BuyerAssist
Data Processing Addendum
Last Modified: June 26, 2023
1. Background
a) This Data Processing Addendum (DPA) is an addendum to and forms part of the Master Subscription and Services Agreement, the BuyerAssist Terms of Service, the Master Services Agreement – Boomerang, and another agreement under which BuyerAssist provides services (“BuyerAssist Services”) to Customer.
b) Each such agreement referred to in a) above is a Main Agreement. Customer refers to the party in the Main Agreement other than BuyerAssist. For purposes of processing Customer Data, BuyerAssist refers to the BuyerAssist entity that is a party to the Main Agreement and such entity’s affiliates that are under common control with, controlled by or controlling that entity.
c) Capitalized terms used in this DPA have the meaning set forth herein. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Main Agreement. Terms that are not capitalized are interpreted in accordance with applicable data protection and privacy laws.
d) This DPA does not change the terms of the Main Agreement but only supplements the Main Agreement for purposes of personal data processing.
e) This DPA applies to processing European personal data (that is, any personal data subject to the GDPR). GDPR (General Data Protection Regulation) means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
f) To the extent California consumers’ personal information is processed, Annex 4 applies.
g) This DPA is subject to the governing law and jurisdiction provisions in the Main Agreement unless and to the extent required otherwise by applicable data protection and privacy laws.
h) This DPA becomes effective and remains in effect for as long as personal data is processed as per the Main Agreement.
2. Scope of Application
a) While providing BuyerAssist Services, it may be necessary for BuyerAssist to process personal data for Customer (Customer Data, see Annex 1). BuyerAssist is the data processor of such personal data and Customer is the data controller.
b) In case of contradictions between this DPA and the provisions of other agreements, in particular the Main Agreement, the provisions of this DPA prevail. The provisions of the Standard Contractual Clauses attached in Annex 3 prevail, where applicable, over this DPA to the extent of any discrepancy between the two.
c) This DPA does not apply to Service Data which means any data relating to the Customer’s use, support and/or operation of BuyerAssist Services and BuyerAssist websites, including information relating to activity logs, use patterns, cookie data or other information regarding use of BuyerAssist Services and BuyerAssist websites. To the extent any Service Data is considered personal data under applicable data protection and privacy laws, BuyerAssist is responsible as a data controller, and processes such data in accordance with its privacy notice available at https://buyerassist.io/privacy-notice and applicable data protection and privacy laws.
3. Subject, Scope and Duration of Processing
a) BuyerAssist processes Customer Data exclusively on behalf of Customer and on Customer instructions in terms of GDPR article 28 (1).
b) Annex 1 to this DPA contains a comprehensive list of the types of Customer Data that BuyerAssist may process, in which manner, for what purposes, and to which categories of data subjects such data relate.
4. Scope of Customer’s Authority to Issue Instructions
a) Instructions related to processing Customer Data must be documented. Customer’s instructions are exclusively included in the Main Agreement and this DPA or given via the authorized use of BuyerAssist Services.
b) BuyerAssist must inform Customer immediately if in BuyerAssist’s reasonable opinion Customer’s instructions conflict with this DPA, an earlier instruction or applicable data protection laws.
c) Customer hereby instructs BuyerAssist to process Customer Data and, in particular, to transfer Customer Data to any country or territory as reasonably necessary for the provision of BuyerAssist Services in accordance with the Main Agreement and this DPA.
5. Obligations and Legal Status of Customer as Data Controller
a) Customer is responsible for its compliance with applicable laws and the lawful processing of Customer Data in relation to the data subjects as well as for safeguarding the rights of data subjects to the extent that applicable data protection laws do not impose direct responsibility on BuyerAssist.
b) As between the parties, Customer is and remains the owner of Customer Data and the holder of all rights relating to Customer Data.
6. Security of Processing
a) BuyerAssist takes appropriate technical and organizational measures to ensure a suitable level of protection for Customer Data corresponding to the risk of the respective data processing. This must be in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the processing as well as the varying likelihood and severity of risk to the rights and freedoms of data subjects.
b) Customer has assessed the security measures offered by BuyerAssist to meet the standards required by applicable data protection and privacy laws as at the effective date hereof. Such technical and organizational measures are specified in Annex 2 to this DPA and/or in the Main Agreement and BuyerAssist will maintain those (or effectively similar) measures during the term. All changes to technical and organizational measures must be reasonably documented by BuyerAssist.
