This Data Processing Addendum, including its Schedules and Exhibits (collectively the “DPA”) forms part of the Master Services Agreement, Terms of Service or other written or electronic agreement (“Agreement”) between a Commerce Entity and Customer (collectively the “Parties”) for the purchase of online services identified in the Agreement from a Commerce Entity (hereinafter defined as “Service(s)”). This DPA applies when a Commerce Entity acts as a Processor on behalf of the Customer for the provision of the Services. Capitalized terms that are not defined in this DPA have the meanings ascribed to them in the Agreement or under Data Protection Laws. In the event of any conflict between the provisions of the Agreement and this DPA, the provisions of this DPA will prevail. This DPA reflects the Parties’ agreement with regard to the Processing of Personal Data. In the course of providing the Services to Customer pursuant to the Agreement, a Commerce Entity Processes Personal Data on behalf of the Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
OPERATION OF THIS DPA
This DPA consists of the main body of the DPA which is applicable to all Commerce Entity Processing, Exhibit A (Security Procedures) which is applicable to all Commerce Entity Processing, Exhibit B (Commerce.com Specific Data Processing Terms) which applies only to Commerce.com Processing, Exhibit C (Feedonomics Specific Data Processing Terms) which applies only to Feedonomics Processing, and Schedule 1 (Commerce.com Specific Security Procedures) which applies only to Commerce.com Processing.
HOW THIS DPA APPLIES
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such a case, the Commerce Entity that is party to the Agreement is party to this DPA.
If the Customer entity signing this DPA has executed an Order Form with a Commerce Entity pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Form(s), and the Commerce Entity that is party to such Order Form is party to this DPA.
If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding.
- Definitions.
- “Commerce Entity” means a Commerce Entity which is party to this DPA, as specified in the section “HOW THIS DPA APPLIES” located above, Commerce.com US, Inc., a Texas corporation in the United States; Commerce Software UK Ltd., a United Kingdom limited company; Commerce Software Ireland Limited, an Irish limited company; Commerce.com Pty Ltd., an Australia proprietary limited company; and Feedonomics Holdings, LLC, a Delaware corporation in the United States.
- “Commerce.com” means the following legal entities: Commerce.com US, Inc., a Texas corporation in the United States; Commerce Software UK Ltd., a United Kingdom limited company; Commerce Software Ireland Limited, an Irish limited company; Commerce.com Pty Ltd., an Australia proprietary limited company.
- “Feedonomics” means the following legal entities: Feedonomics Holdings, LLC, a Delaware corporation in the United States for services rendered under the Service for the Marketplaces product.
- “Data Protection Laws” means any data protection legislation or regulation applicable to the Processing of Personal Data by a Commerce Entity under the Agreement, including, as applicable: (i) the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”); (ii) the General Data Protection Regulation as it forms part of UK domestic law by virtue of the UK Data Protection Act 2018 and Section 3 of the European Union (Withdrawal) Act 2018 and subsequent amendments (“UK GDPR”); and (iii) the California Consumer Privacy Act of 2018, as amended or modified, including as amended by the California Privacy Rights Act of 2020 (“CCPA”). Unless otherwise stated, “GDPR” means both the EU GDPR and UK GDPR. Notwithstanding the foregoing, “Data Protection Laws” shall not include any laws or regulations that require the localisation of Personal Data.
- “Extension” means the same as the definition provided in the MSA for the same term. The Processing details for an Extension are located in the Processing Details section of the Program Document attached to the Order Form.
- “Personal Data” means any information relating to an identifiable or identified Data Subject or Customer of a Customer who visits or engages in transactions with a Commerce Service where (i) Commerce Processes such data as a Processor while providing Customer with the Services under the Agreement, and (ii) would be considered personal information or personal data as such terms/concepts are defined by applicable Data Protection Laws; provided, however, that Personal Data excludes any such information that has been aggregated or anonymized in a manner that is not (1) identifiable as having originated from the Data Subject, or (2) capable of allowing a recipient to infer the Data Subject’s information.
