If incorporated by reference into an Order Form and/or accompanying Terms and Conditions (the “Agreement”) that is entered into between Lymion Group, Inc., a Florida corporation, also doing business as Overproof (“Overproof” or “Supplier”), and the company listed in the Agreement purchasing services from Overproof (“Customer”) (each a “Party” and together the “Parties”), this Data Processing Addendum shall supplement and modify the Agreement.
1.1. In this Data Processing Addendum, the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:
a) “Addendum Effective Date” means the effective date of the Agreement.
b) “Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.
c) “Agreement” means the Overproof Order Form and accompanying Terms and Conditions, or any other written agreement entered into by and between the Parties, that expressly incorporates this Data Processing Addendum.
d) “Anonymized Data” means any Personal Data (including Customer Personal Data) which has been anonymized such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Supplier or any other party reasonably likely to receive or access that Anonymized Data.
e) “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, at Supplier’s location.
f) “CCPA” means the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder.
g) “Cessation Date” has the meaning given in Paragraph 9.1.
h) “Customer Personal Data” means any Personal Data Processed by or on behalf of Supplier on behalf of Customer under the Agreement. Customer Personal Data does not include Personal Data of representatives of Customer with whom Supplier has business relationships independent of the Services.
i) “Data Protection Laws” means the CCPA and the EU General Data Protection Regulation 2016/679 (the “GDPR”) and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly), in each case to the extent applicable to the relevant Customer Personal Data or Processing thereof under the Agreement.
j) “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, applicable Data Protection Laws.
k) “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
l) “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
m) “Personal Data” means (a) the personal data (as defined in the GDPR) that Customer provides to Supplier for the provision of the Services; and (b) any other information that Customer provides to Supplier for the provision of the Services that constitutes “personal information” under and governed by the CCPA.
n) “Personal Data Breach” means a breach of Supplier’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Supplier’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
o) “Personnel” means a person’s employees, agents, consultants or contractors.
p) “Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.
q) “Restricted Transfer” means: (i) a transfer of Customer Personal Data from Customer to Supplier in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Supplier to a Subprocessor in a Restricted Country, (in each case) where such transfer would be prohibited by applicable Data Protection Laws without a legal basis therefor under Chapter V of the GDPR.
r) “Services” means those services and activities to be supplied to or carried out by or on behalf of Supplier for Customer pursuant to the Agreement.
s) “Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time-to-time) for the transfer of Personal Data from Data Controllers established inside the European Economic Area to Data Processors established in Restricted Countries.
t) “Subprocessor” means any third party appointed by or on behalf of Supplier to Process Customer Personal Data.
1.2. In this Data Processing Addendum:
a) the terms, “Data Controller”, “Data Processor”, “Process” (and its derivatives) and “Supervisory Authority” as used in this Data Processing Addendum shall have the meaning ascribed to the corresponding terms in applicable Data Protection Laws;
b) unless otherwise defined in this Data Processing Addendum, all capitalized terms shall have the meaning given to them in the Agreement; and
c) any reference to any statute, regulation or other legislation in this Data Processing Addendum shall be construed as meaning such statute, regulation or other legislation, together with any applicable judicial or administrative interpretation thereof (including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority).
2.1. In respect of Customer Personal Data, the Parties acknowledge that:
a) Supplier acts as a Data Processor or “service provider” as defined under the CCPA; and
b) Customer acts as the Data Controller or “business” as defined under the CCPA.
2.2. Supplier shall:
a) comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
b) not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to Paragraph 2.9); and
(ii) as required by applicable laws.
2.3. Customer instructs Supplier to Process Customer Personal Data as necessary:
a) to provide the Services to Customer;
b) to perform Supplier’s obligations and exercise Supplier’s rights or defend legal claims under the Agreement; and
c) for the proper management and administration of Supplier’s business.
2.4. Annex 1 (Data Processing Details) sets out certain information regarding Supplier’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
2.5. Customer may amend Annex 1 (Data Processing Details) on written notice to Supplier from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.
2.6. Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.5) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
2.7. Where Supplier receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Supplier shall inform Customer.
2.8. Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Supplier pursuant to or in connection with the Agreement:
a) shall be strictly required for the sole purpose of ensuring compliance with applicable Data Protection Laws; and
b) (without limitation to the generality of Paragraph 2.7) shall not relate to the scope of, or otherwise materially change, the Services to be provided by Supplier under the Agreement.
2.9. Notwithstanding anything to the contrary herein, Supplier may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Supplier considers (in its reasonable discretion) that:
a) it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
For the avoidance of doubt, this Paragraph 2.9 does not refer to the instructions set out in Paragraph 2.3.