7. Sub-processors
a) Customer hereby authorizes BuyerAssist to appoint sub-processors in accordance with this section and subject to any restrictions herein or in the Main Agreement.
b) BuyerAssist can continue using those sub-processors already engaged by BuyerAssist as at the date of this DPA, subject to BuyerAssist meeting the obligations set out in this section. Current sub-processors are: AWS, Fullstory, Mixpanel, Segment.
c) Prior to engaging new or replacement sub-processors BuyerAssist will notify Customer. Customer is entitled to object to any change notified by BuyerAssist within a reasonable time (which reasonable time may be set by BuyerAssist in such notification) and for materially important reasons. If Customer fails to object to such change within such reasonable time, Customer is deemed to have consented to such change. Where a materially important reason for such objection exists and an amicable resolution fails, BuyerAssist may terminate the Main Agreement.
d) If BuyerAssist engages sub-processors, BuyerAssist (i) remains liable under this DPA for the acts and omissions of sub-processors and (ii) ensures that BuyerAssist’s obligations on data protection resulting from the Main Agreement and this DPA are binding on sub-processors. Without prejudice to the foregoing, with respect to each sub-processor, BuyerAssist will:
i. before the sub-processor processes Customer Data, carry out adequate due diligence to ensure that the sub-processor is capable of providing the level of protection for Customer Data as required herein and in the Main Agreement;
ii. ensure that the arrangement is governed by a written contract including terms which offer similar level of protection for Customer Data as those set out in this DPA and meet the requirements of article 28 (3) of GDPR; and
iii. if that arrangement involves a transfer of Customer Data to a location or recipient outside of the European Economic Area or a location or recipient not offering an adequate level of protection, in accordance with GDPR, ensure that the Standard Contractual Clauses attached in Annex 3 (or other instrument providing appropriate safeguards in accordance with GDPR) are incorporated into the agreement, where required, in the name and on behalf of Customer, which authorization Customer hereby grants to BuyerAssist.
8. Data Subject Rights
a) If a data subject contacts BuyerAssist to exercise the data subject’s legal rights, BuyerAssist will not respond to such request but forward such request to Customer without undue delay. BuyerAssist may only respond to data subject requests after a prior written approval by Customer or as required by laws to which BuyerAssist is subject. In such a case BuyerAssist will, to the extent permitted by applicable laws, inform Customer of that legal requirement before responding to the request.
b) Taking into account the nature of processing, BuyerAssist will assist Customer by implementing appropriate technical and organizational measures, as is reasonable, for the fulfilment of Customer’s obligations to respond to data subject requests.
c) BuyerAssist will rectify, delete or block Customer Data on Customer’s instructions.
d) If a data subject has a right to data portability with respect to Customer Data, BuyerAssist will ensure that Customer can obtain such data in a structured, common and machine-readable format.
9. Data Breach
a) BuyerAssist will inform Customer of any data breach affecting Customer Data without undue delay and, in any event, so as to facilitate the parties’ compliance with applicable law (such as notification timelines set by GDPR, article 33 (1)). BuyerAssist must inform Customer, where possible, about the type of breach, the categories and the number of data subjects, the data affected, and the number of data sets affected.
b) BuyerAssist will without undue delay take all necessary and reasonable measures to remedy the data breach and, where applicable, mitigate any negative effects. BuyerAssist will inform Customer as soon as reasonably possible about such measures and keep Customer informed as reasonably practicable.
c) BuyerAssist will document data breaches to support Customer to evidence compliance with any relevant legal obligations to notify (e.g. articles 33 and 34 GDPR).
10. Return and deletion of Customer Data
a) BuyerAssist is prohibited from actively processing Customer Data after termination of the Main Agreement.
b) At the choice and request of Customer, all Customer Data must be either completely and irretrievably deleted (or otherwise obliterated such that it cannot be recovered or reconstructed) or returned to Customer within a reasonable time after Customer request.
c) BuyerAssist may retain Customer Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws.
d) BuyerAssist will keep confidential such Customer Data that BuyerAssist retains in accordance with subsections b) and c) after cessation of processing. Customer Data referred to in section c) will only be processed as necessary for the purposes specified in the applicable laws requiring its storage and for no other purpose.
e) On Customer’s reasonable request BuyerAssist must provide a written confirmation that BuyerAssist has complied with this section.
