Data Processing Agreement

This Data Processing Addendum (“DPA”) is a part of the Vendora Cloud Merchant Service Agreement, and are hereby incorporated into the Vendora Terms of Use by reference. Capitalized terms used but not otherwise defined in the DPA will have the meanings set forth in the Cloud Merchant Service Agreement.

Merchant enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Vendora processes Merchant Personal Data for which such Authorized Affiliates qualify as the Controller.

For the purposes of this DPA, and except where indicated otherwise, the term “Merchant” will include Merchant and Authorized Affiliates. “Vendora” refers to Virtual Fulfillment Technologies, Inc. and its Affiliates. Vendora and Merchant are each a “Party” and together are the “Parties.” All terms of the Vendora Master Agreement, Order Form, Merchant Terms of Service Agreement, including all disclaimers, limitations of liability, agreements and indemnities (collectively, to the extent any of the foregoing is applicable, the “Agreement”), apply to this DPA. In the event of any conflict between the Merchant Terms of Service Agreement and this DPA, this DPA will govern.

1. Definitions

1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” and its cognates for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2 “Authorized Affiliate” means any of Merchant's Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Vendora Services pursuant to the Agreement between Merchant and Vendora.

1.3 “Merchant Personal Data” means any Merchant Data (as defined in the Cloud Merchant Services Agreement and Vendora Terms of Use available at https://www.vendora.io/terms-of-use that comprises the categories of Personal Data described in the Vendora Privacy Policy. For the avoidance of doubt, Merchant Personal Data excludes information about Users provided to Vendora in connection with the creation or administration of a Vendora Account, as well as Personal Data that Vendora processes for the provision of services as a Controller.

1.4 “Data Protection Laws” means any applicable laws, regulations, or other binding obligations (including any and all legislative and/or regulatory amendments or successors thereto), each as updated from time to time, of the European Union, the EEA, Switzerland, the United Kingdom, the United States, Canada, Australia, or any other jurisdiction that govern or otherwise apply to Personal Data processed under the Agreement.

1.5 “FADP” means the Swiss Federal Act on Data Protection of 25 September 2020.

1.6 “GDPR” means the European Union Regulation 2016/679 and includes any relevant implementing measure in each relevant Member State.

1.7 “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and analogous terms, as defined by Data Protection Laws.

1.8 “Process” and its cognates “processing”, “processed”, etc. mean any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.9 “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Merchant Personal Data.

1.10 “Standard Contractual Clauses” refers to any and all of the following:

(a) The “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.

(b) The “UK Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and completed as set forth herein.

(c) The “ADGM Addendum” means the Abu Dhabi Global Market Approved Addendum, being the template Addendum 1.0 issued by the Commissioner in accordance with Section 49(2)(j) of the DPR 2021 on 1 Nov 2023, as it may be revised under Section ‎‎17 of those Mandatory Clauses, located at https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance#addendum-to-the-eu-standard-contractual-clauses and completed as set forth herein.

(d) The “DIFC SCCs” means the Standard Contractual Clauses for Compliance with Article 27 DIFC Law No 5 of 2020, located at https://www.difc.ae/business/registrars-and-commissioners/commissioner-of-data-protection/data-export-and-sharing and completed as set forth herein.

(e) The  “Turkish SCCs” means the Standard Contractual Clauses issued in accordance with the guidelines and regulations of the Turkish Data Protection Authority ("Turkish Authority") under the Turkish Data Protection Law No. 6698, as updated or amended, and decision no. 2024/959 and dated 4/6/2024 held by the Turkish Authority for the transfer of personal data to third countries or international organizations, available at https://www.kvkk.gov.tr/Icerik/7991/Standard-Contracts and completed as set forth herein.

(f) The “Brazilian SCCs” means the Standard Contractual Clauses approved by the Resolution CD/ANPD No. 19, August 23, 2024, available at https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396 and completed as set forth herein. 

1.11 “Sub-processor” means any third-party that Vendora engages to process Merchant Personal Data.

1.12 “Supervisory Authority” means an independent public authority which is established by an EU Member State, UK or Switzerland, or in other applicable jurisdictions pursuant to Data Protection Laws.

1.13 The terms “Business”, “Consumer”, “Controller”, “Data Subject”, “Processor”, and “Service Provider” have the meanings given to them in Data Protection Laws, or, where not specifically defined, the meanings of analogous terms under Data Protection Laws. For the avoidance of doubt, “Controller” is deemed to also refer to “Business”, and “Processor” is deemed to also refer to “Service Provider”. “Data Subject” is deemed to include “Consumer”.

2. Data Processing

2.1 Scope. This DPA applies when and to the extent Merchant Personal Data is processed by Vendora in connection with the provision of the Services to the Merchant under the Agreement. For the avoidance of doubt, this DPA does not apply to Personal Data that Vendora processes for the provision of services as a Controller.

2.2 Role of the Parties. With regard to the processing of Merchant Personal Data, Vendora acts as a Processor on behalf of Merchant, which may act either as a Controller or a Processor. Vendora or its Affiliates may engage Sub-processors pursuant to the requirements set out in this DPA.

2.3 Compliance with Laws. Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Data Protection Laws.

2.4 Details of Processing. The subject matter of processing of Merchant Personal Data under this DPA is the performance of the Vendora Services pursuant to this Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in the Vendora Privacy Policy.

