Want a tour of Rebuy? Schedule a call with an ecommerce expert for a personalized demo!
✨ Get a Demo ✨

Data Processing Addendum

Last Updated: November 22, 2023

This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the terms and conditions of the Rebuy Terms of Service or other commercial agreement for Rebuy’s Services that incorporates this Addendum by reference (the “Agreement”) by and between the Rebuy customer that has executed the Agreement (“Customer”) and Rebuy, Inc. (“Rebuy”). 

 

 

EXHIBIT A TO THE DATA PROCESSING ADDENDUM

This Exhibit A forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

  1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

  2. Annex I. Annex I to the Standard Contractual Clauses shall read as follows:

    A. List of Parties


    Data Exporter: Customer.
    Address: As set forth in the Notices section of the Agreement.
    Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
    Activities relevant to the data transferred under these Clauses: The Services.
    Role: Controller.

    Data Importer:
    Rebuy.
    Address: As set forth in the Notices section of the Agreement.
    Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
    Activities relevant to the data transferred under these Clauses: The Services.
    Role: Processor.


    B. Description of the Transfer:

    Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses.

    Categories of personal data transferred: The categories of personal data transferred under the Clauses.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties knowledge, no sensitive data is transferred.

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

    Nature of the processing: The Services.

    Purpose(s) of the data transfer and further processing: The Services.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum. 

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.



    C. Competent Supervisory Authority:

    The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.


    D. Additional Data Transfer Impact Assessment Questions:

    Will data importer process any personal data under the Clauses about a non-United States person that is “foreign intelligence information” as defined by 50 U.S.C. § 1801(e)?

    Not to data importer’s knowledge.

    Is data importer subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where personal data is stored or accessed from that would interfere with data importer fulfilling its obligations under the Clauses? For example, FISA Section 702. If yes, please list these laws:

    As of the effective date of the Addendum, no court has found data importer to be eligible to receive process issued under the laws contemplated by this question, including FISA Section 702, and no such court action is pending. 

    Has data importer ever received a request from public authorities for information pursuant to the laws contemplated by the question above? If yes, please explain:

    No.

    Has data importer ever received a request from public authorities for personal data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain:

    No.


    E. Data Transfer Impact Assessment Outcome:

    Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.


    F. Clarifying Terms:

    The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.

  3. Annex II. Annex II of the Standard Contractual Clauses shall read as follows:

    Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the Addendum.

    Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum. 

  4. Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:

    The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

    Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

    Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.

    Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

    Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.