Data Processing Addendum

This Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Freshline Terms of Service, together with any terms applicable to any additional Freshline services that you choose to use (the "Terms"). In case of any conflict between the Terms and this DPA, the DPA shall prevail with respect to the processing of Your Customer Personal Data.

I. Purpose

This Freshline Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Freshline Terms of Service, together with any terms applicable to any additional Freshline services that you choose to use (the "Terms") by and between You (or "Vendor"), and the Freshline Contracting Entity as set forth in the Terms ("Freshline"), which outline the specific business purposes and services related to this DPA.

You and Freshline (each a "Party", together the "Parties"), agree that this DPA sets forth the Parties' obligations governing the processing of Your Customer Personal Data. You shall act as a Data Controller and Freshline shall act as a Data Processor with respect to the processing of Your Customer Personal Data, in connection with Your use of our Services that rely on our processing of Your Customer Personal Data.

For the avoidance of doubt, this DPA shall not apply to Freshline's processing of any Personal Data about Customers that it receives as a result of the Customer's relationship with Freshline.

II. Definitions

Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Terms:

A. Applicable Data Protection Law(s): Any data protection or privacy laws applicable to Freshline's processing of Personal Data under the Terms, their implementing regulations and secondary legislation, each as may be amended, updated or replaced from time to time.

B. Customer: An individual or entity that visits, engages with, and/or purchases a product, good, or service from Your Store(s).

C. Data Rights Request: A valid and lawful request by an individual to exercise available rights pertaining to Personal Data under an Applicable Data Protection Law.

D. Data Controller or Business: The Party that determines the purposes and means of the processing of Personal Data, or as otherwise defined under any Applicable Data Protection Law.

E. Data Processor or Service Provider: The Party or other entity or business that provides services on behalf of and processes Personal Data at the direction and on behalf of the Data Controller or as defined under any Applicable Data Protection Laws.

F. Personal Data: Information or data defined as 'personal data,' 'personal information,' or 'personally identifiable information' (or analogous term) under Applicable Data Protection Laws.

G. Personal Data Breach: In relation to Your Customer Personal Data, shall be interpreted in accordance with Applicable Data Protection Laws.

H. "Process," "processes," or "processing": Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

I. "Subprocessor(s)": Affiliated companies or third-party Data Processors or Service Providers that may process Personal Data at Freshline's direction for the purpose of providing the Services.

J. "You," "Your," or "Vendor": Each business that You operate and that uses or benefits from the Services and is a Party to the Terms with Freshline.

K. "Your Customer Personal Data": Personal Data from or about Your Customers excluding any Personal Data about Customers that Freshline receives as a result of the Customer's relationship with Freshline, which is governed by Freshline's Consumer Privacy Policy and not this DPA.

III. Nature of the Processing and Roles of the Parties

Freshline as a Data Processor or Service Provider. Freshline receives and processes Your Customer Personal Data in order to provide You with the Services and as otherwise set forth below.

Freshline shall process Your Customer Personal Data as a Data Processor or Service Provider only to provide the Services instructed in the Terms and any supplemental Terms and as necessary to provide, develop, and improve its Services and engage in any other purposes permitted by Applicable Data Protection Laws.

Freshline as a Data Controller or Business. Freshline shall process Your Customer Personal Data as a Data Controller or Business for any additional purposes compatible with Customer's instructions and Applicable Data Protection Law.

IV. Obligations of Parties

The following section describes the Parties' respective obligations with respect to the processing of Personal Data covered by this DPA.

A. General Compliance

1. The Parties will comply with their respective obligations under Applicable Data Protection Laws.

2. Freshline shall have no obligation to interpret or advise You on Your obligations under Applicable Data Protection Laws. You are solely responsible for determining Your legal and regulatory obligations, including evaluating whether the technical and organizational measures of the Services are consistent with Your independent legal and regulatory obligations.

B. Freshline's Obligations

1. Data Security. Freshline will implement and maintain appropriate technical and organizational measures designed to protect Your Customer Personal Data as set forth in Appendix B.

2. Personal Data Breach Notification and Investigation. As required by Applicable Data Protection Laws, Freshline will provide notice to You upon confirming any Personal Data Breach and will use commercially reasonable efforts to investigate, mitigate, and remedy the effects.

C. Your Obligations With Respect to Personal Data

1. Privacy Notices and Transparency. You are responsible for providing all required notices and transparency to Your Customers concerning Your processing of Your Customer Personal Data and Freshline's processing on Your behalf.

2. Customer Rights and Permissions. You represent that You have all necessary rights, permissions, and consents to provide Your Customer Personal Data to Freshline for processing in accordance with the Terms and this DPA.

3. Data Rights Requests. You will provide mechanisms for Your Customers to exercise applicable privacy rights with respect to Your Customer Personal Data for which You are the Data Controller.

4. Regulatory Inquiries. Unless prohibited by applicable law, You will promptly notify Freshline of any governmental, regulatory, or other third-party inquiry or complaint concerning Your use of the Services.

V. Miscellaneous

A. Global Data Transfers. You acknowledge that Your Customer Personal Data may be transferred and processed in any country in which Freshline, its affiliated companies or third-party service providers are located, in compliance with Applicable Data Protection Laws.

B. Response to Legal Requests. In the course of providing the Services, Freshline may disclose Your Customer Personal Data (i) to comply with legal requirements or to respond to court orders or similar government demands; or (ii) to prevent or investigate suspected fraud, threats to physical safety, illegal activity, or violations of a contract.

C. Disclosure in Corporate Transactions. Freshline may disclose Your Customer Personal Data to potential counterparties in connection with corporate or restructuring transactions.

D. Freshline's Use of Service Providers. You acknowledge that Freshline may use service providers to process Your Customer Personal Data on Freshline's behalf, subject to written agreements imposing substantially similar obligations as those set out in this DPA.

E. DPA Amendment. Freshline may amend this DPA from time to time by posting an updated version on its website. Your continued use of the Services after such posting constitutes your acceptance of the amended DPA.

VI. Appendices

1. Appendix A - Categories of Personal Data
2. Appendix B - Data Security

Appendix A: Categories of Personal Data

As part of Your use of the Services, and depending on which Services You use, we may receive and process the following categories of Personal Data to provide the Services:

• Customer name, email, contact, billing and shipping information.
• Purchase and other transaction information from Your Store(s).
• Updates about the status of transactions with You or Your Store(s).
• Customer activity in Your Store(s), including products viewed and/or included in carts.
• Customer preference signals, including opt-out and opt-in signals.
• Customer device information for device(s) used when visiting Your Store(s), including IP address, browser, and network activity.
• Other information about the Customers' interactions with You.
• Any other Personal Data you or Your Customers choose to make available to Freshline.

Appendix B: Data Security

Freshline will maintain an information security program designed to (a) enable You to secure Your Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure; (b) identify reasonably foreseeable risks to the security and availability of the Services You receive; and (c) minimize security risks to the Services.

A. Logical Security. Freshline maintains access controls, authentication mechanisms, vulnerability assessments, application security practices, change-management controls, and availability and continuity measures designed to protect the Services.

B. Physical Security. Where necessary to protect the Services, Freshline implements measures intended to prevent unauthorized physical access, damage, or interference and restricts access to authorized personnel with a legitimate business need.

C. Employees and Training. Freshline employees who are authorized to access Your Customer Personal Data are subject to confidentiality obligations and receive security awareness training that is reviewed and updated periodically.