Data Protection Addendum

Last updated: 9th of September

THIS DATA PROTECTION ADDENDUM (“DPA”) forms part of the Agreement and is entered into by and between: (1) Swap Commerce Ltd (“Swap”); and (2) the entity or other person who is a counterparty to the Agreement into which this DPA is incorporated and forms a part (“Merchant”), together the “Parties” and each a “Party”.

1. DEFINITIONS AND INTERPRETATION

1.1 In this DPA, the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:

“Anonymised Data” means Merchant Personal Data Processed in a manner that it is no longer considered to be Personal Data under Applicable Data Protection Laws.

“Applicable Data Protection Laws” means Applicable Laws relating to privacy, data protection and data security that are applicable to Swap’s Processing of Merchant Personal Data under the Agreement (including the GDPR).

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means the identified or identifiable natural person to whom Merchant Personal Data relates.

“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Merchant Personal Data and the Processing thereof.

“GDPR” means, as and where applicable to the Processing concerned: (i) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); and/or (ii) the UK General Data Protection Regulation (“UK GDPR”).

“Merchant Personal Data” means any Personal Data Processed by Swap or its Sub-Processor on behalf of Merchant to provide the Services under the Agreement.

“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar term defined in Applicable Data Protection Laws.

“Personal Data Breach” means a breach of Swap’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Merchant Personal Data in Swap’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Merchant Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).

“Personnel” means a person’s employees, agents, consultants, contractors or other staff.

“Process”, and grammatical inflections thereof, means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of a Controller.

“Restricted Transfer” means the disclosure, grant of access or other transfer of Merchant Personal Data to any person located in: (i) in the context of the EU GDPR, any country or territory outside the European Economic Area (“EEA”) which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK GDPR, any country or territory outside the UK which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.

“SCCs” means the standard contractual clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914.

“Sub-Processor” means any third party appointed by or on behalf of Swap to Process Merchant Personal Data.

“Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office (or its successor).

“UK Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).

1.2 Unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Agreement.

2. PROCESSING OF MERCHANT PERSONAL DATA

2.1 Details and roles. The Parties acknowledge and agree that the details of Swap’s Processing of Merchant Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.

2.2 General. Swap shall not Process Merchant Personal Data other than: (a) on Merchant’s instructions set out in the Agreement and this DPA; or (b) as required by Applicable Laws, provided that in such circumstances, Swap shall inform Merchant in advance of the relevant legal requirement requiring such Processing if and to the extent Swap is: (i) required to do so by Applicable Data Protection Laws; and (ii) permitted to do so in the circumstances. Merchant instructs and authorises Swap to Process Merchant Personal Data for the purposes set out in the Agreement (as further described in Annex 1 (Data Processing Details) to the DPA). The Agreement is a complete expression of such instructions, and Merchant’s additional instructions will be binding on Swap only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Swap receives an instruction from Merchant that, in its reasonable opinion, infringes Applicable Data Protection Laws, Swap shall notify the Merchant.

3. TECHNICAL AND ORGANIZATIONAL MEASURES; ASSISTANCE

3.1 Personnel. Swap shall enter into written confidentiality agreements with all Swap Personnel who Process Merchant Personal Data that are not subject to professional or statutory obligations of confidentiality.

3.2 Security. Swap shall implement and maintain technical and organisational measures in relation to Merchant Personal Data designed to protect Merchant Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Merchant Personal Data, as described in Annex 2 (Security Measures) (the “Security Measures”). Swap may modify these Security Measures from time to time to reflect its then-current security standards and practices; provided that such modifications do not materially decrease the overall security of the Services and/or relevant Merchant Personal Data.

3.3 Data Subject Rights. Swap, taking into account the nature of the Processing of Merchant Personal Data, shall provide Merchant with such assistance as may be reasonably necessary and technically feasible to assist Merchant in fulfilling its obligations to respond to Data Subject Requests. If Swap receives a Data Subject Request, Merchant will be responsible for responding to any such request. Swap shall: (a) promptly notify Merchant if it receives a Data Subject Request; and (b) not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Merchant, except as required by Applicable Data Protection Laws.

3.4 DPIAs and Consultations. Swap shall, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to Merchant with any data protection impact assessments and prior consultations with Supervisory Authorities required by Applicable Data Protection Laws, in each case solely in relation to Processing of Merchant Personal Data by Swap.

