defined by the CCPA.
2. DEFINITIONS
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations, including any amendments made by the California Privacy Rights and Enforcement Act (“CPRA”).
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Breach” means the unauthorized acquisition of Personal Data stored by Provider that compromises the security, confidentiality, or integrity of the data.
“Data Protection Law” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law, UK Data Protection Law, the FADP, and the CCPA.
“Data Subject” means the individual to whom Personal Data relates.
“EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
“FADP” shall mean the Swiss Ordinance to the Federal Act on Data Protection and any revisions thereto.
“Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Law that BMI receives from Client or its End Users or that it collects in connection with providing the Services.
“Process” or “Processing” refers to any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
“Services” means any services to be performed by Provider for Client as identified in a separate agreement between the Parties. Services may include access to the Provider Store, Hosting, Support, and Professional Services.
“Sub-Processor” means any person appointed by, or on behalf of, Processor to Process Personal Data on behalf of the Controller in connection with the Terms.
“UK Data Protection Law” means the United Kingdom’s General Data Protection Regulations as implemented by the UK Data Protection Act of 2018 (“UK GDPR”).
3. OBLIGATIONS OF CONTROLLER
As the Controller, Client will ensure that:
A. Client is in compliance with applicable Data Protection Laws regarding the sharing of Personal Data with Provider for the processing of said data in accordance with this Agreement;
B. No additional agreements have been established that would prohibit Provider from Processing the Personal Data; and
C. Client shall inform Provider without undue delay if it becomes aware that Provider’s Processing of Personal Data may be unlawful or prohibited by any applicable Data Protection Laws.
4. OBLIGATIONS OF PROCESSOR
Provider shall process Personal Data only for the purposes described in (i) a written agreement between Provider and Client; (ii) only in accordance with Client’s documented lawful instructions; and (iii) in compliance with applicable Data Protection Laws. Provider will not collect, retain, use, or disclose Personal Data it accesses, receives, or creates pursuant to the Terms for any purpose other than for the purposes set out in the Terms. Provider acknowledges that Client is disclosing or making available Customer Data to Provider only for the limited and specified purposes of the Services. Provider will not sell or share Customer Data unless permitted pursuant to this DPA.
If the Provider believes that an instruction of the Client infringes applicable Data Protection Laws, it shall immediately inform the Client without delay. If Provider cannot process Personal Data in accordance with the instructions due to a legal requirement under any applicable Data Protection Laws, Provider will (i) promptly notify the Client of that legal requirement before the relevant Processing to the extent permitted by applicable Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Client issues new instructions with which Provider is able to comply. If this provision is invoked, Provider will not be liable to the Client for any failure to perform the applicable Services until the Client issues new instructions regarding the Processing.
Provider shall not sell or disclose for valuable consideration Personal Data provided by Client or Processed on its behalf. Provider shall not release, disclose, disseminate, make available, transfer or otherwise communicate Personal Data provided by Client or Processed on Client’s behalf to any third party other than Sub-processors, except as allowed by applicable Data Protection Laws.
5. SECURITY
A. Security Measures – Provider shall implement and maintain appropriate technical and organizational security measures to preserve the security and confidentiality of the Personal Data in accordance with applicable Data Protection Laws.
B. Updates to Security Measures – Client acknowledges that the security measures are subject to technical progress and development and that Provider may update or modify the security measures from time to time, provided that such updates and modifications do not degrade the overall security of the Services purchased by the Client or cause Provider to be out of compliance with applicable Data Protection Laws.
C. Client Responsibilities – Notwithstanding the above, Client agrees to secure its user authentication credentials, protect the security of Personal Data when in transit to and from Provider or its Services, and take appropriate steps to securely transmit and backup any Personal Data uploaded to Provider or its Services.
6. CONFIDENTIALITY
Provider shall take reasonable steps to limit access to Personal Data to only authorized personnel. Provider shall ensure that any personnel authorized to process Customer Data on its behalf, including employees, affiliates and sub-processors, is subject to confidentiality obligations, whether contractual or statutory, with respect to that Personal Data, that are the same or substantially similar to those set forth in this DPA.
7. DATA BREACH
In the event of a Data Breach, Provider will notify Client of the incident within three (3) business days of becoming aware of it. Provider will provide a description of the nature of the incident and affected data. Provider shall take such steps as Provider in its discretion deems necessary and reasonable to remediate the incident.
8. DATA SUBJECT RIGHTS
Provider will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Client to respond to any request from Data Subjects seeking to exercise their rights under applicable Data Protection Laws with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Provider, Provider will promptly inform Client and will advise Data Subjects to submit their request to the Client. Client shall be solely responsible for responding to any Data Subjects’ requests. Client shall reimburse Provider for reasonable costs arising from this assistance.
9. SUB-PROCESSORS
A. Authorized Sub-processors. Client agrees that Provider may engage Sub-processors to process Personal Data on Client’s behalf in connection with Services. Provider shall enter into a written agreement with any Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by applicable Data Protection Laws and remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Provider to breach any of its obligations under this DPA. Provider shall, exercising reasonable care, evaluate an organization’s data protection practices before allowing the organization to act as a Sub-processor.
B. Objections to Sub-Processors. Upon Client’s request, Provider shall make available to Client an up-to-date list of the Sub-processors it has appointed. If Client objects to any Sub-processors, the Client’s sole and exclusive remedy shall be to terminate their Account, thus terminating the Agreement and ending further processing of Personal Data on its behalf.
10. DELETION OR RETRIEVAL OF PERSONAL DATA
Provider shall, within thirty (30) days after written request by Client, delete or return all Personal Data to the Client unless Provider is required to maintain a copy of the Personal Data pursuant to applicable Data Protection Laws or in order to complete a transaction pursuant to which the data was collected (e.g., to complete a payment). Client must inform and instruct Provider on return of data in advance of terminating the agreement, as well as bear any additional cost arising from the return or deletion of Personal Data.
