This ShoppingGives Data Processing Addendum (“DPA”) is entered into between the individual or entity that has entered into an Agreement incorporating this DPA (“Merchant”) and Niche Interactive Media Inc. d/b/a ShoppingGives (“ShoppingGives”) in connection with ShoppingGives’ provision of services to Merchant under any existing, written, and currently valid agreements (collectively, “Agreement”). This DPA is effective as of the effective date of the Agreement and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this DPA and the Agreement, this DPA will govern unless otherwise expressly stated herein. This DPA applies only to Personal Information that ShoppingGives Processes as a Data Processor on behalf of Merchant, as specified in the Agreement. For clarity, this DPA does not apply to the extent ShoppingGives acts as a Controller. This DPA will survive termination of the Agreement.
1. Data Processing and Protection.
- 1.1. General Use Limitations. ShoppingGives will not: (a) Process the Personal Information for any purpose other than for the specific purpose of providing the Platform and related services as set out in the Agreement (the “Services”); (b) Process the Personal Information for a commercial purpose other than as necessary to provide the Services; (c) “sell” or “share” (each as defined by Data Protection Law) the Personal Information; (d) Process the Personal Information outside of the direct business relationship between ShoppingGives and Merchant; or (e) combine Personal Information with any other personal information it collects from individuals or other Merchants, except as permitted by Data Protection Law.
- 1.2. Instructions. ShoppingGives will Process Personal Information only: (a) in a manner consistent with documented instructions from Merchant, which will include Processing (i) as authorized or permitted under the Agreement, including as specified in Section 1.3 below, and (ii) consistent with other reasonable instructions of Merchant; and (b) as required by Data Protection Law, provided that ShoppingGives will inform Merchant (unless prohibited by applicable law) of the applicable legal requirement before Processing pursuant to such Data Protection Law. Merchant will not instruct ShoppingGives to perform any Processing of Personal Information that violates any Data Protection Law. ShoppingGives may suspend Processing based upon any Merchant instructions that ShoppingGives reasonably suspects violate Data Protection Law, provided ShoppingGives will promptly inform Merchant if, in Merchant’s opinion, an instruction infringes Data Protection Law.
- 1.3. Details of Processing.
- Nature, Purpose and Duration of Processing: ShoppingGives Processes Personal Information in connection with and for the purpose of providing the Services and until the Agreement terminates or expires, unless otherwise agreed upon by the Parties in writing. Personal Information may be subject to storage and analysis, among other Processing activities.
- Types of Personal Information: Personal Information may include some or all of the following, as determined by the Merchant: the consumer’s name and contact information (which may include email address, address or phone number); information about Purchases (which may include order number, date of purchase, purchase price, items purchased, or billing and shipping details); information about Donations (which may include charity recipient, time/date of Donation and Donation amount).
- Categories of Data Subjects: Customers of Merchant
- 1.4. Compliance. Merchant will comply with its obligations as a Controller under Data Protection Law. ShoppingGives will comply with obligations applicable to it as a Processor under Data Protection Law and provide the same level of privacy protection as is required by Data Protection Law. If ShoppingGives determines it can no longer meet its obligations under this DPA, it will notify Merchant. Upon providing 30 days’ written notice to ShoppingGives that ShoppingGives has Processed Personal Information without authorization or in violation of Data Protection Law, Merchant may take reasonable and appropriate steps to stop and remediate such Processing.
- 1.5. Confidentiality. ShoppingGives will take steps to ensure that persons authorized by ShoppingGives to Process Personal Information are subject to confidentiality obligations.
- 1.6. Security. ShoppingGives will protect Personal Information in accordance with requirements under Data Protection Law. At a minimum, ShoppingGives will implement appropriate technical and organizational measures designed to protect Personal Information against Security Incidents.
- 1.7. Return or Disposal. At the choice of Merchant, ShoppingGives will (or will enable Merchant via the Platform to) delete or return (and will delete existing copies of) all Personal Information after the end of the provision of the Services (unless Data Protection Law requires the storage of such Personal Information by ShoppingGives).
