This Data Processing Addendum ("DPA") serves as an extension of the Agreement, entered into separately between EComposer ("us" or "we") and the Customer ("Customer"), collectively referred to as the "Parties." It outlines additional responsibilities concerning processing Customer Personal Information in compliance with the California Consumer Privacy Act (CCPA) and European Union Data Protection Laws.
Unless otherwise defined herein, capitalized terms have the meanings specified in the Terms of Service governing products and services provided by EComposer ("Principal Agreement"). The Principal Agreement remains in full force and effect, except as modified below. References in this Agreement to the Principal Agreement pertain to the Principal Agreement as amended by this Agreement.
1.1 Unless otherwise defined herein, capitalized terms in this Agreement have the following meanings:
- Agreement: Refers to this Data Processing Agreement and all associated Schedules.
- Company Personal Data: Denotes Personal Data Processed by a Contracted Processor on behalf of the Company under or related to the Principal Agreement.
- Contracted Processor: Signifies a Subprocessor.
- Data Protection Laws: Includes EU Data Protection Laws and, when applicable, the data protection or privacy laws of any other country.
- EEA: Stands for the European Economic Area.
- EU Data Protection Laws: Encompasses EU Directive 95/46/EC, as incorporated into domestic legislation of each Member State, and as subsequently amended, replaced, or superseded, including by the GDPR and related implementing laws.
- GDPR: Refers to the EU General Data Protection Regulation 2016/679.
- Data Transfer: Entails the transfer of Company Personal Data from the Company to a Contracted Processor or an onward transfer of Company Personal Data between Contracted Processors, in cases where such transfers would be prohibited by Data Protection Laws.
- Services: Represents the Shopify page building services provided by the Company.
- Subprocessor: Any individual appointed by or on behalf of Processor to process Personal Data on behalf of the Company concerning the Agreement.
1.2 Terms such as "Commission," "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" shall hold the same meanings as defined in the GDPR, with cognate terms interpreted accordingly.
2. Processing of Company Personal Data:
2.1.1 Comply with all applicable Data Protection Laws in processing Company Personal Data.
2.1.2 Not process Company Personal Data except in accordance with documented instructions provided by the Company.
2.2 The Company instructs Processor to process Company Personal Data.
2.3 The Customer acknowledges and consents to EComposer retaining a Subprocessor for cloud storage of data.
3. Processor Personnel:
Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor with access to Company Personal Data. Access must be strictly limited to individuals needing it for the purposes of the Principal Agreement. These individuals must comply with confidentiality undertakings or professional and statutory obligations of confidentiality.
4.1 Processor shall implement appropriate technical and organizational measures for the security of Company Personal Data, considering factors such as the state of the art, implementation costs, the nature of Processing, and the associated risks to individuals' rights and freedoms. This includes measures mentioned in Article 32(1) of the GDPR when deemed appropriate.
4.2 In determining security measures, Processor shall assess the risks associated with Processing, especially those stemming from Personal Data Breaches.
5.1 The Customer acknowledges that EComposer has appointed Amazon Web Services as a Subprocessor for cloud data storage.
5.2 Regarding Amazon Web Services, EComposer ensures that the Subprocessor offers a level of protection for Controller Personal Data at least equal to that established in this Agreement and meeting the requirements of Article 28(3) of the GDPR.
6. Data Subject Rights:
6.1 Processor shall assist the Company in implementing appropriate technical and organizational measures, to the extent possible, to fulfill the Company's obligations regarding Data Subject rights under Data Protection Laws.
6.2 Processor shall:
6.2.1 Promptly notify the Company of requests from Data Subjects regarding Company Personal Data under any Data Protection Law.
6.2.2 Not respond to such requests except based on documented instructions from the Company or as required by Applicable Laws, in which case Processor shall inform the Company of the legal requirement before responding.
7. Personal Data Breach:
7.1 Processor shall promptly notify the Company upon becoming aware of a Personal Data Breach affecting Company Personal Data. This notification will include sufficient information for the Company to meet its obligations under Data Protection Laws regarding reporting or informing Data Subjects of the breach.
7.2 Processor shall cooperate with the Company, following the Company's instructions, in investigating, mitigating, and remediating each Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation:
Processor shall reasonably assist the Company with data protection impact assessments and prior consultations with Supervisory Authorities, as required by Data Protection Laws, concerning the Processing of Company Personal Data by the Contracted Processors.
9. Deletion or Return of Company Personal Data:
Upon the Customer's request for the deletion of Company Personal Data collected via Shopify and notified to Processor via webhooks, Processor shall promptly confirm receipt of the request and complete the action within 30 days (unless legal requirements mandate data retention).
10. Audit Rights:
Processor shall provide the Company with the necessary information to demonstrate compliance with this Agreement and permit audits, including inspections, by the Company or an auditor designated by the Company, concerning the Processing of Company Personal Data by the Contracted Processors.
11. Data Transfer:
When the Customer enables tracking of Company Personal Data of individuals in Europe in their Shopify store settings and agrees to use EComposer's Analytics feature, the Customer acknowledges and consents to EComposer transferring Company Personal Data to regions outside the EU and/or the EEA, including the United States, for data cloud storage with the Subprocessor.
All Processing of Personal Data in countries without adequate data protection, per the European Commission's decision of 5 February 2010, will rely on Standard Contractual Clauses.
12. General Terms:
12.1 Confidentiality: Each Party must maintain the confidentiality of this Agreement and information received about the other Party and its business in connection with this Agreement, unless required by law or if the information is already in the public domain.
12.2 Notices: All notices under this Agreement must be in writing, delivered personally, sent by post, or emailed to the addresses specified in the Agreement.
Annex 1 - Details of Processing of Personal Data:
- Subject Matter of Processing: Use and access of EComposer analytics ("Service") in accordance with the Agreement.
- Duration of Processing: Personal Data will be processed for the duration of the Principal Agreement.
- Nature and Purpose of Processing: Provision of the Service.
- Types of Personal Data: Page visitors, clicks on tracking objects of the page, purchases happening on the page.
- Categories of Data Subjects: Page visitors.
- Obligations and Rights of the Customer: The obligations and rights of the Customer are as set out in this DPA.
Addendums: California Consumer Privacy Act Addendum – available at https://ecomposer.io/pages/ccpa