If Client terminates the Agreement without prior written notification to Provider, Provider may permanently delete all Personal Data in its possession subject to the terms of the Agreement.
11. AUDITS AND REQUESTS
Provider shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA. Once per rolling twelve (12) month period, Client may, at its own cost and upon reasonable and timely advance agreement, during regular business hours and without interrupting Provider’s business operations, conduct an audit of Client’s business operations to demonstrate Client’s compliance with this DPA in relation to the Processing of the Personal Data, or have the same conducted by a qualified third party which shall be approved in advance by Provider.
Provider shall, upon Client’s written request and within a reasonable period of time, provide Client with all information necessary for such audit, to the extent that such information is within Provider’s control and Provider is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party and provided that Client not exercise this right more than once per year.
12. THIRD PARTY REQUESTS
Provider agrees to notify Controller promptly if it receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of Personal Data transferred pursuant to the Terms; such notification shall include information about the Personal Data requested, the requesting authority, the legal basis for the request and the response provided; or becomes aware of any direct access by public authorities to personal information collected or received pursuant to the Terms in accordance with the laws of the country of destination; such notification shall include all information available to Provider. If Provider is prohibited from notifying the Controller under the laws of the country of destination, Provider agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Provider agrees to document its best efforts in order to be able to demonstrate them on request of the Controller.
13. INDEMNIFICATION, DEFEND, AND HOLD HARMLESS
Notwithstanding any provision in the DPA to the contrary, Provider will indemnify, defend and hold harmless Client, its affiliates, directors, officers, and employees (“Client Indemnified Person”) from and against any and all claims, suits, causes of action, fees, penalties, damages, or judgments (including reasonable attorneys’ fees) which may be imposed on or incurred by or instituted against any such Client Indemnified Person relating to or arising out of: 1) any access, use, disclosure, modification, or destruction of Protected Information that is not permitted under this DPA or applicable law and that is caused by the gross negligence or willful misconduct of Provider; or 2) Provider’s breach of this Agreement. Provider’s liability under this section shall be reduced proportionally to the extent that any act or omission of Client or a Client Indemnified Person contributed to such liability.
In addition, in the event of a Data Breach caused by the negligence or intentional misconduct of Provider or its sub-processors, Provider will bear the costs incurred by Client to the extent it is necessary for Client to comply with its obligations under applicable Data Protection Laws, which may include the following: 1) the reasonable cost of preparing and distributing notifications to affected individuals; 2) the reasonable cost of providing notice to government agencies, credit bureaus, and/or other required entities; and 3) the reasonable cost of providing affected individuals with credit monitoring services for a specific period not to exceed twelve (12) months, or longer if required by law.
The Parties acknowledge that any breach of their covenants or obligations set forth in this Agreement may cause irreparable harm for which monetary damages would not be adequate compensation and agree that, in the event of such breach or threatened breach, a Party is entitled to seek equitable relief, including a restraining order, injunctive relief, specific performance and any other relief that may be available from any court, in addition to any other remedy to which the Party may be entitled at law or in equity. Such remedies will not be deemed to be exclusive but will be in addition to all other remedies available at law or in equity, subject to any express exclusions or limitations in this DPA to the contrary.
Provider’s defense obligations in this section are conditioned upon: (i) notice by Client within five (5) business days of it receiving notice of such claim (failure to meet this condition does not relieve Provider of its defense or indemnification obligation, except to the extent that such failure has materially prejudiced Provider’s ability to defend the claim). Provider has the right to participate in the defense with counsel of its choice and at its own expense but may not confess judgment, admit liability or take any other actions prejudicial to the defense. Further, Client may not settle a claim unless such settlement includes an unconditional release of Provider from all liability on all claims, or the Provider gives its prior written consent, which shall not be unreasonably withheld.
14. LIABILITY
IN NO EVENT SHALL EITHER PARTY BE LIABLE UNDER THIS AGREEMENT TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, NOMINAL, INDIRECT, STATUTORY, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS, DIMINUTION IN VALUE, LOSS OF USE, LOSS OF TIME, INCONVENIENCE, LOST BUSINESS OPPORTUNITIES, DAMAGE TO GOOD WILL OR REPUTATION, AND COSTS OF COVER, REGARDLESS OF WHETHER SUCH LIABILITY IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE, AND EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR SUCH DAMAGES COULD HAVE BEEN REASONABLY FORESEEN. EACH PARTY’S ENTIRE AGGREGATE LIABILITY FOR ANY CLAIMS, FINES, INDEMNIFICATION OBLIGATIONS, DAMAGES, OR JUDGMENTS RELATING TO SERVICES AND/OR THIS AGREEMENT, INCLUDING ATTORNEYS’ FEES (COLLECTIVELY, THE “LIABILITY”), SHALL NOT EXCEED THE GREATER OF (1) THE LIABLE PARTY’S INSURANCE COVERAGE FOR SAID LIABILITY OR (2) $1,000,000. THIS SECTION SHALL SURVIVE THE TERMINATION OF THE AGREEMENT.
15. TRANSFER OF EU, UK, AND SWISS PERSONAL DATA TO OTHER COUNTRIES
Before commencement of any transfer of Personal Data from the EEA, the UK and/or Switzerland to any third party located in a country outside the EEA, the UK and/or Switzerland, that the European Union deems to have inadequate protection, Client shall inform Provider of such transfer and the Parties may enter into, as applicable, the EU Standard Contractual Clauses (Module 2 – Transfer from Controller to Processor), the Switzerland Data Processing Addendum, and/or the UK Data Processing Addendum.