DATA PROCESSING ADDENDUM
Effective Date: May 25, 2018
THIS DATA PROCESSING ADDENDUM (this “DPA”) supplements and is a part of the Master Services Agreement or other written or electronic agreement (in either case, the “Agreement”) for the purchase of services (identified in the Agreement as either “Services” or otherwise, and hereinafter defined as “Services”) entered into between Route App Inc. (“Company”, “we”, “us” and “our”), and the entity that has offered our services pursuant to the Agreement (“Merchant-Customer”, “you” and “your”). Certain words and phrases in this DPA have special meanings that are provided either where they first appear, as indicated by bold text, or in Section 6, as indicated by a text link where they first appear. This English language version controls regardless of any translation.
1. SCOPE AND PURPOSE.
1.1 Merchant-Customer Personal Data. Our Company, Route App Inc., tracks and insures e-commerce orders. The tracking and insurance services are offered as add-on features (“Features”) on retailer websites. Prior to offering the Features to your customers on your website (“Consumer-Customers”), you entered into our Agreement and allowed us to collect from you certain data related to your end users, including but not limited to your personnel, such as their name, email address and payment information (“Merchant-Customer Personal Data”). We act as the controller of Merchant-Customer Personal Data.
1.2 Consumer-Customer Personal Data. After you offered our Features to your Consumer-Customers and used the add-on Features for your legitimate business purposes, you also collected data from these Consumer-Customers including whatever personal data you feel is needed for your business, some or all of which you may store on our System pursuant to the Agreement (“Consumer-Customer Personal Data”). You act as the controller of the Consumer-Customer Personal Data you collected, which is stored on our System separate from Merchant-Customer Personal Data. However, given the nature of the Features that we provide to Consumer-Customers and the different ways in which you, and we, may interact with Consumer-Customers, our role with respect to Consumer-Customer Personal Data differs depending upon the circumstances. We act as:
(a) the processor when you store Consumer-Customer Personal Data in our System that you collect directly from Consumer-Customers who receive our services involuntarily;
(b) a joint controller, along with you, when you store Consumer-Customer Personal Data in our System from Consumer-Customers who affirmatively choose to enroll in our services; and
(c) an independent controller for Consumer-Customer Personal Data provided to us directly by Consumer-Customers (notwithstanding the nature of such Consumer-Customers’ interactions with you, if any), including but not limited to information provided to us by the Consumer-Customer’s use of our online and mobile resources (e.g. our mobile application).
1.3 Purpose; GDPR and CCPA. The two-fold purpose of this DPA is to supplement the Agreement by establishing the parties’ respective rights and obligations under the GDPR and CCPA with regard to: (a) the Merchant-Customer Personal Data for which we act as controller; and (b) the Consumer-Customer Personal Data for which Consumer-Customers are the data subjects, and for which our roles vary and are set forth in Section 1.2.
2. OUR CONTROLLER OBLIGATIONS.
When we act as the controller of Merchant-Customer Personal Data, or as the joint or independent controller of Consumer-Customer Personal Data, we process it in furtherance of our legitimate interests such as issuing your end user’s or Consumer-Customer’s log-in credentials, accepting and processing payments, securing and improving our System, providing the Features you agreed to in our Agreement to your website Consumer-Customers, and detecting and preventing fraud. We do not sell any personal data to third parties, use it for any purpose other than as stated in the preceding sentence, nor do we use it for automated decision making. We share Merchant-Customer and Consumer-Customer Personal Data with other parties for the reasons described in our general privacy statement, which you can read about here – https://route.com/privacy/.
We afford access to the data subject information and related rights described in our privacy statement. To the extent Merchant-Customer or Consumer-Customer Personal Data includes the personal information of your workforce or personal information that you collect directly from your Consumer-Customers, it is entirely your responsibility to ensure you have a legitimate interest or other appropriate lawful basis to collect it, and to further ensure that the notices and other required portions of this DPA are provided to those affected individuals.
Confidential ∙ Page 1 of 4
We do, however, vary from the terms described above (including the privacy statement terms to which we linked) if the Merchant-Customer or Consumer-Customer Personal Data we share or transfer is strictly limited to business contact information. Business contact information is exempt from all or substantially all of the requirements of certain data privacy laws, including the CCPA. Therefore, in order to effectively manage our privacy and data security program without undue burden while still balancing data subject rights and freedoms, for purposes of the GDPR we follow its Article 24, assess the risk to the affected data subjects and, where appropriate, modify the measures we take for business contact information, such as excluding it from individual/natural person data subject requests and accepting from our processors/transferees summary statements (including sometimes via email confirmation) regarding their compliance with GDPR Article 28 or equivalent obligations.
3. YOUR CONTROLLER OBLIGATIONS.
As between Company and you, you are solely responsible for all controller obligations with respect to Merchant-Customer Personal Data that you collect directly from your workforce and Consumer-Customer Personal Data that you collect directly from your Consumer-Customers. That means you will, among other things, determine your legitimate interests or other lawful bases for processing of such Merchant-Customer and Consumer-Customer Personal Data, provide all required notices, and manage and respond to all data subject attempts to exercise their rights. To the extent your Merchant-Customer or Consumer-Customer data subjects make any claim that you failed to do the foregoing, or any investigation or action is commenced against us as a result of your processing, sharing or transferring of Merchant-Customer or Consumer-Customer Personal Data (except if caused by our failure to fulfill our obligations under Section 4 of this DPA), you will indemnify, defend and hold us and our agents and representatives harmless.
When you store Merchant-Customer or Consumer-Customer Personal Data on our systems, it is automatically transferred outside of both your home jurisdiction and the overall European Economic Area to the United States. Those transfers occur under Article 46 of the GDPR including when the destination is the U.S.
