Simplio: Data Processing Addendum

PLEASE READ THIS DATA PROCESSING ADDENDUM CAREFULLY BEFORE ACCESSING OR USING ANY OF THE APPLICATIONS AND SERVICES OFFERED BY SIMPLIO

This Data Processing Addendum including all of its Annexes (“Addendum”) is entered into as of the installation date of the app (the “Effective Date”) between the Simplio entity (or if this Addendum is being incorporated by reference, the Simplio entity identified on the applicable Simplio quote) (“Simplio”) and the Merchant entity(ies) specified during the installation (or if this Addendum is being incorporated by reference, the Merchant entity identified on the applicable Simplio quote) (“Merchant”). This Addendum amends and forms part of the service agreement(s) between the parties that reference this Addendum (including, without limitation, the Simplio Privacy Policy and the Terms of Service (SAAS), if applicable) which respectively govern the software-as-a-service solutions provided by Simplio to Merchant (“Services”) (together, the “Agreement”). In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions, except as otherwise stated. "Controller", "processor", "data subject", "personal data", "processing" and "appropriate technical and organizational measures" shall be interpreted in accordance with the applicable Data Protection Legislation. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or in applicable Data Protection Legislation. In the course of providing the Services to the Merchant pursuant to the Agreement, Simplio may process personal data on behalf of the Merchant. This Addendum sets out the additional terms, requirements, and conditions on which Simplio will process personal data as far as such processing relates to the performance of the Services.

1. Introduction

“SIMPLIO”, LOCATED AT KEIZERSGRACHT 482, 1017EG AMSTERDAM, NETHERLANDS, IS WILLING TO GRANT ACCESS TO THE APPLICATION TO YOU AS THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE APPLICATION (REFERENCED BELOW AS “MERCHANT”) ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS AGREEMENT (AS DEFINED BELOW). BY ENTERING INTO THIS AGREEMENT AS A MERCHANT, YOU REPRESENT THAT YOU HAVE THE LEGAL AUTHORITY TO BIND YOU, THE MERCHANT, TO THIS AGREEMENT. MERCHANT AND SIMPLIO MAY EACH ALSO BE REFERRED TO AS A “PARTY” AND TOGETHER, THE “PARTIES”.

When this Data Processing Addendum mentions Simplio or Simple Invoice or Simple Promotions and Upsells or Simple Order Printer or https://www.simplio.app or https://www.simpleinvoice.info, it refers to “we”, “us”, or “our”, and we will be acting as a Data Processor.

2. Roles of the Parties

This Addendum shall apply where Merchant acts as a controller and Simplio as a processor, or where Merchant acts as a processor and Simplio as a sub-processor. All parties agree to keep all data and Confidential Information private and secure from any third party.

3. Compliance with Data Protection Legislation

Both parties will comply with all applicable requirements of the Data Protection Legislation. As used in this Addendum, “Data Protection Legislation” means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws, including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and (iv) the Swedish Data Act (Datalagen) 1973.

4. Processing of Personal Data

Details of Processing. Annex A sets out the scope, nature, and purpose of processing by Simplio, the duration of the processing, and the types of personal data and categories of data subjects.

5. Security

6. Assistance

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Simplio, then Simplio will promptly inform Merchant and will advise the Data Subject to submit their request to Merchant. Merchant will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

7. Audit

8. Sub-Processors

9. International Transfers of Personal Data

10. Miscellaneous

11. Liability

Notwithstanding anything to the contrary in the Agreement or this Addendum, the liability of each party and each party’s Affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement or, in the absence of such a provision in the Agreement, the following will apply: (a) in no event will either party’s maximum aggregate liability arising out of or related to the Agreement or this Addendum exceed the total amount paid or payable to Simplio under the Agreement during the twelve (12) month period preceding the date of the initial claim, and (b) neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the Agreement or this Addendum.

12. Governing Law and Jurisdiction

This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the terms of service unless required otherwise by applicable Data Protection Legislation.

