DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of the Terms of Use for Shopify Apps and the Website provided by WebShopAssist ("Terms of Use") between (i) SMART BIT AGILE CONSULT S.R.L., a company incorporated under the Romanian law, ("WebShopAssist"), and (ii) Client (as defined in the Terms of Use), each being a “Party” and together the “Parties”.

This DPA shall apply whenever WebShopAssist processes Personal Data on behalf of Client, in connection with the provision of the Services.

1. Definitions

1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

(a) "Client Personal Data" means any Personal Data Processed by WebShopAssist on behalf of Client pursuant to or in connection with instructions given by Client consistent with the Terms of Use;

(b) "Data Protection Laws" means, Regulation (EU) 2016/679 ("GDPR") together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, together with binding guidance and codes of practice issued from time to time by relevant supervisory authorities;

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process" and "Processor" have the same meanings as described in the Data Protection Laws and cognate terms shall be construed accordingly.

1.3 Capitalized terms not otherwise defined in this DPA shall have the meanings ascribed to them in the Terms of Use.

2. Roles of the Parties

2.1 The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and WebShopAssist acts as a Processor.

2.2 In Annex 1 to this DPA, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by WebShopAssist pursuant to this DPA, as required by Article 28(3) of the GDPR.

3. Data Processing Terms

3.1 WebShopAssist shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and WebShopAssist shall:

3.1.1 process the Client Personal Data solely in accordance with Client's instructions, for the purposes of providing the Services and as otherwise necessary to perform its legal obligations, as such instructions are set out in the Terms of Use and this DPA;

3.1.2 ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality ;

3.1.3 implement and maintain reasonable technical and organizational measures, having regard to the assessment of the appropriate level of security for Client Personal Data and the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access or damage to such Data.

3.1.4 promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a supervisory authority) relating to any obligation under the Data Protection Laws in respect of the Client Personal Data and, on Client's request and at Client's costs, taking into account the nature of the Processing, assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR;

3.1.5 notify Client without undue delay of any Personal Data Breach involving Client Personal Data, upon WebShopAssist’s becoming aware of a Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client to comply with its obligations under the Data Protection Laws;

3.1.6 reasonably assist Client with their obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and information available to WebShopAssist, at the sole cost of the Client;

3.1.7 cease Processing the Client Personal Data upon the termination or expiry of the Terms of Use, and delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data Processed by WebShopAssist, unless (and solely to the extent and for such period as) Union or Member State law requires storage of the Personal Data; and

3.1.8 in addition to any audit rights granted pursuant to the Terms of Use, make available to Client on request and with costs to be borne by Client, all information necessary to demonstrate compliance with this DPA and with Article 28(3)(h) of the GDPR and allow for and contribute to audits, including inspections, by Client or an auditor mandated by Client at the sole cost of Client.

4. Appointment of Sub-Processors

4.1 Client hereby expressly and specifically authorizes WebShopAssist to engage another Processor to Process the Client Personal Data ("Sub-Processor"), subject to WebShopAssist:

4.1.1 notifying Client of any intended changes to its use of Sub-Processors by emailing notice of the intended change to Client;

4.1.2 including terms in its contract with each Sub-Processor which are materially the same as those set out in this DPA; and

4.1.3 remaining liable to the Client for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of the Client Personal Data.

The list of authorized Sub-Processors is included in Annex 2 of this DPA.

4.2 In relation to any notice received under section 4.1.1, the Client shall have a period of 15 (fifteen) days from the date of the notice to inform WebShopAssist in writing of any reasonable objection to the use of that Sub-processor. The parties will then, for a period of no more than 15 (fifteen) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Sub-processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms of Use) terminate the relevant Services immediately on written notice to the other Party;

4.3 Any transfer by WebShopAssist of Client Personal Data to a Sub-processor in a third country outside the EU/EEA which lacks an adequacy decision (if the case) shall be done on the basis of the standard contractual clauses issued by the European Commission or on another adequate safeguard provided by the Data Protection Laws.

5. Precedence

The provisions of this DPA are supplemental to the provisions of the Terms of Use. In the event of any inconsistency between the provisions of this DPA and the provisions of the Terms of Use, the provisions of this DPA shall prevail.

Annex 1: Description of Processing of Client Personal Data

This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of the Personal Data

The provision of the Services by way of the following Shopify Apps:

1. FGO integration

2. DPD integration

3. Fan Shipping

The Personal Data shall be stored for a period of maximum 90 days as of the date of the collection.

The nature and purpose of the Processing of the Personal Data

The provision of Services by WebShopAssist, as detailed in the Terms of Use.

The categories of Data Subject to whom the Client Personal Data relates

The customers – natural persons – of WebShopAssist's Clients who use the Shopify Apps listed above.

The types of Client Personal Data to be Processed

Name, address, e-mail address, telephone number, information related to the purchase order.

The obligations and rights of Client

The obligations and rights of Client are set out in the Data Protection DPA.

Annex 2: Authorised Sub-processors

DigitalOcean, LLC - 101 Avenue of the Americas, 10th Floor, New York, NY 10013 USA
Amazon Web Services EMEA SARL - 38 Avenue John F. Kennedy, L-1855, Luxembourg