Affiliate agreement

Smpl, a company registered in USA, with its office at 10300 W. Charleston Blvd., Suite 13-127 Las Vegas, NV 89135

hereinafter jointly referred to as the “Parties”, and each of them individually as a “Party”

RECITALS

WHEREAS .

WHEREAS Affiliate desires to so license the Service;

NOW, THEREFORE, in consideration of the premises set forth above and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

    ENGAGEMENT

    • General: ISO will provide Affiliate with access to the Service and a copy of the embeddable widget component Software for placement on the Website. As part of the Service, ISO will further make a variety of associated graphic and textual Links available to Affiliate for placement on Affiliate’s Website(s). As part of the Services during the Term, the ISO will, at no cost to the Affiliate, provide the Affiliate with Software updates and related documentation as we are reasonably able to do so.
    • License: Subject to the terms and conditions of this Agreement, ISO grants to Affiliate a non-exclusive license to copy, display, perform, use and grant its Customers the use of the Software in connection with the overall Service during the Term (“License”). Under the License, Affiliate may use and may permit its Customers to use the Software on the Website and the overall Service to enable such Customers that have accounts on Affiliate’s Website, Services or Applications to purchase crypto currency assets by credit card or other agreed upon payment method (each, a “Purchase”). Subject to the terms and conditions hereof, Affiliate may display the Software and the Links as often and in as many areas of Affiliate’s Website(s) as desired.

    ISO’S RIGHTS AND OBLIGATIONS

    • Register Affiliate’s Customers: Affiliate will permit ISO to register Affiliate’s Customers and track their transactions that use the Service. Affiliate acknowledges that Customers that open an account with ISO, will be required to agree with all ISO’s customer rules, policies and operating procedures. ISO will provide such rules, policies and operating procedures to each Customer for the Customer’s agreement and consent prior to such Customer registering for an account with ISO. With notice to Affiliate, ISO reserves the right to refuse any Affiliate Customer, or close any Customer account if necessary, to comply with any requirements ISO may periodically establish.
    • Track Customers’ Activity: ISO will track Customers’ activity and all relevant information in a secure and private database. All such Affiliate Customer activity will be considered to be part of Affiliate’s Customer Data (as defined below) subject to the confidentiality restrictions of this Agreement.
    • Chargebacks: Chargebacks are the sole responsibility of the ISO. The Affiliate shall have no liability for chargebacks or uncollected fees relating to ISO. Affiliate shall not be responsible and shall not indemnify ISO with respect to any chargebacks.
    • Promotions: ISO can use the Affiliates logo and name to promote its own services on its website, marketing materials and publications.

    AFFILIATE’S RIGHTS AND OBLIGATIONS

    • Affiliate shall use commercially reasonable efforts to actively and effectively advertise, market and promote its offering of ISO’s Service to its Customers and prospective customers with the intent of maximizing the financial benefit of such Service to both Affiliate and ISO.
    • Affiliate shall only engage in advertising, marketing and promotional efforts which do not violate any law and which reflect positively upon the business reputation of ISO.
    • The Affiliate will take down, delete or correct any false information which has been published upon the request of the ISO.
    • Affiliate agrees to reasonably cooperate with ISO in utilizing and maintaining Links and other promotional tools for the Service as supplied by ISO.
    • Affiliate agrees to: i) Utilize the entire code provided by ISO for the Software, Links and other promotional tools (including the tracking codes therein), and shall not in any way alter or remove any part of such code; ii) Update posted Link images with new images provided by ISO from time to time throughout the Term of this Agreement; and iii) Display other graphic and/or textual images concerning the Service prominently on Affiliate’s Website(s), as agreed by the Parties.

    INTELLECTUAL PROPERTY

    • General: “Intellectual Property” or “IP” shall mean any proprietary rights, title and interest in patents, patent applications, extensions, supplementary protection certificates, design rights, data rights, copyrights, trade secrets, trademarks, service marks, trade names, trade dress, know-how, business processes, technology and all other intellectual property rights, derivatives thereof, and any forms of protection of a similar nature anywhere in the world. The term “Intellectual Property” or “IP” may also be used herein to refer to the embodiments (e.g., computer software or data) that are protected by the foregoing IP rights
    • Retained Intellectual Property: Subject to the license grants of this Agreement, the following Intellectual Property (including any modification, enhancement or derivative work of that Intellectual Property) remains the property of the current owner Party, regardless of its use in the Services:
      1. Intellectual Property that existed prior to the Effective Date of the Agreement; and
      2. Intellectual Property that was developed independently by either Party without reference to any Confidential Information of the other Party outside the context of this Agreement.
    • Ownership going forward: The Affiliate acknowledges and agrees that the ISO and/or its respective licensors own all IP rights in the Services. Except as expressly stated herein, this Agreement does not grant the Affiliate any rights to, under or in any patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences with respect to the Services or the relevant API documentation. The Affiliate shall not obtain title, copyrights or any other IP right to the Software except as licensed herein. At all times, ISO or its licensors retain all rights to such Software, including but not limited to updates, enhancements and additions. The Affiliate shall not disclose such Software to any third party, convey, copy, license, sublicense, modify, translate, reverse engineer, decompile, disassemble, tamper with, or create any derivative work based on such Software except as permitted in this Agreement or applicable law. The Affiliate’s use of such Software shall be limited to that expressly authorised by the ISO. ISO’s licensors are intended third party beneficiaries of this Agreement to the extent of any terms herein pertaining to such licensors’ IP ownership rights and such licensors have the right to rely on and directly enforce such terms against Affiliate.

