Data Processing Addendum (DPA)

DATA PROCESSING ADDENDUM

‍

Last updated: 11/18/2024

‍

This Data Processing Addendum (“DPA”) is entered into between each of our customers (each, a “Controller”) and Rivo Commerce, Inc., DBA Rivo (“Processor”).

‍

This DPA forms a part of and is incorporated into Controller’s Terms of Use entered into between the parties and found at www.rivo.io/legal/terms (“Agreement”). In the event of a conflict between this DPA and the Agreement, the DPA controls.

‍

1. Scope of Data Processing

‍

In the course of Processor providing services to Controller, it is necessary for Processor to access personal data (personal information), with respect to which Controller is the data controller for the purposes of applicable Data Protection Laws (“Controller Data”). To the extent the CCPA applies, references in this DPA to Controller and Processor shall be deemed to refer to, respectively, Business and Service Provider.

‍

This DPA substantiates the rights and obligations of the parties in accordance with Data Protection Laws for the processing of Controller Data by the Processor. For purposes of this DPA, “Data Protection Laws” means: (a) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (b) member state laws implementing the GDPR; (c) the Data Protection Act 2018 (UK); and (d) the California Consumer Privacy Act and California Privacy Rights Act (together, “CCPA”).

‍

2. Subject Matter and Scope of the Commissioned Data Processing, Instruction Rights

‍

Processor collects, processes and uses Controller Data only in accordance with Controller’s written instructions from time to time and within the type, scope and purpose described in Schedule-A, in each case in compliance with Data Protection Laws. Instructions deviating from Controller’s written instructions and outside the scope of Schedule-A require Processor’s consent and Controller shall pay any additional costs incurred by Processor. Processor shall inform Controller if it believes Controller’s instructions breach applicable Data Protection Laws and may suspend execution of Controller instructions until having received confirmation thereof.

‍

Processor shall not combine Controller Data with data collected and used for other purposes under the Agreement. Controller owns and/or holds all relevant rights to Controller Data. 

‍

Processor may process Controller Data outside the European Union or the European Economic Area (EEA) or have it processed by third parties in accordance with Section 8 (if the requirements of Art. 44 to 48 GDPR are fulfilled) or if an exception in accordance with Art 49 GDPR exists. 

‍

3. Obligations of Controller

‍

Controller shall:

• ensure that the collection, processing and use of Controller Data is admissible under Data Protection Laws;
• safeguard data subject rights;
• indemnify Processor from third party claims based on the collection, processing or use of Controller Data by Controller;
• timely provide Processor with Controller Data and ensure Controller Data quality;
• inform Processor upon encountering any errors or irregularities concerning statutory provisions on the Processing of Personal Data or detected during an evaluation of processing results;
• provide Processor with information as per Art 30 Para 2 GDPR and other applicable Data Protection Laws; and
• if Processor is obligated to provide processing information to authorities or a person or to otherwise cooperate with them, support Processor in providing such information and cooperate as necessary. In particular, such support shall be rendered by immediately providing all information and documents regarding the organisational and technical measures taken as per Art 32 GDPR and as required by other applicable Data Protection Laws.

‍

4. Obligations of Processor

‍

Processor shall:

• ensure and check that processing and usage of data conforms with the scope of services rendered under the Agreement and provisions of this DPA;
• not copy or duplicate Controller Data without Controller’s permission, except as set forth in the Agreement, this DPA and/or the Processor’s Privacy Policy (including data backups) and as necessary to fulfil statutory retention obligations;
• reasonably support Controller if Controller is audited by a supervising authority concerning Processor’s data processing;
• upon request, provide Controller with records of processing activities and on the persons with access rights pursuant to Art 30 Para 1 GDPR and other applicable Data Protection Laws;
• ensure that every person employed and/or controlled by Processer processes Controller Data according to this DPA and Controller instructions, according to Art 29 GDPR and other applicable Data Protection Laws; and
• support Controller, within the bounds of what is reasonable and necessary, in return for reimbursement of expenses and costs incurred in a possible data protection impact assessment and subsequent consultation by the supervisory authority according to Art 35, 36 GDPR and other applicable Data Protection Laws.

5. Technical and Organizational Measures

‍

Processor has put in place and maintains appropriate technical and organisational measures to protect Controller Data from the risks posed by the data processing, as described on Schedule-B. 

‍

If the technical and organisational measures adopted by Processor prove to be insufficient or if technological advances or legislative changes require the same, per Art 32 GDPR and other applicable Data Protection Laws, Processor shall introduce additional effective technical and organisational measures as appropriate. Each party shall notify the other if these measures are insufficient or if technological or legislative changes require changes. Processor shall document all substantial changes to technical and organisational measures.

