Data Processing Addendum
- “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
- “Authorized Employee” means an employee of Processor who has a need to know or otherwise access Personal Data to enable Processor to perform their obligations under this Addendum or the Agreement.
- “Authorized Sub-Processor” means a third-party engaged by or on behalf of the Processor who has a need to know or otherwise access or Process Personal Data to enable Processor to perform its obligations under this Addendum or the Agreement, and who is either (1) listed in Exhibit C or (2) authorized by Controller to do so under Section 4.2 of this Addendum.
- “C2C SCCs” means Module I (Controller to Controller) of the Standard Contractual Clauses completed in accordance with Part 1 of Exhibit D to this Addendum.
- “C2P SCCs” means Module II (Controller to Processor) of the Standard Contractual Clauses completed in accordance with Part 2 of Exhibit D to this Addendum.
- “Data Controller”, “Data Processor”, “Data Subject”, “Data Subject Access Request”, “Processing”, “Personal Data Breach”, “Sub-Processor” have the meaning set out in the applicable Data Protection Laws in force at the time.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, as set out at Section 2.1.
- “Data Protection Laws” means all applicable privacy and data protection laws, including (but not limited to) the GDPR and any applicable national implementing laws and regulations relating to the Processing of Personal Data and the California Consumer Privacy Act of 2018, as amended, and regulations promulgated thereunder (“CCPA”), and laws and regulations similar to the CCPA as they become effective, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act and related regulations, the Utah Consumer Privacy Act, the Iowa Consumer Privacy Act, and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (together with the CCPA, the “U.S. State Privacy Laws”).
- “GDPR” means (as applicable): (a) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("EU GDPR"); and/or (b) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR").
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by the applicable Data Protection Laws in force at the time.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller, as set out at Section 2.1.
- “Restricted Transfers” means a transfer of personal data from one Party to another, which transfer would be prohibited by applicable Data Protection Legislation in the absence of the relevant Restricted Transfer Agreement to be established under paragraph 6 of the DPA (or an agreement comparable thereto). There will not be a Restricted Transfer where: (a) the Data Importer is within a jurisdiction which has been deemed to provide an adequate level of data protection for the purposes of applicable data protection law; or (b) the transfer falls within the terms of an alternative safeguard or a derogation under applicable data protection law, including as set out in Article 46 and Article 49 GDPR respectively.
- “Restricted Transfer Agreement” means C2C SCCs or C2P SCCs, as applicable.
- “Services” shall have the meaning set forth in the Agreement.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 contained in the annex to European Commission decision 2021/914 of 4 June 2021.
- “Supervisory Authority” means an independent public authority which is established by a member state of the European Union, the United Kingdom, Switzerland, Iceland, Liechtenstein, or Norway.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under Section 119A(1) of the Data Protection Act 2018 (as amended or replaced from time to time), completed in accordance with Exhibit E of the DPA.
- Subject to Clause 11, the parties agree and acknowledge that Shippo may process Personal Data shared by Customer for the purposes of delivering the Services and with regard to such processing, Customer is a data controller ("Controller") and Shippo is a data processor ("Processor"). To the extent that Shippo acts as a data processor, clauses 2, 3, 4, 5, 6, 7 and 8 shall apply.
- The rights and obligations of the Controller with respect to this Processing are described herein. Controller shall, in its use of the Services, at all times Process Personal Data, and provide instructions for the Processing of Personal Data, in compliance with Data Protection Laws. Controller shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Personal Data, and that the Processing of Personal Data in accordance with Controller’s instructions will not cause Processor to be in breach of the Data Protection Laws. Controller is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Processor by or on behalf of Controller, (ii) the means by which Controller acquired any such Personal Data, and (iii) the instructions it provides to Processor regarding the Processing of such Personal Data. Controller shall not provide or make available to Processor any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Processor from all claims and losses in connection therewith.
Subject to Clause 11, Processor shall not Process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in this Addendum or any other documented instructions provided by Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Supervisory Authority to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest and (iii) in violation of applicable Data Protection Laws. Controller hereby instructs Processor to Process Personal Data in accordance with the foregoing and as part of any Processing initiated by Controller in its use of the Services.
- Processor will not "sell" Personal Data (as such term in quotation marks is defined in U.S. State Privacy Laws), "share" or Process Personal Data for purposes of "cross-context behavioral advertising" or "targeted advertising" (as such terms in quotation marks are defined in the CCPA), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Controller.
- Processor will comply with any applicable restrictions under Data Protection Laws on combining the Personal Data with personal data that Processor receives from, or on behalf of, another person or persons, or that Processor collects from any interaction between it and any Data Subject.
- Processor will not attempt to re-identify any de-identified Personal Data without Controller’s express written permission.
- Processor will provide the same level of protection for the Personal Data as is required under the CCPA applicable to Controller.
- Controller retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this Addendum.
