This US Data Processing Addendum (DPA) is an addendum to the Terms of Service between Instant and the Merchant (each a Party, and together, the Parties).
This DPA clarifies that Instant acts as a ‘service provider’ and ‘processor’, as relevant, for the purposes of Applicable Data Protection Laws. This DPA shall only apply and bind the Parties if and to the extent that the Merchant is classified as a ‘controller’ or ‘business’ or similar under Applicable Data Protection Laws.
To the extent that Instant processes any Merchant Personal Data on behalf of the Merchant (or, where applicable, the Merchant Affiliate) in connection with the provision of the Ordered Products and Services, the Parties agree that Instant shall do so on the terms of this DPA.
1. Definitions
Capitalized terms used within this DPA but not defined below have the meaning given in the Terms of Service. In addition, the following words have the following meanings:
Affiliate means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of each Agreement.
Applicable Data Protection Laws means, to the extent applicable, federal and state laws relating to data protection, the processing of Personal Data, privacy and/or data protection in force from time to time in the United States.
Business Purpose has the meaning given in Schedule 1.
Merchant Personal Data means the Personal Data processed by Instant on behalf of the Merchant or Merchant Affiliate in connection with the provision of the Ordered Products and Services.
Personal Data means any information relating to an identified or identifiable individual or device, or is otherwise “personal data”, “personal information”, “personally identifiable information” and similar terms, and such terms shall have the same meaning as defined by the Applicable Data Protection Laws.
Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Merchant Personal Data.
Sub-processor means Instant Affiliates and third-party processors appointed by Instant to process Merchant Personal Data.
The terms “controller”, “processor”, “data subject”, “process”, “sell”, and “service provider” shall have the same meaning as set out in the Applicable Data Protection Laws.
2. Relationship with Agreements
This DPA supplements and, to the extent of any inconsistency, supersedes the Agreements with respect to any processing of Merchant Personal Data.
By entering into the Agreements, the Merchant warrants that it is duly authorized to enter into the DPA for and on behalf of any such Merchant Affiliates and, subject to clause 2.3, each Merchant Affiliate shall be bound by the terms of this DPA as if they were the Merchant.
The Merchant warrants that it is duly mandated by any Merchant Affiliates on whose behalf Instant processes Merchant Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Merchant Affiliates, and to act on behalf of the Merchant Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Merchant Affiliates.
The Parties agree that any notice or communication sent by Instant to the Merchant shall satisfy any obligation to send such notice or communication to a Merchant Affiliate.
3. Acknowledgements
The Parties acknowledge and agree that for the purposes of the Applicable Data Protection Laws, Instant will act as a “service provider” or “processor” in the performance of its obligations pursuant to the Agreements.
Each of the parties represents and warrants that it understands the rules, restrictions, requirements and definitions of the Applicable Data Protection Laws and agrees to adhere to the requirements of the Applicable Data Protection Laws in respect of the processing of Merchant Personal Data as per the Agreements.
4. Details of data processing
The details of data processing (such as subject matter, nature and purpose of the processing, and categories of Personal Data) are described in each Agreement and in Schedule 1.
Merchant Personal Data will only be processed on behalf of and under the instructions of the Merchant for the Business Purpose and in accordance with Applicable Data Protection Laws. Each Agreement and this DPA shall be the Merchant’s instructions for the processing of Merchant Personal Data. The Merchant may issue further written instructions in accordance with this DPA.
Instant agrees that except as specifically permitted under Applicable Data Protection Laws, (a) it shall not process Merchant Personal Data except for the specific Business Purpose, unless required by law or a government authority (in which case Instant shall use reasonable efforts to notify Company before such disclosure or as soon thereafter as reasonably possible), (b) it shall not process (noting such processing may not include the sale, transfer to a third-party or combination with other data) Merchant Personal Data for any commercial purpose outside of the Business Purpose except to provide the Ordered Products and Services, and (c) except for the Sub-processors listed in Schedule 2, it shall only transfer Merchant Personal Data to a third-party as specifically directed by the Merchant.
If the Merchant’s instructions will cause Instant to process Merchant Personal Data in violation of Applicable Data Protection Laws or outside the scope of an Agreement or the DPA, Instant shall promptly inform the Merchant to that effect, unless prohibited by Applicable Data Protection Laws.
Instant may store and process Merchant Personal Data anywhere Instant or its Sub-processors maintain facilities, subject to clause 5 of this DPA.
The Merchant grants Instant the right to access and use data derived from Merchant Personal Data (including pseudonymous identifiers) (Network Data) in connection with the provision of its device and shopper network (Shopper Network), whereby the Merchant and other merchants participating in the Shopper Network (together, the Participants) permit Instant to collect and use data generated by the Merchant’s use of the Ordered Products and Services to better identify end-users of Participants’ websites for the Merchant and other Participants’ benefit. A Participant’s cookie or other first-party ID data included in the Network Data will not be accessed by or transferred to any other Participant. The Merchant also grants Instant the right to disclose Network Data for use in connection with the Shopper Network and related Ordered Products and Services, provided that any such disclosure is of aggregated or anonymized data, or otherwise does not individually identify the Merchant. Instant is not obligated to disclose the identity of any Participant to the Merchant. Upon notification by Instant, the Merchant must cease any and all use of Network Data. Instant owns all rights in and to the Network Data in accordance with Applicable Data Protection Laws, as between Instant and the Merchant.
