This Clever Few Data Processing Addendum (“Addendum”) amends the Clever Few Terms of Service and any other terms that incorporate by reference this Addendum (together, the “Agreement”) by and between you and Clever Few Corp., a Canadian corporation.
Definitions
- “European Data Protection Laws” means European Union Regulation 2016/679 (the “General Data Protection Regulation”), the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and any relevant law, statute, regulation, rule or other binding instrument which implements the above or otherwise relates to data protection, privacy, data security or the processing of Personal Data in any European member state or the United Kingdom, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.
- “Personal Data” shall be interpreted in accordance with European Data Protection Laws and US Data Protection Laws, as applicable, and relating to an identifiable or identified individual who visits or engages in transactions through your store (a “Customer”), which Clever Few Processes as a Data Processor or Service Provider (as defined under such laws) in the course of providing you, as a Data Controller or Business (as defined under such laws), with the Services. The term “Personal Data” shall also include “Personal Information” as defined under US Data Protection Laws.
- “US Data Protection Laws” means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”) the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and other similar comprehensive state privacy laws that place obligations on a Business or Controller in relation to Personal Data (as defined under such laws), and any relevant regulation, rule or other binding instrument which implements such laws, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.
- “US Consumer” means an individual that is a “consumer” as defined under US Data Protection Laws.
- All other capitalized terms in this Addendum shall have the same definition as in the Agreement.
Details of Processing
- The parties agree that Appendix 1 of this Addendum describes the subject matter and details of the processing of Personal Data. Clever Few may aggregate, anonymize or deidentify Personal Data and process such data for the purposes set out in Appendix 1 or as otherwise permitted by applicable law. To the extent Clever Few receives from you Personal Data that has been Deidentified (as defined in section 5.1 of this Addendum), Clever Few will maintain and use the data only in a Deidentified fashion.
European Union and United Kingdom
- This section applies only to the extent that Clever Few’s Processing of Personal Data is subject to European Data Protection Laws. In this section, “Data Processor”, “Data Controller”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with the European Data Protection Laws.
- When Clever Few Processes Personal Data in the course of providing the Services, Clever Few will:
- Process the Personal Data as a Data Processor and/or Service Provider, only for the purpose of providing the Services in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by you. If Clever Few is required by law to Process the Personal Data for any other purpose, Clever Few will provide you with prior notice of this requirement, unless Clever Few is prohibited by law from providing such notice;
- notify you if, in Clever Few’s opinion, your instruction for the Processing of Personal Data infringes applicable European Data Protection Laws;
- notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Clever Few’s Processing of the Personal Data;
- implement reasonable technical and organizational measures enabling you to execute requests relating to your Customer’s Personal Data that you are obligated to fulfill;
- implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
- upon request, provide reasonable information to help you complete your data protection impact assessments and prior consultations with regulatory authorities;
- provide you, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Clever Few’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this Addendum;
- notify you without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
- ensure that its personnel who access the Personal Data are subject to confidentiality obligations; and
- upon termination of the Agreement, Clever Few will promptly initiate its purge process to delete or anonymize the Personal Data.
- In the course of providing the Services, you acknowledge and hereby grant Clever Few general written authorisation to use Subprocessors, listed online at: Clever Few Subprocessors (“Subprocessor List”), to Process the Personal Data. Clever Few’s use of any specific Subprocessor to process the Personal Data must be in compliance with European Data Protection Laws and must be governed by a contract between Clever Few and Subprocessor that requires comparable protections to this Data Processing Addendum. If Clever Few appoints a new subprocessor or intends to make changes concerning the addition or replacement of subprocessors, such changes will be made to our Subprocessor List. You will have seven (7) days from the date of the update of our Subprocessor List to object to the change. If you object to the appointment of a Subprocessor you may terminate this agreement in accordance with the Agreement.
- You warrant that you have complied and continue to comply with European Data Protection Laws, in particular, you have obtained any necessary consents or given any necessary notices and otherwise have a legitimate ground to disclose data to Clever Few and enable the processing of Personal Data by Clever Few as set out in this Agreement.