‍

6. Reporting of Breaches; Reimbursement 

‍

Processor shall notify Controller upon its breach of Data Protection Laws or this DPA and shall support Controller, upon request, if Controller is subject to statutory information or reporting and notification obligations arising from such breach (in particular pursuant to Art 33, 34 GDPR), within reasonable and necessary bounds. Processor shall reimburse Controller’s expenses and costs (including legal fees) associated with any data breach arising from or relating to a breach of Processor, related to Controller Data. Controller shall reimburse Processor’s expenses and costs associated with any data breach arising from or related to a breach of Controller, relating to Controller Data, including legal fees.

‍

7. Controller’s Supervision Rights

‍

Controller may supervise Processor’s compliance with this DPA and relevant Data Protection Laws by, at processor’s discretion, being provided suitable current certificates, reports or statements of evidence from independent bodies of compliance with the technical and organisational measures described on Schedule-B.

‍

Processor may withhold confidential or trade secret information or if granting access would breach Processor’s statutory or contractual obligations, as determined solely by Processor. Controller shall not access data or information not directly relevant to any inspection described above. Controller may engage a subcontractor to perform the inspection, who shall not be a competitor of Processor and shall be bound by a confidentiality agreement acceptable to Processor.

‍

8. Processor’s Subcontractors

‍

Processor may engage third parties in connection with processing or usage of Controller Data and are listed on Schedule-C. Processor’s agreements with these third parties provide a level of security corresponding with this agreement, bind these third parties to the obligations defined in Art 28 Para 3 GDPR and other applicable Data Protection Laws and, if possible, afford Controller with similar supervision rights to Section 7. Processor may engage or change subcontractors in its sole discretion but shall notify Controller of intended changes to these third parties. In individual cases, Controller may object to the commissioning of a potential sub-processor. Controller waives any objection if it does not provide a response within 7 days after receipt of the notification.

‍

This Section 8 also applies if a subcontractor is engaged in a third party country. Controller hereby authorizes Processor to conclude a contract including the EU standard contractual clauses for the transfer of Personal Data to processors in third party countries who process or uses Controller Data outside the EEA, on behalf Controller. Controller agrees to assist in fulfilling the requirements of Art 49 GDPR.

‍

9. Data Subject Rights

‍

The rights of data subjects shall be asserted against Controller. Processor shall timely forward any requests to exercise a data subject’s data right in accordance with Art 12 et seq. GDPR and other applicable Data Protection Laws (“Data Subject Rights”). If a data subject exercises Data Subject Rights and information rights on stored Controller Data, the storage’s purpose and the persons and locations Controller Data is regularly transferred to vis-à-vis Controller, Processor shall support Controller in fulfilling such requirements within reasonable means if Controller is unable to meet the requests without Processor’s support. 

‍

Processor shall enable Controller to correct, delete or block Controller Data or, if and to the extent that this is impossible for Controller, to carry out the correction, blocking or deletion at Controller’s request as required by applicable Data Protection Laws. 

‍

Processor shall provide the foregoing support to Controller within reasonable means in return for reimbursement of expenses and costs incurred by Processor as a result.

‍

10. Return and Deletion of Controller Data and Data Storage Mediums

‍

The duration and termination of this DPA shall be tied to the duration and termination of the Agreement. Processor shall delete or return to Controller all data storage mediums received from Controller, which contain Controller Data, following termination of the Agreement and, upon Controller’s request, provide a written report thereof. Processor should store documentation proving the orderly processing of Controller Data pursuant to the respective retention period beyond the date of the termination of this DPA.

‍‍

10.1 Additional Provisions for CCPA

‍

This Section 10 applies only applies to Controller Data subject to protection under the CCPA (“California Personal Information”). To the extent a term is capitalized but not defined in this Section 10, the applicable definition from the CCPA applies. 

‍

a. Role of the Parties. For purposes of the CCPA, the parties hereby agree that Controller is a Business and Processor a Service Provider when Service Provider is processing California Personal Information pursuant to Business instructions. 

‍

b. Data Processing; Transfer; Sale. Servicer Provider shall Process California Personal Information as a Service Provider solely as necessary to perform services pursuant to the Agreement (“Business Purpose”) or as otherwise permitted by the CCPA, including as described in our Privacy Policy. Service Provider shall not (i) Sell or Share California Personal Information; (ii) process California Personal Information outside the business relationship between the parties, unless required by applicable law; or (iii) combine California Personal Information included in Controller Data with personal data from another source (excluding information received from another source when acting as Service Provider pursuant to the Agreement). The parties acknowledge and agree that the disclosure of California Personal Information by the Business to Service Provider does not constitute consideration between the parties.

‍

c. Compliance. Service Provider shall comply with its CCPA obligations, including but not limited to the protection of California Personal Information as required by the CCPA. If Service Provider determines it is no-longer able to comply with its CCPA obligations, Service Provider shall promptly provide notice thereof.

‍

d. Notice. The Business shall notify end users that their California Personal Information is being used or shared consistent with Cal. Civ. Code 1798.130.

‍

In the event of a conflict between this Section 10 and another section of this DPA as it relates to the CCPA, Section 10 controls.