5. Sub-processors
Merchant grants Instant general authorization to engage Sub-processors, subject to clause 5.2, from Instant’s current Sub-processors listed in Schedule 2 as of the Commencement Date.
Instant shall enter into written agreements with Sub-processors that provide substantially similar levels of protection for Merchant Personal Data as those in this DPA to the extent applicable to the nature of the services provided by such Sub-processor. Instant will be responsible for all acts or omissions of its Sub-processors.
Instant shall provide the Merchant with at least 15 days’ notice of any proposed changes to its Sub-processors used to process Merchant Personal Data (including any addition or replacement of any Sub-processors). The Merchant may object to Instant’s use of a new Sub-processor (provided that such objection is based on reasonable grounds relating to data protection) by providing Instant with written notice within 10 days after receiving Instant’s notice of a proposed change (an Objection). If the Merchant provides an Objection, Instant and the Merchant will work together in good faith to find a mutually acceptable resolution. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreements by providing written notice to the other party. During any such Objection period, Instant may suspend the affected portion of the Ordered Products and Services.
6. Data Subjects and Data Subject Requests
- The Merchant shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Merchant Personal Data (Data Subject Requests).
- Instant will forward to the Merchant without undue delay any Data Subject Request received by Instant or any Sub-processor from an individual in relation to their Merchant Personal Data and may advise the individual to submit their request directly to the Merchant.
- Instant will (taking into account the nature of the processing of Merchant Personal Data) provide the Merchant with functionality through the Ordered Products and Services or other reasonable assistance as necessary for the Merchant to fulfil its obligation under Applicable Data Protection Laws to respond to Data Subject Requests. Instant may charge the Merchant, and the Merchant shall reimburse Instant, for any such assistance beyond providing features included as part of the Ordered Products and Services.
The Merchant agrees that it is responsible for providing legally sufficient privacy notices to applicable data subjects and (where required by Applicable Data Protection Laws) must obtain appropriate consent from data subjects for Instant’s information collection and use practices relating to the Ordered Products and Services including but not limited to the use of cookies and similar technologies for tracking purposes in connection with the Ordered Products and Services, as applicable.
7. Security measures and compliance audits
Instant will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure the security and confidentiality of Merchant Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Merchant Personal Data) and against accidental loss, destruction, or damage of or to it.
Once per year, the Merchant (or its appointed representatives) may audit Instant’s compliance with this DPA at the Merchant’s expense and during normal business hours and subject to reasonable prior notice where the Merchant considers it necessary or appropriate (for example, without limitation, where Company has reasonable concerns about Instant’s compliance with this DPA, following a Security Incident or following instruction from a data protection authority).
8. Security Incidents
Instant shall notify the Merchant in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate in the investigation of any such Security Incident and any obligation of the Merchant under Applicable Data Protection Laws to make any notifications to individuals, supervisory authorities, governmental or other regulatory authority, or the public in respect of such Security Incident.
Instant shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall without undue delay, send information to the Merchant including, but not limited to, the nature of the Security Incident, measures taken to mitigate or contain the Security Incident, and the status of the investigation.
Following a Security Incident, Instant shall document the responsive actions taken in connection with the Security Incident and shall conduct a post-breach review of events and actions taken, if any, to make changes in security practices and procedures to prevent such Security Incident from occurring again in the future.
Instant’s notification of or response to a Security Incident under this clause 8 will not be construed as an acknowledgement by Instant of any fault or liability with respect to the Security Incident.
9. Legal compliance
Each party agrees to notify the other party within five (5) business days if it (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and cannot cure this within a reasonable timeframe; or (ii) becomes aware of any circumstances or change in Applicable Data Protection Laws that is likely to prevent it from fulfilling its obligations under this DPA. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, does not or would not satisfy either party’s obligations under such Applicable Data Protection Laws, the Parties will negotiate in good faith an amendment to this DPA.
10. Data retention
Instant shall retain Merchant Personal Data only for as long as necessary to provide the Ordered Products and Services to the Company. Upon termination of the parties’ Agreement for any reason, Instant shall erase, delete, or destroy all or any part of such Merchant Personal Data in accordance with Instant’s policy.
Upon written request by the Merchant, Instant shall (if required to by Applicable Data Protection Laws) delete (or enable the Merchant to delete) the Merchant Personal Data and shall notify any Sub-Processors who may have accessed such Personal Information from or through Instant (unless the information was accessed at the direction of the Merchant) to delete the Personal Information, unless this proves impossible or involves disproportionate effort.
11. Contract period
- This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreements, will remain in effect until, and automatically expire upon, Instant’s deletion of all Merchant Personal Data as described in this DPA.
Schedule 1
Details of processing
Nature of data processed: Merchant Personal Data may include name, phone number, email address, address data, cookie values, IP address, device identifiers, and usage data.
Business Purpose(s): to provide the Ordered Products and Services under the Agreements, which may involve (a) providing advertising and marketing services to Merchants (eg transferring Merchant Personal Data to marketing channels and enabling Merchants to analyze customer behaviour to make better marketing decisions), (b) operating the Shopper Network, and (c) providing Merchant customers with accounts on the Merchant’s website that enables a checkout experience. Such data may also be used for internal research and technological development and undertaking activities to verify or maintain the quality or safety of an Ordered Product and Service and to improve, upgrade, or enhance the same.
Schedule 2
List of Sub-processors
Amazon Web Services, Inc.
Stripe, Inc.