2.10. Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Supplier of Customer Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing).
Supplier shall take reasonable steps to ensure the reliability of any Supplier Personnel who Process Customer Personal Data, ensuring:
a) that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data for the purposes described in this Data Processing Addendum; and
b) that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Supplier shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Supplier shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
5.1. Customer authorizes Supplier to appoint Subprocessors in accordance with this Paragraph 5.
5.2. Supplier may continue to use those Subprocessors already engaged by Supplier as at the date of this Data Processing Addendum, subject to Supplier meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4.
5.3. Supplier shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. The Parties agree that notice of a new Subprocessor posted on Supplier’s website at this URL is sufficient notice, unless the Parties expressly agreed in writing to require email notification. If, within ten (10) Business Days of receipt of that notice, Customer notifies Supplier in writing of any objections (on reasonable grounds) to the proposed appointment:
a) Supplier shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
b) where:
(i) such a change cannot be made within 40 Business Days from Supplier’s receipt of Customer’s notice;
(ii) no commercially reasonable change is available; and/or
(iii) Customer declines to bear the cost of the proposed change,
then either Party may, by written notice to the other Party with immediate effect, terminate the Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4. With respect to each Subprocessor, Supplier shall: (a) ensure that the arrangement between Supplier and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Paragraph 4); and (b) be fully responsible and liable for all acts and omissions by the Subprocessor.
6.1. Taking into account the nature of the Processing, Supplier shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2. Supplier shall:
a) promptly notify Customer if Supplier receives a Data Subject Request; and
b) ensure that Supplier does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
7.1. Supplier shall notify Customer without undue delay upon Supplier becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Supplier’s possession) to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to:
a) affected Data Subjects; or
b) the relevant Supervisory Authority(ies) (as may be determined in accordance with the applicable Data Protection Laws).
Supplier shall take reasonable steps to identify the cause of such Personal Data Breach, minimize harm, and prevent a recurrence. Notification of or response to a Personal Data Breach will not be construed as an acknowledgment by Supplier of any fault or liability with respect to the Personal Data Breach.
8.1. Supplier shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Supplier.
9.1. Subject to Paragraphs 9.2 and 9.4, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Supplier shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.
9.2. Customer hereby acknowledges and agrees that, due to the nature of the Customer Personal Data Processed by Supplier, return (as opposed to Deletion) of Customer Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Customer agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected Deletion, in preference of return, of the Customer Personal Data.
9.3. To the fullest extent technically possible in the circumstances, within forty (40) Business Days after the Cessation Date, Supplier shall either (at its option):
a) Delete; or
b) irreversibly render as Anonymized Data,
all Customer Personal Data then within Supplier’s possession.
9.4. Supplier and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Supplier and any such Subprocessor shall ensure:
a) the confidentiality of all such Customer Personal Data; and
b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
10.1. Supplier shall make available to Customer on request such information as Supplier (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.
10.2. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Supplier pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Supplier’s compliance with this Data Processing Addendum, Supplier shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Supplier.
10.3. Customer shall give Supplier reasonable notice of any audit or inspection to be conducted under Paragraph 10.2 (which shall in no event be less than 40 Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 10.4(f)(i)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Supplier in respect of, any damage, injury or disruption to Supplier’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Supplier’s other customers or the availability of Supplier’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on-premise inspection.
10.4. Supplier need not give access to its premises for the purposes of such an audit or inspection:
a) to any individual unless he or she produces reasonable evidence of their identity and authority;
b) to any auditor whom Supplier has not given its prior written approval (not to be unreasonably withheld);
c) unless the auditor enters into a non-disclosure agreement with Supplier on terms acceptable to Supplier;
d) where, and to the extent that, Supplier considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Supplier’s other customers or the availability of Supplier’s services to such other customers;
e) outside normal business hours at those premises; or
f) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which:
(i) Customer is required to carry out by applicable Data Protection Law and/or a Supervisory Authority, and
(ii) where Customer has identified the relevant requirement specified in 10.4(f)(i) in its notice to Supplier of the audit or inspection.
10.5. Customer shall bear any third party costs in connection with such inspection or audit and reimburse Supplier for all costs incurred by Supplier and time spent by Supplier (at Supplier’s then-current professional services rates) in connection with any such inspection or audit.
11.1. Subject to Paragraph 11.4, to the extent that any Processing by either Supplier or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
a) Customer – as “data exporter”; and
b) Supplier or Subprocessor (as applicable) – as “data importer”,
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.3.