    CONFIDENTIALITY

    • General: Affiliate and ISO agrees that all non-public information of a Party (the “Disclosing Party”) received by the other Party, its affiliates, employees, consultants and other personnel (the “Receiving Party”) relating to the Disclosing Party’s Customers, and including, without limitation, the Disclosing Party’s: business plans, strategies, forecasts, analyses, processes, financial information, employee information, information technology, and other proprietary information, as well as all Customer Data and the terms of this Agreement (collectively, “Confidential Information”), regardless of the manner or medium in which it is furnished to or otherwise obtained by the Receiving Party, will be held in confidence by the Receiving Party. Notwithstanding the foregoing, a Disclosing Party’s Confidential Information shall not include information that: (a) is or becomes a part of the public domain through no act or omission of the Receiving Party; (b) was in the Receiving Party’s lawful possession prior to the disclosure and had not been obtained by the Receiving Party either directly or indirectly from the Disclosing Party; (c) is lawfully disclosed to the Receiving Party by a third party without any obligation of confidentiality to the Disclosing Party; or (d) is independently developed by the Receiving Party. No Party shall circumvent the other(s) in any manner whatsoever with regard to the Purpose herein, including the nature thereof and any other related potential project(s), or transaction(s), or the like. Likewise, neither Party shall divulge in any manner for any purpose the methods of the other..
    • Restrictions: Any and all Confidential Information in any form or media obtained by a Receiving Party shall be held in strict confidence and shall not be copied, reproduced, or disclosed to third parties for any purpose whatsoever, except as permitted in this Agreement. Each Receiving Party will use all reasonable efforts to avoid disclosure, publication or dissemination of any Confidential Information of the Disclosing Party. Further, each Receiving Party: (a) may use the Confidential Information of the other Disclosing Party only as necessary to provide, perform or utilise the Services and to perform its other obligations under this Agreement, (b) may not disclose the Confidential Information except to its personnel who have a need to know such Confidential Information in connection with this Agreement, and (c) must restrict disclosure of Confidential Information to its personnel who are bound by confidentiality obligations on terms substantially similar to this Section. Each Receiving Party is liable to the Disclosing Party for any unauthorised disclosure or use of Confidential Information of the Disclosing Party by the Receiving Party’s affiliates, employees, consultants and other personnel. The Receiving Party must not use the Confidential Information of the Disclosing Party for any reason other than the mutually agreed upon Purpose and in that regard never in any manner that could be or is detrimental to the Disclosing Party. The Receiving Party must not disclose the Confidential Information of the Disclosing Party to any third party(ies), except those parties with a legitimate need for this information to assist in the finding of resources and closing of transaction(s), such as, but not necessarily limited to, financial contacts, attorneys, wealth managers, company owners, escrow processors and appraisers having existing confidentiality agreements with the Receiving Party, and its and their legal, financial and accounting advisors, or unless it has been specifically authorized to do so by the Disclosing Party as set forth in a duly executed document. The Receiving Party shall immediately notify the Disclosing Party upon the discovery of any unauthorized use and/or disclosure and/or any other breach of this Agreement and shall be required to cooperate or otherwise assist in every reasonable manner to minimize any further harm and/or help regain possession of any Confidential Information.
    • Security: The Receiving Party shall maintain and enforce reasonable physical and information security procedures to protect the Disclosing Party’s Confidential Information. To the extent the Disclosing Party's Confidential Information is stored or processed on any computer or network assets under Receiving Party's control, the Receiving Party shall use the highest degree of care to safeguard the Disclosing Party's Confidential information from intrusion, tampering, theft, loss, and breaches of confidentiality.
    • Disclosure required: The obligations of confidentiality of this Agreement do not apply to any disclosure by a Receiving Party:
      1. for the purpose of performing its obligations under the Agreement or exercising a its rights under the Agreement;
      2. (1) in response to a valid order by a court or other governmental body; (2) as otherwise required by law (including under the rules of any stock exchange); or (3) necessary to establish the rights of either party under this Agreement; provided, however, that the Receiving Party provides prompt prior written notice thereof to the Disclosing Party to enable the Disclosing Party to seek a protective order or otherwise prevent the disclosure; and further that the Receiving Party shall disclose only the minimum amount of the Confidential Information that it is legally required to furnish and, where appropriate, will exercise its best efforts to obtain written assurances that confidential treatment will be accorded to such Confidential Information; or
      3. if required as part of a bona fide sale of the Receiving Party’s business (assets or shares, whether in whole or in part) to a third party, provided that the Receiving Party enters into a confidentiality agreement with the third party on terms no less restrictive than this Section 5.
    • Non-Solicitation: Agent agrees that, during the Term hereof, so long as Agent is receiving fees hereunder and for a period of two (2) years thereafter neither it nor any of its affiliates will directly or indirectly itself or permit or assist any third party to as an employee, employer, consultant, agent, principal, partner, stockholder, corporate officer, director, or in any other individual or representative capacity to call on, solicit, take away, or attempt to call on, solicit, or take away any of the merchants, customers, merchants or Referral Agents of ISO whether referred by the Agent or not. During such time, Agent shall also not (a) entice, induce or in any manner influence any person or entity who is, or shall be in the direct or indirect service of ISO to leave the same for the purpose of engaging in a business or being employed by or associated with any other business; or (b) engage or participate in any business that is in competition in any manner whatsoever with the business and/or contractual relationships of ISO.

    ISO’S FEES

    • ISO may charge a fee to each Customer in the amount of 6.5% of the value of each Purchase made by Debit or Credit cards by such Customer using the Services, with a minimum of EUR 4.99 + (2%) (the “ISO Fees”).
    • ISO may charge a fee to each Customer in the amount of 2.0% of the value of each Purchase made by SEPA (EURO) or FPS (GBP) by such Customer using the Services, with a minimum of EUR 4.99 + (1%).
    • The ISO reserves the right as per its general terms and conditions to review and potentially change the ISO Fees of Section 6.1 and 6.2 no more often than every three (3) months.
    • Any change in ISO Fees will be communicated to the Affiliate at least seven (7) days, in accordance with the provisions of clause 6.3.