‍

11. Indemnity

‍

Notwithstanding any other provision of this DPA, and to the maximum extent permitted by applicable law, and except with respect to a party’s defense and indemnification obligations expressly set out in this DPA or with respect to a party’s liability for willful misconduct or gross negligence, the liability (if any) of each party to the other party arising from, connected with or relating to this DPA or the subject matter of this DPA is limited to actual direct damages suffered by the other party. Only, and in no event and under no circumstances shall either party be liable to the other party for any incidental, indirect, consequential, special, exemplary or punitive loss or damage of any nature or kind whatsoever, including, but not limited to, loss of profit, loss of use or loss of revenues, whether based on contract, tort or any other legal theory, even if other remedies are not available or do not adequately compensate for the loss or damage, even if the liable party knows or ought to have known of the possibility of the loss or damage being incurred, and regardless of whether or not the loss or damage was foreseeable.

‍

Under no circumstances shall the total aggregate liability of either party to the other party or any other person arising from, connected with or relating to this DPA or the subject matter of this DPA ever exceed USD $100. Processor shall not be responsible or liable for any wrongful act or omission by or on behalf of any subcontractor listed under Schedule-C.

‍

12. Governing Law

‍

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the applicable laws of the United States and the State of Nevada. 

‍

13. Severability

‍

If any provision of this DPA is found by a court of competent jurisdiction to be unenforceable or invalid, that provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will remain in full force and effect. 

‍

14. General

‍

Any amendments, supplements or the cancellation of this DPA must be in writing (email sufficient). Should parts of this DPA be or become invalid or contain a gap, the remaining provisions remain unaffected, and the parties shall replace the invalid provision with a legally permissible provision that comes closest to the economic purpose of the invalid provision or fills such gap. 

‍

SCHEDULE-A

‍

PURPOSE, TYPE AND SCOPE OF DATA PROCESSING, TYPE OF DATA AND CATEGORIES OF DATA SUBJECTS

‍

‍

‍

SCHEDULE-B

‍

TECHNICAL AND ORGANISATIONAL MEASURES

‍

Organisational Control 

• Internal data processing regulations and processes, guidelines, instructions, descriptions of procedures and regulations regarding the programming, checking and publication of data.
• Existence of a data security concept.
• Inspection of systems and programs according to industrial standards.
• Existence of an emergency plan (backup contingency plan).
• Employees agree to abide by confidentiality obligations in writing.
• Regular training for employees regarding data protection aspects.
• Commissioned data protection officer: privacy@rivo.io.

‍

Server Access Control 

‍

Processor shall take the following measures to prevent data processing systems from being used without authorisation:

• Password policy (special characters, minimum length, password change etc.)
• Automatic blocking (for timeout, failed password entry attempts.
• Creation of one master record per user.
• Encryption of data storage media.

‍

Data Access Control 

‍

An authorisation concept (user and administrative rights) ensures that access to data of the system is possible only as far as it is necessary for the task execution in accordance with internal distribution of tasks and functional separation of the user. Rules and procedures for creating, modifying and deleting authorisation profiles and user roles in accordance with are:

• Requirement-driven definition of the access scheme and access rights.
• Differentiated access rights (profiles, roles, transactions).
• Encryption of data storage devices.
• Password protection of files.

‍

Transfer Control 

‍

Processor shall take the following measures to ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being recorded onto data storage media:

• Encryption/tunnelling (VPN = Virtual Private Network).
• Required multi-factor authentication for access to systems.
• Standard logging of electronic transfer, data transport, transmission control.
• Documentation of interfaces for data transfer and documentation of personal data transferred).

Data Entry Control 

‍

Processor shall take the following measures to ensure that it is possible to check and ascertain whether data have been accessed, altered or removed from data processing systems and if so, by whom:

• Concept that defines the user permissions for input (profiles) and ensures that data access by users is restricted to the necessary scope.
• Detailed logging systems for entry, processing or deletion of personal data.
• Documentation of authorised persons.
• Storage and deletion of log files

‍

Data Processing Control 

‍

Processor shall take the following measures to ensure that personal data processed on behalf of others is processed strictly in compliance with the instructions of Controller:

• Assignment of contact persons by both contract parties.
• Unambiguous wording of contracts.
• Formal commissioning (project organisation, request forms). 
• Monitoring of contract performance.

‍

Loss Control 

‍

Processor shall take the following measures to protect personal data against accidental destruction or loss:

• Backup procedures and secure storage of backups.
• Separate storage.
• Antivirus protection/Firewall.
• Emergency concept.
• Backup and recovery concept.

Separation Control 

‍

Processor shall take the following measures suitable for enabling the separate processing of data collected:

• Separate virtual systems.
• Separate applications on the same server (e.g. different database systems).
• Separate databases with restricted rights for each user.
  

SCHEDULE-C

‍

SUBCONTRACTORS

‍

Stores personal data to deliver messaging to subscribed customers

‍

‍