This Data Processing Addendum (the "Addendum" or “DPA”) forms part of your agreement with Provider (as defined below) for the provision of our services wherein we act as a Processor to process Customer Personal Data (“Agreement”).
The terms used in this Addendum shall have the meanings set forth in this Addendum and capitalized terms not defined herein shall have the meaning set forth in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum. Each reference to the Addendum in this Addendum means this Addendum including its Schedules and Appendices.
If you have any questions or concerns with respect to this Agreement or the services you may contact us at legal@paddle.com.
In the course of providing the services to Customer pursuant to the Agreement, Provider may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data.
1. DEFINITIONS
Affiliate Entity means any corporation, partnership, limited liability company or other form of legal entity, which directly or indirectly controls, is controlled by or is under joint control, from time to time.
Applicable Data Protection Laws means:
California Privacy Acts means the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”).
Customer Personal Data means any Personal Data Processed by Provider (or a Sub-processor) on behalf of Customer pursuant to or in connection with the Agreement;
EU GDPR means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law
Provider means Paddle.com Inc. of 3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, USA
Sub-processor means any person (including any third party, but excluding an employee of Provider or any of its subcontractors) appointed by or on behalf of Provider to Process Personal Data on behalf of Customer under the Agreement;
Security Documentation means the security documents located at www.profitwell.com/security as amended from time to time, or as otherwise made available by the Processor to the Controller.
Services means the services provided by Provider subject to the terms and conditions of the applicable Agreement in which Provider acts as Processor for the Customer.
Standard Contractual Clauses mean:
UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Processing", "Processor", and "Supervisory Authority" shall have the same meaning as in the UK GDPR, and shall be construed accordingly.
2. EFFECTIVENESS
2.1 Legal Authority. Customer represents to Provider that he or she has the legal authority to bind Customer and is lawfully able to enter into contracts.
2.2 Termination. This Addendum will terminate upon the earliest of: (i) termination of the Agreement as permitted hereunder or by the terms of the Agreement (and without prejudice to the survival of accrued rights and liabilities of the parties and any obligations of the parties which either expressly or by implication survive termination); (ii) as earlier terminated pursuant to the terms of this Addendum or (iii) as agreed by the parties in writing.
3. PROCESSING OF PERSONAL DATA
3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller, Provider is a Data Processor and that Provider will engage Sub-processors pursuant to the requirements set forth in clause 5 "Sub-processors" below.
3.2 Customer Authority. Customer represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instruction set forth in clause 3.4 below on behalf of itself.
3.3 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws. Customer's instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. In addition, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Personal Data provided by the Customer shall not contain information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric, data concerning health or data concerning an individual's sex life or sexual orientation ("Special Categories of Data").
3.4 Provider's Processing of Personal Data.
3.5 Details of the Processing. The subject-matter of Processing of Customer Personal Data by Provider is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects Processed under this Addendum, as required by article 28(3) of theEU GDPR and UK GDPR (and, possibly, equivalent requirements of other Applicable Data Protection Laws), are further specified in Exhibit A to this Addendum, as may be amended by the parties from time to time.
4. PROVIDER PERSONNEL
Throughout the term of this Addendum, Provider shall restrict its personnel from Processing Customer Personal Data without authorization by Provider and shall limit the Processing to that which is needed for the specific individual's job duties in connection with Provider's provision of the Services under the Agreement. Provider will impose appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5. SUB-PROCESSORS
5.1 Appointment of Sub-Processors. The Customer acknowledges and agrees that: (i) Affiliated Entities of the Provider may be used as Sub-processors; and (ii) the Provider and its Affiliated Entities respectively may engage Sub-processors in connection with the provision of the Services.
5.2 List of Current Sub-processors and Notification of New Sub-processors. When requested by the Customer, the Provider shall make available to Customer an up-to-date list of all Sub-processors used for the processing of Customer Personal Data.
5.3 Objection Right for New Sub-processors. Provider shall give Customer written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. If, within 14 days of receipt of that notice, Customer notifies Provider in writing of any objections (on reasonable grounds) to the proposed appointment, then (i) Provider shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and (ii) where such a change cannot be made within 14 days from Provider's receipt of Customer's notice, notwithstanding anything in the Agreement, Customer may by written notice to Provider with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor.
