Data Processing Addendum
I. Purpose
This Freshline Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Freshline Terms of Service, together with any terms applicable to any additional Freshline services that you choose to use (the "Terms") by and between You (or "Vendor"), and the Freshline Contracting Entity as set forth in the Terms ("Freshline"), which outline the specific business purposes and services related to this DPA. In case of any conflict between the Terms and this DPA, the DPA shall prevail with respect to the processing of Your Customer Personal Data, as defined below.
You and Freshline (each a "Party", together the "Parties"), agree that this DPA sets forth the Parties' obligations governing the processing of Your Customer Personal Data. You shall act as a Data Controller and Freshline shall act as a Data Processor with respect to the processing of Your Customer Personal Data, in connection with Your use of our Services that rely on our processing of Your Customer Personal Data.
For the avoidance of doubt, this DPA shall not apply to Freshline's processing of any Personal Data about Customers that it receives as a result of the Customer's relationship with Freshline.
II. Definitions
Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Terms:
A. Applicable Data Protection Law(s): Any data protection or privacy laws applicable to Freshline's processing of Personal Data under the Terms, their implementing regulations and secondary legislation, each as may be amended, updated or replaced from time to time, including such laws that apply based on the location or residence of Vendor and/or Your Customer(s).
B. Customer: An individual or entity that visits, engages with, and/or purchases a product, good, or service from Your Store(s).
C. Data Rights Request: A valid and lawful request by an individual to exercise available rights pertaining to Personal Data under an Applicable Data Protection Law.
D. Data Controller or Business: The Party that determines the purposes and means of the processing of Personal Data, or as otherwise defined under any Applicable Data Protection Law.
E. Data Processor or Service Provider: The Party or other entity or business that provides services on behalf of and processes Personal Data at the direction and on behalf of the Data Controller or as defined under any Applicable Data Protection Laws.
F. Personal Data: Information or data defined as 'personal data,' 'personal information,' or 'personally identifiable information' (or analogous term) under Applicable Data Protection Laws.
G. Personal Data Breach: In relation to Your Customer Personal Data, shall be interpreted in accordance with Applicable Data Protection Laws.
H. "Process," "processes," or "processing": (a) Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; or (b) the definition given to such term(s) under the Applicable Data Protection Law(s).
I. "Subprocessor(s)": Affiliated companies or third-party Data Processors or Service Providers that may process Personal Data at Freshline's direction for the purpose of providing the Services.
J. "You," "Your," or "Vendor": Means each business that You operate and that uses or benefits from the Services and is a Party to the Terms with Freshline.
K. "Your Customer Personal Data": Personal Data from or about Your Customers excluding any Personal Data about Customers that Freshline receives as a result of the Customer's relationship with Freshline, which is governed by Freshline's Consumer Privacy Policy and not this DPA.
III. Nature of the Processing and Roles of the Parties
Freshline as a Data Processor or Service Provider. Freshline receives and processes Your Customer Personal Data in order to provide You with the Services and as otherwise set forth below. Depending on which of the Services You request or use, Freshline will process the categories of Personal Data set forth at Appendix A, in the manner and on the bases contained therein.
Freshline shall process Your Customer Personal Data as a Data Processor or Service Provider only to provide the Services instructed in the Terms and any supplemental Terms and as necessary to provide, develop, and improve its Services and engage in any other purposes permitted by Applicable Data Protection Laws.
Freshline as a Data Controller or Business. Freshline shall process Your Customer Personal Data as a Data Controller or Business for any additional purposes compatible with Customer's instructions and Applicable Data Protection Law.
IV. Obligations of Parties
The following section describes the Parties' respective obligations with respect to the processing of Personal Data covered by this DPA.
A. General Compliance
1. The Parties will comply with their respective obligations under Applicable Data Protection Laws.
2. Freshline shall have no obligation to interpret or advise You on Your obligations under Applicable Data Protection Laws, including with respect to the processing of Personal Data covered by this DPA. You are solely responsible for determining Your legal and regulatory obligations, including evaluating whether the technical and organizational measures of the Services are consistent with Your independent legal and regulatory obligations.
B. Freshline's Obligations
1. Data Security
Freshline will implement and maintain appropriate technical and organizational measures designed to protect Your Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, as set forth in Appendix B.
2. Personal Data Breach Notification and Investigation
a) As required by Applicable Data Protection Laws, Freshline will provide notice to You upon Freshline confirming any Personal Data Breach.
b) Such notice shall include the information required under Applicable Data Protection Laws to the extent such information is reasonably available to Freshline. Freshline's response to, or notice of, a Personal Data Breach is not an acknowledgment by Freshline of any fault or liability.
c) Freshline agrees to investigate any Personal Data Breach, and use commercially reasonable efforts to identify, prevent, mitigate, and remedy the effects.
C. Your Obligations With Respect to Personal Data
1. Privacy Notices and Transparency: You represent and warrant that You are in compliance with all obligations under Applicable Data Protection Laws to provide notice and transparency concerning Your processing of Your Customer Personal Data under the Terms and in connection with Your use of the Services. Consistent with Applicable Data Protection Laws, You shall communicate to the relevant individuals all disclosures necessary for Freshline to lawfully and fairly process Your Customer Personal Data in connection with this DPA.
2. Customer Rights and Permissions: You represent and warrant that You have all necessary rights, permissions, and consents to make available Your Customer Personal Data to Freshline, and for Freshline to process Your Customer Personal Data in order for You to receive the Services, including Enhanced Services or other Additional Services You receive, in accordance with the Terms, this DPA, and Applicable Data Protection Laws.
3. Data Rights Requests: You represent and warrant that You provide the ability for Your Customers to exercise Data Rights Requests, as required under Applicable Data Protection Laws, with respect to processing of Your Customer Personal Data by Freshline for which You are the Data Controller.
