This Data Processing Addendum (“DPA”) amends and supplements any existing and currently valid Agreement(s) (the “Agreement(s)”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and BridalLive Software, LLC, d/b/a BridalLive (together with its subsidiary and affiliated entities, collectively, “Processor”) and is hereby incorporated by reference into the Agreement(s).
WHEREAS, Processor provides to Customer bridal web solutions (collectively, the “Service”) pursuant to the Agreement. In connection with the Service, the parties anticipate that Processor may process outside of the European Economic Area (“EEA”) and United Kingdom, certain Personal Data (as defined below) in respect of which Customer may be a data controller under applicable EU Data Protection Laws (as defined below); and
WHEREAS, the parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws.
NOW THEREFORE, the parties agree as follows:
1. Defined Terms. Terms used but not defined in the Addendum, such as “personal data breach”, “processing”, “controller”, “processor” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR. In addition, the following definitions are used in the Addendum:
2. Effective Date. This DPA is effective on the later of (a) the start of enforcement of the GDPR or (b) the date Processor begins to process Personal Data on behalf of Customer.
3. Data Processing Description. Exhibit A to this DPA describes the data exporter, data importer, data subjects, data categories, special data categories (if appropriate), the processing operations and the technical and organizational measures implemented by Processor to protect the Personal Data.
4. GDPR Contractual Terms. Pursuant to Articles 28, 32 and 33 of the GDPR:
5. International Transfers. Processor adheres to both EU-U.S. and U.S.-Swiss Privacy Shield compliance frameworks. [Article 46] Customer acknowledges and agrees that Processor is located in the United States and Customer’s provision of Personal Data to Processor for processing is a transfer of Personal Data to the United States.
6. Processing by Controller. Customer represents and warrants that the Personal Data provided to Processor for processing under the Agreement and this DPA is collected and/or validly obtained by Customer in compliance with all applicable EU Data Protection Laws, including without limitation Chapter II of the GDPR.
7. Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits.
8. Modification. To the extent that it is determined by any data protection authority that this DPA is insufficient to comply with the applicable EU Data Protection Laws, or to the extent required otherwise by any changes in the applicable data protection laws, Customer and Processor agree to cooperate in good faith to amend this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with any EU Data Protection Laws applicable to the Processor and Customer.
9. General. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data. This DPA does not confer any third-party beneficiary rights, is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. This DPA only applies to the extent Processor processes Personal Data on behalf of Customer. Except as required under the GDPR, this DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to applicable principles of conflicts of law to the extent that the application of the laws of another jurisdiction would be required thereby. In case of any dispute related to this DPA, the parties agree to submit to personal jurisdiction in the State of Delaware. Furthermore, the parties hereby irrevocably and unconditionally submit to the exclusive jurisdiction of any court of the State of Delaware or any federal court sitting in the State of Delaware for purposes of any suit, action or other proceeding arising out of this DPA. THE PARTIES HEREBY IRREVOCABLY WAIVE ANY AND ALL RIGHTS TO A TRIAL BY JURY IN ANY ACTION, SUIT OR OTHER PROCEEDING ARISING OUT OF OR RELATING TO THE TERMS, OBLIGATIONS AND/OR PERFORMANCE OF THIS DPA. This DPA together with the Agreement is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
The data exporter is: Customer. Customer is a user of Services supplied by Processor.
The data importer is: Processor, a provider of software and services.
The personal data transferred concern the following categories of data subjects (please specify): Data subjects include the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Services.
Categories of data
Information we collect on our customers (businesses): includes business name, physical address, web address, email address, phone number, business Hours, sales agreements, email templates, inventory, sales, purchase orders, employee contact information (name, email, phone), and application usage statistics.
Information we collect on our customers' customers: includes names, phone numbers, email addresses, physical addresses, event information, fit measurements, appointment history, style preferences, purchase history, and other data in an electronic form used by Processor in the context of the Services.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): None
The personal data transferred will be subject to the following basic processing activities (please specify): collect, store, retrieve, consult, use, erase or destruct, disclose by transmission, disseminate or otherwise make available data exporter’s data as necessary to provide the Services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).
Description of the technical and organizational security measures implemented by the data importer:
|Sub-processor name||Permitted sub-processing activities|
|Amazon Web Services||Cloud Hosting Services|
|Stripe||Payment card processing|
|Fullsteam Operations||Payment card and ACH payment processing|
Copyright © BridalLive Software, LLC 2020
Certificate #: IC-20599-RA-BRIDALLIVE SOFTWARE, LLC- 2020-ED1 Version: 3.8