- “Sell”, “Share”, “Controller”, “Business”, “Data Subject”, “Consumer”, “Processor”, “Subprocessor”, “Service Provider” and “Processing” have the meanings ascribed to them in applicable Data Protection Laws and their cognate terms will be construed accordingly.
- “Subprocessor” means an entity appointed by a Commerce Entity to Process Personal Data on behalf of Customer in connection with the Agreement and excludes the following: (i) third-party apps in a Commerce Entity’s app marketplace; and (ii) third-party contributions, features, functionality, consulting or other third-party services elected by Customer.
- Roles and Processing. A Commerce Entity shall act as Processor and Process the Personal Data only to provide the Services, on Customer’s documented instructions, or as consistent with the Agreement or any underlying Agreement. Customer shall act as Controller and shall comply with all applicable laws, including Data Protection Laws, in providing Personal Data to a Commerce Entity and further represents and warrants that all Personal Data will be collected and used by or on behalf of Customer in compliance with such laws, including with respect to any applicable obligations to provide notice to and/or obtain consent from individuals.
- Subprocessing.
- Commerce Entities may use Subprocessors to Process the Personal Data in compliance with Data Protection Laws. For the avoidance of doubt under this Agreement, the definition of Subprocessors excludes the following which Customer may utilize in the course of the Agreement: (i) third-party apps in the applicable Commerce Entity marketplace; and (ii) third party contributions, features, functionality, consulting or other third-party services elected by Customer and that are not directly related to a Commerce Entity's performance under this DPA.
- Commerce.com’s current Subprocessors are set forth at https://www.commerce.com/privacy/data-processors/, or its successor page.
- Feedonomics Subprocessors may be found at the following link: https://feedonomics.com/third-party-sub-processors/, or its successor page.
- Additions; Replacement. This DPA is Customer’s general written authorization for a Commerce Entity to engage Subprocessors; provided, however, that the Commerce Entity will inform Customer through Customer’s primary contact or by posting on Customer’s control panel any intended changes concerning the addition or replacement of Subprocessors affecting the Customer’s contracted Services. If, within 14 days of receiving such notice, Customer does not provide written notice to the Commerce Entity of any reasonable objections that detail why the proposed Subprocessor would not adequately support Customer’s obligations under the Data Protection Laws, Customer will be deemed to have consented to the proposed engagement. If the Parties are not able to resolve a reasonable objection and the Commerce Entity continues to appoint such Subprocessor, then Customer will be entitled to terminate any Agreements with respect to the Processing of Personal Data under the Data Protection Laws by the new Subprocessor without any liability as a result of such termination (such termination, a “Subprocessor Objection Termination”). For the avoidance of doubt, the Commerce Entity shall have no liability for a Subprocessor Objection Termination and such Subprocessor Objection Termination shall not constitute a termination for breach.
- Subprocessors for Extensions. If Customer elects an Extension as a Service offering provided by Commerce.com, then the applicable Subprocessors specific to the Extension can be found within the relevant table within the Subprocessor list for Commerce.com for which the Extension applies. Customer will engage the Subprocessors identified in the table applicable for the elected Extension until the Term of the Extension ends or the Agreement is terminated. For the avoidance of doubt, (1) the process described in Section 3.2 is not applicable for the initial selection of Subprocessors for an elected Extension and is only applicable for additions and replacements, and (2) an Extension is neither part of Commerce.com’s E-Commerce Platform, nor a Customer elected Third-Party Product.
- Liability. A Commerce Entity shall conduct security, privacy, and transfer assessments of all Subprocessors prior to onboarding and will enter into written agreements with any Subprocessor requiring the Subprocessor to provide a substantially similar level of data protection and information security as provided by this DPA and required by Data Protection Laws. A Commerce Entity will remain liable for any Subprocessor’s compliance with its obligations and for any acts or omissions of a Subprocessor that cause a Subprocessor to fail to fulfill such obligations or that cause a Commerce Entity to breach any of its material obligations under this DPA.
