Direct Commerce - Data Processing Agreement

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Master Services Agreement between Direct Commerce Inc. (“DCI”) and DCI Customers (“Customer”), collectively DCI and Customer are “Parties.” 

1. DCI acts as a Data Processor for customers pursuant to a Master Services Agreement (“MSA”) and Statements of Work (“SOW”) (collectively “Services Agreement”).
2. DCI will process Customers’ personal data.
3. DCI does not disclose any one customer’s personal data to any other customer.
4. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the California Consumer Privacy Act of 2018, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
5. The Parties wish to make clear their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation.

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1. “Agreement” means this Data Processing Agreement and all Schedules.
2. “Personal Data” means any Customer Personal Data Processed for Customer by DCI pursuant to or in connection with the Services Agreement.
3. “Contracted Processor” means a Sub-processor.
4. “CCPA” means the California Consumer Privacy Act of 2018 as set forth in California Civil Code Sec. 1798.100 et seq.
5. “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.
6. “EEA” means the European Economic Area.
7. “EU or European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
8. “GDPR” means EU General Data Protection Regulation 2016/679.
9. “Data Subject” means the individual to whom Personal Data relates.
10. “Data Transfer” means:
1. A transfer of Personal Data between Customer and DCI; or
2. An onward transfer of Personal Data from DCI to a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
11. “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws. 
12. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
13. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
14. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of DCI or Customer.
15. “Services” means the services provided pursuant to the Services Agreement (MSA and SOWS) between the Parties.
16. “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021; as may be amended, superseded or replaced.
17. “Sub-processor” means any person engaged by or on behalf of DCI to assist in fulfilling DCI’s obligations with respect to the processing of Personal Data in connection with the Services Agreement.
18. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the CCPA or GDPR, as the case may be, and their cognate terms shall be construed accordingly.

1. Processing of Personal Data Responsibilities.

1. DCI shall:
1. Comply with all applicable Data Protection Laws in the Processing of Personal Data.
2. Not Process Personal Data other than on the agreed documented instructions.
3. If DCI instructs a sub-processor to process Personal Data; the sub-processor shall be subject to the terms and conditions of this Agreement.
4. DCI will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches. Notwithstanding any provision to the contrary, DCI may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
2. Customer Responsibilities.
1. Compliance with Laws. Within the scope of the Agreement and in its use of the services, Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to DCI. In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring Customer has the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Services Agreement and this DPA; (iv) ensuring that Customer’s Instructions to DCI regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Services Agreement, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer will inform DCI without undue delay if it is not able to comply with its responsibilities under this ‘Compliance with Laws’ section or applicable Data Protection Laws.

1. Processor Personnel.

DCI shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Customer and DCI, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

1. Security.

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DCI shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in CCPA and Article 32(1) of the GDPR.
2. In assessing the appropriate level of security, DCI shall take account in particular of the risks that are presented by processing, in particular from a Personal Data Breach.
3. Customer is ultimately responsible for independently determining whether the data security provided for in the Services Agreement adequately meets its obligations under applicable Data Protection Laws. Customer is also responsible for its secure use of the Subscribed Service, including protecting the security of Personal Data in transit to and from the Subscribed Service (including to securely backup or encrypt any such Personal Data).

1. Sub-processing.

1. DCI shall not appoint (or disclose any Personal Data to) any Sub-processor unless required or authorized by the Customer.

1. Data Subject Rights.
1. Taking into account the nature of the Processing, the Parties shall assist each other by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of DCI’s obligations, as reasonably understood by the Parties, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
2. If notified of a request pursuant to Data Protection Laws, DCI shall:
1. Promptly notify Customer if it receives a request from anyone under any Data Protection Law in respect of Personal Data; and
2. Ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which DCI or Customer are subject, in which case DCI shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before responding to the request.

1. Personal Data Breach.

1. DCI shall notify Customer without undue delay upon DCI becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
2. DCI shall co-operate with Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

1. Additional Provisions for California Personal Information.

1. Scope. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.
2. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the Parties acknowledge and agree that Customer is a Business and DCI is a Service Provider for the purposes of the CCPA.
3. Responsibilities. The Parties agree that DCI will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscribed Services under the Services Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA.

1. Deletion or Return of Customer Personal Data.

1. Subject to this section 9, DCI shall promptly and in any event within the time set forth in the Services Agreement of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.

1. Data Transfer.

1. DCI may transfer Data to Customer’s authorized users, as directed by Customer.  DCI may not transfer or authorize the transfer of Data to any third party without the prior written consent of Customer. 

1. General Terms.

1. Confidentiality. All information about this Agreement and information it receives about or from the other Party and its business in connection with this Agreement is confidential (“Confidential Information”). Confidential Information must not be used or disclose to anyone without the prior written consent of the other Party, except to the extent that (a) disclosure is required by law; or (b) the relevant information is already in the public domain.
2. Notices. All notices and communications given under this Agreement must be in writing and be delivered personally, sent by post or email to the address or email address set out below the signature block of this Agreement, or such other address as notified from time to time by the Party changing address.
3. Limitation of Liability. Each Party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Limitation of Liability’ section of the Services Agreement and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, DCI’s liability shall be limited to direct damages that are covered by DCI insurance and not include consequential damages.
4. Entire Agreement. This Agreement constitute the entire and final agreement between the Parties with regard to the subject matter hereof.  No waiver, consent, modification or change of terms of this Agreement will bind a Party unless agreed upon in writing and signed by both Parties, and then such waiver, consent, modification or change will be effective only in the specific instance and for the specific purpose given.  
5. Governing Law.  This Agreement shall be governed by and construed in accordance with the laws of the State of California, except for the conflict of laws provision.  In connection with this Agreement, the Parties consent to the personal jurisdiction of, and venue in, the courts located in San Francisco, California.
6. Term. The term and duration of this Agreement shall be the same as the Services Agreement between the Parties.
7. Incorporation of Service Agreement.  In as much as any term or condition in the Agreement conflicts with the Services Agreement between the Parties, this Agreement shall apply; all none conflicting provisions in the Services Agreement shall otherwise be incorporated herein.
8. Counterparts.  This Agreement may be executed and delivered in one or more counterparts (including facsimile, PDF or other electronic counterparts), with the same effect as if the Parties had signed the same document.  Each counterpart so executed shall be deemed to be an original, and all such counterparts shall be construed together and shall constitute one Agreement.