4. PERSONAL DATA BREACHES

4.1 Notifications. Swap shall notify Merchant without undue delay upon Swap’s confirmation of a Personal Data Breach affecting Merchant Personal Data. Swap shall provide Merchant with information (insofar as such information is within Swap’s possession and knowledge and does not otherwise compromise the security of any confidential, proprietary or commercially sensitive information or any Personal Data Processed by Swap) to allow Merchant to meet its obligations under Applicable Data Protection Laws to report the Personal Data Breach. Swap’s notification of or response to a Personal Data Breach shall not be construed as Swap’s acknowledgement of any fault or liability with respect to the Personal Data Breach. As between the Parties, Merchant is solely responsible for complying with Applicable Laws (including notification laws), and fulfilling any third-party notification obligations, related to any Personal Data Breaches.

4.2 Consultation with Swap. If Merchant determines that a Personal Data Breach suffered by Swap or a Sub-Processor affecting Merchant Personal Data must be notified to any Supervisory Authority, any other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws or otherwise, to the extent such notice directly or indirectly refers to or identifies Swap, where permitted by applicable laws, Merchant agrees to: (a) notify Swap in advance; and (b) in good faith, consult with Swap and consider any clarifications or corrections Swap may reasonably recommend or request to any such notice, which: (i) relate to Swap’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with Applicable Laws.

5. SUB-PROCESSING

5.1 General authorisation. Merchant generally authorises Swap to appoint Sub-Processors in accordance with this Section 5. Information about Swap’s Sub-Processors, including their functions and locations, is as shown here (the “Sub-Processor List”). Without limitation, Merchant authorises Swap’s engagement of the Sub-Processors listed on the Sub-Processor List as of the Effective Date of the relevant Order Form.

5.2 Notification. Swap shall give Merchant prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor by updating the Sub-Processor List. If, within ten (10) days of receipt of that notice, Merchant notifies Swap in writing of any objections to the proposed appointment (made in good faith based upon evidenced concerns that the use of that proposed Sub-Processor would cause Merchant to be in material and unavoidable breach of Applicable Data Protection Laws): (a) Swap shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and (b) where: (i) such a change cannot be made within thirty (30) days from Swap’s receipt of Merchant’s notice; (ii) no commercially reasonable change is available; and/or (iii) Merchant declines to bear the cost of the proposed change, then Swap may terminate the Agreement without liability to Merchant beyond reimbursing any pre-paid fees on a pro-rated basis. If Merchant does not object to Swap’s appointment of a Sub-Processor during the objection period referred to in this Section 5.2, Merchant shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.

5.3 Swap Responsibilities. With respect to each Sub-Processor, Swap shall maintain a written contract between Swap and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Merchant Personal Data as those set out in this DPA. Swap shall remain liable for any breach of this DPA caused by a Sub-Processor (subject to any limitations and/or exclusions in the Agreement).

6. DATA TRANSFERS

6.1 General. Each Party shall comply with Applicable Data Protection Laws with respect to Restricted Transfers. Without limiting the foregoing, Merchant instructs Swap to make all Restricted Transfers, including to Sub-Processors, necessary to provide the Services.

6.2 Additional documents. To the extent compliance with Section 6.1 requires the Parties to enter into additional documents, such as the SCCs and/or the UK Addendum, the Parties agree to work together in good faith to negotiate and promptly enter into such additional documents that are necessary to comply with Applicable Data Protection Laws.

7. AUDITS

7.1 Information provision and audits. Swap shall make available to Merchant on reasonable request, such information as Swap (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. Subject to Sections 7.2 to 7.4, in the event that Merchant (acting reasonably) is able to provide documentary evidence that such information is not sufficient in the circumstances to demonstrate Swap’s compliance with this DPA, Swap shall allow for and contribute to audits by Merchant or an auditor mandated by Merchant in relation to the Processing of Merchant Personal Data by Swap.

7.2 Merchant responsibilities. Merchant shall give Swap reasonable notice of any audit to be conducted under Section 7.1 (which shall in no event be less than fourteen (14) days’ notice, unless a shorter notice period is specifically required under Applicable Data Protection Laws relevant to the audit concerned) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Swap’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Swap’s other customers or the availability of Swap’s services to such other customers).