    AFFILIATE FEES

    • In addition to the ISO Fees of section 6, the ISO shall charge a further fee to each Customer in the amount of 1% of the value of each Purchase made by such Customer using the Services.
    • In return for Affiliate’s services provided under the Agreement, such as placing the Links on the Website, the ISO is obliged to pay the Affiliate remuneration as outlined in section 7.1 of the value of each Purchase made by the Customer using the Services (the “Affiliate Fees”).
    • ISO shall make payment of the Affiliate Fees via Affiliate’s account with ISO. ISO will pay such Affiliate Fees in the cryptocurrency of the Purchase for which the Fees were earned (e.g., BTC, EOS) used by the Customer, at the election of the ISO, within thirty (30) days from the end of the month in which any Purchase has occurred, provided that the accumulated Affiliate Fees equal at least EUR 1,000. If this minimum amount is not reached in a particular month, ISO will be entitled to withhold payment and carry the amount due to the Affiliate to the next payment(s) until the minimum amount is reached.

    WARRANTIES

    • ISO represents and warrants that i) the Software will perform substantially in accordance with its documentation and technical specifications; ii) ISO will test the Software using industry standard virus detection tools to verify the absence of any malicious or harmful code prior to use by to Affiliate; iii) the Services shall be performed in a good and workmanlike manner; and iv) it has all the rights in relation to the Software, Services and the API documentation that are necessary to grant all the rights the ISO purports to grant under, and in accordance with the terms of this Agreement to the Affiliate.
    • Each Party shall perform its obligations under this Agreement in material compliance with all laws, rules, regulations, orders, and other legally binding pronouncements of any governmental authority, foreign or domestic, applicable to and governing such party’s performance of its obligations under this Agreement.
    • EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN, NEITHER PARTY MAKES ANY WARRANTIES IN RESPECT OF SUCH PARTY’S SYSTEMS, SOFTWARE OR SERVICES, AND EACH PARTY DISCLAIMS ALL OTHER WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, WITH RESPECT THERETO, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT.

    LIMITATION OF LIABILITY

    • EXCEPT WITH RESPECT TO OBLIGATIONS FOR INDEMNIFICATION, BREACH OF CONFIDENTIALITY, AND CLAIMS INVOLVING GROSS NEGLIGENCE, FRAUD, WILLFUL MISCONDUCT OR VIOLATION OF APPLICABLE LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, RELIANCE, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFIT OR GOODWILL, FOR ANY MATTER ARISING OUT OF OR RELATING TO THIS AGREEMENT OR ITS SUBJECT MATTER, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT OR OTHERWISE EVEN IF THE PARTY WITH ALLEGED LIABILITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    INDEMNIFICATION

    • ISO (here, the “Indemnifying Party”) agrees to indemnify, defend and hold Affiliate and its affiliates, officers, agents and employees (here, the “Indemnified Party”) harmless from and against any and all losses, costs, damages, injuries, awards, judgments or liabilities, including but not limited to legal fees, costs and expenses (“Losses”), incurred by the Indemnified Party as a result of any claim, suit, proceeding or cause of action asserted against the Indemnified Party by a third party (“Claim”) arising from any IP infringement, unlawful disclosure or use or misappropriation of a trade secret or other IP right owing to the Indemnified Party's use of the Software and/or the Services.
    • Each Party (here, the “Indemnifying Party”) agrees to indemnify, defend and hold the other Party and its affiliates, officers, agents and employees (here, the “Indemnified Party”) harmless from and against any and all Losses incurred by the Indemnified Party as a result of any Claim arising from the Indemnifying Party’s:
      1. Material breach of this Agreement;
      2. Violation of any applicable law, rule or regulation;
      3. Infringement of privacy or other rights of any third party as directly related to the provision or use of the Services;
      4. Data breach or other unauthorized disclosure of privileged, confidential or personally identifiable information as directly related to the provision or use of the Services;
      5. Gross negligence or intentional misconduct.
    • The Indemnifying Party shall have the right to control and direct the investigation, defense and settlement of each such Claim. The Indemnified Party may participate in the defense of the Claims by counsel of its own choosing, at its cost and expense. The Indemnified Party shall give prompt notice of any Claim to the Indemnifying Party, and shall reasonably cooperate with the Indemnifying Party in connection with the foregoing at the Indemnifying Party’s expense.

    TERM AND TERMINATION

    • Duration: The term of this Agreement commences on the Effective Date of this Agreement and continues for an initial period of six (6) months, unless and until earlier terminated as provided under this Agreement (“Initial Term”).
    • Renewal: Upon expiration of the Initial Term, this Agreement shall renew automatically for additional terms of six (6) months (each a “Renewal Term”), unless terminated by either Party upon thirty (30) days’ notice prior to such renewal date. The Initial Term plus all Renewal Terms shall collectively be referred to as the “Term” of this Agreement.
    • Termination for Convenience: After the Initial Term, this Agreement my terminated by either Party for any or no reason by giving thirty (30) days written notice to the other Party.
    • Either Party may, by notice to the other Party, immediately terminate the Agreement if the other Party:
      1. breaches any material provision of the Agreement and the breach is not:
        1. remedied within fourteen (14) business days of the receipt of the notice from the first Party requiring it to remedy the breach; or
        2. capable of being remedied;
      2. is unable to perform a material obligation under the Agreement for thirty (30) days or more due to a Force Majeure event.
    • Consequences of expiry or termination:
      1. Expiry or termination of the Agreement does not affect each Party’s rights and obligations accrued before the expiry or termination date
    • Obligations continuing: The following provisions of this Agreement and all other provisions necessary to their interpretation or enforcement, will survive indefinitely after the expiration or termination of this Agreement and will remain in full force and effect and be binding upon the parties as applicable: Sections 4, 5, 8, 9, 10, 11.5, 11.6 and 12 through 14.

