Data Processing Addendum
This Data Processing Addendum (“Agreement”) is between you and ShopSync, LLC, a Tennessee limited liability company (“ShopSync”), and is made and entered into immediately upon acceptance of its terms and conditions by you, or immediately upon your use of the services provided by ShopSync.
ShopSync provides a service that transfers data between Shopify and MailChimp (“Services”).
This Agreement is an addendum to ShopSync’s standard terms and conditions to which you are required to agree in order to use the Services.
You and ShopSync hereby agree as follows:
- GDPR. If you allow ShopSync to Process the personal data of European Union citizens through the ShopSync servers as a part of the Services, then this Agreement applies to you. This Agreement complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”). For purposes of this Agreement you are acting as a controller and ShopSync is acting as a processor. The terms controller, personal data, processor, processing, and pseudonymisation have the definitions set forth in the GDPR.
- Processor. You agree that ShopSync can process information for individuals and companies on your behalf for the purpose of allowing you to use the information in your MailChimp and Shopify instances for as long as you have an Agreement with ShopSync. ShopSync may use another processor (“subprocessor”) to store information provided by you.
- Instructions. ShopSync shall process the personal data only on documented instructions from you as set out in Section 2, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which ShopSync is subject; in such a case, ShopSync shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Safeguards. ShopSync shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. ShopSync shall implement appropriate technical and organizational measures to safeguard personal data, which shall meet the requirements of the GDPR (Article 32). ShopSync may update or modify these measures from time to time provided that such updates or modifications do not result in any material degradation of the security of personal data.
- Subprocessor. ShopSync is permitted to appoint a subprocessor to process personal data provided that:
a. ShopSync enters into a written contract with the subprocessor on the same terms as those set out in this Agreement;
b. ShopSync shall inform you of any intended changes concerning the addition or replacement of any subprocessor and give you the opportunity to object to such changes; and
c. where a subprocessor fails to fulfil its data protection obligations, ShopSync shall remain fully liable to you for the performance of the subprocessor’s obligations.
- Subprocessor Objections. If you have a reasonable basis to object to ShopSync’s use of a new subprocessor on grounds of such subprocessor’s non-compliance with this Agreement, you shall notify ShopSync in writing within 15 days after receipt of ShopSync’s notice. If ShopSync does change the subprocessor you objected to within 60 days of receiving your notice you may terminate your use of the Services.
- Requests. Taking into account the nature of the processing, ShopSync shall provide commercially reasonable assistance to you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing or his/her rights not to be subject to an automated individual decision making. To the extent legally permitted, you shall be responsible for any costs arising from ShopSync’s provision of such assistance. ShopSync shall assist you in complying with the obligations of Articles 32 and 36 of the GDPR, taking into account the nature of processing and the information available to ShopSync.
- Deletion of Data. At your choice and to the extent ShopSync has any personal data, ShopSync shall delete or return all personal data to you after the end of the provision of Services relating to personal data, and delete existing copies of personal data unless the Union or Member State law requires storage of personal data by ShopSync. ShopSync does not store personal data.
- Compliance. Upon your written request, ShopSync shall make available to you the information necessary to demonstrate compliance with the obligations set out in the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. You agree to give ShopSync reasonable notice prior to any audit and minimize any disruption to ShopSync’s business. You agree to pay all costs associated with such audit. You agree to provide ShopSync with the results of the audit.
- Improper Instructions. ShopSync shall immediately inform you if, in ShopSync’s opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ShopSync shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a. the pseudonymisation and encryption of personal data;
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Security Assessment. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Breach Notification. ShopSync shall notify you without undue delay after becoming aware of a personal data breach. ShopSync shall provide all information to you so that you may comply with the notification obligations of GDPR in the event of a breach.
- Data Transfer. ShopSync transfers personal data in encrypted form to servers in the United States for the processing of the personal data. The personal data stays in encrypted form throughout the processing. You agree to the transfer of personal data to the United States.
- Addendum. This Agreement is an addendum to ShopSync’s standard terms and conditions and is incorporated into those terms and conditions by reference. This Agreement along with ShopSync’s standard terms and conditions constitutes the entire agreement between the parties hereto and supersedes any prior oral or written agreements between the parties. This Agreement may not be amended unless such amendment is in writing and signed by all parties hereto.