5.4 Sub-processing Agreement; Provider has or shall enter into a written agreement with each Sub-processor (the "Sub-processing Agreement") containing data protection obligations not less protective than those in the Agreement and/or this Addendum with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Provider shall be liable for the acts and omissions of its Sub-processors to the same extent Provider would be liable if performing the services of each Sub-processor directly under the terms of this Addendum.
6. SECURITY
6.1 Adequate Measure. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall in relation to the Customer Personal Data implement and maintain throughout the term of this Addendum, the technical and organisational measures set forth in Exhibit B (the "Security Measures"). Customer acknowledges and agrees that it has reviewed and assessed the Security Measures and deems it appropriate for the protection of Customer Personal Data.
6.2 Personal Data Breach Risk. In assessing the appropriate level of security, Provider shall take account of the risks that are presented by Processing, in particular from an incident of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data ("Personal Data Breach").
7. DATA SUBJECT RIGHTS
7.1 Correction, Blocking and Deletion. Provider shall comply with any commercially reasonable request by Customer to correct, amend, block, or delete Customer Personal Data, as required by Applicable Data Protection Laws, to the extent Provider is legally permitted to do so.
7.2 Measures to assist with Data Subject Rights. Taking into account the nature of the Processing, Provider shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Provider's provision of such assistance.
7.3 Response to Requests: Provider
8. PERSONAL DATA BREACH
8.1 Notification of Data Breach. Provider shall, to the extent permitted by law, notify Customer without undue delay upon Provider or any Sub-processor becoming aware of a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Data Protection Laws.
8.2 Assistance. Provider shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Provider shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with regulatory authorities or other competent data privacy authorities, which Customer reasonably considers to be required of it by Article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Law & Regulation, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Provider or the Sub-processors.
10. RETURN OR DESTRUCTION OF PERSONAL DATA.
10.1 Return or Deletion. Subject to the provisions of clause 10.2 below, at Customer's election, made by written notice to Provider following 30 days of the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), Provider shall, and shall procure that all Sub-processors: (a) return a complete copy of all Customer Personal Data to Customer in such format and manner requested by Customer and reasonably acceptable to Provider; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by Provider or any Sub-processor. Provider shall comply with any such written request within 30 days of the Cessation Date.
10.2 Retention of Copies. Provider and each Sub-processor may retain Customer Personal Data to the extent required by applicable European Union law or the law of an EU Member State and only to the extent and for such period as required by such laws and always provided that Provider shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in such law requiring its storage and for no other purpose.
11. AUDIT
11.1 Report on Compliance. Subject to the provisions of clause 11.3 below, at Customer's written request, Provider will provide Customer all information necessary to demonstrate compliance with this Addendum. The information provided will constitute Confidential Information of the Provider under the confidentiality provisions of the Agreement or a non-disclosure agreement, as applicable.
11.2 Audit. Provider shall allow for and contribute to audits, including inspections, by any Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Provider or Sub-processors in accordance with clauses 11.1 and 11.3 to this Addendum
11.3 Process. The parties agree that the audits described in clause 11.2 above and/or in the Standard Contractual Clauses shall be carried out in accordance with the following specifications:
11.4 Following the Audit:
12. TRANSFER OF DATA
12.1 Standard Contractual Clauses. Where Personal Data relating to an EU or UK Data Subject is transferred outside of the EEA it shall be processed only by entities which: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place.
12.2 Applicability. Clause 12.1 shall not apply to a cross border transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant cross border to take place without breach of applicable Data Protection Law and Regulation (a "Restricted Transfer").
12.3 Transfers between Customer and Provider. The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliated Entities of Customer, if any, established within the UK and the European Economic Area that are recipients of the Services. For the purpose of the Standard Contractual Clauses and this clause 12, the Customer and its Affiliated Entities shall be deemed to be "Data Exporters" and the following terms shall apply:
12.4 Sub-processors. Provider warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, it shall ensure that one of the following is in place: (i) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Customer, or a relevant intermediate Sub-processor, on the one hand and Sub-processor on the other hand; (ii) that Sub-processor enters into an agreement incorporating the Standard Contractual Clauses with Provider or that (iii) Provider's entry into the Standard Contractual Clauses under clause 12.1 above as agent for and on behalf of that Sub-processor, will have been duly and effectively authorized (or subsequently ratified) by that Sub-processor.