    DATA PROTECTION

    • General: The ISO shall, in providing the Services, comply with all applicable data protection legislation, including the General Data Protection Regulation (“GDPR") and with the Affiliate’s data protection and privacy policies (“Privacy Policy”)
    • Customer Data: The Parties agree that ISO will process Customer Data that is ‘personal data’ (as defined by GDPR) on the Affiliate’s behalf during the course of fulfilling its obligations under this Agreement. Accordingly, the Parties agree that Affiliate shall be a GDPR data ‘controller’ and ISO shall be a GDPR data ‘processor’, and further agree that the both Parties are bound by the GDPR-compliant Data Protection Addendum (“DPA”) of Exhibit A, attached hereto. As further specified in the DPA, in any such case:
      1. Affiliate acknowledges and agrees that the personal data may be exported to or stored outside the countries where ISO, Affiliate and the Customers are located in order to carry out the Services or to fulfil any other obligations under this Agreement in accordance with the DPA Standard Contractual Clauses ("SCCs") of Exhibit A;
      2. Affiliate warrants that it is entitled to disclose and transfer the relevant personal data to the ISO so that the ISO may lawfully use, process, transfer and export the personal data in accordance with the DPA and this Agreement on Affiliate’s behalf;
      3. Affiliate shall ensure that Customers have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;
      4. the ISO shall, unless otherwise agreed in writing, process the personal data only in accordance with ISO’s Privacy Policy, the terms of the DPA and this Agreement and any lawful instructions reasonably given by Affiliate from time to time;
      5. each Party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage as further provisioned in the DPA; and
      6. subject to Affiliate’s Privacy Policy, the ISO may process and monitor any Customer Data (including in aggregated and anonymised form) for any one or more of the following purposes: to identify Affiliate and any of Affiliate’s Customer accounts with Affiliate only as needed to provide the Services; administration; research, statistical analysis, benchmarking and behavioural analysis; Customer profiling and analysis; fraud prevention and detection; prevention and/or detection of crime; improvement of ISO’s goods and services; and participation in interactive features.

    GENERAL PROVISIONS

    • Force Majeure: Neither party will be liable for delay or failure to perform any of its obligations where such delay or failure is due to the acts or omissions of the other party, unavailability of parts or software, war, civil insurrection, natural disaster (such as flood, earthquake, hurricane or lightning strike) or other act of God or any other event or condition beyond the reasonable control of such Party (each, a “Force Majeure event”), provided that the affected Party: Party incurs in successfully enforcing or defending this Agreement, including reasonable attorneys' and other professionals’ fees.
      1. immediately notifies the other Party and provides full information about the Force Majeure event;
      2. uses best endeavours to overcome the Force Majeure event; and
      3. continues to perform its obligations as far as practicable.
    • Waiver: The failure of either Party to insist upon the performance of any provision herein or to exercise any right or privilege granted to it hereunder will not be construed as a waiver of such provision or any provisions herein, and the same will continue in full force. The various rights and remedies given to or reserved by either Party herein or allowed by law, are cumulative, and no delay or omission to exercise any of its rights will be construed as a waiver of any default or acquiescence, nor will any waiver of any breach or any provision be considered to condone any continuing or subsequent breach of the same provision.
    • No partnership or agency: The Parties agree that each is an independent contractor and the Agreement does not create any employment relationship between the Parties for taxation or any other purpose. Each Party shall be responsible for the payment of compensation (including provision for employment taxes, workmen's compensation and any similar taxes) associated with the employment of its personnel. Neither Party shall have the right to bind the other to any agreement with a third party, or to incur any obligation or liability on behalf of the other Party.
    • Notices: All notices and requests in connection with the Agreement shall be given or made upon the respective Parties in writing and shall be deemed to be given as of the day such notice or request is received by the other Party. All such notices and requests should be directed to the addresses identified in the Agreement, or any other address identified via written notice to the other Party. A notice given by a Party under the Agreement may be delivered via email to the email address provided below by the other Party for this purpose:
      1. Provider Email: Fabien@easyswipe.us
      2. Subscriber Email: ________________________
    • Severability: Any illegality, unenforceability or invalidity of a provision of the Agreement does not affect the legality, enforceability or validity of the remaining provisions of the Agreement. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the Parties.
    • Variation: Any variation to the Agreement must be in writing and signed by both Parties. Should the change in the Agreement be in order to comply with law or regulations, the Affiliate is not entitled to object, and shall not have the rights set out in this clause.
    • Entire Agreement: This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter. Each Party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of, any undertaking, promise, statement, representation, assurance, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not), whether made innocently or negligently, that is not set out in this Agreement. Each Party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement.
    • Assignment: Neither Party may assign or transfer any right or obligation under the Agreement to third parties without the prior written approval of the other (not to be unreasonably withheld). Notwithstanding the foregoing, either Party may assign or otherwise transfer this Agreement to an affiliate or to a third party that is not a direct competitor of the non-assigning Party, without requiring consent from the non-assigning Party in the event of a sale, merger or other divestiture of substantially all of that assigning Party’s assets to such third party, and the existence and terms of this Agreement may be disclosed in confidence to such third party for the sole purpose of effecting such assignment or transfer, provided that the assigning Party must give notice of any such assignment or transfer to the other Party at least sixty (60) days prior to the time at which such assignment or transfer shall take effect. Subject to the foregoing, this Agreement will bind and inure to the benefit of each of the Parties and their respective successors and permitted assigns, and shall not otherwise give rise to any rights to entities other than the immediate Parties hereto, including but not limited to third party beneficiary rights.
    • Third party rights: Unless it expressly states otherwise, this Agreement does not confer any rights on any person or third party (other than the Parties to this Agreement and, where applicable, their successors and permitted assigns). The rights of the Parties to rescind or vary this Agreement are not subject to the consent of any other person.

