Effective date: January 01, 2020
This Data Processing Addendum (“DPA“) including its Exhibit attached hereto, forms a part of Terms of Service Agreement between GoMage Inc. (“Company“, “GoMage“, “Sellbery“, “us“, “our“, “we“) and the customer (“Customer“) for the purchase of online services (“Services“) from GoMage Inc. and reflect the parties agreement with regards to Processing of Personal Data.
The terms “Personal Data“, “Controller“, “Data Subject“, “Processor” and “Processing” shall have the meaning given to them in the Regulation 2016/679 of the European Parliament.
- “Customer Data” means any Personal Data that Company processes on behalf of Customer via the Service.
- “Data Protection Laws” means all Personal Data protection and processing laws that apply to Customer Data, including data protection laws and regulations applicable to a party’s processing of Customer Data under our Terms of Service, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
- “EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“); and (ii) in respect of the United Kingdom (“UK“) any applicable national legislation that replaces or converts in domestic law the GDPR.
- “Non-EU Data Protection Laws” means the California Consumer Privacy Act (“CCPA“); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA“).
- “Security Incident” means any breach of security that leads to destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data in systems managed by us.
- “Service Data” means any data relating to the Customer’s use, support and/or operation of the Service which Customer generates using our Services.
Roles and Responsibilities
- Parties’ roles. The parties acknowledge and agree that with regard to the processing of Customer Data, Customer is Data Controller and Company is Data Processor acting on behalf of Customer, as further described in Exhibit A.
- Purpose limitation. Company shall process Customer Data only in accordance with Customer’s instructions as set forth in this DPA, as necessary to comply with applicable law.
- Prohibited data. This DPA will not apply to sensitive data. In no case Company will be liable for sensitive data voluntarily provided by the Customer, whether in connection with a Security Incident or otherwise.
- Customer compliance. Customer represents and warrants that (i) it has all notices and policies required to inform Data Subject about the Processing and their rights provided by Data Protection laws; (ii) it has collected all consents and confirmations required for processing of Customer Data by Company pursuant to this DPA; and it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to Company.
- Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data.
- Security Measures. Company shall maintain and implement appropriate organizational and technical security measures designed to protect Customer Data from Security Incidents and preserve the security and confidentiality of Customer Data.
- Confidentiality of processing. Any person who is authorized by the Company to Process Customer Data (including employees, contractors) shall be bound by non-disclosure obligation.
- Updates of security. Customer is solely liable to review the information made available by Company regarding security making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
- Customer acknowledges that the security measures adopted by Company may update or modify the adopted security measures provided that it will not lower the overall security of the Service provided to Customer.
Audits and reports
Company shall respond to all requests for information made by Customer to confirm our compliance with this DPA. This includes but is not limited to provision of information regarding security measures implemented, conducting of due diligence, and answering to audit questionnaires, provided that Customer shall not exercise this right more than once per calendar year. Such requests can be sent to firstname.lastname@example.org.
Customer Data is processed at Company’s operating offices and in any other places where the parties involved in the Processing are located. It may be necessary to transfer collected Personal Data to countries outside of the European Union for Processing purposes. This is the Service provider we use to store Customer Data:
Amazon Web Services, Inc.
410 Terry Ave North
Seattle , WA 98109-5210 , US
Retention and Deletion of Data
Customer Data shall be processed and stored for as long as required for performance of the contract between Company and Customer until such a contract has been fully performed or terminated. Upon expiration of the contract, Customer Data shall be deleted, unless it should be retained according to applicable Data Protection Laws, or due to a request from an authorized authority, prosecution body or court.
Data Subject Rights and Cooperation
- Data subject requests. Company shall provide reasonable assistance to Customer when it comes to compliance with its Customer Data protection obligations. It includes assistance in responding to Data Subject requests made under Data Protection Laws. If a Data Subject request is received by the Company, it shall be redirected to Customer. Company shall not respond to such request unless we receive Customer’s prior authorization, or we will are legally required to do so. For the avoidance of doubt, nothing in this DPA shall prohibit, prevent or restrict us from responding to a Data Subject request where we are the Data Controller in relation to such Data Subject.
- Official requests and court orders. If a data protection authority, court or other legal body entitled to Data Protection Laws demands from the Company Customer Data, we shall attempt to redirect such request to the Customer. Information about this Customer’s contact information may be disclosed to the respective authority. If the request is made by a data protection authority, court or other entitled legal body and such request cannot be redirected, then Customer shall be promptly informed about the response given by the Company to the respective authority.
- Data protection impact assessment. Company shall reasonably assist Customer in the conducting of a data protection impact assessment by providing all reasonably requested information regarding the Company’s Services to allow Customer to carry out the procedures required by Data Protection Laws.
- If Customer Data originates from and is protected by the laws of California, the following shall apply. The definitions of: “Data Controller” includes “Business”; “Data Processor” includes “Service Provider”; “Data Subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under CCPA.
- Company’s obligations regarding Data Subject requests apply to the Consumer’s rights under the CCPA.
- For California consumers, the Company may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.
- Any claims brought under or in connection with this DPA shall be subject to our Terms of Service.
- This DPA shall continue to be effective (1) for the term of carrying of Processing of Customer Data by Company or (2) until termination of contractual relationships between the parties and shall remain in effect for as long as Company carries out Customer Data processing operations on behalf of Customer.2. This DPA shall replace all previous data processing agreements, clauses or similar documents concluded between Company and Customer in connection with the Company’s Services.
- Except for any changes made by this DPA, the Terms of Service remain unchanged and in full force and effect.
- No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Terms of Service, unless required otherwise by applicable Data Protection Laws.
EXHIBIT A – Details of Data Processing
- Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
- Nature of the processing: Company provides software that synchronizes the process of listing and uploading the Customer’s products on multiple marketplace platforms, order and shipment, and refund between Customers web marketplace accounts and online shops, as more particularly described in the Terms of Service.
- Duration of processing: Company will process Customer Data as outlined in Section VI of this DPA.
- Categories of data subjects: Customer’s clients.
- Types of Customer Data: By synchronizing the process of listing and uploading the Customer’s products on multiple marketplace platforms, order and shipment, and approved refunds of Customer third party accounts the Company’s Services redirect certain Personal Data. The extent of such Customer Data is typically controlled and determined by the Customer through third party services. It includes following types of personal data (1) Identification and contact data (name, surname, address, phone number, email address); (2) financial information (credit card details, account details, payment information); (3) product order details and (4) communication (messages). For avoidance of doubts, the Company does not collect or process any Sensitive Data in connection with the provision of the Service.
Security Incident response. Upon becoming aware of a security incident, Company shall: (i) notify Customer within 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident.