408-612-4990
Schedule a Demo

Legal DPA

DATA PROCESSING ADDENDUM

I. PURPOSE

This "SVM Contracting Entity" (DBA PURL CC) (“DPA”) supplements and is incorporated by reference into the the Terms of Service, together with any terms applicable to any additional SVM services that you choose to use (the “Terms”) by and between You (or “Merchant”), and the SVM Contracting Entity as outlined in the Terms (“PURL CC”), which outline the specific business purposes and services related to the DPA. In case of any conflict between the Terms and this DPA, the DPA shall prevail with respect to the processing of Your Personal Data.

You and SVM (each a “Party”, together the “Parties”), agree that this DPA sets forth the Parties’ obligations governing the processing of Your Personal Data in connection with the Terms and Your use of the Services. 

II. DEFINITIONS

Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Terms:

  1. Applicable Data Protection Law(s): Any data protection or privacy laws applicable to SVM’s processing of Your Personal Data under the Terms, their implementing regulations and secondary legislation, each as may be amended, updated or replaced from time to time, including (as applicable, based on the location or residence of Merchant and/or Your Customer(s)):
    1. the (a) California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), (b) Virginia Consumer Data Protection Act, (c) Colorado Privacy Act, (d) Connecticut Data Privacy Act, (e) Utah Consumer Privacy Act, (f) Oregon Consumer Privacy Act, (g) Texas Data Privacy and Security Act, (h) Montana Consumer Data Privacy Act and (i) once effective, similar comprehensive privacy laws in other U.S. states (together, “U.S. Data Protection Laws”);
    2. General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and any applicable national implementing laws;
    3. EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”);
    4. UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (“UK DPA”);
    5. Singapore’s Personal Data Protection Act 2012 (“PDPA”); and
    6. Swiss Federal Data Protection Act ("Swiss FDPA")
  2. Customer: An individual or entity that visits, engages with, and/or purchases a product, good, or service from Your Store(s).
  3. Personal Data: Information or data defined as ‘personal data,’ ‘personal information,’ or ‘personally identifiable information’ (or analogous term) under Applicable Data Protection Laws from or about Your Customers that is made available to SVM (or third-parties acting on SVM’s behalf) by You (or third-parties acting on Your behalf) as part of using the Services, as well as other personal data You choose to share with SVM about Your Customers as part of using the Services. For clarity, Personal Data shall not include any personal data about Customers that SVM processes as a Data Controller and/or receives as a result of the Customer’s direct relationship or intentional interaction with SVM or with other SVM merchants.
  4. Data Rights Request: A valid and lawful request by an individual to exercise available rights pertaining to Personal Data under an Applicable Data Protection Law.
  5. Data Controller: The Party that determines the purposes and means of the processing of Personal Data, or as otherwise defined under any Applicable Data Protection Law.
  6. Data Processor or Service Provider: The Party or other entity or business that provides services on behalf of and processes Personal Data at the direction and on behalf of the Data Controller, and shall be interpreted in accordance with the Applicable Data Protection Laws.
  7. Personal Data Breach: In relation to Your Personal Data, shall be interpreted in accordance with Applicable Data Protection Law.
  8. Process,” “processes,” or “processing”: (a) Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; or (b) the definition given to such term(s) under the Applicable Data Protection Law.
  9. Subprocessor(s)”: Affiliated companies or third-party Data Processors or Service Providers that may process Personal Data at SVM’s direction for the purpose of providing the Services.
  10. You,” “Your,” or “Merchant”: Means the business that uses the Services and is a Party to the Terms with SVM.

III. NATURE OF THE PROCESSING AND ROLES OF THE PARTIES

SVM receives and processes Your Personal Data in order to provide You with the Services and as otherwise set forth below. Depending on which of the Services You request or use, SVM will process the categories of Personal Data set forth at Appendix A, in the manner and on the basis contained therein.

SVM shall only process Your Personal Data as a Data Processor or Service Provider as necessary to provide and improve its Services or as otherwise permitted by Applicable Data Protection Laws. As part of its provision and ongoing improvement of its Services, SVM may aggregate, anonymize or de-identify Your Personal Data. SVM will not attempt to re-identify data once de-identified. 

To the extent SVM receives from You Personal Data that has been de-identified, SVM will maintain and use the data only in a de-identified fashion.

IV. OBLIGATIONS OF PARTIES

The following section describes the Parties’ respective obligations with respect to the processing of Personal Data covered by this DPA.

 

General Compliance

  1. The Parties will comply with their respective obligations under Applicable Data Protection Laws.
  2. SVM shall have no obligation to interpret or advise You on Your obligations under Applicable Data Protection Laws, including with respect to Personal Data covered by this DPA. You are solely responsible for determining Your legal and regulatory obligations, including evaluating whether the technical and organizational measures of the Services are consistent with Your independent legal and regulatory obligations.

 

SVM’s Obligations

  1. Data Security
    SVM will implement and maintain appropriate technical and organizational measures designed to protect Your Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, as set forth in Appendix B.
  2. Personal Data Breach Notification and Investigation
    1. As required by Applicable Data Protection Laws, SVM will provide notice to you upon SVM confirming any Personal Data Breach.
    2. Such notice shall include the information required under Applicable Data Protection Laws to the extent such information is reasonably available to SVM. SVM’s response to, or notice of, a Personal Data Breach is not an acknowledgment by SVM of any fault or liability.
    3. SVM agrees to investigate any Personal Data Breach, and use commercially reasonable efforts to identify, prevent, mitigate, and remedy the effects.
  3. Data Rights Requests
    1. To the extent required under Applicable Data Protection Laws, SVM will facilitate Your ability to process and respond to Data Rights Requests from Your Customers related to Your use of the Services.
    2. To obtain assistance in responding to any such Data Rights Request, forward the Request to SVM at .

 

Your Obligations With Respect to Personal Data

  1. Privacy Notices and Transparency: You represent and warrant that You are in compliance with all obligations under Applicable Data Protection Laws to provide notice and transparency concerning Your processing of Personal Data under the Terms and in connection with Your use of the Services. To the extent required under Applicable Data Protection Laws, You shall communicate to the relevant individuals all disclosures necessary for SVM to lawfully and fairly process Personal Data in connection with this DPA, including by providing a link to SVM’s Privacy Policy or to Your own Privacy Policy.
  2. Customer Rights and Permissions: You represent and warrant that You have all necessary rights, permissions, and consents to make available Personal Data to SVM in accordance with the Terms, Your use of the Services You receive and Applicable Data Protection Laws.
  3. Data Rights Requests: You represent and warrant that You provide the ability for Your Customers to exercise Data Rights Requests, as required under Applicable Data Protection Laws, with respect to all Personal Data processed by SVM for which You are the Data Controller.
  4. Regulatory Inquiries: Unless prohibited by applicable law, You will notify us promptly in accordance with the Notice provision in the Terms of any governmental, regulatory or other third party inquiry or complaint concerning Your use of the Services.

 

V. LIMITATION OF LIABILITY & INDEMNIFICATION

To the maximum extent permitted by Applicable Data Protection Laws and notwithstanding anything to the contrary in the Terms, SVM’s total aggregate liability arising out of or relating to this DPA, whether in contract, tort or under any other theory of liability, shall not exceed the total amount paid by You to SVM under the Terms in the twelve (12) months preceding the event giving rise to the liability. The limitations in this section shall not apply to liability which cannot be limited by applicable law.

 

Merchant Indemnification

You agree to indemnify, defend, and hold harmless SVM and its affiliates, directors, officers, employees, agents, and subcontractors from and against any and all third-party claims, actions, demands, losses, damages, penalties, liabilities, costs and expenses (including reasonable legal fees) arising out of or relating to: (i) Your breach of this DPA or the Terms; (ii) Your failure to comply with Applicable Data Protection Laws; (iii) any instructions provided by You to SVM that infringe any applicable law; or (iv) any claim that the processing of Personal Data by SVM in accordance with this DPA violates or misappropriates the rights of a third party, to the extent such claim is attributable to You.

