Data Processing Agreement (DPA)


Last updated on May 24, 2018

Definitions

Terms defined in the Agreement shall have the same meaning as in these terms. Further, for the purposes of these data protection terms the following terms shall have the following meanings:

  1. "Agreement" Product Filter & Search Subscription Agreement as set out at https://boostcommerce.net/pages/terms-of-service 
  2. "Controller" shall mean the party that determines the purposes and means of the Processing of Personal Data.
  3. "GDPR" means the General Data Protection Regulation, also known as regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  4. "Personal Data" shall mean any information relating to an identified or identifiable natural person ("Data Subject") where Customer is the Controller; an identifiable natural person is a person who can be identified, directly or indirectly with the use of additional information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  5. "Personal Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Product Filter & Search.
  6. "Processing" or "Process" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  7. "Processor" shall have the meaning given to in the GDPR.

Scope of Processing of Personal Data

In connection with the fulfillment of its obligations under the Agreement BoostCommerce will Process Personal Data on behalf of the Customer who has the ownership of the Personal Data solely for the purposes set out in the Agreement.

Based on the definitions in Art. 4 GDPR (http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm), we considered the following collected data are personal data that the App interacts with:

Store’s Owner Information
We store this data to communicate with the store’s owner regarding BoostCommerce apps and services. Our app minimizes the personal data of store’s owner as we only store Email Address (encrypted in the database) and State/Country of the owner.

This information is kept s long as the store owner continues using the app. When the store owner uninstalls the app, the data is deleted.

Order Hook Information
We need order information to update the availability of related products of the store. The order hook comes to our application from Shopify Webhooks. However, all the personal-related data are deleted as soon as our application receives the hook. Only products-related data are kept for data sync purpose. We do not store any personal data of store’ customers.

Application Logs
We keep application logs for system performance monitoring and security audits. Before storing the log event in our database, the IP Address is translated to Geolocation information including State/Country. As soon as the Geolocation is analyzed, the IP address is removed. We do not store IP addresses in our application log in databases.

The application logs are kept for 3 months.

BoostCommerce do not and will never share, disclose, sell, rent, or otherwise provide personal information to other third parties or companies (other than to specific Shopify merchants you are interacting with, or to third-party apps or service providers being used by the merchants you are interacting with) for the marketing of their own products or services.

General Obligations of the Customer

  1. The Customer shall comply with GDPR.
  2. The Customer shall provide BoostCommerce with necessary written instructions in respect of Processing of Personal Data and be liable for that such instructions are in compliance with GDPR.
  3. The Customer is responsible for the fulfillment of the Customer's obligations to respond to requests for exercising the Data Subjects' rights as well as for necessary notifications to the supervisory authority and/or Data Subjects in case of Personal Data Breach.

General Obligations of BoostCommerce

  1. BoostCommerce shall act solely as the Processor of the Personal Information.
  2. In addition to these data protection terms, BoostCommerce shall also abide by any written instructions in respect of Processing of Personal Data given by the Customer from time to time, provided that such instructions do not create any additional obligations on BoostCommerce.
  3. BoostCommerce shall, at Customer's cost and taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subjects' rights laid down in Chapter III of the Regulation, e.g. by promptly providing the Customer with any such information. For the sake of clarity, BoostCommerce shall not directly respond to Data Subjects, unless the Customer specifically so requests in writing.
  4. BoostCommerce shall, at the choice of the Customer, delete or return all the Personal Data to the Customer, or to a third party assigned by the Customer, after the end of the provision of services related to the Processing, and delete existing copies unless the GDPR require storage of the Personal Data. The return of Personal Data shall include, at a minimum and at no additional costs to the Customer, any data conversion necessary to provide the Customer with its Personal Data in the format in which such information was originally provided to BoostCommerce by the Customer. BoostCommerce shall, at its own initiative and accord, inquire from the Customer whether BoostCommerce shall delete or return the Personal Data no later than within 30 days after the end of the performance of those obligations under the Agreement that involve Processing.
  5. BoostCommerce shall maintain a written record of all categories of processing activities carried out on behalf of the Customer, containing the matters listed in the Article 30 of the Regulation. BoostCommerce shall keep the records available for the Customer on request.
  6. BoostCommerce shall promptly notify the Customer of any queries from the data protection authority or any other law enforcement or regulatory authority.

Security of Personal Data and Personal Data Breach

  1. BoostCommerce shall implement and at all times maintain appropriate, and in any event at least such as are in accordance with good industry practice, technical and organizational measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services, in particular, the protection of the Personal Data against Personal Data Breach.
  2. In case of a Personal Data Breach, BoostCommerce shall without delay, notify the Personal Data Breach in writing to the Customer. The notification shall contain all relevant information regarding the Personal Data Breach, and at least a) a description of the nature of Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, b) a description of the likely consequences of the Personal Data Breach and c) a description of the measures taken or proposed to be taken by BoostCommerce to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  3. BoostCommerce shall document any and all Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken by BoostCommerce. This documentation must enable the Customer to review BoostCommerce's compliance with the Regulation in respect of Personal Data Breaches.
  4. To the extent the GDPR require that a Data Subject or the authority be notified in the event of the Personal Data Breach, BoostCommerce undertakes to reasonably assist the Customer in complying with such requirement.

Right to Audit

  1. BoostCommerce shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in these data protection terms and GDPR.
  2. The Customer, or a third party auditor appointed by the Customer, shall be entitled to audit and inspect BoostCommerce's level of protection of Personal Data and BoostCommerce's compliance with these Data Protection terms and the Regulation. BoostCommerce shall, at Customer's cost, cooperate with the auditors performing the audit to ensure that the auditors are able to form a correct view of BoostCommerce's aforesaid compliance.

Subject to terms of the Agreement

Where these terms apply, they shall form an annex to and be subject to the terms of the Agreement. In the event of conflict between these terms and the Agreement, the terms of the Agreement shall prevail. The governing law and dispute resolution shall be determined according to what has been agreed in the Agreement.