- Confidentiality. A Commerce Entity will treat all Personal Data that it Processes as confidential and will inform its employees, agents and/or approved Subprocessors engaged in Processing Customer Personal Data of the confidential nature of the Personal Data. A Commerce Entity will make commercially reasonable efforts to ensure that these persons or entities have signed an appropriate confidentiality or data protection agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
- Security. A Commerce Entity will implement the measures set forth in Exhibit A and not less than appropriate technical and organizational measures to protect the security of the Processing of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Data Subject Requests. To the extent possible and taking into account the nature of the Processing, the Commerce Entity will make commercially reasonable efforts to assist Customer by providing functionality or taking appropriate measures to help fulfill Customer’s obligation to respond to Data Subject requests under applicable Data Protection Laws.
- Notifications. If a Commerce Entity is otherwise required to comply with a legal obligation, a Commerce Entity will make commercially reasonable efforts to inform Customer of that legal obligation, unless the Commerce Entity is prohibited from doing so. A Commerce Entity will inform Customer if, to its knowledge, an instruction from Customer would infringe Data Protection Laws.
- Incident Management. If a Commerce Entity becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by a Commerce Entity under this DPA while providing the Services (a “Security Incident”), it will, in accordance with Exhibit A, notify Customer and provide Customer a description of the Security Incident as well as periodic updates to information about the Security Incident. In accordance with Exhibit A, the Commerce Entity will investigate the Security Incident and take reasonable steps to prevent or mitigate the effects of a Security Incident caused by a material breach of a Commerce Entity’s obligations under this DPA.
- Data Processing Limitations. Except as specifically provided in writing otherwise, the Services are not intended to store, use, or otherwise Process any type of Personal Data that may be considered “sensitive data” or “special categories of personal data” under Data Protection Laws, or that otherwise would reasonably be considered sensitive in nature (collectively, “Sensitive Data”). For example, the Services are not intended to Process Personal Data including but not limited to protected health information (“PHI”), as defined by the Health Insurance Portability and Accountability Act of 1996 and its enabling regulations and related laws ("HIPAA"). Customer represents and warrants that it will not provide a Commerce Entity or allow a Commerce Entity to Process Sensitive Data on Customer’s behalf through use of the Services. For the avoidance of doubt, nothing in this section prohibits or limits the ability of the Customer to Process payment information under a Commerce.com product.
- CCPA Compliance. If a Commerce Entity Processes Personal Data of California residents, the Commerce Entity shall comply with the CCPA. Specifically, the Commerce Entity agrees that:
- A Commerce Entity acts solely as a Service Provider in relation to Personal Data and, in accordance with the provisions of this DPA, Customer alone acts as a Business and solely determines the purposes and means of the Processing of Personal Data (“Service Provider” shall have the same meaning ascribed in the CCPA).
- The Commerce Entity will not Sell or Share Personal Data of California residents, and the Parties acknowledge and agree that Customer does not Sell or Share Personal Data to the Commerce Entity in connection with the Services (“Sell” and “Share” shall have the meaning ascribed to them in the CCPA). Further, as set forth elsewhere in this DPA, the Commerce Entity will not retain, use, Share, or disclose Customer Personal Data (1) for any purpose other than performing or supporting the Services, or (2) outside of the direct business relationship between the Parties except as authorized through the Agreement. When utilizing Subprocessors to perform or support the Services, the Commerce Entity will comply with the provisions of Section 3 of this DPA.
- For the purposes of data security under the CCPA, a Commerce Entity shall comply with the applicable requirements and restrictions set forth in the Agreement and this DPA, including Exhibit A.
- Termination. Upon termination of the Services or expiration of the Term and subject to the law, a Commerce Entity will promptly delete or anonymize Personal Data. If Customer requests a copy of such Personal Data prior to deletion, the Commerce Entity will make a copy of such Personal Data reasonably available to Customer.
- Updates. Subject to compliance with Data Protection Laws, a Commerce Entity may update this DPA, including as necessary to account for changes in circumstances, Data Protection Laws, international data transfer mechanisms, and Commerce Entity products, features, or functionality. When this DPA is updated, a Commerce Entity shall provide notice (email to suffice) to Customer. If, within thirty (30) days of receiving the update, Customer does not provide written notice to the Commerce Entity of any reasonable objections that detail why the proposed change would not adequately support Customer’s obligations under the Data Protection Laws, Customer will be deemed to have consented to the proposed update.