4. Regulatory Inquiries: Unless prohibited by applicable law, You will notify us promptly in accordance with the Notice provision in the Terms of any governmental, regulatory or other third party inquiry or complaint concerning Your use of the Services.
V. Miscellaneous
A. Global Data Transfers
You acknowledge that Your Customer Personal Data may be transferred and processed in any country in which Freshline, its affiliated companies or third party service providers are located. Any transfer of Your Customer Personal Data to these recipients will be made in compliance with Applicable Data Protection Laws.
B. Response to Legal Requests
1. You acknowledge that, in the course of providing the Services to You, Freshline may share Your Customer Personal Data (i) to comply with legal requirements or to respond to court orders or other similar government or regulatory demands; or (ii) to prevent or investigate suspected fraud, threats to physical safety, illegal activity, or violations of a contract.
2. Freshline will make reasonable efforts before producing Your Customer Personal Data to ensure that such disclosure is permitted under Applicable Data Protection Laws and will be treated as confidential information under the applicable legal framework.
C. Disclosure in Corporate Transactions
You acknowledge that, in the course of providing the Services to You, Freshline may be required to share Your Customer Personal Data with potential counterparties to any corporate or restructuring transaction.
D. Freshline's Use of Service Providers
1. You acknowledge and agree that, in the course of providing the Services to You, Freshline may use service providers to process Your Customer Personal Data. If Applicable Data Protection Laws grant You such rights, You may object to Freshline's use of a service provider, and if Freshline is unable or unwilling to accommodate such requests, You may, in accordance with such laws, terminate Your use of the impacted Services in accordance with the Terms.
2. Freshline's use of service providers to process Your Customer Personal Data that You provide will be in compliance with Applicable Data Protection Laws. Where Freshline engages a service provider, Freshline will enter into a written agreement with the service provider that imposes contractual obligations that are substantially the same as the ones set out in this DPA.
E. DPA Amendment
You acknowledge and agree that Freshline may amend this DPA from time to time by posting the relevant amended and restated DPA on Freshline's website, and such amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted to Freshline's website constitutes Your agreement to, and acceptance of, the amended DPA. If You do not agree to any changes to the DPA, do not continue to use the Services.
VI. Appendices
1. Appendix A - Categories of Personal Data
2. Appendix B - Data Security
Appendix A: Categories of Personal Data
As part of Your use of the Services, and depending on which Services You use, we may receive and process the following categories of Personal Data to provide the Services:
• Customer name, email, contact, billing and shipping information.
• Purchase and other transaction information from Your Store(s).
• Update(s) about the status of transaction(s) with You or Your Store(s).
• Customer activity in Your Store(s), including products viewed and/or included in carts.
• Customer preference signals, including opt-out and opt-in signals.
• Customer device information for device(s) used when visiting Your Store(s), including IP address, browser, and network activity.
• Other information about the Customers' interactions with You.
• Any other Personal Data You or Your Customers choose to make available to Freshline.
Appendix B: Data Security
Freshline will maintain an information security program designed to (a) enable You to secure Your Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure; (b) identify reasonably foreseeable risks to the security and availability of the Services You receive; and (c) minimize security risks to the Services.
I. Freshline's information security program will include the following safeguards:
A. Logical Security
1. Access Controls: Freshline will make its systems accessible only to authorized personnel, and only as necessary to maintain and provide the Services. Freshline will maintain access controls and policies designed to manage authorizations for access to its systems, including through the use of firewalls and/or other technology and authentication controls.
2. Restricted User Access: Freshline will provision and restrict access to its systems in accordance with least privilege principles based on personnel job functions.
3. Vulnerability Assessments: Freshline will maintain a vulnerability assessment program, responsible for investigating and tracking identified issues with the Services to resolution where necessary.
4. Application Security: Freshline maintains an application security program responsible for protecting Services from application security threats.
5. Change Management: Freshline will maintain controls designed to log, authorize, test, approve and document changes to existing Services resources, and will document change details within its change management or deployment tools. Freshline will test changes according to its change management standards prior to migration to production.
6. Data Integrity: As appropriate, Freshline will maintain controls designed to provide data integrity during transmission, storage and processing within the Services.
7. Availability: Freshline will (i) implement redundancy where appropriate for the Services to minimize the effect of a malfunction on the Services, (ii) design the Services to anticipate and tolerate failures, and (iii) implement appropriate processes designed to move Personal Data traffic away from the affected areas when necessary to recover from failures.
8. Business Continuity and Disaster Recovery: Freshline will maintain a risk management program designed to support the continuity of its critical business functions, including processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Freshline's provision of the Services You receive.
9. Incident Management: Freshline provides documentation for You to report security or availability incidents, ask security or availability questions, and submit information about potential security or availability issues. Freshline will maintain corrective action plans and incident response plans designed to detect, mitigate, investigate, and respond to potential security threats to the Services.
B. Physical Security: Where necessary to protect Services, Freshline will (i) implement reasonable measures designed to prevent unauthorized physical access, damage, or interference to the Services, (ii) use appropriate control devices designed to restrict physical access to the Services to only authorized personnel who have a legitimate business need for such access, and (iii) perform periodic reviews to validate adherence with these standards.
C. Freshline Employees: Freshline employees who are authorized to access Your Customer Personal Data are bound by obligations of confidentiality as part of their terms of employment. Freshline will implement and maintain employee security training programs regarding Freshline information security requirements. The security awareness training programs will be reviewed and updated periodically.
II. Modifications to this Appendix
Freshline reviews its security measures from time to time, and may update this Appendix in its sole discretion. Any such updates will replace prior versions of this Appendix as of the date that Freshline publishes the updated version.