11.2. In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1:
a) Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
b) Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
c) Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and
d) Appendix 2 to such Standard Contractual Clauses shall be populated as follows:
“The technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.”
11.3. The Standard Contractual Clauses shall be deemed to come into effect under Paragraph 11.1 automatically upon the commencement of the relevant Restricted Transfer.
11.4. Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.
Customer acknowledges and agrees that Supplier may create and derive, from Processing under the Agreement, Anonymized Data. Supplier shall be freely able to use and disclose Anonymized Data for Supplier’s own business purposes without restriction.
13.1. Supplier shall not retain, use, or disclose any Customer Personal Data that constitutes “personal information” under the CCPA (“CA Personal Information”) for any purpose other than for the specific purpose of providing the Services or as otherwise permitted by CCPA, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in CCPA) other than providing the Services.
13.2. Supplier shall not (a) sell any CA Personal Information; (b) retain, use or disclose any CA Personal Information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in CCPA) other than provision of the Services; or (c) retain, use, or disclose the CA Personal Information outside of the direct business relationship between Customer and Supplier. Supplier hereby certifies that it understands its obligations under this Paragraph 13.2 and will comply with them.
13.3. Provision of the Services encompasses the Processing authorized by Customer’s instructions described in Paragraph 2 of this Data Processing Addendum (Processing of Customer Personal Data).
13.4. Notwithstanding anything in the Agreement or any Order Form entered into in connection therewith, the Parties acknowledge and agree that Supplier’s access to CA Personal Information or any other Customer Personal Data does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.
Supplier’s total liability for any action, proceeding, liability, loss, damage, cost, claim, fine, expense and/or demand incurred by Customer arising from Supplier’s breach of its obligations under this Data Processing Addendum is limited to the total monthly recurring revenue that Supplier received from Customer under the Agreement during the twelve (12) months preceding the claim.
Supplier agrees and warrants that it will implement such policies and commitments as Customer may reasonably request in connection with compliance with applicable new or amended privacy laws, including without limitation undertaking reasonable commitments to otherwise address new or amended privacy laws, with regard to which Customer and Supplier agree and warrant that they will work together in good faith to agree upon and to amend this Data Processing Addendum accordingly before the applicable effective dates of such laws. If the Parties cannot reach agreement on how to address such laws, Customer may terminate the Agreement, subject to a transition period designated by Customer during which Supplier will continue to provide the Services and assist in transitioning the Services to a new provider, and Customer shall only be responsible for fees and costs on a pro rata basis through the post-transition termination date.
16.1. This Data Processing Addendum shall be incorporated into and form part of the Agreement.
16.2. In the event of any conflict or inconsistency between:
a) this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or
b) to the extent applicable, any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Data Processing Addendum, those Standard Contractual Clauses shall prevail.
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.
Overproof provides a software-as-a-service retail and hospitality execution platform for businesses.
Subject matter and duration of the Processing of Customer Personal Data
Duration and Object of Data Processing. The duration of data processing shall be for the term designated under the Agreement between the data exporter and Overproof. The objective of the data processing is Overproof’s performance of Services agreed to in the Agreement.
The nature and purpose of the Processing of Customer Personal Data
The personal data transferred will be subject to the following basic processing activities:
The personal data transferred concern the following categories of data: See Appendix 1.
The categories of Data Subject to whom the Customer Personal Data relates
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and the Data Processing Addendum.
Appendix 1 to the Standard Contractual Clauses (if applicable)
This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter is the legal entity that has executed the Standard Contractual Clauses as a data exporter established within the European Economic Area (EEA) and/or Switzerland and that has purchased Covered Services on the basis of one or more order document(s).
Data importer is Lymion Group, Inc., which processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Data subjects
Data exporter may submit Personal Data to the Covered Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
(i) Prospects, customers, business partners and vendors of data exporter (who are natural persons)
(ii) Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
(iii) Employees, agents, advisors, freelancers of data exporter (who are natural persons)
(iv) Data exporter’s Users authorized by data exporter to use the Covered Services
Categories of data
Data exporter may submit Personal Data to the Covered Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
(i) First and last name
(ii) Contact information (company, email, phone, physical business address)
(iii) ID data
(iv) Professional life data
(v) Personal life data
(vi) Connection data
(vii) Localization data
Special categories of personal data (if appropriate)
Data exporter may submit special categories of personal data to the Covered Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation:
The objective of Processing of Personal Data by data importer is the performance of the following Covered Service pursuant to the Agreement and any order document: Overproof services.
Appendix 2 to the Standard Contractual Clauses (if applicable)
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.