Jurisdiction: This Agreement shall be governed by the laws of the United States of America without giving effect to its choice or conflict of law provisions. All disputes and/or legal proceedings related to the Agreement shall be brought and maintained exclusively courts located in State of Delaware, in the United States of America , and the Parties agree to personal jurisdiction and convenient forum therein. If any action in law or in equity is necessary to enforce the terms of this Agreement, the prevailing Party will be entitled to reasonable fees of attorneys and related costs and expenses in addition to any other relief to which such prevailing Party may be entitled.

  • Headings and Recitals: The paragraph headings in the Agreement are to be given no legal effect. The preamble recitals are included as an integral part of this Agreement and are to be given full legal effect.
  • Counterparts: The Agreement may be signed in counterparts, each of which constitutes an original and all of which constitute the same agreement. A Party may enter the Agreement by signing and sending (including by email) a counterpart copy to the other Party.

GDPR Compliance – Data Processing Addendum

Exhibit A

This Data Processing Amendment ("DPA" or “Addendum”) between SMPL(“SubProcessor” or “ISO”) acting on its own behalf and as agent for its affiliates, and ______________________. (“Controller” or “Affiliate”) acting on its own behalf and as agent for its Affiliates, hereby amends and is incorporated into that certain Affiliate Agreement between Processor and Controller (“Agreement”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. The scope of definitions for terms that are defined in this Addendum shall be limited to this Addendum. Unless expressly modified below, the terms of the Agreement shall remain in full force and effect. The “Addendum Effective Date” shall be the same as the Effective Date of the Agreement.

  • Definitions

 

      1. The definitions of this Section 1.1 shall apply to this Addendum, and cognate terms shall be construed accordingly.
        1. “Applicable Laws” means (a) European Union (“EU”) or Member State laws (including without limitation EU Data Protection Laws) that apply to any Controller Personal Data, and to which Controller is subject; and (b) any other Data Protection Laws that apply to any Controller Personal Data, and to which any Controller is subject.
        2. “Contracted Processor” means Processor, a Processor affiliate, a Subprocessor or an affiliate of a Subprocessor. 
        3. “Controller affiliate” means any affiliate of Controller other than Processor.
        4. “Controller Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Controller pursuant to the Agreement.
        5. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
        6. “EEA” means the European Economic Area.
        7. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
        8. “GDPR” means EU General Data Protection Regulation 2016/679.
        9. “Processor affiliate” means any affiliate of Processor other than Controller.
        10. “Restricted Transfer” means:
          1. a transfer of Controller Personal Data from Controller to a Contracted Processor; or
          2. any onward transfer of Controller Personal Data from a Contracted Processor to a Subprocessor, or between two facilities of a Contracted Processor; where in each case such transfer would be prohibited by Data Protection Laws in the absence the parties agreeing to the Standard Contractual Clauses.
        11. “Services” means the services and other activities to be provided by or on behalf of Processor for Controller pursuant to the Agreement.
        12. “Standard Contractual Clauses” means the contractual clauses set out in Annex 1 as may be amended under Section 13.4.
        13. “Subprocessor” means any person (including any third party and any Processor affiliate, but excluding employees of Processor or its sub-contractors) appointed by or on behalf of Processor to Process Personal Data on behalf of Controller in connection with the Agreement.
      2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meanings assigned in the EU Data Protection Laws, and their cognate terms shall be construed accordingly.
      3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

 

  • Authority

 

Processor warrants and represents that, before any Contracted Processor may Process any Controller Personal Data on behalf of Controller, such Contracted Processor will have authorized Processor’s entry into this Addendum as agent for such Contracted Processor or signed another processing agreement acceptable to Controller. 

 

  • Processing of Controller Personal Data

 

    1. Each Contracted Processor shall:
      1. comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
      2. only Process Controller Personal Data as directed by Controller, unless such Processing is required by Applicable Laws in which case Contracted Processor shall inform Controller of that legal requirement (to the extent permitted by the Applicable Laws) before Processing that Personal Data. 
    2. Controller hereby:
      1. instructs Processor (and authorizes Processor to instruct Contracted Processors) to: 
        1. Process Controller Personal Data; and
        2. transfer Controller Personal Data to any country or territory,

as is reasonably necessary for the provision of the Services and consistent with the Agreement; and

  1. Pursuant to GDPR Article 28(3), Controller agrees that descriptions of: i) the subject matter, nature and purpose of Processing, ii) the types of Controller Personal Data to be Processed, and iii) the categories of Data Subjects within the Controller Personal Data to be Processed under the Agreement, are as specified in the Standard Contractual Clauses ("SCCs") attached hereto as Annex A. Controller will notify Processor with respect to any revisions to such descriptions that may be required regarding the Controller Personal Data. The duration of the Processing shall be the Term of the Agreement.

 

  • Personnel

 

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Controller Personal Data; and ensure in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties.

 

  • Security 

 

      1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risks (of varying likelihood and severity) to the rights and freedoms of natural persons, each Contracted Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks, including, as appropriate, the security measures referred to in GDPR Article 32(1) (e.g., pseudonymization and encryption).
      2. In assessing the appropriate level of security, each Contracted Processor shall take into account the risks that are presented by Processing the Controller Personal Data including Personal Data Breaches.