- Processor will notify Controller as soon as legally permissible if Processor determines that Processor can no longer meet its obligations under this Addendum or applicable Data Protection Law.
- Processor certifies that it understands its obligations under this Addendum (including this Section 2.3) and that it will comply with them.
- The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this Addendum.
- Following completion of the Services, at Controller’s choice, Processor shall return or delete the Personal Data, unless further storage of Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Processor shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 11 (Transfers of Personal Data), the parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the C2P SCCs [or Clause 3.5 of the C2C SCCs (as applicable)] shall be provided by Processor to Controller only upon Controller’s request.
- Processor shall take commercially reasonable steps to ensure the reliability and appropriate training of any Authorized Employee.
- Processor shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Processor, any Personal Data except in accordance with their obligations in connection with the Services.
- Processor shall take commercially reasonable steps to limit access to Personal Data to only Authorized Employees.
- Controller acknowledges and agrees that Processor may (1) engage its affiliates and the Authorized Sub-Processors listed in Exhibit C to this Addendum to access and Process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data. By way of this Addendum, Controller provides general written authorization to Processor to engage sub-processors as necessary to perform the Services.
- A list of Processor’s current Authorized Sub-Processors (the “List”) will be made available to Controller, either attached hereto, at a link provided to Controller, via email or through another means made available to Controller. Such List may be updated by Processor from time to time. The List may provide a mechanism to subscribe to notifications of new Authorized Sub-Processors and Controller agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than Authorized Sub-Processors to access or participate in the Processing of Personal Data, Processor will add such third party to the List. Controller may reasonably object to such an engagement on legitimate grounds by informing Processor in writing within ten (10) days of receipt of the aforementioned notice by Controller. Controller acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Processor from offering the Services to Controller.
- If Controller reasonably objects to an engagement in accordance with Section 4.2, and Processor cannot provide a commercially reasonable alternative within a reasonable period of time, Processor may terminate this Addendum. Termination shall not relieve Controller of any fees owed to Processor under the Agreement.
- If Controller does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Processor, that third party will be deemed an Authorized Sub-Processor for the purposes of this Addendum.
- Processor will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Processor under this Addendum with respect to the protection of Personal Data. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Processor, Processor will remain liable to Controller for the performance of the Authorized Sub-Processor’s obligations under such agreement.
- If Controller and Processor have entered into C2P SCCs as described in Section 11 (Transfers of Personal Data), (i) the above authorizations will constitute Controller’s prior written consent to the subcontracting by Processor of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Processor to Controller pursuant to Clause 9(c) of the C2P SCCs may have commercial information, or information unrelated to the C2P SCCs or their equivalent, removed by the Processor beforehand, and that such copies will be provided by the Processor only upon request by Controller.
- Security of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data.
Rights of Data Subjects
- Processor shall, to the extent permitted by law, notify Controller upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Processor receives a Data Subject Request in relation to Controller’s data, Processor will advise the Data Subject to submit their request to Controller and Controller will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Controller is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of Processing, or withdrawal of consent to Processing of any Personal Data are communicated to Processor, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.
- Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Controller in complying with Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Controller is itself unable to respond without Processor’s assistance and (ii) Processor is able to do so in accordance with all applicable laws, rules, and regulations. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
Actions and Access Requests
- Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance where necessary for Controller to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Controller does not otherwise have access to the relevant information. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
- Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance with respect to Controller’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by applicable Data Protection Laws. Controller shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.
- Processor shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum, and retain such records for a period of three (3) years after the termination of the Agreement. Controller shall, with reasonable notice to Processor, have the right to review, audit and copy such records at Processor’s offices during regular business hours.
- Upon Controller’s request, Processor shall, no more than once per calendar year, either (i) make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the Processing of Controller’s Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Controller or its authorized representative, upon reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of Processor’s data security infrastructure and procedures that is sufficient to demonstrate Processor’s compliance with its obligations under this Addendum, provided that Controller shall provide reasonable prior notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Processor’s business. Controller shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Processor for any time expended for on-site audits. If Controller and Processor have entered into Standard Contractual Clauses as described in Section 11 (Transfers of Personal Data), the parties agree that the audits described in Clause 13 of each of the Standard Contractual Clauses shall be carried out in accordance with this Section 7.4.
- Processor shall, without delay, notify Controller if an instruction, in the Processor’s opinion, infringes the Data Protection Laws or Supervisory Authority.
- In the event of a Personal Data Breach, Processor shall, without undue delay, inform Controller of the Personal Data Breach and take such steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor’s reasonable control).
- In the event of a Personal Data Breach, Processor shall, taking into account the nature of the Processing and the information available to Processor, provide Controller with reasonable cooperation and assistance necessary for Controller to comply with its obligations under applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.
