Data Processing Addendum


This Data Processing Addendum including all of its Annexes (“Addendum”) is entered into as of the installation date of the app (the “Effective Date”) between the Simplio entity (or if this Addendum is being incorporated by reference, the Simplio entity identified on the applicable Simplio quote) (“Simplio”) and the Merchant entity(ies) specified during the installation (or if this Addendum is being incorporated by reference, the Merchant entity identified on the applicable Simplio quote) (“Merchant”). This Addendum amends and forms part of the service agreement(s) between the parties that reference this Addendum (including, without limitation, the Simplio Privacy Policy and the Terms of Service (SAAS), if applicable) which respectively govern the software-as-a-service solutions provided by Simplio to Merchant (“Services”) (together, the “Agreement”). In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions, except as otherwise stated. "Controller", "processor", "data subject", "personal data", "processing" and "appropriate technical and organizational measures" shall be interpreted in accordance with the applicable Data Protection Legislation. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or in applicable Data Protection Legislation. In the course of providing the Services to the Merchant pursuant to the Agreement, Simplio may process personal data on behalf of the Merchant. This Addendum sets out the additional terms, requirements, and conditions on which Simplio will process personal data as far as such processing relates to the performance of the Services.

1. Introduction


When this Data Processing Addendum mentions Simplio or Simple Invoice or Simple Promotions and Upsells or Simple Order Printer or or, it refers to “we”, “us”, or “our”, and we will be acting as a Data Processor.

2. Roles of the Parties

This Addendum shall apply where Merchant acts as a controller and Simplio as a processor, or where Merchant acts as a processor and Simplio as a sub-processor. All parties agree to keep every data and Confidential information private and secure from any third party.

3. Compliance with Data Protection Legislation

Both parties will comply with all applicable requirements of the Data Protection Legislation. As used in this Addendum, “Data Protection Legislation” means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including (I) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); (iv) and the Swedish Data Act (Datalagen) 1973.

4. Processing of Personal Data

Details of Processing. Annex a sets out the scope, nature, and purpose of processing by Simplio, the duration of the processing, and the types of personal data and categories of the data subject.

  • Instructions. Merchant appoints Simplio to process such personal data on behalf of Merchant, and in accordance with Merchant’s documented instructions, as otherwise necessary to provide the Services, or as otherwise agreed in writing by the parties. The scope of such instructions is initially defined by the Agreement. Simplio shall inform Merchant if, in its opinion, an instruction infringes the Data Protection Legislation, or if Simplio becomes aware it cannot process Personal Data in accordance with Merchant instructions due to a legal requirement under any applicable law, Simplio will (i) promptly notify you; and (ii) where necessary, cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Service until such time as you issue new lawful instructions with regard to the processing.
  • Merchant Responsibilities. Merchant will ensure that he is responsible for complying with all requirements that apply, under applicable Data Protection Laws with respect to the Processing of Personal Data and the Instructions it issues to Simplio. In particular but without prejudice to the foregoing, the Merchant warrant that he/she will be solely responsible for; (i) the quality, accuracy, and legality of Merchant Data and the means by which it was acquired by the Merchant; (ii) complying with all necessary lawfulness and transparency requirements under applicable Data Protection Laws for each collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring you as the Merchant have the necessary right to transfer, or provide access to, Simplio for accessing and Processing of such data; (iv) ensuring that all Instructions regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Merchant will inform Simplio without undue delay if Merchant is not able to comply with Merchant’s responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
  • Processor Requirements. Simplio acknowledges and agrees that it shall act in the role of a “Service Provider” as defined under the GDPR. Merchant discloses personal data to Simplio solely for (I) a valid business purpose; and (ii) Simplio to perform the Services. Simplio is prohibited from (I) selling Merchant’s personal data; (ii) collecting, retaining, using, or disclosing Merchant’s personal data for any purpose other than providing the Services to Merchant; and (iii) collecting, retaining, using, or disclosing Merchant’s personal data outside of the direct business relationship between Simplio and Merchant; and (iv) combining Merchant’s personal data with personal data that Simplio obtains from other sources. Simplio certifies that it understands the prohibitions outlined in this Section and will comply with them. Merchant understands and agrees that Simplio may use sub-processors to provide the Services and process personal data on Merchant’s behalf in accordance with this addendum. The parties agree that any monetary consideration provided by Merchant to Simplio is provided for the provision of the Services and not for the provision of personal data.

