Data Processing Agreement

Last updated: 11 April 2023

This Data Processing Agreement (the “Agreement”) forms part of the Terms of Service (the “Principal Agreement”), between AskBeat (the “Vendor”) and the AskBeat User (the “Company”) (together as the “Parties”)

WHEREAS

(A) Company acts as a Data Controller.

(B) Company wishes to subcontract certain Services, which imply the processing of personal data, to Vendor.

(C) Vendor acts as a Data Processor.

(D) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(E) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

• "Company Personal Data" means any Personal Data Processed by a Processor on behalf of Controller pursuant to or in connection with the Principal Agreement;
• "Controller" means an entity, which determines the purposes and means of the processing of personal data: Company;
• "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
• "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
• "GDPR" means EU General Data Protection Regulation 2016/679;
• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as long as this information falls within the data protection laws;
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
• "Processing" means any operation or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means;
• "Processor" means an entity that processes Personal Data on behalf of Controller: Vendor or Sub-processor;
• "Services" means the services provided by Vendor to Company pursuant to the Principal Agreement;
• "Sub-processor" means an entity appointed by Vendor to process Personal Data on behalf of Company, with respect to providing the Services in connection with the Agreement and the Principal Agreement;
• "Supervisory Authority means an independent public authority which is established by a Member State.

For more details on GDPR definitions, please click here and refer to Article 4.

2. Processing of Company Personal Data

Vendor shall:

• comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
• not Process Company Personal Data other than on the relevant documented instructions, unless required to do so by Data Protection Laws to which Vendor is subject; in such a case, Vendor shall inform Company of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Company:

• instructs Vendor (and authorizes Vendor to instruct each Sub-processor) on how to process Company Personal Data;
• warrants and represents that it will use the Services according to the acceptable use as set forth in Section 4 of the Principal Agreement; and
• warrants and represents that it complies with all obligations as a Controller arising from all applicable Data Protection Laws with respect to processing Personal Data, including but not limited to notifying Data Subjects about Vendor’s processing activities.

The parties agree that this Agreement and the Principal Agreement, constitute the Company’s complete and final documented instructions to Vendor, in relation to the processing of Company Personal Data.

3. Vendor Personnel

Vendor shall ensure that all persons (including Employees, Agents or Sub-processors) authorized to process Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security

Vendor shall implement appropriate technical and organizational measures to ensure an appropriate level of security for protecting Company Personal Data from unauthorized access, use or disclosure, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5. Sub-processing

Company authorizes Vendor to appoint (and permit each Sub-processor appointed to appoint) Sub-processors with respect to providing the Services to Company. Sub-processors are available upon request at privacy@askbeat.com

Vendor shall give Company prior written notice of any intended changes concerning the addition or replacement of Sub-processors, including full details of the processing to be undertaken by each Sub-processor, thereby giving Company the opportunity to object to such changes.

Company shall notify Vendor, in written and within 5 calendar days of receipt of notice, of the objection and provide reasoning for the objection. In the case of an objection, Vendor shall work with Company in good faith to resolve the disagreement. If the parties do not manage to resolve the disagreement within 10 calendar days of objection receipt, both parties retain the right to terminate the Principal Agreement and the provision (by Vendor) or use (by Company) of the Services.

Where a Vendor engages a Sub-processor for carrying out specific processing activities on behalf of Company, the same data protection obligations as set out in this Agreement between Company and Vendor shall apply for Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the General Data Protection Regulation.

6. Data Subject Rights

Vendor shall assist Company, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Vendor shall:

1. respond, in a timely manner, if receives a ‘shop/redact’, ‘customers/redact’ or ‘a customers/data_request’ request from Shopify, without further authorization from Company;
2. provide Data Subjects with an opt out link, as clearly set forth in Section 9 of the Vendor’s Privacy Policy, incorporated in the Principal Agreement by reference, without further authorization from Company;
3. promptly notify Company if receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;
4. promptly notify Company if a Sub-processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data.

7. Personal Data Breach

Vendor shall notify Company without undue delay upon Vendor or any Sub-processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

Vendor shall cooperate with Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Vendor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, Vendor.

9. Deletion or return of Company Personal Data

Vendor shall promptly and in any event within 60 days of the date of cessation of the Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data. Vendor may optionally provide written notice to Company before and/or upon Company Personal Data deletion is completed.

Company may in its absolute discretion by written notice to Vendor, and prior to Company Personal Data deletion, require Vendor (a) to return a complete copy of all Company Personal Data to Company and (b) delete and procure the deletion of all other copies of Company Personal Data processed by any Processor.

Notwithstanding the foregoing, Processors may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processors shall ensure the confidentiality of all such Company Personal Data and that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

Vendor may retain electronic copies of files containing Company Personal Data created by automatic back-up procedures, that may not be immediately deleted. This Company Personal Data, within the back-up, is not further processed by Vendor and it is held on Vendor’s systems until it is permanently deleted within 30 days of back-up creation. The same applies for the cases of ‘shop/redact’ and/or ‘customers/redact’ requests from Shopify, as outlined in Section 6 of this Agreement.

10. Audit rights

Vendor shall, in accordance with Article 28 of the GDPR, make available to Company all information necessary to demonstrate compliance with the obligations laid down in this Agreement, and shall allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company.

Vendor shall, upon Company’s written notice to Vendor, made at least 30 days in advance, provide Company with all information necessary for such inspection.

11. General terms

Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.

Notices. All notices and communications, given under this Agreement, must be in writing and shall be delivered by Parties via email: Company should communicate with Vendor at privacy@askbeat.com and Vendor should communicate with Company at [store email] as set forth in Section 2.1 of the Vendor’s Privacy Policy, incorporated in the Principal Agreement by reference.

Order of precedence. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.

Amendments. Vendor may modify or supplement this Agreement, by written notice to Company: (i) if required to do so by a Supervisory Authority or other government or regulatory entity; and (ii) if necessary to comply with applicable Data Protection Laws.

Severability. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Governing law and jurisdiction. This Agreement is governed by the laws of the country stipulated for this purpose in the Principal Agreement. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the choice of jurisdiction stipulated in the Principal Agreement.