Kluvos

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service ("ToS") of Kluvos and is binding upon the parties when the Controller accepts the ToS by using Kluvos’s services. The parties to this DPA are:

1. Definitions

2. Subject Matter of the Agreement

2.1 Purpose: This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the services provided by the Processor as described in the Terms of Service between the parties.

2.2 Scope: The Processor agrees to process Personal Data on behalf of the Controller in accordance with the terms of this DPA and the Controller's instructions.

3. Obligations of the Processor

3.1 Compliance with Laws: The Processor shall comply with all applicable Data Protection Laws in the Processing of Personal Data according to the Controller's instructions. The Processor will honor the privacy settings configured by the merchant within their e-commerce platform, including Shopify and WooCommerce, by integrating with and adhering to the privacy settings provided by these platforms. The Controller is responsible for setting and maintaining these privacy settings in compliance with applicable laws, including GDPR.

3.2 Instructions from Controller: The Processor shall process Personal Data only in accordance with the documented instructions from the Controller unless required to do so by law. While the Processor will handle the collection and processing of Personal Data through automated scripts and APIs, the Controller is responsible for ensuring that the data provided is lawful. The Processor shall inform the Controller about the types of data collected and processed, but the Controller acknowledges that they may not have direct visibility into the specifics of data processing. The Processor shall not be liable for any breach of data protection laws resulting from the Controller's failure to configure the necessary settings within their e-commerce platform.

3.3 Security: The Processor shall implement industry-standard technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

3.4 Confidentiality: The Processor shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.5 Sub-processing: The Processor shall not engage any Sub-processor without prior specific or general written authorization of the Controller. Since the Processor does not currently engage Sub-processors, this clause will apply only if this changes in the future.

3.6 Data Subject Rights: The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights.

3.7 Data Breach Notification: The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include all information required under applicable Data Protection Laws. The Controller shall be responsible for notifying affected data subjects and relevant authorities, unless otherwise agreed.

4. Obligations of the Controller

4.1 Lawfulness of Processing: The Controller shall ensure that the Personal Data processed has been collected in accordance with applicable Data Protection Laws and that such processing, including the instructions given to the Processor, will not cause the Processor to be in breach of any applicable law. The Controller is also responsible for configuring and maintaining the necessary privacy settings on their e-commerce platform in compliance with these laws.

4.2 Instructions: The Controller shall provide documented instructions regarding the processing of Personal Data and ensure that the necessary data protection settings within their e-commerce platform, whether Shopify, WooCommerce, or another platform, are correctly configured. The Processor shall not be liable for any issues arising from incorrect or incomplete instructions or settings.

5. Data Retention and Deletion

5.1 Data Retention: The Processor will retain analytics data collected during the provision of services. Unnecessary Personally Identifiable Information (PII) will be minimized and retained only as long as required by applicable laws or as needed for the service.

5.2 Data Deletion: The Processor will delete Personal Data only if explicitly requested by the Controller or if required by applicable law. The Processor shall not be liable for any failure to delete data unless a deletion request is received from the Controller in compliance with GDPR, CCPA, and other applicable laws.

6. International Data Transfers

6.1 Transfer Mechanisms: The Processor may transfer Personal Data outside the European Economic Area (EEA) as part of providing services. By accepting these services, the Controller consents to such transfers. The Processor shall ensure that appropriate safeguards are in place in compliance with applicable Data Protection Laws, including the use of recognized transfer mechanisms, to protect the data wherever it is processed or stored.

7. Audit Rights

7.1 Limited Audit: The Processor shall make available to the Controller relevant documentation necessary to demonstrate compliance with the obligations laid down in this DPA. The Processor is not required to facilitate physical inspections or on-site audits. The Controller may request a review of the Processor's compliance documentation, which the Processor will provide within a reasonable timeframe. The Processor’s obligation to assist with audits is limited to the provision of documentation and does not include on-site inspections or detailed technical audits.

8. Term and Termination

8.1 Term: This DPA shall remain in effect as long as the Processor processes Personal Data on behalf of the Controller.

8.2 Termination: Upon termination of the Terms of Service, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.

9. Liability

9.1 Exclusion of Indirect Damages: To the fullest extent permitted by law, the Processor shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from or in connection with the Processing of Personal Data under this DPA.

9.2 Processor's Limited Liability: The Processor shall be liable only for its own breaches of this DPA and applicable Data Protection Laws, and not for any non-compliance resulting from the Controller's failure to provide accurate instructions or to configure appropriate settings within Shopify. The Processor shall indemnify the Controller against any third-party claims arising from such breaches directly caused by the Processor.

9.3 Controller's Liability: The Controller shall be solely responsible for ensuring that the Personal Data provided to the Processor is lawfully collected and processed and that the necessary settings within Shopify are correctly configured to comply with Data Protection Laws.

10. Force Majeure

10.1 Force Majeure: The Processor shall not be liable for any delay or failure to perform any obligation under this DPA if the delay or failure is due to unforeseen events that are beyond the Processor's reasonable control, such as natural disasters, war, acts of terrorism, cyberattacks, or other events that would render performance commercially impracticable.

11. Governing Law

11.1 Jurisdiction: This DPA shall be governed by and construed in accordance with the laws of the State of Oregon.

12. Dispute Resolution

12.1 Arbitration Clause: Any dispute arising out of or in connection with this DPA shall be resolved through binding arbitration in Albany, Oregon, in accordance with the rules of the American Arbitration Association (AAA). The decision of the arbitrator shall be final and binding on the parties.

13. Ongoing Security Assessments

13.1 Security Review Clause: The Processor reserves the right to periodically review and update its security measures based on emerging risks and industry best practices. These updates shall be consistent with maintaining a high level of security but shall not be considered an enhancement or guarantee of absolute security.