5. Security

  • Security Measures. Simplio shall implement appropriate technical and organizational measures for processing the Merchant’s personal data which shall, at minimum, meet the requirements in Annex B
  • Breach Notification. Simplio shall, to the extent permitted by law, notify Merchant without undue delay upon discovery of the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data processed by Simple on behalf of Merchant.
  • Personnel. Simplio shall ensure that all personnel who process (including having access to) personal data have committed themselves to keep the personal data confidential in accordance with Simplio’s confidentiality obligations under the Agreement.

6. Assistance

  • Cooperation with Merchant. Taking into account the nature of the processing and the information available to us, Simplio shall reasonably provide the Merchant, at Merchant’s expense;
  • Self-service features. The Simplio Application offers a number of features the Merchant can use to correct, retrieve, delete or restrict his/her Personal Data, This feature was provided to assist Merchant in its obligations under Data Protection Laws, including responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws.
  • Additional assistance. Should the Merchant be unable to address a Data Subject Request through the Self Service Feature provided by Simplio, the Merchant reserve the right to send a written request to Simplio for additional assistance to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under this Agreement.
  • Return and Deletion of Personal Data. At the written direction of Merchant, Simplio shall delete or return personal data and copies thereof to Merchant following termination of the Agreement unless required by applicable law or where Simplio has archived Merchant Data on back-up systems (including any Data Protection Legislation) to store the personal data. In the event that Merchant has not provided such written direction, the personal data will be deleted as set out in the Agreement.

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Simplio, then Simplio will promptly inform Merchant and will advise the Data Subject to submit their request to Merchant. Merchant will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

7. Audit

  • Audit Requirements. The parties acknowledge that Merchant must be able to assess Simplio’s compliance with its obligations under Data Protection Legislation, to the extent that Simplio is acting as a processor on behalf of the Merchant. Merchant further agrees that the audits described in Section below meet Merchant’s audit requirements, and Merchant agrees to exercise any right it may have to conduct an inspection or audit (including under the Standard Contractual Clauses, as applicable) by written notice to Simplio to carry out the audits described below.
  • Audit Procedures. Upon not less than thirty (30) days advance written notice to Simplio and no more frequently than once annually, with Simplio’s reasonable costs of complying with any such request to be met by Merchant, Simplio shall (I) make available all information necessary to demonstrate to Merchant its compliance with Article 28 of the GDPR, including without limitation, executive summaries of its information security and privacy policies, and (ii) cooperate with and respond promptly to Merchant’s reasonable privacy and/or security questionnaire(s). Notwithstanding the above, if Merchant’s request for audit occurs during Simplio’s quarter or year-end, or such other time during which Simplio cannot reasonably accommodate such request, the parties shall mutually agree on an extension to the thirty (30) days advance written notification. Merchant shall execute a confidentiality agreement in form and substance reasonably satisfactory to Simplio prior to such audit. For the avoidance of doubt, nothing contained herein will allow Merchant to review data pertaining to Simplio’s other Merchants or partners. Merchant shall bare its own costs and expenses with respect to the audits described in this addendum. The parties shall use all reasonable endeavors when exercising rights under this addendum to minimize disruption to Simplio’s business activities.