7.3 Audit plans. Prior to conducting any audit, Merchant must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Swap will review the proposed audit plan and provide Merchant with any feedback, concerns or questions (for example, any request for information that could compromise Swap security, privacy, employment or other relevant policies). Swap will work cooperatively with Merchant to agree on a final audit plan.

7.4 Limitations. Swap need not give access to its premises for the purposes of any audit under this Section 7: (a) where a third-party audit report or certification (e.g., SOC 2 Type 2, ISO 2700x, NIST or similar audit report or certification) is provided in lieu of such access (acceptance of which for this purpose not to be unreasonably withheld, delayed or conditioned by Merchant); (b) to any individual unless they produce reasonable evidence of their identity; (c) to any auditor whom Swap has not approved in advance (acting reasonably); (d) to any individual who has not entered into a non-disclosure agreement with Swap on terms acceptable to Swap (acting reasonably); (e) outside normal business hours at those premises; or (f) on more than one occasion in any calendar year during the term of the Agreement, except for any audits which Merchant is required to carry out under Applicable Data Protection Laws or by a Supervisory Authority. Nothing in this DPA shall require Swap to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers. Nothing in this Section 7 shall be construed to obligate Swap to breach any duty of confidentiality.

8. RETURN AND DELETION

8.1 General. Upon expiration or earlier termination of the Agreement, Swap shall return and/or delete all Merchant Personal Data in Swap’s care, custody or control in accordance with Merchant’s instructions as to the post-termination return and deletion of Merchant Personal Data expressed in the Agreement. To the extent that deletion of any Merchant Personal Data contained in any back-ups maintained by or on behalf of Swap is not technically feasible within the timeframe set out in Merchant’s instructions, Swap shall: (a) securely delete such Merchant Personal Data in accordance with any relevant scheduled back-up deletion routines (e.g., those contained within Swap’s relevant business continuity and disaster recovery procedures); and (b) pending such deletion, put such Merchant Personal Data beyond use.

8.2 Permitted retention. Notwithstanding the foregoing, Swap may retain Merchant Personal Data where required by Applicable Laws, provided that Swap shall: (a) maintain the confidentiality of all such Merchant Personal Data, and (b) Process the Merchant Personal Data only as necessary for the purpose(s) and duration specified in the Applicable Law requiring such retention. Swap may also retain any Anonymised Data created from Merchant Personal Data.

9. MERCHANT’S RESPONSIBILITIES

9.1 Security. Merchant agrees that, without limiting Swap’s obligations under Section 3.2 (Security), Merchant is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Merchant Personal Data; (b) securing the account authentication credentials, systems and devices Merchant uses to access the Services; (c) securing Merchant’s systems and devices that Swap uses to provide the Services; and (d) backing up Merchant Personal Data.

9.2 Compliance. Merchant shall ensure that: (a) there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Swap of Merchant Personal Data in accordance with this DPA and the Agreement (including any and all instructions issued by Merchant from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and (b) all Data Subjects have: (i) been presented with all required notices and statements (including as required by Articles 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Swap of Merchant Personal Data.

9.3 Restricted Data. Merchant shall not provide or otherwise make available to Swap any Merchant Personal Data that contains any: (a) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA); (b) health insurance information; (c) biometric information; (d) passwords to any online accounts; (e) any payment card information subject to the Payment Card Industry Data Security Standard; (f) credentials to any financial accounts; (g) Personal Data of children under 18 years of age; or (h) any information that falls within any special categories of personal data (as defined in GDPR) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Data”).

10. VARIOUS

10.1 Incorporation and Application. This DPA shall be incorporated into and form part of the Agreement. This DPA: (a) applies only if and to the extent Applicable Data Protection Laws govern Swap’s Processing of Merchant Personal Data in performance of the Service(s) as a ‘processor’, ‘service provider’ or similar role defined under Applicable Data Protection Laws; and (b) does not apply to Swap’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics, its own information and systems security purposes supporting the operation of the Services, nor its own legal, regulatory or compliance purposes.

