Data Processing Agreement (DPA)


Last updated on September 3rd, 2020

This Data Processing Agreement (DPA) hereby reflects the parties’ agreement with respect to the terms and conditions under the Boost Commerce Terms of Service (the “Agreement”). This DPA is an amendment to the Agreement, and is effective upon its incorporation into the Agreement.

Definitions

Terms defined in the Agreement shall have the same meaning as in these terms. Further, for the purposes of these data protection terms the following terms shall have the following meanings:

  1. "Agreement" Product Filter & Search Subscription Agreement as set out at https://boostcommerce.net/pages/terms-of-service 
  2. "Controller" shall mean the party that determines the purposes and means of the Processing of Personal Data.
  3. “Data Protection Law” means all applicable legislation relating to data protection and privacy, including without limitation the General Data Protection Regulation ("GDPR"), also known as regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  4. "Personal Data" shall mean any information relating to an identified or identifiable natural person ("Data Subject") where Customer is the Controller; an identifiable natural person is a person who can be identified, directly or indirectly with the use of additional information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  5. "Personal Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Product Filter & Search.
  6. "Processing" or "Process" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  7. "Processor" shall have the meaning given to in the GDPR.

Scope of Processing of Personal Data

In connection with the fulfillment of its obligations under the Agreement, Boost Commerce will process Personal Data on behalf of the Customer, who has the ownership of the Personal Data, for the purposes set out in the Agreement.
The Personal Data may be subject to the following Processing activities: a) storage and other Processing necessary to provide, maintain and improve the Services provided to the Customer; b) to provide technical support to Customer; and c) disclosures as required by law or otherwise set forth in the Agreement.

Boost Commerce do not and will never share, disclose, sell, rent, or otherwise provide personal information to other third parties or companies (other than to specific Shopify merchants you are interacting with, or to third-party apps or service providers being used by the merchants you are interacting with) for the marketing of their own products or services.

General Obligations of the Customer

  1. The Customer shall comply with GDPR.
  2. The Customer shall provide Boost Commerce with necessary written instructions in respect of Processing of Personal Data and be liable for that such instructions are in compliance with GDPR.
  3. The Customer is responsible for the fulfillment of the Customer's obligations to respond to requests for exercising the Data Subjects' rights as well as for necessary notifications to the supervisory authority and/or Data Subjects in case of Personal Data Breach.

General Obligations of Boost Commerce

  1. Boost Commerce shall act solely as the Processor of the Personal Information.
  2. In addition to these data protection terms, Boost Commerce shall also abide by any written instructions in respect of Processing of Personal Data given by the Customer from time to time, provided that such instructions do not create any additional obligations on Boost Commerce.
  3. Boost Commerce shall, at Customer's cost and taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subjects' rights laid down in Chapter III of the Regulation, e.g. by promptly providing the Customer with any such information. For the sake of clarity, Boost Commerce shall not directly respond to Data Subjects, unless the Customer specifically so requests in writing.
  4. Boost Commerce shall, at the choice of the Customer, delete or return all the Personal Data to the Customer, or to a third party assigned by the Customer, after the end of the provision of services related to the Processing, and delete existing copies unless the Data Protection Law require storage of the Personal Data. The return of Personal Data shall include, at a minimum and at no additional costs to the Customer, any data conversion necessary to provide the Customer with its Personal Data in the format in which such information was originally provided to Boost Commerce by the Customer. Boost Commerce shall, at its own initiative and accord, inquire from the Customer whether Boost Commerce shall delete or return the Personal Data no later than within 30 days after the end of the performance of those obligations under the Agreement that involve Processing.
  5. Boost Commerce shall maintain a written record of all categories of processing activities carried out on behalf of the Customer, containing the matters listed in the Article 30 of the Regulation. Boost Commerce shall keep the records available for the Customer on request.
  6. Boost Commerce shall promptly notify the Customer of any queries from the data protection authority or any other law enforcement or regulatory authority.

Security of Personal Data and Personal Data Breach

  1. Boost Commerce shall implement and at all times maintain appropriate, at least in accordance with good industry practice, technical and organizational measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services, and the protection of the Personal Data against Personal Data Breach in particular.
  2. In case of a Personal Data Breach, Boost Commerce shall without delay, notify the Personal Data Breach in writing to the Customer. The notification shall contain all relevant information regarding the Personal Data Breach, and at least a) a description of the nature of Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, b) a description of the likely consequences of the Personal Data Breach and c) a description of the measures taken or proposed to be taken by Boost Commerce to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  3. Boost Commerce shall document any and all Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken by Boost Commerce. This documentation must enable the Customer to review Boost Commerce's compliance with the Data Protection Law in respect of Personal Data Breaches.
  4. To the extent the Data Protection Law requires that a Data Subject or the authority be notified in the event of the Personal Data Breach, Boost Commerce undertakes to reasonably assist the Customer in complying with such requirement.

Right to Audit

  1. Boost Commerce shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in these data protection terms and GDPR.
  2. The Customer, or a third party auditor appointed by the Customer, shall be entitled to audit and inspect Boost Commerce's level of protection of Personal Data and Boost Commerce's compliance with these Data Protection terms and the Regulation. Boost Commerce shall, at Customer's cost, cooperate with the auditors performing the audit to ensure that the auditors are able to form a correct view of Boost Commerce's aforesaid compliance.

Subject to terms of the Agreement

Where these terms apply, they shall form an annex to and be subject to the terms of the Agreement. In the event of conflict between these terms and the Agreement, the terms of the Agreement shall prevail. The governing law and dispute resolution shall be determined according to what has been agreed in the Agreement.