 

Authority and Legal Basis

You represent and warrant that You have obtained all necessary rights, consents, and authorizations to provide the Personal Data to SVM for processing in accordance with this DPA and that such processing does not violate any Applicable Data Protection Law. SVM shall not be responsible for determining whether such rights, consents, or authorizations are valid or sufficient.

VI. MISCELLANEOUS

Response to Legal Requests

  1. You acknowledge that, in the course of providing the Services to You, SVM may share Your Personal Data (i) to comply with legal requirements or to respond to court orders or other similar government or regulatory demands; or (ii) to prevent or investigate suspected fraud, threats to physical safety, illegal activity, or violations of a contract (such as the Terms) or our policies (such as our Acceptable Use Policy).
  2. SVM will make reasonable efforts before producing such Personal Data to ensure that such disclosure is permitted under Applicable Data Protection Laws and will be treated as confidential information under the applicable legal framework.

 

SVM’s Use of Subprocessors/Service Providers

  1. You acknowledge that, in the course of providing the Services to You, SVM may use Subprocessors to process Personal Data. SMV maintains an updated list of all Subprocessors used. If Applicable Data Protection Laws grant you such rights, You may object to the use of a Subprocessor, and if SVM is unable or unwilling to accommodate such requests, You may, in accordance with such laws, terminate Your use of the impacted Services within 30 days of such notification in accordance with the Terms.
  2. SVM’s use of Subprocessors to process Personal Data that You provide will be in compliance with Applicable Data Protection Laws. Where SVM engages a Subprocessor, SVM will enter into a written agreement with the Subprocessor that imposes contractual obligations that are substantially the same as the ones set out in this DPA.

 

DPA Amendment

You acknowledge and agree that SVM may amend this DPA from time to time by posting the relevant amended and restated DPA on SVM’s website, available at https://purlcc.com/legal-dpa and such amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted to SMV’s website constitutes Your agreement to, and acceptance of, the amended DPA. If You do not agree to any changes to the DPA, do not continue to use the Service.

VII. APPENDICES

Appendix A - Categories of Personal Data

Appendix B - Data Security

Appendix C - GDPR, UK GDPR, and Switzerland Data Processing Appendix

 

APPENDIX A: CATEGORIES OF PERSONAL DATA

As part of Your use of the Services, and depending on which Services You use, we may receive and process the following categories of Personal Data to provide the Services:

  • Customer name, email, contact, billing and shipping information.
  • Purchase and other transaction information from Your Store(s).
  • Update(s) about the status of transaction(s) with You or Your Store(s)
  • Customer activity in Your Store(s), including products viewed and/or included in shopping carts.
  • Customer preference signals, including Global Privacy Control (“GPC”), opt-out and opt-in signals.
  • Customer device information for device(s) used when visiting Your Store(s), including IP address, browser, and network activity.
  • Other information about the Customers’ interactions with You.
  • Any other Personal Data You choose to make available with SVM.

 

APPENDIX B: DATA SECURITY

SVM will maintain an information security program designed to (a) enable You to secure Your Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure; (b) identify reasonably foreseeable risks to the security and availability of the Services You receive; and (c) minimize security risks to the Services.

SVM’s information security program will include the following safeguards:

  1. Logical Security
    1. Access Controls SVM will make its systems accessible only to authorized personnel, and only as necessary to maintain and provide the Services. SVM will maintain access controls and policies designed to manage authorizations for access to its systems, including through the use of firewalls and/or other technology and authentication controls.
    2. Restricted User Access SVM will (i) provision and restrict access to its systems in accordance with least privilege principles based on personnel job functions, and (ii) require two-factor authentication (2FA) for access to its systems.
    3. Vulnerability Assessments SVM will maintain a vulnerability assessment and penetration testing program, responsible for investigating and tracking identified issues with the Services to resolution where necessary.
    4. Application Security SVM maintains an application security program responsible for protecting Services from application security threats.
    5. Change Management SVM will maintain controls designed to log, authorize, test, approve and document changes to existing Services resources, and will document change details within its change management or deployment tools. SVM will test changes according to its change management standards prior to migration to production.
    6. Data Integrity As appropriate, SVM will maintain controls designed to provide data integrity during transmission, storage and processing within the Services.
    7. Availability SVM will (i) implement redundancy where appropriate for the Services to minimize the effect of a malfunction on the Services, (ii) design the Services to anticipate and tolerate failures, and (iii) implement appropriate processes designed to move Personal Data traffic away from the affected areas when necessary to recover from failures.
    8. Business Continuity and Disaster Recovery SVM will maintain a risk management program designed to support the continuity of its critical business functions, including processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair SVM’s provision of the Services You receive.
    9. Incident Management SVM provides documentation for You to report security or availability incidents, ask security or availability questions, and submit information about potential security or availability issues. SVM will maintain corrective action plans and incident response plans designed to detect, mitigate, investigate, and respond to potential security threats to the Services.
  1. Physical Security Where necessary to protect Services, SVM will (i) implement reasonable measures designed to prevent unauthorized physical access, damage, or interference to the Services, (ii) use appropriate control devices designed to restrict physical access to the Services to only authorized personnel who have a legitimate business need for such access, and (iii) perform periodic reviews to validate adherence with these standards.
  2. SVM Employees SVM employees who are authorized to access Personal Data are bound by obligations of confidentiality as part of their terms of employment. SVM will implement and maintain employee security training programs regarding SVM information security requirements. The security awareness training programs will be reviewed and updated periodically.

Modifications to this Appendix

SVM reviews its security measures from time to time, and may update this Appendix in its sole discretion. Any such updates will replace prior versions of this Appendix as of the date that SVM publishes the updated version.

 

APPENDIX C: GDPR, UK GDPR, AND SWITZERLAND DATA PROCESSING APPENDIX

Where the processing of Personal Data under the DPA is subject to data protection requirements in the European Economic Area (the “EEA”), the United Kingdom (the “UK”), or Switzerland (collectively, “European Data Protection Laws”), Appendix C supplements this DPA.

Nature of the Processing and Role of the Parties

  1. Personal Data
    1. Under this Appendix You shall act as a Data Controller and SVM shall act as a Data Processor with respect to the processing of Your Personal Data as described in Annex 1, as necessary to fulfill the business purposes outlined in the Terms and provide You with the Services You choose to use.
    2. For the avoidance of doubt, SVM shall act as an independent Data Controller with respect to Personal Data about Customers that SVM receives as a result of the Customer’s direct relationship or intentional interactions with SVM, as described in SVM’s Privacy Policy.

Obligations of the Parties

Your Obligations

You shall comply with:

  • European Data Protection Laws binding on You in the performance of this Appendix; and
  • Your obligations set out in the DPA, including Your obligations set forth in this Appendix.

You represent and warrant that You have a valid legal basis for processing the Personal Data (including making any such data available to SVM) and have obtained any necessary consents, rights and authorizations and given any necessary notices to individuals regarding Your disclosure of Personal Data to SVM to enable SVM’s processing of Personal Data to provide the Services, as required by European Data Protection Laws.

 