US Consumers
- This section applies only to the extent that, for purposes of the US Data Protection Laws, you are a Business or Controller and in the course of providing the Services, Clever Few processes Personal Data about US Consumers that is subject to US Data Protection Laws. In this section, “Business”, “Business Purpose”, “Commercial Purpose”, “Controller”, “Deidentified”, “Processor”, “Sell”, “Sale”, “Service Provider” shall have the meanings ascribed to them in US Data Protection Laws, and “Share” shall have the meaning ascribed to it in the CCPA, are incorporated herein by reference.
- With respect to such Personal Data, and to the extent required by applicable US Data Protection Laws, Clever Few will:
- process Personal Data as a Service Provider and/or Processor on your behalf to provide the Services or as otherwise permitted by US Data Protection Laws;
- not retain, use or disclose Personal Data outside its direct business relationship with you or for any purpose other than to provide the Services, including retaining, using or disclosing such Personal Data for a Commercial Purpose other than performing the Business Purposes described in the Agreement, or as otherwise permitted by US Data Protection Laws;
- not Sell or Share such Personal Data;
- not combine Personal Data collected in connection with performing the Services with Personal Data received from another source or collected from its own interactions with the individual, except to perform the Services, with consent or direction, or as otherwise permitted by US Data Protection Laws;
- in connection with processing the Personal Data, comply with provisions of the US Data Protection Laws applicable to Service Providers or Processors, including providing the same level of privacy protection required of Businesses or Controllers by the US Data Protection Laws, and notify you if it determines it can no longer meet these obligations. You may, upon receiving such a notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Clever Few;
- only engage subcontractors to process Personal Data on its behalf pursuant to a written contract that requires comparable protections to this Data Processing Addendum. In the course of providing the Services, you acknowledge and hereby grant Clever Few general written authorisation to use subcontractors, listed online at: Clever Few Subprocessors (“Subprocessor List”), to Process the Personal Data. Clever Few’s use of any specific Subprocessor to process the Personal Data must be in compliance with US Data Protection Laws and must be governed by a contract between Clever Few and Subcontractor that requires comparable protections to this Data Processing Addendum. If Clever Few appoints a new subcontractor or intends to make changes concerning the addition or replacement of subcontractors, such changes will be made to our Subprocessor List. You will have seven (7) days from the date of the update of our Subprocessor List to object to the change. In the event we do not receive a response from you, the change will be deemed to be accepted.
- take reasonable and appropriate steps, upon reasonable written notice from you and subject to the confidentiality obligations set out in the Agreement, to assist you with confirming that Clever Few’s use of Personal Data is consistent with your obligations under US Data Protection Laws;
- Upon request, provide a report of a reasonable assessment of Clever Few’s policies and technical and organizational measures in support of its obligations under applicable US Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments; and
- upon termination of the Agreement, Clever Few will promptly initiate its purge process to delete or Deidentify the Personal Data.
- You represent and warrant that you:
- have obtained any necessary consents, rights and authorizations and given any necessary notices to individuals regarding your disclosure of Personal Data to Clever Few to enable Clever Fews’s processing of Personal Data to provide the Services, as required by applicable law;
- will not share with Clever Few any Personal Data of any individual subject to the US Data Protection Laws who has exercised an opt-out that you have committed to honoring;
- will not share with Clever Few sensitive data of any US Consumer who has not consented to the processing of their sensitive data;
- inform Clever Few of any rights requests individuals make to you pursuant to US Data Protection Laws that Clever Few must comply with and provide the information necessary for Clever Few to comply with the requests; and
- be solely liable for your compliance with such laws.
- You and Clever Few agree that the existence of this Addendum does not constitute an admission that sharing of Personal Data constitutes a Sale or a Share.
General
- In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail, unless such provisions contradict a requirement under applicable law, in which case such requirement shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that Clever Few may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Clever Few’s website, available at Clever Few Processing Addendum and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to Clever Few’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.
- Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.
- The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Province of Ontario with respect to any dispute or claim arising out of or in connection with this Addendum.
Appendix 1: Details of Processing
Nature and purpose of processing: To provide and improve the Services under the Clever Few Terms of Service and any other terms that this Addendum is incorporated into, provide any related support to Customer, as otherwise permitted under European Data Protection Laws or US Data Protection Laws, as applicable, or as initiated by you from time to time.
Subject Matter, Types of Personal Data and Categories of Data Subjects: Personal Data relating to Customers.
Duration of processing: The term of this Addendum plus the period from the end of the term until deletion of all Customer Personal Data by Clever Few in accordance with its obligations under this Addendum.