You (“Customer”) are entering into a business relationship with

zkipster AG, with registered office at, Grossmünsterplatz 8, 8001 Zürich, Switzerland (company number CHE-345.444.895) (“Supplier”).

BACKGROUND

A. Customer has engaged (or proposes to engage) Supplier to provide the services (“Services”) described in an agreement (terms of service) between Customer and the Supplier (the “Services Agreement”).

B. In the course of providing the Services, Supplier will be processing Customer Personal Data (as defined below) on behalf of Customer. This Agreement sets out the terms on which Supplier will be processing that Customer Personal Data.

AGREED TERMS

1. DEFINITIONS

1.1.

In this Agreement:

a) “CCPA” means the California Consumer Privacy Act, as amended.

b) “Customer Personal Data” means any Personal Data for which Customer is a controller.

c) “Customer Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

d) “Data Protection Laws” means any applicable privacy or data protection laws or regulations, including as the case may be and without limitation the GDPR, the Swiss Federal Act on Data Protection, the UK Data Protection Act 2018 (“DPA 2018”), the CCPA and any other federal, state, or local privacy, data protection, information security, or related laws or regulations (together, including any similar, analogous or successor laws, regulations, or other standards).

e) “EEA” means the European Economic Area.

f) “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

g) “GDPR” means UK GDPR or EU GDPR, as applicable.

h) “Personal Data” means any information relating to identified or identifiable natural persons; that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, a particular individual, consumer, data subject, or household; or that is defined as “personal data,” “personal information,” “personally identifiable information” or similar term under applicable Data Protection Laws (as defined herein), and shall include any IP addresses, cookies or other identifiers for individual users.

i) “Security Measures” means technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Customer Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data.

j) “Standard Contractual Clauses” means any or all of the following:

1. i) the standard contractual clauses for the transfer of personal data to third countries set out in European Commission Decision 2021/914;
2. ii) in respect of transfers subject to the EU GDPR or Swiss Federal Act on Data Protection only, until 27 December 2022 the standard contractual clauses set out in the Data Protection Directive 95/46 in relation only to contracts that were concluded before 27 September 2021, provided that the processing operations that are the subject matter of the contract remain unchanged;
3. iii) the international data transfer agreement issued by the UK Information Commissioner under section 119A of the DPA 2018;
4. iv) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers issued by the UK Information Commissioner under section 119A of the DPA 2018; or
5. v) such standard contractual provisions issued by the UK Information Commissioner or European Commission as may replace any of the above from time to time.

k) “UK GDPR” means (i) the retained EU law version of the EU GDPR as in force in the UK, (ii) the DPA 2018, (iii) or similar legislation as implemented under English law in each case in force in England from time to time.

l) The terms “controller”, “processor”, “data subject” and “processing” have the meanings given to them in GDPR.

1.2.

In this Agreement, the following rules apply:

a) a “person” includes a natural person, corporate or unincorporated body (whether or not having separate legal personality);

b) a reference to a party includes its personal representatives, successors or permitted assigns;

c) a reference to a statute or statutory provision is a reference to such statute or statutory provision as amended or re-enacted. A reference to a statute or statutory provision includes any subordinate legislation made under that statute or statutory provision, as amended or re-enacted;

d) any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms; and

e) a reference to “writing” or “written” includes emails but not faxes.

2. AGREEMENT

2.1.

In consideration of Customer engaging Supplier to process Customer Personal Data and Customer agreeing to comply with Customer’s obligations under this Agreement, Supplier undertakes to comply with Supplier’s obligations set out in this Agreement.

2.2.

This Agreement shall form part of the Services Agreement and the terms of the Services Agreement will apply to this Agreement.

3. DATA PROCESSING PARTICULARS

3.1.

Each of the parties acknowledges and agrees that the table set out in Annex 1 is an accurate description of the processing of Customer Personal Data under this Agreement.

3.2.

Either party may from time to time propose in writing updates to the table set out in Annex 1 in order to ensure it remains an accurate description of the Data Protection Particulars, and neither party will unreasonably withhold its consent to any change reasonably necessary to ensure the table remains an accurate description of the Data Protection Particulars.

4. DATA PROCESSING

4.1.

Supplier acknowledges that it acts as a processor in respect of any Customer Personal Data processed by it in connection with this Agreement.

4.2.

Subject to clause 4, Supplier will:

a) process Customer Personal Data only to the extent, and in such a manner, as is necessary for the provision of the Services in accordance with the Services Agreement, together with any other purposes described in the Data Processing Particulars, in accordance with Customer’s written instructions as set out in this Agreement;

b) not process Customer Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Laws; and

c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure that a level of security appropriate to the risk including considering those measures referred to in Article 32 of the GDPR (‘Security of processing’); and

d) comply with all obligations imposed on processors by the Data Protection Laws from time to time.

4.3.

Supplier will promptly notify Customer if:

a) in Supplier’s opinion, any Customer instruction would not comply with the Data Protection Laws; or

b) if it is required under applicable law to process any Customer Personal Data other than as stated in clause 4.2, except where those laws prohibit Supplier notifying Customer on important grounds of public interest.

5. COMPLIANCE WITH DATA PROTECTION LAWS

5.1.

Customer warrants it has all rights to appoint the Supplier to process the Customer Personal Data in compliance with all Data Protection Laws and the processing of the Customer Personal Data by the Supplier will not put the Supplier in breach of the Data Protection Laws.

5.2.

Supplier will reasonably assist Customer with meeting Customer’s compliance obligations under the Data Protection Laws, taking into account the nature of Supplier’s processing and the information available to Supplier, including in relation to Data Subject and consumer rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Laws.

5.3.

In particular, Supplier will at the request of the Customer and in respect of the Customer Personal Data in so far as which the Supplier is acting as processor:

a) promptly comply with any reasonable Customer request or instruction requiring Supplier to amend, transfer, delete or otherwise process Customer Personal Data, or to stop, mitigate or remedy any unauthorized processing;

b) promptly (and in any event within 48 hours of receipt) notify Customer if Supplier receives any complaint, notice or communication that relates directly or indirectly to the processing of Customer Personal Data by the Supplier as processor;

c) promptly (and in any event within 48 hours of receipt) notify Customer if it receives a request from a data subject for access to their Customer Personal Data or to exercise any of their related rights under the Data Protection Laws in respect of the Customer Personal Data;

d) promptly provide reasonable assistance to the Customer with all notices, requests or other enquiries in respect of the Customer Personal Data relating to the Data Protection Laws which may be received whether by Customer or Supplier, including requests from data subjects and consumers;

e) promptly provide reasonable assistance to the Customer in fulfilling any obligation to respond to requests by data subjects or consumers, including Customer’s obligation to respond to requests for exercising the data subject’s or consumer’s rights laid down in Data Protection Laws;

f) not disclose any Customer Personal Data in response to any data subject or consumer access request without first obtaining the consent of Customer;

g) not disclose any Customer Personal Data to a third party except at the specific request of Customer or where obliged to do so under any requirements of law (in which case where permissible it will advise Customer in advance of such disclosure);

h) promptly provide reasonable assistance to the Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of GDPR;

i) promptly provide any information reasonably requested by Customer and in the Customer’s possession concerning Supplier’s systems and processes relating to the processing of Customer Personal Data under this Agreement and Supplier’s compliance with its obligations under this Agreement; and

j) allow its data processing facilities, procedures and documentation to be submitted for scrutiny by Customer or its auditors in order to ascertain compliance with the terms of this Agreement provided reasonable notice is given in advance.

k) The Customer shall reimburse the Supplier for any third party costs, expenses and any time reasonably incurred by the Supplier in connection with the fulfillment of the Supplier’s obligations under clause 5.3 (d), (e) and (h).

6. CONFIDENTIALITY

6.1.

Supplier will maintain the confidentiality of all Customer Personal Data and will not disclose Customer Personal Data to third parties unless Customer or this Agreement specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Supplier to process or disclose Customer Personal Data, Supplier will first inform Customer of the legal or regulatory requirement and give Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

6.2.

Supplier will ensure that only such of its employees who may be required by Supplier to assist it in meeting its obligations under this Agreement will have access to the Customer Personal Data and that all employees’ use of it will be subject to written contractual obligations which are no less onerous than those imposed on Supplier by this Agreement, including contractual or statutory obligations of confidentiality no less onerous than those set out in clause 6.1.

7. SUBPROCESSORS

7.1.

Supplier will not engage another processor (“Subprocessor”) to process Customer Personal Data without prior specific or general written authorization of Customer. Customer authorizes Supplier to engage the Subprocessors set out in Annex 3 (if any).

7.2.

Supplier will inform the controller of any intended changes concerning the addition or replacement of Subprocessors.

7.3.

If Customer objects to any change under clause 7.2 then Customer will have the right to terminate the Services Agreement by notice in writing to Supplier (given within 90 days of Customer’s receiving notice under clause 7.2), and Supplier will provide a pro rata refund of prepaid fees upon that termination taking effect.

7.4.

Without prejudice to Customer’s rights under clause 7.3, Supplier will (at Customer’s request) discuss in good faith with Customer how to resolve Customer’s objections to a change notified under clause 7.2.

7.5.