8. Sub-Processors

  • Use of Sub-Processors. The merchant provides general written authorization for (a) Simplio to engage the sub-processors, (b) Simplio to engage Simplio’s Affiliates as sub-processors and (c) Simplio’s Affiliates to engage third-party sub-processors (including other Affiliates as sub-processors) set out at the Privacy policy. For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). Simplio and its Affiliates may engage such sub-processors to process personal data, provided that Simplio and its Affiliates have entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum.
  • Changes to Sub-Processors. If Simplio or its Affiliates appoint a new (or remove an existing) sub-processor, it shall update the list at the Privacy Center. The merchant may opt-in to receive alerts regarding such list updates via the mechanism set out at the Privacy Center, and, provided Merchant has done so, Simplio will send an email publicizing the change, to the email address the Merchant has provided at the Privacy Center. The merchant may object to Simplio’s appointment or replacement of a sub-processor, provided Merchant notifies Simplio in writing of its specific objection within thirty (30) days of receiving such notification from Simplio. If Merchant does not object within such period, the addition of the new sub-processor shall be deemed accepted. If Merchant does object to the addition of a new sub-processor and Simplio, in its reasonable opinion, cannot reasonably accommodate Merchant’s objection, the Merchant may terminate the affected Service(s) upon written notice to Simplio. Any previously accrued rights and obligations will survive such termination..
  • General authorization under the Standard Contractual Clauses. If the Standard Contractual Clauses apply, then the Parties agree to (general written authorization) (a) of the Standard Contractual Clauses (Module Two). Merchant acknowledges and agrees that it will be informed of any intended changes to the list of Sub-Processors and have the ability to exercise the corresponding right to object under this agreement(a) of the Standard Contractual Clauses (Module Two) in the manner described under this Addendum.
  • Liability. Simplio remains liable for the acts and omissions of its sub-processors to the same extent Simplio would be liable if performing the Services of each sub-processor directly under the terms of this Addendum.
  • Copies of Sub-processor Agreements. The parties agree that the copies of the sub-processor agreements that must be provided by Simplio to the Merchant of the Standard Contractual Clauses (Module Two) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Simplio beforehand. Simplio will provide such copies in a manner to be determined in its sole discretion, upon request by Merchant.
  • Communications are sent through the Service and payment gateways. Merchant acknowledges and agrees that Simplio may use telecommunication providers in the provision of the Service. Merchant further acknowledges that in order to send communications for the provision of the Service, Simplio may need to transmit Merchant’s communications through existing telecommunications networks and suppliers, via companies bound to comply with applicable telecommunications and privacy laws but who may not all have direct contracts with Simplio and/or Merchant. Merchant further acknowledges that Simplio may use payment gateways in the provision of Service via companies bound to comply with data protection laws but who may not have direct contracts with Simplio. Merchant hereby instructs Simplio to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Service and acknowledges and agrees that telecommunications networks and payment gateways suppliers are not considered Sub-processors under either the Agreement.
  • Service quality. When Merchant reports potential issues with the quality of the Service, the Merchant instructs Simplio to engage its relevant suppliers for assistance including by providing them with access to necessary data (for example, recordings, logs) which may contain personal data for the purpose of diagnosing and resolving the reported issues.

9. International Transfers of Personal Data

  • General Obligation. Simplio shall comply with all applicable requirements for cross-border transfers of personal data under Data Protection Legislation.
  • To the extent that Simplio processes any personal data under this Addendum that originates from the European Economic Area (“EEA”) or in a country that has not been designated by the European Commission (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses for the transfer of personal data to third countries as set out in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021 (“Standard Contractual Clauses”) which are hereby incorporated into and form part of this Addendum.
  • Annexes. The parties hereby agree that data processing details set out in Annex A of this Addendum shall apply for the purposes of Annex 1 of the Standard Contractual Clauses and the technical and organizational security measures set out in Annex B of this Addendum shall apply for the purpose of Annex 2 to the Standard Contractual Clauses. Simplio shall be deemed the “data importer” and Merchant the “data exporter” under the Standard Contractual Clauses, and the parties will comply with their respective obligations under the Standard Contractual Clauses. Merchant grants Simplio a mandate to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processor (including Simplio Affiliates). Unless Simplio notifies Merchant to the contrary, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C shall apply to the use of the Standard Contractual Clauses.
  • To the extent that Simplio processes under this Addendum any personal data that originates from a country that has not been designated by the Government as providing an adequate level of protection for personal data, and where the parties have implemented a validation mechanism for such transfers, the parties agree that such mechanism shall continue to apply to such transfers. Unless Merchant notifies Simplio to the contrary if the government recognizes the new Standard Contractual Clauses as a valid data transfer mechanism at a date later than the Effective Date of this Addendum, such as the new version of the Standard Contractual Clauses will supersede and replace the existing mechanism. The Annexes to this Addendum supersede the Annexes of any previous data processing agreements signed between Merchant and Simplio, except where such would represent a conflict with this section.
  • Alternative Data Export Solution. The parties agree that the data export solution identified here will not apply if and to the extent that the Merchant adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation), in which event, Merchant shall reasonably cooperate with Simplio for a solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which personal data is transferred under this Addendum).