 

  • Subprocessing

 

      1. Controller authorizes Processor to appoint (and permit authorized Contracted Processors to appoint) Subprocessors in accordance with this Section 6 and any restrictions in the Agreement.
      2. Contracted Processors may continue to use those Subprocessors already engaged as of the Addendum Effective Date, subject to the Contracted Processors promptly meeting the obligations set out in Section 6.4. 
      3. Processor shall give Controller prior written notice any new Subprocessor appointments, including full details of the Processing to be undertaken by the Subprocessor. If, within fifteen (15) days of receipt of such notice, Controller notifies Processor in writing of any reasonable objections to the proposed appointment, then the applicable Contracted Processor may not appoint (or disclose any Controller Personal Data to) such proposed Subprocessor until reasonable steps have been disclosed to Controller and taken to address the objections raised by Controller. If Controller reasonably objects to such steps as insufficient, the parties shall work together in good faith to effect a commercially reasonable change in the provision of the Services that avoids the use of that proposed Subprocessor.
      4. With respect to each Subprocessor, each Contracted Processor shall:
        1. carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data required by this Amendment before the Subprocessor may Processes Controller Personal Data;
        2. ensure that the Subcontractor is bound by a written agreement that offers at least the same levels of protection for Controller Personal Data as those set out in this Addendum, and meets the requirements of Article 28(3) of the GDPR (“Subprocessor Agreement”); 
        3. ensure that the Standard Contractual Clauses are incorporated into the Subprocessor Agreement if Restricted Transfers are contemplated; or ensure that Subprocessor enters into an agreement with Controller incorporating the Standard Contractual Clauses before the Subprocessor may Process Controller Personal Data; and
        4. provide copies of the Subprocessor Agreement to Controller for review (which copies may be redacted to remove confidential information not relevant to the requirements of this Addendum) as Controller may request from time to time.
      5. Contracted Processors shall ensure that each Subprocessor performs the obligations under Sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum.

 

  • Data Subject Rights 

 

      1. Taking into account the nature of the Processing, each Contracted Processor shall assist Controller by implementing appropriate commercially reasonable technical and organizational measures for the purpose of fulfilling Controller’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
      2. Processor shall:
        1. promptly notify Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law with respect to Controller Personal Data; and
        2. ensure that the Contracted Processor does not respond to that request except: i) on the documented instructions of Controller or the relevant Controller affiliate; or ii) as required by Applicable Laws to which the Contracted Processor is subject, in which case Processor shall (to the extent permitted by Applicable Laws) inform Controller of that legal requirement before the Contracted Processor responds to the request.

 

  • Personal Data Breach

 

    1. Processor shall notify Controller without undue delay upon Contracted Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing Controller with sufficient information to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. 
    2. Processor shall co-operate with Controller and take such commercially reasonable steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

 

 

  • Data Protection Impact Assessment and Prior Consultation

 

Each Contracted Processor shall provide reasonable assistance to Controller with any data protection impact assessments and/or relevant consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required by GDPR Articles 35 or 36, or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

 

  • Deletion or return of Controller Personal Data 

 

      1. Subject to Sections 10.2 and 10.3, each Contracted Processor shall within thirty (30) days after the date of cessation of Services involving the Processing of Controller Personal Data (the “Cessation Date”), delete and ensure the deletion of all copies of those Controller Personal Data.
      2. Subject to Section 10.3, Controller may in its absolute discretion by written notice to Processor within fifteen (15) days of the Cessation Date require each Contracted Processor to (a) return a complete copy of all Controller Personal Data in such Contracted Processor’s possession to Controller by secure file transfer in such format as is reasonably requested by Controller; and (b) delete and ensure the deletion of all other copies of Controller Personal Data in such Contracted Processor’s possession. Each Contracted Processor shall comply with any such written request within thirty (30) of the Cessation Date.
      3. Each Contracted Processor may retain Controller Personal Data to the extent and for such period as is required by Applicable Laws, provided that each Contracted Processor shall ensure the confidentiality of all such Controller Personal Data, and shall ensure that such Controller Personal Data are only retained only for the purpose(s) specified in the Applicable Laws requiring its storage. 
      4. Processor shall provide written certification to Controller that it and each Contracted Processor have fully complied with this Section 10 within forty-five (45) days of the Cessation Date.

 

  • Audit rights

 

    1. Subject to Sections 11.2 to 11.4, each Contracted Processor shall make available to Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and cooperate with audits, including inspections, by Controller or an auditor mandated by Controller in relation to the Processing of the Controller Personal Data by the Contracted Processors.
    2. Information and audit rights of Controller only arise under Section 11.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (e.g., GDPR Article 28(3)(h)).
    3. Controller shall give any Contracted Processor reasonable notice of any audit or inspection to be conducted under Section 11.1, and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing and/or minimize any damage, injury or disruption to the Contracted Processor’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of an audit or inspection:
      1. to any individual unless he or she produces reasonable evidence of identity and authority;
      2. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller has given notice to the Contracted Processor that this is the case before attendance outside those hours begins; or
      3. more than once per year except for any additional audits or inspections that:
        1. Controller reasonably considers necessary because of genuine concerns as to Contracted Processor’s compliance with this Addendum; or 
        2. Controller is required to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Controller has identified its concerns or requirement in its notice to the Contracted Processor of the audit or inspection.

 

 

  • Restricted Transfers

 

      1. Subject to Section 12.3, Controller (as “Data Exporter”) and each Contracted Processor, as applicable, (as “Data Importer”) hereby enter into the Standard Contractual Clauses of Annex 1 in respect of any Restricted Transfer from Controller to that Contracted Processor.
      2. The Standard Contractual Clauses shall come into effect under Section 12.1 on the later of: 
        1. the Data Exporter becoming a party to them; 
        2. the Data Importer becoming a party to them; and 
        3. the commencement of the relevant Restricted Transfer.
      3. Section 12.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
      4. Processor warrants and represents that before it commences any Restricted Transfer to a Subprocessor (that is not a Processor affiliate), it will ensure that the Subprocessor will enter into the Standard Contractual Clauses (or variations of those Standard Contractual Clauses made under Section 13.4.1).