Supplier will ensure that any Subprocessor is bound by obligations no less onerous than those set out in this Agreement. In particular, any Subprocessor will enter into a written agreement that:

a) imposes obligations to implement appropriate technical and organizational measures to ensure that the processing will meet the requirements of Data Protection Laws;

b) requires Subprocessor to access, retain, process, and use Customer Personal Data solely as necessary to provide services to Customer or Supplier acting on either entity’s behalf; and

c) prohibits Subprocessor from selling Customer Personal Data.

7.6.

Supplier will be liable for the acts or omissions of any Subprocessor in relation to Customer Personal Data as if they were the acts or omissions of Supplier.

8. SECURITY

8.1.

Supplier will at all times implement appropriate Security Measures. Supplier will document those Security Measures in writing and periodically review them to ensure they remain current and complete, at least annually.

8.2.

Supplier will implement such Security Measures to ensure a level of security appropriate to the risk involved, including as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

9. CUSTOMER PERSONAL DATA BREACH

9.1.

Supplier will notify Customer without undue delay if any Customer Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Supplier will restore that Customer Personal Data at its own expense.

9.2.

Supplier will notify Customer without undue delay if it becomes aware of any Customer Personal Data Breach.

9.3.

Where Supplier becomes aware of a Customer Personal Data Breach, it will, without undue delay, also provide Customer with the following information:

a) a description of the nature of the Customer Personal Data Breach, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

b) the likely consequences; and

c) a description of the measures taken, or proposed to be taken to address the Customer Personal Data Breach, including measures to mitigate its possible adverse effects.

9.4.

Following any Customer Personal Data Breach, the parties will coordinate with each other to investigate the matter. Supplier will provide all reasonable cooperation with Customer in Customer’s handling of the matter, including:

a) assisting with any investigation;

b) providing Customer with physical access to any facilities and operations affected;

c) facilitating interviews with Supplier’s employees, former employees and others involved in the matter;

d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by Customer; and

e) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Customer Personal Data Breach.

9.5.

Supplier will not inform any third party of any Customer Personal Data Breach without first obtaining Customer’s prior written consent, except when required to do so under the Data Protection Laws.

9.6.

Supplier agrees that Customer has the sole right to determine:

a) whether to provide notice of a Customer Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Customer’s discretion, including the contents and delivery method of the notice; and

b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

9.7.

Supplier will cover all reasonable expenses associated with the performance of the obligations under clause 9.3 and clause 9.4, unless the matter arose from Customer’s specific instructions, negligence, willful default or breach of this Agreement, in which case Customer will cover all reasonable expenses.

9.8.

Supplier will also reimburse Customer for actual reasonable expenses that Customer incurs when responding to a Customer Personal Data Breach to the extent that Supplier caused that Customer Personal Data Breach, including all costs of notice and any remedy as set out in clause 9.6.

10. DATA TRANSFERS

10.1.

Supplier will not transfer any Customer Personal Data from one jurisdiction to another jurisdiction without obtaining Customer’s prior written consent. Customer hereby consents to the transfer of Customer Personal Data to the Subprocessors set out in Annex 2, subject to the Supplier’s compliance with this DPA and in particular this Clause 10.

10.2.

Where such consent is granted, Supplier will only process Customer Personal Data outside of the United Kingdom or EEA or Switzerland in compliance with appropriate safeguards (as set out in Article 46 of GDPR or UK GDPR and the Swiss Federal Act on Data Protection), including entering into and complying with any required Standard Contractual Clauses with any Subprocessor and (promptly upon Customer’s written request) with Customer.

10.3.

If at any time the United Kingdom is (for the purposes of EU GDPR and/or the Swiss Federal Act on Data Protection) a third country which the European Commission or the Swiss Federal Data Protection and Information Commissioner has not decided offers an adequate level of protection (as defined in EU GDPR and in the Swiss Federal Act on Data Protection), then the parties will cooperate to implement such measures as Customer may reasonably request (including the signing of standard contractual clauses) in order to ensure that any transfers of Customer Personal Data to or from the United Kingdom comply with the requirements of the Data Protection Laws.

10.4.

Supplier warrants that, where applicable, it has relied on an adequacy finding or has entered into an international data transfer agreement (as referred to in (i) of the definition of Standard Contractual Clauses) or international data transfer addendum (as referred to in (ii) of the definition of Standard Contractual Clauses) with each Subprocessor outside the UK, EEA or Switzerland.

11. TERMINATION OF THE SERVICES AGREEMENT

11.1.

This Agreement will terminate immediately upon termination of the Services Agreement.

11.2.

On termination of this Agreement, howsoever caused, Supplier will immediately cease processing the Customer Personal Data and, at Supplier’s option or direction, arrange for the prompt and safe return or destruction of all Customer Personal Data together with all copies in its possession or control and, where requested by Customer, certify that such destruction has taken place.