10. Miscellaneous

  • Interpretation. Any words following the terms “including” and similar expressions shall not limit the sense of the words preceding those terms.
  • Entire Agreement. This Addendum shall replace and supersede any existing data processing addendum (including any privacy addendums), attachment, or exhibit (including any standard contractual clauses) between the parties, except as provided for in this DPA, if applicable. Any addenda, attachments, or exhibits related to security shall remain in place and supplement any security measures set out in Annex B. In the event of a conflict between Annex B and any other agreement that the Merchant has entered into with Simplio governing information security, including administrative, physical, or technical safeguards regarding the protection of data, the provisions more protective of the data shall prevail.

11. Liability

Notwithstanding anything to the contrary in the Agreement or this Addendum, the liability of each party and each party’s Affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement or, in the absence of such a provision in the Agreement, the following will apply: (a) in no event will either party’s maximum aggregate liability arising out of or related to the Agreement or this Addendum exceed the total amount paid or payable to Simplio under the Agreement during the twelve (12) month period preceding the date of the initial claim, and (b) neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the Agreement or this Addendum.

12. Governing Law and Jurisdiction

This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the terms of service unless required otherwise by applicable Data Protection Legislation.

13. Termination of Addendum

This Addendum will terminate simultaneously and automatically with the uninstallation of the app.

This Addendum is entered into and becomes a binding part of the Agreement with effect as of the Addendum Effective Date.



Data exporter(s): Role (controller/processor): Controller

Contact person for data protection matters position and contact details of the data protection officer and/or representative in the European Union (if different): data exporter shall provide these details by email to [email protected] upon signature of the Agreement.

Activities relevant to the data transferred under these SCCs: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.

Data importer(s): Contact details for data protection matters: [email protected]

Activities relevant to the data transfer: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.


Categories of data subjects whose personal data is transferred

Merchant may submit personal data to Simplio to enable Simplio to perform the Services, the extent of which is determined and controlled by Merchant in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Merchants, business partners, and (who are natural persons)
  • Employees or contact persons (both of whom are natural persons) of Merchant, business partners, and vendors
  • Merchant’s end users (i.e., customers, respondents, visitors).
  • Employees, agents, advisors, contractors, or any user authorized by Merchant to use the Services (who are natural persons)

Categories of personal data transferred

Merchant may submit personal data to Simplio to enable Simplio to perform the Services, the extent of which is determined and controlled by Merchant in its sole discretion, and which may include (depending on the nature of the Services):

  • First and last name and title;
  • Employer and position;
  • Contact information (email, username, phone number, physical business address);
  • Order information
  • Device identification data (Device ID);
  • Electronic identification data (IP address);
  • Technical data (operating system information; software logs; crash reports);
  • Username and password to Simplio Services; and
  • In relation to certain Simplio Services, including the Simplio Identity services, the geo-location of the device using such Services.