10.2 Costs. Except to the extent prohibited by Applicable Data Protection Laws, Merchant shall compensate Swap at Swap’s then-current professional services rates for, and reimburse any costs reasonably incurred by Swap in the course of providing, cooperation, information, or assistance requested by Merchant pursuant to Sections 3.3 (Data Subject Rights), 3.4 (DPIAs and Consultations) and 7 (Audits) of this DPA (provided that Swap shall bear its own costs in the event that any audit or inspection conducted in accordance with that Section 7 reveals any material non-compliance by Swap with this DPA and/or Applicable Data Protection Laws), in each case, beyond providing self-service features included as part of, or in connection with, the Services.

10.3 LIABILITY. The total aggregate liability of either Party towards the other Party, whether in contract, tort (including for negligence), breach of statutory duty (howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and Loss agreed by the Parties in the Agreement.

10.4 Updates. Swap may amend this DPA from time to time by notice to the Merchant to address requirements of Applicable Data Protection Laws. If Merchant does not agree to such amendment, Merchant must and shall stop using the Services. Merchant’s continued use of the Services after any amendment constitutes Merchant’s binding acceptance of such amendment to the DPA.

Annex 1

Swap Details:

Name:

Swap Commerce Ltd

Address:

86-90 Paul Street, London, EC2A 4NE, United Kingdom

Contact Details for Data Protection:

Role: Legal Counsel

Email: privacy [at] swap-commerce [dot] com

Swap Activities:

Swap provides Swap’s Platform, the Global Product, and the Return Product, and other Services to Merchants who link their shops to Swap and to Consumers.

Role:

Processor

Merchant Details:

Name:

As set out in the Order Form

Address:

As set out in the Order Form

Contact Details for Data Protection:

As set out in the Order Form

Merchant Activities:

Merchant wishes to use Swap’s Platform to enable itself and its Consumers to take advantage of the Global Product and/or Return Product, as well as any other Services offered by Swap.

Role:

Controller – in respect of any Processing of Merchant Personal Data in respect of which Merchant is a Controller in its own right.

Processor – in respect of any Processing of Merchant Personal Data in respect of which Merchant is itself acting as a Processor on behalf of any other person (including, where applicable, its affiliates or Merchant’s own customers for whom Merchant is a Processor).

Details of Processing:

Categories of Data Subjects:

Merchant’s Staff and Consumers

Categories of Personal Data:

Merchant’s Staff:

Name, contact details, Access Credentials

Consumers:

Name, contact details, delivery address, details of Goods purchased and/or returned, transaction details, payment details

Sensitive Data, and associated additional restrictions/safeguards:

Categories of Sensitive Data:

None (see Section 9.3).

Additional safeguards for Sensitive Data:

N/A

Frequency:

Ongoing – as initiated by Merchant in and through its use, or use on its behalf, of the Services.

Nature of the Processing:

Processing operations required to provide the Services in accordance with the Agreement.

Purpose of the Processing:

Merchant Personal Data will be Processed: (i) as necessary to provide the Services as initiated by Merchant in its use thereof, and (ii) to comply with any other reasonable instructions provided by Merchant in accordance with the terms of this DPA.

Duration of Processing / Retention Period:

For the period determined in accordance with the Agreement and DPA, including Section 8 of the DPA.

Transfers to (sub-)processors:

Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.

Annex 2

Security Measures

Swap agrees to implement and maintain the following security measures:

1. Organisational management and staff responsible for the development, implementation and maintenance of Swap’s information security program.

2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Swap’s organisation, monitoring and maintaining compliance with Swap’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

3. Data security controls which include at a minimum logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Merchant Personal Data.

4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

5. Password controls designed to manage and control password strength, expiration and usage.

6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.

7. Physical and environmental security of production resources relevant to the Services is maintained by the relevant Sub-Processor(s) engaged from time to time by Swap to host those resources. Swap takes steps to ensure that such Sub-Processors provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data centre, server room facilities and other areas containing Merchant Personal Data – designed to: (a) protect information assets from unauthorised physical access, (b) manage, monitor and log movement into and out of Sub-Processor facilities, and (c) guard against environmental hazards such as heat, fire and water damage.

8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Swap’s possession.

9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Swap’s technology and information assets.

10. Incident management procedures designed to allow Swap to investigate, respond to, mitigate and notify of events related to Swap’s technology and information assets.

11. Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.

12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.