11. Cross Border Data Transfer Mechanism
If any Customer Data transfer between Customer and Buyer Assist requires execution of Standard Contractual Clauses in order to comply with the Applicable Laws (where Customer is the Data Exporter), the terms and conditions of Appendix 3 (Standard Contractual Clauses - Cross Border Transfer Mechanisms – Module two « Controller to Processor ») will apply.
12. Audit
a) To the extent that the Main Agreement does not otherwise give the information and audit rights meeting the relevant requirements of data protection and privacy laws (including, where applicable, article 28(3)(h) GDPR), BuyerAssist will upon reasonable request make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the processing of Customer Data. BuyerAssist will not unreasonably withhold or delay agreement to an auditor selected by Customer.
b) Audits will be subject to customary confidentiality undertakings or professional duty of confidentiality. Customer will give BuyerAssist reasonable notice of any audit or inspection and will take (and ensure that auditors take) all reasonable endeavors to minimize disruption to BuyerAssist’s business, including e.g. carrying out the audits during normal business hours.
c) Customer will not carry out more than one audit per year of the Main Agreement term unless (i) Customer reasonably considers it necessary because of genuine and demonstrable concerns as to BuyerAssist’s compliance with this DPA or applicable data protection and privacy laws; or (ii) Customer is required or requested to carry out an audit by data protection and privacy laws, a supervisory authority or any similar regulatory authority responsible for enforcement of such laws; or (iii) if an earlier audit has identified non-conformity with this DPA or applicable data protection and privacy laws.
d) All costs and expenses arising from audits are borne by Customer.
e) Nothing herein limits any rights mandated by law, such as supervisory authority and data subject rights, including in accordance with the Standard Contractual Clauses.
13. Other BuyerAssist Obligations
a) If Customer is required to provide information to a supervisory authority relating to processing of Customer Data, or to otherwise cooperate with a public authority, BuyerAssist will support Customer by providing such information reasonably available to it or otherwise reasonably cooperating with Customer. This applies in particular to information and documents relating to technical and organizational measures taken in line with article 32 GDPR.
b) To the extent necessary and reasonable, BuyerAssist will support Customer with data protection impact assessments as well as with any subsequent consultation (if applicable) with the supervisory authorities in the meaning of articles 35 and 36 GDPR.
c) Without prejudice to anything in this DPA, BuyerAssist is responsible for its and its sub-processors’ compliance with applicable laws relating to this DPA.
d) Customer will reimburse to BuyerAssist the reasonable cost and expenses arising out of BuyerAssist’s support to Customer in accordance with this section.
14. General
a) For the avoidance of doubt, any claim or remedies the Customer may have against BuyerAssist, any of its Affiliates and their respective employees, agents and sub-processors arising under or in connection with this DPA, including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon Customer; or (iii) under applicable laws, rules, regulations or directives, including any claims relating to damages paid to a data subject, will be subject to any limitation of liability provisions that apply under the Main Agreement.
b) Any claims against BuyerAssist or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their authorized representative effective as at the date last executed below.
Annex 1:
Purposes and scope of the processing, type of data and categories of data subjects – All BuyerAssist Services (excluding the Boomerang Services)
For purposes of the Standard Contractual Clauses in Annex 3, this Annex 1 serves as Appendix 1.
Annex 1:
Purposes and scope of the processing, type of data and categories of data subjects – Boomerang Services only
For purposes of the Standard Contractual Clauses in Annex 3, this Annex 1 serves as Appendix 1.
Annex 2: Technical and organizational measures
For purposes of the Standard Contractual Clauses in Annex 3, this Annex 2 serves as Appendix 2.
This Annex 2 may be replaced by BuyerAssist security policy by appending or referencing and incorporating such policy herein:
https://buyerassist.io/data-security-standards
Annex 3: Standard Contractual Clauses
1.Definitions
a. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:
(i) UK Standard Contractual Clauses; and (ii) 2021 Standard Contractual Clauses.
b. “UK Standard Contractual Clauses” means Standard Contractual Clauses for Data Controller to Data Processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”); and
c. “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
- UK Standard Contractual Clauses. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by reference) and the UK Data Controller to Data Processor SCCs will apply where BuyerAssist is a Data Processor. The indemnification clause will not apply. Annex 1 serves as Appendix 1 of the UK Controller to Processor SCCs. Annex 2 serves as Appendix 2 of the UK Data Controller to Data Processor SCCs.