13. Termination of Addendum

This Addendum will terminate simultaneously and automatically with the uninstallation of the app.

This Addendum is entered into and becomes a binding part of the Agreement with effect as of the Addendum Effective Date.

ANNEX A - PERSONAL DATA PROCESSING PURPOSES AND DETAILS

LIST OF PARTIES

Data exporter(s): Role (controller/processor): Controller

Contact person for data protection matters position and contact details of the data protection officer and/or representative in the European Union (if different): data exporter shall provide these details by email to [email protected] upon signature of the Agreement.

Activities relevant to the data transferred under these SCCs: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.

Data importer(s): Contact details for data protection matters: [email protected]

Activities relevant to the data transfer: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.

DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Merchant may submit personal data to Simplio to enable Simplio to perform the Services, the extent of which is determined and controlled by Merchant in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

Categories of personal data transferred

Merchant may submit personal data to Simplio to enable Simplio to perform the Services, the extent of which is determined and controlled by Merchant in its sole discretion, and which may include (depending on the nature of the Services):

The merchant may upload, submit, or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by the Merchant in its sole discretion, and may include the following types of personal data:

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive data may be transferred by the Merchant to Simplio solely where Merchant needs to transfer such data to Simplio for the provision of the Services as described pursuant to the Agreement.

The safeguards applying to the processing of such data are described under Annex B.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous.

Nature of the Processing

Simplio will process personal data as necessary to perform the Services pursuant to the Agreement, as further instructed by Merchant (as expressly set forth in this Addendum) in its use of the Services.

Purpose(s) of the data transfer and further processing

Simplio will process personal data for the purposes necessary to perform the Services pursuant to the Agreement, as further instructed by Merchant (as expressly set forth in this Addendum) in its use of the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be retained as long as needed for the provision of Services by Simplio under the Agreement.

For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing

Subject matter and nature of the processing as described above, for the duration required for the data importer to provide the Services to the data exporter.

ANNEX B - TECHNICAL AND ORGANISATIONAL MEASURES

This Annex II sets forth the security measures that Simplio shall maintain in connection with the personal data submitted by Merchant to Simplio to enable it to provide the services under the Agreement.

1. Measures of pseudonymization and encryption of personal data

Simplio encrypts Merchant personal data it processes while in transit over corporate networks and from and to Simplio’s Applications.

2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing system and services

Simplio maintains documented business continuity and disaster recovery plans that are designed to ensure that business functions can respond quickly and continue with minimum disruption in case of an unexpected interruption that may materially impact Merchant personal data or Simplio’s ability to provide products and services under the Agreement.

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Simplio performs ongoing data replication and backup as necessary, designed to prevent data loss and to facilitate service recovery for the Merchant.

4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Simplio utilizes various tools to continuously track and monitor security vulnerabilities to identify, report, and remediate network vulnerabilities. As part of the ongoing information security activities, the security vulnerabilities are prioritized and assigned an appropriate remediation process according to the type of vulnerability, its severity, and its potential impact.

Simplio also frequently performs penetration testing on its networks, infrastructure, and products, including identifying security vulnerabilities. Simplio further leverages automated penetration testing tools for a wide and comprehensive view of existing vulnerabilities and attack vectors in order to mitigate the risk of cyber attacks.

5. Measures for user identification and authorization

Simplio controls, monitors and protects the credentials and secrets related to users’ access by utilizing industry-standard tools, including its own security products. Simplio also secures physical access to its equipment used to store Merchant personal data by using industry-standard processes to limit access to authorized personnel.

Simplio’s policies governing internal access to Merchant personal data are designed on a least-privilege and need-to-know basis, based on individual roles and responsibilities. Simplio maintains methods and procedures designed to prevent unauthorized access to the Merchant's personal data and the systems that host it. Appropriate authentication methods are used to control access to the network, applications, and systems that contain Merchant personal data (which may include Virtual Private Network (VPN), Multi-Factor Authentication (MFA), and more).