12.5 Conflict. In the event of any conflict or inconsistency between the body of this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13. California Privacy Acts
13.1 To the extent that the California Privacy Acts are applicable, then, notwithstanding anything to the contrary herein the Parties acknowledge:
- In the context of the transfer of personal information to Customer to Provider; Provider is a service provider for the Customer. Customer shall disclose Personal Data to the Provider solely for: (i) a valid business purpose of providing the Services; and (ii) Provider to perform the business purpose, and (iii) for the avoidance of doubt, the transmission of personal information is not for the purposes of cross-context behavioural advertising .
- Provider is prohibited from: (i) selling personal information; (ii) retaining, using, or disclosing personal information for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the personal information outside of the provisions of the Agreement.
- Both parties certify that they understand and will comply with the restrictions set forth in this clause 13.
For the purposes of this clause 13, the terms “personal information,” “consumer”, “service provider,” “business purpose”, “sale,” “cross-context behavioural advertising”, “share” and “sell” are as defined in Section 1798.140 of the California Privacy Acts.
14. JURISDICTION AND GOVERNING LAW.
14.1 Law. Save for as specified in relation to the Standard Contractual Clauses, this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of England and Wales.
14.2 Jurisdiction. With respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity the parties submit to the jurisdiction of the competent courts established in England and Wales.
15. INDEMNIFICATION; LIMITATION OF LIABILITY.
If one party is held liable for a violation of this Addendum or, if applicable, any provision of the Standard Contractual Clauses, committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred in accordance with the provisions of the "Indemnification" clause of the Agreement. Each party's liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' clause of the Agreement. For the avoidance of doubt, Provider's total liability for all claims from the Customer or any third party arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.
PROCESSOR / DATA IMPORTER:
Name: Paddle.com Inc.
Address: 3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803, USA
Contact: privacy@paddle.com
Activities relevant to the data transferred under these Clauses: Customer receives the Services described in the Terms.
Role (controller/processor): Processor
DESCRIPTION OF TRANSFER
Duration of the Processing: The duration of data processing shall be for the term agreed between data exporter and Provider in the Agreement or an applicable Order Form.
Nature and Purpose of the Processing: The scope and purpose of processing of the data subjects' personal data is to facilitate the provision of Provider's and its Subsidiaries' Services.
Types of Customer Personal Data: The personal data transferred includes e-mail, user ID, name, phone number, last 4 digits of the card number, language, address, IP address, documents, and other data in an electronic form provided in the context of Provider's Services, which shall not include any Special Categories of Data.
Categories of Data Subjects: Data subjects include the Customer's representatives and end users including employees, contractors, collaborators, and Customer's customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Provider's Services. The data subjects exclusively determine the content of data submitted to Provider.
Frequency of Transfer: Continuous
Competent Supervisory Authority: Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office.
1. PERSONNEL
Data Importer's personnel will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.
2. DATA PRIVACY CONTACT
Paddle.com Inc.
Attn: Michael Cox
3811 Ditmars Blvd, #1071 Astoria, New York, 11105-1803 USA
3. TECHNICAL AND ORGANIZATION MEASURES
The Data Importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
3.1 Organization of Information Security.
a. Security Roles and Responsibilities. The Data Importer has appointed Michael Cox as the security officer responsible for coordinating and monitoring the security rules and procedures.
b. Duty of Confidentiality. The Data Importer's personnel with access to customer data are subject to confidentiality obligations.
3.2 Risk Management. The Data Importer conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems, including conducting penetration testing. The Data Importer implements measures, as needed, to address vulnerabilities discovered in a timely manner.
3.3 Storage. The Data Importer's database servers are hosted in a data center operated by a third party vendor, that has been qualified per the Data Importer's vendor management procedure. The Data Importer maintains complete administrative control over the virtual servers, and no third-party vendors have logical access to customer data.