- The obligations described in Sections 7.6 and 7.7 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Controller. Processor’s obligation to report or respond to a Personal Data Breach under Sections 7.5 and 7.6 will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.
- Law Enforcement Requests. If a law enforcement or government agency sends Processor a demand for Personal Data, Processor shall attempt to give Controller reasonable notice of the demand and cooperation to allow Controller to seek a protective order or other appropriate remedy unless Processor is prohibited from doing so.
Liability. The total liability of each of Controller and Processor (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
Shippo’s Role as a Data Controller
- The parties acknowledge and agree that to the extent Shippo processes Personal Data in connection with the Agreement to: (i) monitor, prevent and detect fraud, investigate potential criminal activity and to prevent harm to Customer, Shippo and Shippo's affiliates, and to third parties; (ii) comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Shippo is subject; (iii) conduct analytics, and develop and improve Shippo's products and services; (iv) market to business contacts at the Customer; or (v) share Personal Data with selected partners for their further use, Shippo is acting as a data controller with respect to the Processing of such Personal Data it receives from or through Customer.
- To the extent that each party acts as a Data Controller in connection with this Agreement, each agrees that all Personal Data collected which is otherwise provided or made available to the other Party shall have been collected or otherwise obtained in compliance with Data Protection Laws, and may be processed, disclosed and transferred as described in or in connection with this Agreement.
Transfers of Personal Data
- The parties agree that Shippo may transfer Personal Data processed under this Addendum outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland as necessary provided that, if Shippo transfers Personal Data protected under this Addendum to a jurisdiction which has not been deemed to provide an adequate level of data protection for the purposes of applicable data protection law, Shippo will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.
The parties agree that, in respect of Restricted Transfers (whether direct transfers or onwards transfers of Personal Data from the EEA or UK):
- the C2C SCCs will apply to such transfers from Customer as Controller to Shippo as Controller; and
- the C2P SCCs will apply to such transfers from Customer as Controller to Shippo as Processor.
- The C2P SCCs and the C2C SCCs are hereby incorporated by reference into this DPA in respect of such transfers.
- Where a Restricted Transfer is subject to the UK GDPR, the C2C SCCs, or the C2P SCCs, as applicable, shall incorporate the UK Addendum.
Execution of this Addendum. Shippo has pre-signed this Addendum, in the signature block below. To complete this Addendum, Customer must complete the information requested in the signature block below and sign there and send the completed and signed Addendum to Shippo by email to email@example.com. Upon receipt of the validly completed Addendum by Shippo at this email address, this Addendum will become legally binding.
Details of Processing
Technical and Organisational Measures
Preventing Unauthorized Access
- Outsourced processing: Shippo hosts its Service with outsourced cloud infrastructure providers. Additionally, Shippo maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Shippo relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
- Physical and environmental security: Shippo hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
- Authentication: Shippo implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
Preventing Unauthorized Product Use
Shippo implements industry standard access controls and detection capabilities for the internal networks that support its products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Static code analysis: Security review of code stored in Shippo’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
- Penetration testing: Shippo maintains relationships with industry recognized penetration testing service providers for at least one annual penetration test. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Limitations of Privilege & Authorization Requirements
- Production access: A subset of Shippo’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
- Background checks: All Shippo employees undergo a third-party background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- In-transit: Shippo makes HTTPS encryption (also referred to as SSL or TLS) available on of its login interfaces. Shippo’s HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: Shippo stores user passwords following policies that follow industry standard practices for security. Our databases are encrypted at rest at our multi-tenant hosting facility.
- Detection: Shippo designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Shippo personnel, including security, operations, and support personnel, are responsive to known incidents.
- Response and tracking: Shippo maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Shippo will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
- Communication: If Shippo becomes aware of unlawful access to Customer data stored within its products, Shippo will follow the Shippo Security and Privacy Incident Response policy dealing with incidents and mitigate the potential harm to customers.
- Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
- Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
- Shippo’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Shippo operations in maintaining and updating the product applications and backend while limiting downtime.
Controller acknowledges and agrees that the following entities shall be deemed Authorized Sub-Processors that may Process Personal Data pursuant to this Addendum:
- Amazon Web Services (AWS)
- Looker Data Sciences
- Mailchimp (SendGrid)
- Melissa Data
- Mode Analytics
- Sift Science
Standard Contractual Clauses
Part 1: Controller-Controller Agreement (Module I)
The parties acknowledge and agree that the C2C SCCs entered into pursuant to Section 11.2.1 of the Addendum are completed by the insertion of the information set out below:
Part 2: Controller-Processor Agreement (Module II)
The parties acknowledge and agree that the C2P SCCs entered into pursuant to Section 11.2.2 of the Addendum are completed by the insertion of the information set out below:
The parties acknowledge and agree that the tables in the UK Addendum are amended by the insertion of the information set out below:
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
Table 4: Ending this Addendum when the Approved Addendum Changes