2. Data Processing Assistance.
- 2.1. Data Subject Rights Assistance. Merchant is responsible for responding to requests from individuals to exercise rights under Data Protection Law relating to Personal Information (each a “Data Subject Request”). Merchant will inform ShoppingGives of any Data Subject Request that ShoppingGives must comply with and provide the information necessary for ShoppingGives to comply with the request. ShoppingGives will, to the extent permitted by Data Protection Law, notify Merchant without undue delay if ShoppingGives receives a Data Subject Request. To the extent Merchant does not have the ability to address the Data Subject Request itself (e.g., with information in its possession or control or via Platform tools), ShoppingGives will, upon Merchant’s request, provide commercially reasonable efforts to assist Merchant in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law.
- 2.2. Security Assistance. Taking into account the nature of Processing and the information available to ShoppingGives, ShoppingGives will provide commercially reasonable efforts to assist Merchant in Merchant’s efforts to comply with obligations to secure Personal Information under Data Protection Law, by providing the information and assistance described in Section 4 of this DPA (Audits).
- 2.3. Other Compliance Assistance. If required under Data Protection Law, ShoppingGives will provide assistance to Merchant as reasonably requested by Merchant to facilitate Merchant’s compliance with requirements under Data Protection Law in connection with ShoppingGives’ Processing of any Personal Information, including any requirements related to data retention, data minimization, data protection assessments, and consultations with supervisory authorities.
3. Personal Information Breach Notice and Assistance.
- ShoppingGives will notify Merchant without undue delay after becoming aware of a Security Incident and provide any information required under Data Protection Law. At Merchant’s expense, ShoppingGives will provide reasonable assistance to Merchant as may be necessary for Merchant to satisfy its notification obligations imposed under Data Protection Law.
4. Audits.
- ShoppingGives will make available to Merchant information reasonably necessary to demonstrate compliance with the obligations in this DPA and Data Protection Law. At Merchant’s expense, ShoppingGives will allow for and contribute to audits no more than once every 12 months, in accordance with the terms of this Section 4. Any such audit must be tailored to what is necessary to verify ShoppingGives’ compliance with this DPA and Data Protection Law, and must occur during ShoppingGives’ normal business hours. In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by ShoppingGives; (b) comply with reasonable and applicable on-site policies and procedures provided by ShoppingGives; and (c) not unreasonably interfere with ShoppingGives’ business activities. Merchant will provide written communication of any audit findings to ShoppingGives, and the results of the audit will be the confidential information of ShoppingGives. Unless otherwise required by a supervisory authority, Merchant will provide no less than sixty (60) days' advance notice of its request for any such audit, and will cooperate in good faith with ShoppingGives to schedule any such audit on a mutually agreed upon date and time.
- Merchant provides ShoppingGives with general authorization to use subprocessors to Process Personal Information (each, a “Subprocessor”). ShoppingGives will provide Merchant with notice of its current list of Subprocessors upon request. ShoppingGives will only add or remove a Subprocessor after providing Merchant with reasonable prior notice (email suffices) and an opportunity to object. ShoppingGives will enter into a written contract with each Subprocessor imposing data protection obligations that are no less protective than those included in this DPA. ShoppingGives will remain liable for any acts or omissions of its Subprocessors.
- ShoppingGives’ liability under this DPA, including with respect to any breach of this DPA, will be subject to the limitations of liability under the Agreement.
Attachment 1: Definitions
- Capitalized terms used but not defined in this DPA have the meanings given under the Agreement. The following definitions apply to this DPA:
- “Controller” means “controller” or “business” (and analogous variations of such terms), as defined under Data Protection Law.
- “Data Protection Law” means any data protection or privacy laws in the United States that apply to ShoppingGives’ Processing of Personal Information.
- “Personal Information” means (a) “personal data” or “personal information” (and analogous variations of such terms), as defined under Data Protection Law, and (b) that the Agreement states ShoppingGives will Process as a Processor subject to this DPA.
- “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.
- “Processor” means “processor” or “service provider” (and analogous variations of such terms), as defined under Data Protection Law.
- “Security Incident” means “personal data breach” or “security incident” (and analogous variations of such terms), as defined under Data Protection Law.