This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the Loop Terms of Service and Order Form (the “Agreement”) by and between Merchant and Company.
a. Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Merchant Personal Data in connection with Company’s execution and performance of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Annexes conflicts with the Agreement, this Addendum shall control.
b. Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Company will Process Merchant Personal Data until the relationship terminates as specified in the Agreement.
a. "Business", "Controller" or “Data Controller” shall mean an entity that determines the purposes and means of Processing of Personal Data.
b. “Merchant Personal Data” means Personal Data Processed by Company on behalf of Merchant under the Agreement.
c. “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Merchant Personal Data are subject. Data Protection Laws may include, but are not necessarily limited to, the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act (the “VCDPA”); the Colorado Privacy Act (the “CPA”); the Connecticut Data Protection Act (the “CTDPA”); the Utah Consumer Privacy Act (the “UCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Personal Information Protection and Electronic Documents Act 2000; the Privacy Act 1988 (“Privacy Act”); the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time), together with any applicable codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions.
d. “Data Subject” or “Consumer” means a natural person to whom any Merchant Personal Data pertains.
e. “Personal Data” means any data or information that: (i) is linked or reasonably linkable to an identified or identifiable natural person; or (ii) is otherwise defined as “personal data”, “personal information” or a similar designation under applicable Data Protection Laws.
f. “Process”, “Processes”, or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
g. “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Merchant Personal Data attributable to Company.
h. “Sell”, "Selling", "Share", and "Sharing" shall have the meaning assigned to such terms in Data Protection Laws.
i. “Company” or “Processor” shall mean an entity that Processes Personal Data on behalf of a Business or Controller.
j. “Services” means the services that Company performs under the Agreement.
k. “Sub processor(s)” means Company’s authorized vendors and third-party service providers that Process Merchant Personal Data.
a. Documented Instructions. Company shall Process Merchant Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work or Order Form, and any instructions agreed upon by the parties. Company will, unless legally prohibited from doing so, inform Merchant in writing if it reasonably believes that there is a conflict between Merchant’s instructions and applicable law or if it otherwise seeks to Process Merchant Personal Data in a manner that is inconsistent with Merchant’s instructions.
b. Authorization to Use Sub processors. To the extent necessary to fulfill Company’s contractual obligations under the Agreement, Merchant hereby authorizes Company to engage Sub processors from an agreed list as set out in Annex III to this Addendum.
c. Company and Sub processor Compliance. Company shall (i) enter into a written agreement with Sub processors regarding such Sub processors’ Processing of Merchant Personal Data that imposes on such Sub processors data protection requirements for Merchant Personal Data that are consistent with this Addendum; and (ii) remain responsible to Merchant for Company’s Sub processors’ failure to perform their obligations with respect to the Processing of Merchant Personal Data.
d. Right to Object to Sub processors. Where required by Data Protection Laws, Company will notify Merchant via email prior to engaging any new Sub processors that Process Merchant Personal Data and allow Merchant ten (10) days to object. If Merchant has legitimate objections to the appointment of any new Sub processor, the parties will work together in good faith to resolve the grounds for the objection.
e. Confidentiality. Any person authorized to Process Merchant Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
f. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Company agrees to provide reasonable assistance and comply with reasonable instructions from Merchant related to any requests from Data Subjects exercising their rights in Merchant Personal Data granted to them under Data Protection Laws. Further, Company shall make available to Merchant all reasonably relevant information and reasonably cooperate with Merchant in enabling Data Subjects to exercise their legal rights. Company will inform Merchant if Company receives an inquiry, subpoena or request for information, inspection or audit from a competent authority, relating to the Processing (except where Company is prohibited by law from making such disclosure). Company will inform Merchant if Company receives requests directly from Data Subjects and will not act on or answer them without Merchant's prior written consent unless otherwise required by Data Protection Laws.
g. U.S. States Data Protection Law Compliance. Merchant will have the right to: (i) take reasonable and appropriate steps to help ensure that Company uses Merchant Personal Data in a manner consistent with Merchant's obligations under and as required by Data Protection Laws; and (ii) take reasonable and appropriate steps to stop and remediate unauthorized use of such Merchant Personal Data under and as required by applicable Data Protection Laws. Company will notify Merchant in writing promptly if it determines that it can no longer meet its obligations under applicable Data Protection Laws. For the purposes of compliance with the Data Protection Laws related to the Processing of Merchant Personal Data designated as “personal information” or similar designation under applicable Data Protection Laws in the United States, Company acknowledges and confirms that it is a Service Provider and/or a Processor of Merchant, and that it does not receive any Merchant Personal Data as consideration for any Services. Without limiting the foregoing, Company is prohibited from: (i) Selling Merchant Personal Data; (ii) Sharing any Merchant Personal Data for cross-context behavioral advertising; (iii) retaining, using, or disclosing Merchant Personal Data outside of the direct business relationship between the parties hereto; or (iv) to the extent prohibited by Data Protection Laws, combining Merchant Personal Data with other information that Company receives from or on behalf of another person or persons, or collects from its own interaction with the Consumer. Company certifies that it understands the rules, restrictions and requirements in this Section 3(g) and will comply with them.
h. Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Company agrees to provide reasonable assistance at Merchant’s expense to Merchant where, in Merchant’s judgement, the type of Processing performed by Company requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
i. Demonstrable Compliance. Company agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Merchant’s reasonable request.
j. Service Optimization. Where permitted by Data Protection Laws, Company may Process Merchant Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
k. Aggregation and De-Identification. Company may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Merchant or any Data Subject to whom Merchant Personal Data relates (“Aggregated Data”); and (ii) use Aggregated Data for its lawful business purposes.
a. Company shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Merchant Personal Data.
a. Notice. Upon becoming aware of a Security Incident, Company agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Merchant’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Merchant to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
a. Cross-Border Transfers of Merchant Personal Data. Merchant authorizes Company and its Sub processors to transfer Merchant Personal Data across international borders, including from the European Economic Area, Switzerland, the United Kingdom and/or Australia to the United States, subject to the remainder of this Section 6.
b. Transfers of Merchant Personal Data originating in the EEA, Switzerland, and/or the UK.
i. If Merchant Personal Data originating in the European Economic Area is transferred to Company in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the unchanged version of the standard contractual clauses promulgated by Commission Implementing Decision (EU) 2021/914, Module Two (Transfer Controller to Processor) (the “Standard Contractual Clauses”), as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN
ii. If Merchant Personal Data originating in Switzerland is transferred to Company in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Standard Contractual Clauses, as supplemented by the following: a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: "To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the parties' processing of personal data that is subject to the applicable data protection laws of Switzerland. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to such laws."
iii. If Merchant Personal Data originating in the United Kingdom is transferred to Company in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Standard Contractual Clauses plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (the “UK Addendum”).
iv. The following options in the Standard Contractual Clauses are selected by the parties: (i) the optional text in Clause 7 is deleted; (ii) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must submit the request for specific authorization in accordance with Section 3(d) of the Addendum; (iii) the optional text in Clause 11 is deleted; and (iv) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
v. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses and/or the UK Addendum (as applicable), to the extent that the Standard Contractual Clauses and/or the UK Addendum apply hereunder.
vi. The Annexes to this Addendum provide the information required by Annexes I, II, and III of the Standard Contractual Clauses and by the UK Addendum as set out in Annex I.B to this Addendum. The Standard Contractual Clauses may also be annexed to this Addendum if appropriate.
vii. If the Standard Contractual Clauses or UK Addendum are deemed invalid by a governmental or judicial entity with jurisdiction over Merchant Personal Data (e.g., the EU Court of Justice) or if such entity imposes additional rules and/or restrictions regarding such transfers, the parties agree to work in good faith to find an alternative and/or modified approach with respect to such transfers which is in compliance with Data Protection Laws.
viii. Where the European Commission or other relevant supervisory authority issues new, updated or replacement Standard Contractual Clauses, or the UK Addendum is updated or replaced, then either party may notify the other in writing thereof and the parties shall replace the Standard Contractual Clauses or UK Addendum as appropriate and make any other necessary amendments to this Addendum.
c. Transfers of Merchant Personal Data originating in Australia. If Merchant Personal Data originating in Australia is transferred by Merchant to Company in a country outside of Australia, Company shall Process such Merchant Personal Data in accordance with the Privacy Act’s Australian Privacy Principles.
a. Where Data Protection Laws afford Merchant an audit right, Merchant (or its appointed representative) may carry out an audit of Company’s policies, procedures, and records relevant to the Processing of Merchant Personal Data. Any audit must be: (i) conducted during Company’s regular business hours; (ii) with reasonable advance notice to Company; (iii) carried out in a manner that prevents unnecessary disruption to Company’s operations; and (iv) subject to reasonable confidentiality agreements and procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
a. At the expiry or termination of the Agreement, Company will delete all Merchant Personal Data (excluding any backup or archival copies which shall be deleted in accordance with Company’s data retention schedule), except where Company is required to retain copies under applicable laws, in which case Company will isolate and protect that Merchant Personal Data from any further Processing except to the extent required by applicable laws.
a. Merchant’s Obligations. Merchant represents and warrants that: (i) it has complied and will comply with all applicable Data Protection Laws; (ii) it has provided Data Subjects whose Merchant Personal Data will be Processed in connection with the Agreement with a privacy notice that clearly and accurately describes Merchant’s and its processors’ practices with respect to the Processing of Merchant Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Merchant Personal Data as contemplated by the Agreement; and (iv) Company’s Processing of Merchant Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Merchant and any third party.
b. Account Data. Merchant agrees that Company may Process Account Data in accordance with the Loop privacy notice available at: https://www.loopreturns.com/privacy-notice. “Account Data” means Personal Data relating to use of the Services by an authorized user designated by Merchant (e.g., a Merchant employee or representative) (“Authorized User”). For example, Account Data includes Authorized Users’ login credentials and related usage data Processed in connection with Authorized Users’ use of the Services. Account Data is not Merchant Personal Data.