2.5 Instructions for Processing. Vendora will process Merchant Personal Data on behalf of and only in accordance with Merchant's documented instructions regarding Vendora’s processing of Merchant Personal Data as follows: (a) processing in accordance with the Agreement; (b) processing initiated by Users as authorized by Merchants in the use of the Vendora Services; and (c) processing to comply with other documented reasonable instructions provided by Merchant (e.g., via email) where such instructions are consistent with the terms of the Agreement.

2.6 Vendora’s Obligations. Vendora will:

(a) inform Merchant within a reasonable time if: (i) in Vendora’s sole determination, an instruction from Merchant violates Data Protection Laws and/or (ii) Vendora is unable to comply with Data Protection Laws or Merchant’s instructions for the processing of Merchant Personal Data; 

(b) not retain, use, or disclose Merchant Personal Data outside the direct business relationship between Merchant and Vendora or as permitted by Data Protection Laws; and

(c) treat Merchant Personal Data as Confidential Information under the Agreement. If a governmental body sends Vendora a demand for Merchant Personal Data, Vendora will attempt to redirect the governmental body to request that data directly from Merchant. As part of this effort, Vendora may provide Merchant’s basic contact information to the governmental body. If compelled to disclose Merchant Personal Data to a governmental body, then Vendora will give Merchant reasonable notice of the demand to allow Merchant to seek a protective order or other appropriate remedy unless Vendora is legally prohibited from doing so.

2.7 Third-Party Disclosures Comprising Part of Our Services. Merchant acknowledges that, as part of the provision of the Vendora Services, Vendora will disclose Merchant Personal Data to certain third-party vendors acting as Controllers (including professional advisers such as lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services). 

2.8 Merchant Rights. Merchant retains the right, upon reasonable notice to Vendora, to take reasonable and appropriate steps to stop and remediate unauthorized use of Merchant Personal Data.

3. Merchant Responsibilities

Merchant will, in its use of the Vendora Services, process Merchant Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Vendora as Processor. For the avoidance of doubt, Merchant's instructions for the processing of Merchant Personal Data will comply with Data Protection Laws. Merchant will have sole responsibility for the accuracy, quality, and legality of Merchant Personal Data and the means by which Merchant acquired Merchant Personal Data. Merchant specifically acknowledges and agrees that its use of the Vendora Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Merchant Personal Data, to the extent applicable under the Data Protection Laws. 

4. Assistance to Merchant

4.1 Data Subject Requests. Vendora will, to the extent legally permitted or required, promptly notify Merchant of any complaint or request it receives from a Data Subject with respect to the processing of their Personal Data covered by this DPA (each such request being a “Data Subject Request”). Merchant authorizes on its behalf, and on behalf of its Controllers when Merchant is acting as a Processor, Vendora to respond to any Data Subject who makes a Data Subject Request to Vendora, to confirm that Vendora has forwarded the request to Merchant. To the extent Merchant, in its use of the Vendora Services, does not have the ability to address a Data Subject Request, Vendora will upon Merchant's request provide commercially reasonable efforts to assist Merchant in responding to such Data Subject Request, to the extent Vendora is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Merchant will be responsible for any costs arising from Vendora's provision of such assistance.

5. Sub-processors

5.1 Appointment of Sub-processors. Merchant acknowledges and agrees that Vendora may engage Sub-processors in connection with the provision of the Vendora Services. Vendora will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Vendora Services provided by such Sub-processor.

5.2 Liability. Vendora will be liable for the willful and grossly negligent acts and omissions of its Sub-processors to the same extent Vendora would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6. Security

6.1 Controls for the Protection of Merchant Personal Data. Vendora has implemented and will maintain the technical and organizational measures that is reasonable to protect the confidentiality and integrity of Merchant Personal Data, and to protect Merchant Personal Data against Security Breaches. Vendora may update or change these measures from time to time, but will not materially decrease the overall security of the Vendora Services during a Subscription Term. Merchant is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in this DPA meet Merchant’s requirements.

7. Security Incident Management

7.1 Notification. Vendora will notify Merchant without undue delay after becoming aware of a Security Breach. Vendora will make reasonable efforts to identify the cause of such Security Breach and take those steps as Vendora deems necessary and reasonable in order to remediate the cause of such a Security Breach to the extent the remediation is within Vendora's reasonable control. The obligations herein will not apply to Security Breaches that are caused by Merchant or Merchant's Users.

7.2 Assistance. To enable Merchant to notify a Security Breach to Supervisory Authorities or Data Subjects (as applicable), Vendora will cooperate with and assist Merchant by including in the notification under Section 7.1 such information about the Security Breach as Vendora is able to disclose to Merchant, taking into account the nature of the processing, the information available to Vendora, and any restrictions on disclosing the information, such as confidentiality. 

8. Data Storage

All Merchant Data is housed within the United States and no cross-border transfers are contemplated at this time.  

9. Authorized Affiliates

11.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the Agreement, Merchant enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Vendora and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Vendora Services and Content by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate will be deemed a violation by Merchant.

9.2 Communication. The Merchant that is the contracting party to the Agreement will remain responsible for coordinating all communication with Vendora under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

9.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Vendora, it will to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

9.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Vendora directly by itself, the Parties agree that (i) solely the Merchant that is the contracting party to the Agreement will exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Merchant that is the contracting party to the Agreement will exercise any such rights under this DPA not for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together.

10. Limitation of Liability

To the extent permitted by Data Protection Laws, each Party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Vendora, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Vendora Merchant Terms of Service Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Vendora's and its Affiliates' total liability for all claims from Merchant and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Merchant and all Authorized Affiliates, and, in particular, will not be understood to apply individually and severally to Merchant and/or to any Authorized Affiliate that is a contractual party to any such DPA.