Rights and responsibilities for the processing and security of customer data
Last updated: January 21th, 2023
This Data Processing Addendum (“Addendum”), effective as of the DPA Effective Date (defined below), is entered into by and between BOSST Inc. (“BOSST”) and you (“Customer”) (collectively the “Parties”). This Addendum forms part of the Terms of Service or other agreement you may have entered with BOSST governing the provision of BOSST’s checkout platform application (collectively “Agreement”) and will amend the terms of the Agreement to reflect the parties’ rights and responsibilities with respect to the processing and security of Customer’s data under the Agreement.
- a) Agreement to Terms. If you are accessing and using the Services on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Addendum. In that case, “Customer” will refer to that company or other legal entity.
- b) Subject Matter. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
- c) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or upon the date that the Customer electronically accepts other otherwise agrees or opts-in to this Addendum if it is completed after the effective date of the Agreement. BOSST will Process Customer Personal Data until the relationship terminates as specified in the Agreement. BOSST’s obligations and Customer’s rights under this Addendum will continue in effect so long as BOSST Processes Customer Personal Data.
DEFINITIONS AND INTERPRETATION
The following terms shall have the following meanings:
“Data Protection Legislation” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom which are applicable to the processing of Personal Data under this Agreement including but not limited to the EU General Data Protection Regulation (2016/679);
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Subprocessor” each have the meanings given to them in the Data Protection Legislation;
“Processing” has the meaning set out in the Data Protection Legislation and “process” and “processed” shall be construed accordingly;
“Services” means those services and other activities to be provided to or carried out by on behalf of BOSST for Customer by BOSST pursuant to the Agreement.
For the purpose of this Addendum, references to clauses shall be deemed to be references to the terms of this Addendum, unless otherwise stated or if the context otherwise requires.
3. Data Use and Processing
- a) Compliance with Laws. Customer shall ensure that it has obtained any and all authorizations and lawful bases for processing (including verifiable consent where necessary) in accordance with Applicable Data Protections Law(s) in order to provide Customer Personal Data to BOSST for Processing. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
- b) Authorization to Use Third Parties. The Customer consents to the use of third-party processors by BOSST to process Personal Data on behalf of Customer in the performance of its obligations under this Agreement, and to provide certain services on behalf of BOSST, such as support services. BOSST confirms that it has entered or (as the case may be) will enter with the third-party processors into written agreements incorporating terms which are substantially similar to, and no less onerous than, those set out in this Addendum. BOSST shall inform Customer of any intended changes concerning the appointment or replacement of further third-party processors. The Customer may object to any new third-party processor by terminating the applicable service with respect only to those services which cannot be provided by BOSST without the use of the objected-to new third-party processor. Such termination will be made by providing written notice to BOSST, on the condition that Customer provides such notice within 14 days of being informed of the engagement of the new third-party processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new third-party processor.
- c) Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
- d) Personal Data Inquiries and Requests. BOSST agrees to assist Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators provided that BOSST may charge Customer on a time and materials basis in the event that BOSST considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
4. Cross-Border Transfers of Personal Data
- a) The Customer acknowledges and agrees that Personal Data will be processed by BOSST outside of the European Union, the European Economic Area or Switzerland (the “EU”) including in the United States of America. Where Personal Data is transferred from the EU to a jurisdiction outside of the EU, BOSST will execute appropriate safeguards in relation to the transfer (unless appropriate safeguards have already been provided by Customer).
5. Information Security Program
- a) BOSST will ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (“Personal Data Breach”), appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
6. Security Incidents
- a) Security Incident Procedure. Upon becoming aware of a Security Incident, BOSST will notify Customer without delay on becoming aware of a Personal Data Breach and shall provide further information about the Personal Data Breach to Customer in phases as such information becomes available.
- a) Audits. If Applicable Data Protection Law affords Customer an audit right, Customer (or its appointed representative) may, no more than once annually, carry out an inspection of BOSST’s operations and facilities with respect to the Processing of Customer Personal Data. Customer must provide BOSST forty-five (45) days written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to BOSST’s operations. Prior to any audit being conducted, the Parties will agree Any such audit shall be subject to BOSST’s security and confidentiality terms and guidelines. Customer shall be responsible for any costs arising from such audit.
8. Data Deletion
- a) Data Deletion. At the written direction of Customer, BOSST will, at Customer’s option, delete or return all Customer Personal Data to Customer, except where BOSST is required to retain copies under applicable laws, in which case BOSST will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.