3.4 Asset Management.
a. Asset Inventory. The Data Importer maintains an inventory of all media on which customer data is stored. Access to the inventories of such media is restricted to authorized personnel.
b. Asset Handling.
i. The Data Importer employees are required to utilize encryption to store data in a secure manner and are required to use two-factor authentication to access the networks.
ii. The Data Importer imposes restrictions on printing customer data and has procedures for disposing of printed materials that contain customer data.
iii. The Data Importer's personnel must obtain authorization prior to storing customer data on portable devices, remotely accessing customer data, or processing customer data outside the Data Importer's facilities.
3.5 Software Development and Acquisition. For the software developed by Data Importer, Data Importer follows secure coding standards and procedures set out in its standard operating procedures.
3.6 Change Management. Data Importer implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for the Data Importer's software, information systems or network architecture. These change management procedures include appropriate segregation of duties.
3.7 Third Party Provider Management. In selecting third party providers who may gain access to, store, transmit or use customer data, Data Importer conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
3.8 Human Resources Security. The Data Importer informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.
3.9 Physical and Environmental Security.
a. Physical Access to Facilities. The Data Importer limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. Data Importer terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.
b. Physical Access to Components. The Data Importer maintains records of the incoming and outgoing media containing customer data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of customer data they contain.
c. Protection from Disruptions. The Data Importer uses commercially reasonable systems and measures to protect against loss of data due to power supply failure or line interference.
d. Component Disposal. The Data Importer uses commercially reasonable processes to delete customer data when it is no longer needed.
3.10 Communications and Operations Management.
a. Security Documents. The Data Importer maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel.
b. Data Recovery Procedures.
i. On an ongoing basis, the Data Importer maintains multiple copies of customer data from which it can be recovered.
ii. The Data Importer stores copies of customer data and a data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.
iii. The Data Importer has procedures in place governing access to copies of customer data.
iv. The Data Importer has anti-malware controls to help avoid malicious software gaining unauthorized access to customer data.
c. Encryption; Mobile Media. The Data Importer uses HTTPS encryption on all data connections. The Data Importer restricts access to customer data in media leaving its facilities.
d. Event Logging. The Data Importer logs the use of our data-processing systems. We maintain logs for at least 30 days.
3.11 Access Control.
a. Records of Access Rights. The Data Importer maintains a record of security privileges of individuals having access to customer data.
b. Access Authorization.
i. The Data Importer maintains and updates a record of personnel authorized to access systems that contain customer data.
ii. The Data Importer deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.
iii. The Data Importer identifies those personnel who may grant, alter, or cancel authorized access to data and resources.
c. Least Privilege.
i. Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function. ii. The Data Importer restricts access to customer data to only those individuals who require such access to perform their job function.
d. Integrity and Confidentiality.
i. The Data Importer instructs its personnel to disable administrative sessions when leaving the Data Importer's premises or when computers are unattended.
ii. The Data Importer stores passwords in a way that makes them unintelligible while they are in force.
e. Authentication.
i. The Data Importer uses commercially reasonable practices to identify and authenticate users who attempt to access information systems. ii. Where authentication mechanisms are based on passwords, the Data Importer requires that the passwords are renewed regularly. iii. Where authentication mechanisms are based on passwords, the Data Importer requires the password to be at least eight characters long. iv. The Data Importer ensures that de-activated or expired identifiers are not granted to other individuals. v. The Data Importer maintains commercially reasonable procedures to deactivate passwords that have been corrupted or inadvertently disclosed or pursuant to a number of failed login attempts. vi. The Data Importer uses commercially reasonable password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
f. Network Design. The Data Importer has controls to avoid individuals assuming access rights they have not been assigned to gain access to customer data they are not authorized to access.
3.12 Network Security.
a. Network Security Controls. Data Importer's information systems have security controls designed to detect and mitigate attacks by using logs and alerting.
b. Antivirus. Data Importer implements endpoint protection on its hosting environments, including antivirus; which are continuously updated with critical patches or security releases in accordance with Data Importer's server change control procedures.
3.13 Information Security Incident Management.
a. Record of Breaches. The Data Importer maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
b. Record of Disclosure. The Data Importer tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time.