- The 2021 Standard Contractual Clauses. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses Module Two (Data Controller to Data Processor) will apply where Customer is a Data Controller and BuyerAssist is a Data Processor
(i) in Clause 7, the docking clause will not apply;
(ii) in Clause 9, Option 2 (‘General written authorization’) will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (sub-processors) of this Data Processing Agreement;
(iv) in Clause 17, the 2021 Standard Contractual Clauses will be governed by Delaware law.
(v) in Clause 18(b), disputes will be resolved before the courts of Delaware.
(vi) In Annex I, Part A: Data Exporter: Customer and authorized affiliates of Customer. Contact Details: Customer’s account owner email address. Data Exporter Role: Data Controller Signature & Date: By entering into the Main Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
(vii) Data Importer: BuyerAssist.io, Inc. Contact Details: BuyerAssist Privacy Team – infosec@buyerassist.io Data Importer Role: Data Processor Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
(viii) In Annex I, Part C: The Berlin Data Protection Authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) will be the competent supervisory authority.
2.To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this Addendum, the provisions of the Standard Contractual Clauses will prevail.
Annex 4: California Data Protection Provisions
Customer and BuyerAssist hereby agree as follows:
- The term “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder, in each case, as amended from time to time. The terms “Aggregate Consumer Information”, “Business”, and “Business Purpose”, “Commercial Purpose”, “Deidentified”, “Sell”, “Service Provider” and “Share” shall have the respective meanings given in the CCPA. The term “Personal Information” means any information collected, accessed, obtained, received, used, disclosed or otherwise processed by BuyerAssist in relation to BuyerAssist’s provision of services to Customer under the Agreement to the extent such information constitutes “personal information” as defined in the CCPA.
- BuyerAssist (a) acknowledges that Personal Information is disclosed by Customer only for the limited and specified purposes described in the Agreement, namely, the Services; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer may take reasonable and appropriate steps to ensure that BuyerAssist’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall promptly notify Customer of any determination made by BuyerAssist that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
- BuyerAssist shall not (a) Sell or Share Personal Information; (b) retain, use or disclose any Personal Information for any purpose other than for the Business Purpose of providing the services specified in the Agreement as described in Section 2(a), including retaining, using or disclosing Personal Information for a Commercial Purpose other than such Business Purpose; (c) retain, use or disclose Personal Information outside of the direct business relationship between BuyerAssist and Customer; or (d) combine the Personal Information received pursuant to the Agreement with “personal information” (as defined in the CCPA) received from another source or BuyerAssist’s own interactions with the Consumer to whom the Personal Information pertains, except to the extent the CCPA expressly permits a Service Provider to do so.
- It is the parties’ intent that BuyerAssist shall act as Customer’s Service Provider. The parties acknowledge and agree that BuyerAssist’s access to Personal Information is not part of the consideration exchanged by the parties in respect of the Agreement.
- To the extent the Agreement permits BuyerAssist to create or use aggregated, anonymized or deidentified Personal Information, such use shall be permitted only to the extent any such data constitutes Aggregate Consumer Information or Deidentified data, and BuyerAssist has complied with all requirements under the CCPA applicable thereto to the same extent that would be required if BuyerAssist were a Business with respect to such information.
- If BuyerAssist engages any other party to assist it in processing Personal Information on behalf of Customer, or if any other party engaged by BuyerAssist engages another party to assist in such processing, BuyerAssist shall notify Customer of that engagement, and the engagement shall be pursuant to a written contract binding the other party to observe all the requirements set forth in this Amendment.
- BuyerAssist shall promptly take such actions and provide such information as Customer may request to help Customer fulfill requests of individuals to exercise their rights under the CCPA and other applicable privacy laws, including, without limitation, requests to access, correct, delete, opt out of the Sale or Sharing of or receive information about Personal Information pertaining to them. BuyerAssist shall promptly notify Customer of any such requests received directly from individuals.
- BuyerAssist agrees to cooperate with Customer to further amend the Agreement as may be necessary to address compliance with the CCPA or other applicable privacy laws.
- BuyerAssist shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect it from unauthorized or illegal access, destruction, use, modification or disclosure.