4. OUR PROCESSOR OBLIGATIONS.
We act as your processor when you use the feature of our System that allows you to store Consumer-Customer Personal Data on our Systems in the circumstances described in Section 1.2(a). The subject-matter of our processing is the Consumer-Customer Personal Data you provide to us. The duration of our processing is at your discretion, generally commensurate with the duration of your contractual relationship with us. The nature and purpose of our processing is limited to storage for retrieval by you, except where data is anonymized and aggregated and used to improve the Services. We do not typically read Consumer-Customer Personal Data in connection with the provision of the System. The types of personal data processed are determined by you, as are the categories of data subjects who become your Consumer-Customers. All of our processing of Consumer-Customer Personal Data further adheres to the following obligations:
4.1 Appropriate measures. We will implement appropriate technical and organizational measures in such a manner that our processing on your behalf will meet the requirements of applicable law.
4.2 Appointment of Subprocessors. We will not engage another processor (sometimes called a “subprocessor”) without your prior specific or general written authorization. In the case of general written authorization, we will inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes.
4.3 Processing Governed by Law and Contract. Our processing will be governed by this DPA under EU or Member State law. Your rights and obligations as controller are set forth in the Agreement and this DPA. In addition to the general statement above, we specifically will:
(a) process Consumer-Customer Personal Data, for which we qualify as a processor under Section 1.2(a), only on your documented instructions, including with regard to transfers to a third country or an international organization, unless our actions are required by applicable law to which we are subject; in such a case we will inform you before processing, unless prohibited by that law;
(b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required under GDPR Article 32;
(d) respect the conditions referred to in Sections 4.2 and 4.4 for engaging another processor;
(e) taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligation to respond to requests for exercising the data subject’s rights under applicable law;
(f) assist you in ensuring compliance with your obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to us;
(g) at your election, delete or return all Consumer-Customer Personal Data, for which we qualify as a processor under Section 1.2(a), to you at end of our relationship under the Agreement, and delete existing copies unless applicable law requires storage of the personal data; and
(h) make available to you all information necessary to demonstrate our compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
We will immediately inform you if, in our opinion, an instruction you gave us infringes the GDPR.
4.4 Obligations of Subprocessors. If we engage a subprocessor to carry out specific processing activities on your behalf, the same obligations in this DPA will be imposed on that other processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. If the subprocessor breaches those obligations, we will be responsible to you.
4.5 End User Requests. We will, to the extent legally permitted, promptly notify you if a Consumer-Customer seeks to exercise its data subject access and related rights under applicable law through us instead of you, and we will reasonably cooperate with you to fulfill your obligations, provided that you are responsible for any reasonable costs arising therefrom.
4.6 Breach Notification. We will notify you without undue delay after becoming aware that there has been a breach of the security of our systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Consumer-Customer Personal Data, for which we qualify as a processor under Section 1.2(a), transmitted, stored or otherwise processed by us. Such notification will include that information a processor must provide to a controller under GDPR Article 33(3) to the extent such information is reasonably available to Company.
5. PRECEDENCE; BINDING CONTRACT.
Conflicts between the Agreement and/or our general Privacy Statement on the one hand, and this DPA on the other hand, with respect to a party’s rights or obligations governing, related to, or arising out of Merchant-Customer Personal Data and Consumer-Customer Personal Data shall be resolved in favor of this DPA. By continuing to use the System following the Effective Date of this DPA, you will have affirmatively manifested your intent to be bound to the terms and subject to the conditions of this DPA.
6. GLOSSARY; INTERPRETATION.
“Business contact information” means data that may otherwise be considered personal data, but is corporate or business in nature, such as an email address using only a corporate domain, business telephone number, business street address, name and business title, and is used solely for the purpose of issuing credentials to the System and/or communicating or facilitating communication with the data subject in relation to the Agreement.
“CCPA” means the California Consumer Privacy Act and its implementing regulations, as each are amended from time to time.
“Agreement” means the Company Terms and Conditions of Use found here – https://route.com/terms-and-conditions/.
“Controller” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Business” as defined in the CCPA.
“Customer” means either a Consumer-Customer or a Merchant-Customer. “Consumer-Customer” means an individual who has downloaded and used the Route App; or who made a purchase from one of our merchants and either: does not use the Route App, but actively chose to obtain Route-provided shipping protection services from a merchant; or automatically received Route-provided shipping protection services as a no-cost benefit from a merchant. “Merchant-Customer” means a business entity that operates an e-commerce platform and to whom we provide the Route merchant technologies and services under a separate contract.
“Data subject” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Consumer” as defined in the CCPA.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and all national legislation implementing or supplementing it, as the foregoing are amended from time to time.
“Legitimate interests” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Business purpose” as defined in the CCPA.
“Personal Data” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Personal information” as defined in the CCPA. “Consumer-Customer Personal Data” has the meaning given to it in Section 1.2. “Merchant-Customer Personal Data” has the meaning given to it in Section 1.1.
“System” means the systems, IT and other infrastructure, software, and other resources owned and/or operated by Company.
“Process” / “Processing” has the meaning given to it in the GDPR, with substantially the same meaning under the CCPA.
“Processor” has the meaning given to it in the GDPR except that, for purposes of the CCPA, that term and its meaning are, wherever used in this DPA, substituted with the term “Service provider” as defined in the CCPA.
“Sell” has the meaning given to it in the CCPA.
“Participant Personal Data” means Merchant-Customer Personal Data, as defined in Section 1.1.
END OF DATA PROCESSING ADDENDUM