 

  • General Terms

 

    1. Governing Law and Jurisdiction. Without prejudice to Clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
      1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
      2. this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement. 
    2. Nothing in this Addendum reduces Processor’s obligations under the Agreement in relation to the protection of Personal Data or permits any Contracted Processor to Process (or permit the Processing of) Personal Data in a manner that is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
    3. Subject to Section 13.2, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing by the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
    4. Controller may:
      1. upon at least thirty (30) days’ written notice to Processor make variations to the Standard Contractual Clauses entered into under Section 12.1, that are required, as a result of any change in, or decision of a competent authority under the Data Protection Laws; and
      2. propose any other variations to this Addendum that Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.
    5. If Controller gives notice under Section 13.4.1:
      1. Each Contracted Processor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under Section 6.4.3; and
      2. Controller shall not unreasonably withhold or delay agreement to any variations to this Addendum proposed by Processor to protect the Contracted Processors against additional risks associated with the variations made under Section 13.4.1 and/or 13.5.1.
    6. If Controller gives notice under Section 13.4.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller’s notice as soon as is reasonably practicable.
    7. Neither Controller nor Processor shall require the consent or approval of any affiliate to amend this Addendum. 
    8. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to make it valid and enforceable, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.




 ANNEX 1

Standard Contractual Clauses

These Standard Contractual Clauses (the “Clauses”) of this Annex 1 between SMPL (“Processor” or “Data Importer”) acting on its own behalf and as agent for its affiliates, and ______________________. (“Controller” or “Data Exporter”) acting on its own behalf and as agent for its affiliates, hereby amend and are incorporated into that certain Affiliate Agreement between Processor and Controller (“Agreement”) and its Data Protection Addendum (“Addendum”) to which this Annex 1 is attached. The Clauses shall apply to Restricted Transfers of Personal Data to the facilities of Processor as are established in countries that do not ensure the level of Personal Data protection as are required under the applicable Data Protection Laws (e.g., GDPR). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or the Addendum. The scope of definitions for terms that are defined in these Clauses shall be limited to this Annex 1. Unless expressly modified below, the terms of the Agreement shall remain in full force and effect.

The parties hereby agree to the following Clauses in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer of Personal Data by the Data Exporter to the Data Importer. The parties agree to amend these Clauses as necessary to reflect (if reasonably possible) any change made to the applicable Data Protection Laws governing Restricted Transfers made: (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the Data Protection Laws of the EU or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under other Data Protection Law.

Clause 1 

  1. Definitions 
    1. The terms ‘Personal Data’, ‘Special Categories Of Data’, ‘Process/Processing’, ‘Controller’, ‘Processor’, ‘Data Subject’ and ‘Supervisory Authority’ shall have the same meaning as in the EU Data Protection Laws for the protection of individuals with regard to the Processing of Personal Data and on the free movement of such Personal Data. If the data transfers contemplated under the Agreement encompass data relating to identified or identifiable corporate (as well as natural) persons, the definition of “Personal Data” is then expanded to include those data.
    2. ‘Data Exporter’ means the Controller who transfers the Personal Data;
    3. ‘Data Importer’ means the Processor who agrees to receive from the Data Exporter Personal Data intended for Processing on Data Exporter’s behalf after the Restricted Transfer in accordance with Data Exporter’s instructions.
    4. ‘Technical and Organizational Security Measures’ means those measures aimed at protecting Personal Data: i) against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and ii) against all other unlawful forms of Processing.

Clause 2 

  1. Details of the Transfer

The details of the transfer are specified in Appendix 1 of this Addendum, which forms an integral part of these Clauses.

Clause 3

  1. Third-Party Beneficiary Clause
    1. The Data Subject can enforce the following Clauses against the Data Exporter: this Clause 3.1, Clauses 4.2 to 4.9, Clauses 5.1 to 5.4, and 5.7 to 5.10, Clauses 6.1 and 6.2, Clause 7, Clause 8.2, and Clauses 9 to 12 as a third-party beneficiary. 
    2. The Data Subject can enforce against the Data Importer this Clause, Clause 5.1 to 5.5 and 5.7, Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce the above Clauses against such entity. 
    3. The Data Subject can enforce against the Subprocessor this Clause, Clause 5.1 to 5.5 and 5.7, Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce the above Clauses against such entity. Such third-party liability of the Subprocessor shall be limited to its own Processing operations under the Clauses. 
    4. The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law. 

Clause 4

  1. Obligations of the Data Exporter

The Data Exporter agrees and warrants: 

  1. that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable Data Protection Laws (and, where applicable, has been notified to the relevant authorities of the jurisdiction in which the Data Exporter is established) and does not violate the relevant provisions of such jurisdiction;
  2. that it has instructed and throughout the duration of providing the Personal Data Processing services will instruct the Data Importer to Process the Personal Data transferred only on the Data Exporter’s behalf and in accordance with the applicable Data Protection Laws and the Clauses;
  3. that the Data Importer will provide sufficient guarantees in respect of the Technical and Organizational Security Measures specified in Appendix 1 of this Addendum;
  4. that after assessment of the requirements of the applicable Data Protection Law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of implementation of the measures;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves Special Categories Of Data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of applicable Data Protection Laws.
  7. to forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5.2 and Clause 8.3 to the data protection Supervisory Authority if the Data Exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the Data Subjects upon request a copy of the Clauses and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; and
  9. that, in the event of subprocessing, the Processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of Data Subject as the Data Importer under the Clauses.