A. LIST OF PARTIES
Data Exporter: Merchant
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: Providing Personal Data to Company in order to enable Company to provide the Services.
Role: Controller.
Data Importer: Company
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: Processing Personal Data on behalf of Merchant in order to provide the Services to Merchant.
Role: Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Data exporter’s customers.
Categories of personal data transferred: Personal data that is transferred under the Agreement may include, but is not necessarily limited to, name, email address, and order details.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties’ knowledge, no sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the processing: collection, recording, retrieval, consultation, use, as necessary for provision of the Services to Merchant.
Purpose(s) of the data transfer and further processing: Provision of the Services, as set out in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Agreement and the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: See Annex III.
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. ADDITIONAL DATA TRANSFER IMPACT ASSESSMENT QUESTIONS
Data importer agrees that the responses to the data transfer impact assessment questions below are true, complete, and accurate.
What countries will personal data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from? United States.
Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws: As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending.
Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain: No.
Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain: No.
E. DATA TRANSFER IMPACT ASSESSMENT OUTCOME
Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Standard Contractual Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Company uses the following measures:
a. Company maintains an inventory of what personal data it keeps, where it stores it and who has access to it.
b. Data minimization and encryption. Personal data is not stored unless required; Company encrypts personal data whether it is at rest (data-at-rest encryption) or in transit (data-in-transit encryption).
c. Administrative safeguards. Including an access control policy, password policy, and removable media policy.
d. Technical safeguards. Based on current technology standards, Company has a security stack that is designed for the purpose of meeting the current challenges of the cybersecurity landscape.
e. Physical safeguards. Physical security measures are used in order to prevent unauthorized access to personal data.
f. Staff training, competence and behavior. Company provides education to its team members as to the importance of data protection and information security. All new employees undertake an onboarding process before being allowed to work with personal data. This involves data protection training, familiarization with this information security policy and the Company Tech Use and Confidentiality Policy.
g. Testing of security arrangements. The security posture is continuously examined using third party tools. This includes, but is not limited to, periodic Penetration Testing, Dynamic and Static Analysis, Phishing Simulation, Business Continuity Simulations, Breach Simulations, and Awareness Exams.
h. A security incident response plan. Company has a detailed incident response plan that is designed to meet all threat scenarios and risks.
i. Security oriented processes. Company has implemented a security oriented approach to all system development, human resources, and business operations. Company has implemented a Secure Development Lifecycle process, partner vetting, and other security measures designed to verify that all of Company’s channels of activity are aligned with its security goals.
LIST OF SUBPROCESSORS
The controller has authorised the use of the following sub-processors:
1. Amazon Web Services - Application server and database hosting
2. MongoDB Atlas - No-SQL database hosting
3. Elastic Cloud - Provides scalable computing capacity in Amazon Web Services
4. Mailgun - Generates emails from the Loop returns application
5. Fivetran - Database ETL (extract, transform, load)
6. Signal Sciences - Web application firewall
7. RLM Logistics - Enterprise Resource Management (ERP) software used to send and receive customer order information for the purpose of Return Merchandise Authorizations (RMA)
8. Google Cloud Platform - A serverless data warehouse used for data analytics; Google Cloud Platform offers several services, Loop is using BigQuery specifically
9. Segment by Twilio - Provides user experience tracking
10. Snowflake - A serverless data warehouse used for data analytics
UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022
Part 1: Tables
Table 1: Parties
Start Date: As set out in the Addendum
The Parties: As set out in Annex I
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.
Module: 2
In Operation: Yes
Clause 7 (Docking Clause): No
Clause 11 (Option): No
Clause 9a (Prior Authorisation or General Authorisation): General
Clause 9a (Time period): 10 days
Is personal data received from the Importer combined with personal data collected by the Exporter?: No
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex I Part A: List of Parties: ANNEX I
Annex I Part B: Description of Transfer: ANNEX I
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: ANNEX II
Annex III: List of Sub processors: ANNEX III
Table 4: Ending this Addendum when the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19: Importer or Exporter
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.