Version 1.0.0
May 21, 2018
This Data Processing Addendum (“DPA”) applies to all companies which are subject to the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data). It is incorporated by reference into the Terms of Use (“Agreement”) between you and Accumulus Corporation (“Accumulus”).
Purpose and scope
In the course of providing the Services to you under the Agreement, Accumulus will Process Customer Data on your behalf. Customer Data may include Personal Data as required to process and fulfill orders submitted through your website with plug-ins or hosted pages provided by Accumulus or input manually via the administrative application made available by Accumulus. This DPA reflects the parties’ agreement relating to the Processing of Customer Data in accordance with the requirements of Data Protection Laws and Regulations. This DPA will control in the event of any conflict with the Agreement.
Definitions
2.1 “Data Controller” means the entity that determines the purposes and means of Processing of Personal Data.
2.2 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
2.3 “Data Protection Laws and Regulations” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states.
2.4 “Data Subject” means the individual to whom Personal Data relates.
2.5 “Personal Data” means any information relating to an identifiable or identified individual.
2.6 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
2.7 “Sub-processor” means Accumulus’s Affiliates or other third-party service providers that Process Customer Data for Accumulus.
Processing of customer data
3.1 Data Processing Roles.
As between you and Accumulus, you are the Data Controller of Customer Data and Accumulus is the Data Processor. You control the categories of Data Subjects and Personal Data Processed under the Agreement. Accumulus has no knowledge of, or control over, the Personal Data that you provide for Processing. You are solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which you acquired the Customer Data.
3.2 Data Processing Instructions.
This DPA and the Agreement are your complete and final instructions to Accumulus for the Processing of Customer Data. You and Accumulus must agree on any additional or alternate instructions. Accumulus will inform you if, in Accumulus’s opinion, your instructions violate Data Protection Laws and Regulations. Accumulus will process Customer Data: (1) in accordance with the Agreement (including all documents incorporated in the Agreement), and (2) to comply with other reasonable instructions you provide to Accumulus (including by email) where your instructions are consistent with the Agreement. Accumulus will not otherwise disclose Customer Data to third parties unless required to do so by applicable law. Accumulus will not Process Customer Data for any other purpose unless you instruct Accumulus.
Rights of data subjects
4.1 Correction, Blocking and Deletion.
If you do not have the ability to amend, block, or delete Customer Data as required by Data Protection Laws and Regulations, you can provide written instructions to Accumulus to act on your behalf. Accumulus will follow your instructions to the extent they are technically feasible and legally permissible. You will pay Accumulus’s costs of providing this assistance if applicable.
4.2 Data Subject Requests.
If permitted, Accumulus will promptly notify you of any request from a Data Subject for access to, correction, amendment, or deletion of that Data Subject’s Personal Data. Accumulus will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
4.3 Cooperation and Assistance.
Accumulus will assist you to address any request, complaint, notice, or communication you receive relating to Accumulus’s Processing of Customer Data received from (A) a Data Subject whose Personal Data is contained within the Customer Data, or (B) any applicable data protection authority. Accumulus will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay Accumulus’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.
Accumulus personnel
5.1 Confidentiality.
Accumulus informs its personnel engaged in the Processing of Customer Data about the confidential nature of such Customer Data. These personnel receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Accumulus.
5.2 Limitation of Access.
Accumulus ensures that access to Customer Data is limited to those personnel who require access to Process Customer Data under the Agreement.
Sub-processors
6.1 Authorization.
You expressly authorize Accumulus to use Sub-processors to perform specific services on Accumulus’s behalf to enable Accumulus to perform its obligations under the Agreement by configuring said Sub-processors in the Accumulus system yourself or instructing Accumulus to configure them for you or otherwise authorizing Accumulus to engage them on your behalf. Accumulus’s current Sub-processors are listed at the end of this document.
6.2 Notice and Objection.
You have a right to reasonably object to Accumulus’s use of a new Sub-processor by notifying Accumulus in writing within 10 business days after Accumulus publishes notice of a new Sub-processor. If you do so, Accumulus will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Sub-processor. If Accumulus is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that Accumulus cannot provide without using the new Sub-processor. You must provide written notice of termination to Accumulus in accordance with the Agreement. Accumulus will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.
Security and audit
7.1 Controls for the Protection of Customer Data.
Accumulus maintains appropriate administrative, technical and organizational safeguards to protect Customer Data from unauthorized or unlawful Processing and from accidental loss, destruction, or damage.
7.2 Incident Management and Breach Notification.
Accumulus will notify you within 24 hours of becoming aware of a breach of your Customer Data. To the extent known, the notice will include (A) a description of the nature of the personal data breach, including the categories and approximate number of your data subjects concerned and the categories and approximate number of your records concerned; (B) the name and contact details of an Accumulus contact point for more information; and (C) the measures Accumulus is taking to address the breach, including measures to mitigate its possible adverse effects.
7.3 Audit Rights.
Accumulus will provide you with additional information—and will allow and contribute to audits, including inspections—reasonably necessary to demonstrate compliance with Data Protection Laws and Regulations. You will reimburse Accumulus for any time taken for an audit or inspection at Accumulus’s then-current professional service rates. Accumulus will provide those rates to you on request. You and Accumulus will agree in advance on the timing, scope, duration and reimbursement rates for any audit or inspection.
Return and deletion of customer data
You may retrieve Customer Data at any time prior to the end of a Subscription Term. Following your Subscription Term, Accumulus will delete your Customer Data in accordance with the Agreement and the Documentation.
Sub-processor list:
- Avalara
- Amazon Web Services
- Authorize.net
- ChasePaymentech
- ConstantContact
- Cybersource
- Google Analytics
- Google Captcha
- Intuit Quickbooks
- MailChimp
- Merchant e-Solutions
- Microsoft Azure
- PayPal
- Stripe
- Zapier
- Zoho