Clause 5

  1. Obligations of the Data Importer

The Data Importer agrees and warrants:

  1. to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the Agreement;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the Agreement, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the Agreement;
  3. that it has implemented the Technical and Organizational Security Measures specified in Appendix 1 before Processing the Personal Data transferred;
  4. that it will promptly notify the Data Exporter about:
    1. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    2. any accidental or unauthorized access, and
    3. any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so;
  5. to deal promptly and properly with all inquiries from the Data Exporter relating to its Processing of the Personal Data subject to the transfer, and to abide by the advice of the Supervisory Authority with regard to the Processing of the data transferred;
  6. at the request of the Data Exporter to submit its data Processing facilities for audit of the Processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Supervisory Authority;
  7. to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of the Technical and Organizational Security Measures of Appendix 1 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter; that, in the event of subprocessing, it has previously informed the Data Exporter and obtained its prior written consent;
  8. that the Processing services by the Subprocessor will be carried out in accordance with Clause 11;
  9. to send promptly a copy of any Subprocessor agreement executed under the Clauses to the Data Exporter.

Clause 6

  1. Liability
    1. The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.
    2. If a Data Subject is not able to bring a claim for compensation in accordance with Clause 6.1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract of by operation of law, in which case the Data Subject can enforce its rights against such entity.
    3. The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
    4. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in Clauses 6.1 and 6.2, arising out of a breach by the Subprocessor because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own Processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.

Clause 7

  1. Mediation and jurisdiction
    1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject:
      1. to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority;
      2. to refer the dispute to the courts in the applicable jurisdiction in which the Data Exporter is established.
    2. The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

  1. Cooperation with supervisory authorities
    1. The Data Exporter agrees to deposit a copy of the Agreement with the Supervisory Authority if it so requests or if such deposit is required under the applicable Data Protection Law.
    2. The parties agree that the Supervisory Authority has the right to conduct an audit of the Data Importer, and of any Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable Data Protection Law.
    3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to Clause 8.2. In such a case the Data Exporter shall be entitled to take the suspension measures provisioned in Clause 5.2.

Clause 9

  1. Governing Law

The Clauses (but not the Agreement) shall be governed by the law of the jurisdiction in which the Data Exporter is established.

Clause 10

  1. Variation of the Agreement

Except as permitted herein, the parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required as long as they do not contradict the Clauses.

Clause 11

  1. Subprocessing
    1. The Data Importer shall not subcontract any of its Processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement. 
    2. The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in Clause 6.1 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.
    3. The provisions relating to data protection aspects for subprocessing of the contract referred to in Clause 11.1 shall be governed by the law of the jurisdiction in which the Data Exporter is established.
    4. The Data Exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5.10, which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection Supervisory Authority. 

Clause 12

  1. Obligation after the termination of Personal Data Processing services
    1. The parties agree that on the termination of the provision of data Processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter, or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not further actively Process the Personal Data transferred.
    2. The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the Supervisory Authority, it will submit its data Processing facilities for an audit of the measures referred to in Clause 12.1.

APPENDIX 1

 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses as agreed by the parties. 

The applicable jurisdiction may specify any additional necessary information to be contained in this Appendix 1.

  1. Data exporter

The Data Exporter is: ______________________.

  1. Data importer

The Data Importer is: Smpl.

  1. Categories of Data Subjects

The Personal Data transferred concern the following categories of data subjects: 

  • website users, general public users.
  1. Categories of Personal Data

The Personal Data transferred may include the following categories of data:

  • Contact and Account Information: First Name, Last Name, Email Address, Date of Birth, Physical Address, Phone Number, Passport/Driving License/National Identify Card; and
  • Financial Information: Visa/Mastercard credit card information including card brand/pin/expiration.
  1. Special Categories of Data (if appropriate)

Special Categories of Data include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. 

  • Special Categories of Data are not applicable to this Agreement.
  1. Processing operations

The Personal Data transferred will be subject to the following basic Processing activities: 

  • Performing financial transactions enabling Data Exporter end user customers to purchase crypto currency assets with fiat currency via credit card debits directly from within Data Exporter’s website.
  1. Description of the Technical and Organizational Security Measures

‘Technical and Organizational Security Measures’ means those measures (e.g., encryption, anonymization) aimed at protecting Personal Data: i) against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and ii) against all other unlawful forms of Processing. The Data Importer provides the following description of its Technical and Organizational Security Measures in accordance with Clauses 4 and 5:

  • Physical Access Control. Data Importer prevents unauthorized persons from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use Personal Data are located;
  • System Access Control. Data Importer implements commercially reasonable system access control measures to prevent its data processing systems from being used without authorization; 
  • User Control. Data Importer requires users’ identities must be authenticated prior to entering and accessing Personal Data; all stored passwords are encrypted;
  • Data Access Control. Data Importer implements measures to ensure that persons that use data processing systems gain access to only the Personal Data that they are authorized to access, and that Personal Data are not read, copied, modified or removed without authorization in the course of processing, use and storage;
  • Data Transmission Control. Communication to the Controller or any intra-Processor systems is over a secured HTTPS connection using industry standard strong encryption; 
  • Job Control. Personal Data that are processed on commission (i.e., Personal Data processed on a user’s or Data Exporter’s behalf) are so processed solely in accordance with the Agreement and related instructions of Data Exporter; Processing software is scanned using security vulnerability software to identify any vulnerabilities prior to use with live Personal Data;
  • Data Loss Control. Data Importer implements commercially reasonable measures to protect Personal Data against accidental or unauthorized destruction or loss;
  • Data Integrity Control. Company ensures that Personal Data remain intact, complete and current during processing activities via the following measures:
  • Firewalls;
  • Security Monitoring Center;
  • Antivirus software;
  • Backup and recovery;
  • External and internal penetration testing;
  • Regular external audits to prove security measures.