The merchant may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by the Merchant in its sole discretion, and may include the following types of personal data:

  • Merchants: Identification and contact data (name, address, title, contact details, username); financial information (account details, payment information); employment details (employer, job title, geographic location, area of responsibility).
  • Contacts: Identification and contact data (name, gender, general, occupation or other demographic information, address, title, contact details, including email address, phone, and profile photo); personal interests or preferences; IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).
  • Project content: Content submitted by all customers via the Service in form of texts, images, video and audio files, or other data files. The extent is typically determined by the project type (segmentation, consumer habits and opinions, user preferences, market segmentation, and other data).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive data may be transferred by the Merchant to Simplio solely where Merchant needs to transfer such data to Simplio for the provision of the Services as described pursuant to the Agreement.

The safeguards applying to the processing of such data are described under Annex B. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous.

Nature of the Processing

Simplio will process personal data as necessary to perform the Services pursuant to the Agreement, as further instructed by Merchant (as expressly set forth in this Addendum) in its use of the Services.

Purpose(s) of the data transfer and further processing

Simplio will process personal data for the purposes necessary to perform the Services pursuant to the Agreement, as further instructed by Merchant (as expressly set forth in this Addendum) in its use of the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be retained as long as needed for the provision of Services by Simplio under the Agreement.

For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing

Matter, and nature of the processing, for the duration required for the data importer to provide the Services to the data exporter.


This Annex II sets forth the security measures that Simplio shall maintain in connection with the personal data submitted by Merchant to Simplio to enable it to provide the services under the Agreement.

1. Measures of pseudonymization and encryption of personal data

Simplio encrypts Merchant personal data it processes while in transit over corporate networks and from and to Simplio’s Applications.

2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing system and services

Simplio maintains documented business continuity and disaster recovery plans that are designed to ensure that business functions can respond quickly and continue with minimum disruption in case of an unexpected interruption that may materially impact Merchant personal data or Simplio’s ability to provide products and services under the Agreement.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Simplio performs ongoing data replication and backup as necessary, designed to prevent data loss and to facilitate service recovery for the Merchant.

4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Simplio utilizes various tools to continuously track and monitor security vulnerabilities to identify, report, and remediate network vulnerabilities. As part of the ongoing information security activities, the security vulnerabilities are prioritized and assigned an appropriate remediation process according to the type of vulnerability, its severity, and its potential impact.

Simplio also frequently performs penetration testing on its networks, infrastructure, and products, including identifying security vulnerabilities. Simplio further leverages automated penetration testing tools for a wide and comprehensive view of existing vulnerabilities and attack vectors to mitigate the risk of cyber attacks

5. Measures for user identification and authorization

Simplio controls, monitors and protects the credentials and secrets related to users’ access by utilizing industry-standard tools, including its own security products. Simplio also secures physical access to its equipment used to store Merchant personal data by using industry-standard processes to limit access to authorized personnel.

Simplio’s policies governing internal access to Merchant personal data are designed on the least privileged and need-to-know basis, based on individual roles and responsibilities. Simplio maintains methods and procedures designed to prevent unauthorized access to the Merchant's personal data and the systems that host it. Appropriate authentication methods are used to control access to the network applications and systems that Contain Merchant personal data (which may include Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) and more).

6. Measures for the protection of data during transmission

Simplio encrypts all Merchant personal data it processes while in transit over corporate networks and from and to Simplio’s Applications.

7. Measures for the protection of data during storage

Where possible in light of the services being provided to Merchant, Simplio encrypts Merchant personal data it processes while at rest.

8. Measures for ensuring the physical security of locations at which personal data are processed

Simplio applies security measures to its offices and facilities that host servers that contain sensitive or critical information, including Merchant personal data, (“Facilities”), and limits access to these facilities only to authorized personnel. These measures include

  • 24/7 monitoring and access control of these Facilities;
  • Procedure to promptly disable data access in case of employee termination.
  • Policies and training of employees to secure and prevent unauthorized disclosure of Merchant personal data (e.g. screen locks and least privilege access).

9. Measures for ensuring events logging

We have put in place processes and policies to ensure that incidents are dealt with and logged in accordance with the following process:

  • Identification,
  • Classification,
  • Reported to appropriate internal stakeholders,
  • Mitigated and remediated throughout incident response stages including post-incident assessments.