6. Measures for the protection of data during transmission

Simplio encrypts all Merchant personal data it processes while in transit over corporate networks and from and to Simplio’s Applications.

7. Measures for the protection of data during storage

Where possible in light of the services being provided to Merchant, Simplio encrypts Merchant personal data it processes while at rest.

8. Measures for ensuring the physical security of locations at which personal data are processed

Simplio applies security measures to its offices and facilities that host servers containing sensitive or critical information, including Merchant personal data (“Facilities”), and limits access to these Facilities to authorized personnel only. These measures include

9. Measures for ensuring events logging

We have put in place processes and policies to ensure that incidents are dealt with and logged in accordance with the following process:

10. Measures for ensuring system configuration, including default configuration

Simplio develops, documents, and maintains under configuration control, a current baseline configuration for systems, and reviews these configurations at least annually. Default configurations of technical controls are removed prior to operational use.

11. Measures for internal IT and IT security governance and management

Simplio has implemented policies and processes to ensure that roles and responsibilities regarding the management and monitoring of Simplio’s security requirements and procedures are clearly determined. For example, Simplio’s organizational roles and responsibilities include the following roles:

12. Measures for certification/assurance of processes and products

Simplio currently adopts leading practices to develop its products and services.

13. Measures for ensuring data minimization

All of Simplio’s personnel are required to undergo onboarding and refresher training courses on information security and GDPR compliance. This includes specific modules about data minimization.

Simplio’s Internal Privacy Policy also contains practical guidance for employees designed to ensure that the data they process is limited in scope and time to the extent which is necessary for the purpose of that processing.

Simplio handles the data which Merchants provide to us. The extent of the processed data is determined and controlled by Merchant in its sole discretion.

14. Measures for ensuring data quality

Simplio handles the data which Merchants provide over the Shopify API. Simplio is not responsible for the accuracy of the provided data.

The quality of the data generated by Simplio’s products is ensured by the implementation of secure development practices. When introducing or modifying code, this includes:

15. Measures for ensuring limited data retention

Simplio retains Merchant Information only for as long as specified within the Agreement or Documentation, except to the extent that a longer retention period is required by applicable law or regulations.

Simplio securely disposes of Merchant personal data in accordance with applicable law and the Agreement, in a manner that Merchant personal data cannot be read or reconstructed.

16. Measures for ensuring accountability

Simplio’s information security framework includes practices and procedures such as asset management, access management, physical security, people security, network security, third-party security, product security, vulnerability management, security monitoring, and incident response. Information security policies and standards are approved by management and available to all Simplio employees.

17. Measures for allowing data portability and ensuring erasure

For certain of our apps, Merchants may also be able to view the Merchant data via the product interface.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Prior to engaging with a new third party that may have access to Merchant personal data, Simplio evaluates such third party’s data security standards using a qualification risk assessment and, if necessary at Simplio’s reasonable determination, maintains ongoing oversight of such third party in order to meet its information security standards. This includes measures replicating Simplio’s own assistance obligations towards Merchant as indicated under the Data Processing Addendum.

ANNEX C - STANDARD CONTRACTUAL CLAUSES - SUPPLEMENTARY TERMS TO PROVIDE ADDITIONAL SAFEGUARDS

This Annex is supplemental to and should be read in conjunction with, the Standard Contractual Clauses. Any references to the ‘Clauses’ in this Annex should be read as references to the Standard Contractual Clauses.

The data subject can enforce, as a third-party beneficiary, Paragraph 2 and Paragraph 4 of this Annex against the data importer in accordance with Clause 3 of the Clauses.

The data importer shall reasonably assist the data exporter with the data exporter’s continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law.

Upon receipt of any legally binding order or request for disclosure of the personal data by a law enforcement authority or other competent government authority, the data importer will, in accordance with and supplementing Clause 15 of the Clauses:

Support Services and Upgrades

To send us your questions, comments, or complaints, or to receive communications from us, kindly email us at [email protected].

Last update: January 2023