SVM’s Obligations

  1. Instructions of the Controller and Infringement of European Data Protection Laws
    1. The Parties agree that the Terms together with this DPA constitute Your documented instructions regarding SVM’s processing of Your Personal Data (“Documented instructions”).
    2. SVM will process Personal Data as a Processor only: (i) in accordance with Your Documented instructions, or (ii) to comply with SVM's obligations under applicable laws, subject to any notice requirements under European Union or European Union member state law to which SVM is subject.
    3. SVM will notify You if it receives an instruction that it reasonably determines infringes European Data Protection Laws (but SVM has no obligation to actively monitor Your compliance with European Data Protection Laws).
  2. Confidentiality obligation: SVM will ensure persons who it authorizes to process Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
  3. Security measures
    1. SVM shall implement and maintain appropriate technical and organizational measures designed to protect Your Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, unauthorized access, alteration, or disclosure, as set forth in Annex 2.
    2. Taking into account the nature of the Personal Data and related processing, SVM shall provide such reasonable assistance as You may reasonably request to help You fulfill Your security obligations under European Data Protection Laws.
    3. SVM shall provide You with notice, without undue delay, upon becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Personal Data transmitted, stored or otherwise processed.
    4. SVM agrees to investigate any such security breach and use commercially reasonable efforts to mitigate the effects.
  4. Subprocessors
    1. You generally authorize SVM to engage Subprocessors to process Personal Data. You further agree that SVM may engage its affiliates as Subprocessors.
    2. SVM’s use of Subprocessors to process Your Personal Data will be in compliance with European Data Protection Laws.
    3. SVM maintains an updated list of all Subprocessors as set forth in Annex 3. SVM will update the list of Subprocessors as appropriate and provide You with a mechanism to obtain notice of the addition or replacement of a Subprocessor. You may object to SVM’s use of a new Subprocessor.
    4. To the extent You object to SVM’s use of a Subprocessor, and SVM is unable or unwilling to accommodate such requests, You may terminate Your use of the impacted Services within 30 days of such notification in accordance with the Terms.
    5. Where SVM engages a new Subprocessor, SVM will enter into a written agreement with the Subprocessor and SVM will impose, on the Subprocessor, contractual obligations that are substantially the same as the ones set out in this DPA. SVM shall be fully liable for the acts and omissions of its Subprocessors to the same extent SVM would be liable if performing the services of each Subprocessor directly under the terms of this DPA. SVM’s liability will nevertheless be subject to the conditions and limitations of liability set forth in the Terms.
  5. Assistance to the Controller: Taking into account the nature of Your Personal Data and related processing, SVM shall provide such reasonable assistance as You may reasonably request to assist You in complying with Your obligations:
    • to respond to Data Rights Requests under European Data Protection Laws.
    • to notify relevant authorities and/or data subjects of a Personal Data Breach;
  6. Assessing compliance
    1. SVM may fulfill Your right of audit under European Data Protection Laws in relation to the processing of personal data by providing You - upon Your written request and subject to confidentiality - with:
      1. SVM's most recent self-audit report results
  7. End of processing
    1. During Your use of the Services, You may leverage account tools to access, return to yourself, or delete Personal Data.
    2. Following termination, SVM will, at Your choice, delete or return Your Personal Data. Notwithstanding the foregoing, SVM may retain Personal Data: (i) as required by law, including European Data Protection Laws; and (ii) in accordance with its standard backup or record retention policies, provided that, in either case, SVM will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Personal Data, and not further Process retained Personal Data except for such purpose(s) and duration permitted under such applicable laws.

ANNEX 1 - PERSONAL DATA

DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

Subject Matter of the Processing

Provision of SVM Services to Merchant.

Categories Of Data Subjects

Customers of Merchant.

Categories Of Personal Data Processed

See Appendix A above.

Frequency of the transfer

Continuous.

Nature Of The Processing

Collection, recording, hosting, access, use, transfer and deletion of Personal Data as described in the Terms.

Purposes For Which The Personal Data Is Processed On Behalf Of The Controller

For the performance and improvement of the Services as described in the Terms.

Duration Of The Processing

Duration of the Services under the Terms or applicable agreement, plus the period after such expiration until the anonymization, return, or deletion of data.

ANNEX 2 - SECURITY MEASURES

Information on security measures is provided in Appendix B of the DPA.

ANNEX 3 - LIST OF SUBPROCESSORS

The Subprocessors SVM uses to perform the Services under the Terms are listed here.

Subprocessor service provided headquarters data
Liquid Web Cloud Hosting USA All platform data
Cloudflare, Inc. Load Balancing and DDoS protection USA All platform data
Google LLC Mapping delivery USA All platform data
Mailersend SMTP Email Relay USA Personal data necessary to provide transactional emails

 

The Subprocessors will process the categories of Personal Data described above in connection with the Services for the duration of their agreement with SVM.