10. Measures for ensuring system configuration, including default configuration

Simplio develops, documents, and maintains under configuration control, a current baseline configuration for systems, and reviews these configurations at least annually. Default configurations of technical controls are removed prior to operational use.

11. Measures for internal IT and IT security governance and management

Simplio has implemented policies and processes to ensure that roles and responsibilities regarding the management and monitoring of Simplio’s security requirements and procedures are clearly determined. For example, Simplio’s organizational roles and responsibilities include the following roles:

  • Product security manager, and production services security manager.

12. Measures for certification/assurance of processes and products

Simplio currently adopts leading practices to develop its products and services.

13. Measures for ensuring data minimization

All of Simplio’s personnel are required to undergo onboarding and refresher training courses on information security and GDPR compliance. This includes specific modules about data minimization.

Simplio’s Internal Privacy Policy also contains practical guidance for employees designed to ensure that the data they process is limited in scope and time to the extent which is necessary for the purpose of that processing.

Simplio handles the data which Merchants provide to us. The extent of the processed data is determined and controlled by Merchant in its sole discretion.

14. Measures for ensuring data quality

Simplio handles the data which Merchants provide over Shopify API. Simplio isn’t responsible for the accuracy of the provided data.

The quality of the data generated by Simplio’s products is ensured by the implementation of secure development practices. When introducing or modifying code, this includes:

  • Peer-reviews of changes/new code;
  • Examination by static code analysis;
  • Regression testing, prior to code being introduced into production, designed to identify any potential security vulnerabilities.
  • Tracking in a source control system;
  • Deployment into production environments by different personnel than the ones who developed such code;
  • Logical or physical separation of environments for development, testing, and production.

15. Measures for ensuring limited data retention

Simplio retains Merchant Information only for as long as specified within the Agreement or Documentation, except to the extent that a longer retention period is required by applicable law or regulations.

Simplio securely disposes of Merchant personal data in accordance with applicable law and the Agreement, in a manner that Merchant personal data cannot be read or reconstructed.

16. Measures for ensuring accountability

Simplio’s information security framework includes practices and procedures such as asset management, access management, physical security, people security, network security, third-party security, product security, vulnerability management, security monitoring, and incident response. Information security policies and standards are approved by management and available to all Simplio employees.

17. Measures for allowing data portability and ensuring erasure

For certain of our app(s), Merchants may also be able to see the Merchant data via the product interface.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Prior to engaging with a new third party that may have access to Merchant personal data, Simplio evaluates such third party’s data security standards using a qualification risk assessment and, if necessary at Simplio’s reasonable determination, maintains ongoing oversight of such third party in order to meet its information security standards. This includes measures replicating Simplio’s own assistance obligations towards Merchant as indicated under the Data Processing Addendum.


This Annex is supplemental to and should be read in conjunction with, the Standard Contractual Clauses. Any references to the ‘Clauses’ in this Annex should be read as references to the Standard Contractual Clauses.

The data subject can enforce, as a third party beneficiary, this Paragraph 2 and Paragraph 4 of this Annex against the data importer in accordance with Clause 3 of the Clauses.

The data importer shall reasonably assist the data exporter with the data exporter’s continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law.

Upon receipt of any legally binding order or request for disclosure of the personal data by a law enforcement authority or other competent government authority, the data importer will, in accordance with and supplementing Clause 15 of the Clauses:

  • use reasonable efforts to re-direct the relevant authority to request or obtain the personal data directly from the data exporter;
  • in addition to promptly notifying the data exporter of the request or order pursuant to Clause 15.1(a) of the Clauses, use reasonable efforts to assist the data exporter in its efforts to oppose the request or order, if applicable; and
  • In the event it is prohibited by applicable laws from notifying the data exporter of the request or order, use reasonable efforts to challenge such request or order

Support Services and Upgrades

To send us your questions, comments, or complaints or receive communications from us kindly email us; [email protected]

Last update: July, 2024