LimeSpot Data Processing Agreement

Updated June 22, 2021

This LimeSpot (“we”, “us”) Data Processing Agreement (“DPA”) reflects the Parties’ agreement with respect to the Processing of Personal Data by us on behalf of you, in connection with the LimeSpot Subscription Services under the LimeSpot Customer Terms of Service. Together this DPA and the LimeSpot Customer Terms of Service constitute the agreement between you and LimeSpot (collectively, the “Parties”). Together this DPA, LimeSpot Customer Terms of Service, Acceptable Use Policy and the LimeSpot Privacy Policy constitute the Agreement between you and LimeSpot. In the event of any conflict or inconsistency between the provisions of the LimeSpot Customer Terms of Service and this DPA, this DPA will take precedence with respect to the Processing of Personal Data.

1. Definitions

1.1 In this DPA, the following terms shall have the meanings set out below:

1.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Personal Data in respect of which Controller is subject to European Data Protection Laws; and (b) any other applicable law with respect to any Personal Data in respect of which Controller is subject to any other Data Protection Laws.

1.1.2 “Controller” means the person, authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.1.3 “Controller Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Controller, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.1.4 “Personal Data” means any customer information related to an identified or identifiable natural person processed by LimeSpot on behalf of Controller.

1.1.5 “Processor” means a body which performs the Processing of Personal Data on behalf of the Controller.

1.1.6 “LimeSpot” means LimeSpot or a Subprocessor.

1.1.7 “Data Protection Laws” means European Data Protection Laws, North American Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

1.1.8 “European Data Protection Laws” means data protection laws applicable in Europe, including: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (c) applicable national implementations of (a) and (b); or (c) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (d) Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.

1.1.9 “North American Data Protection Laws” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, ch. 5 (“PIPEDA”) and any provincial legislation deemed substantially similar to PIPEDA pursuant to the procedures set forth therein, and all amendments to the CCPA, PIPEDA and similar legislation, as they may be enacted, from time to time.

1.1.10 “Instructions” means the written, documented instructions issued by Controller to Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, and making available).

1.1.11 “Restricted Transfer” means:

1.1.11.1 A transfer of Personal Data from Controller to Processor; or

1.1.11.2 An onward transfer of Personal Data from a Processor to a Processor, or between two establishments of a Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of an adequate level of protection (within the meaning of applicable European Data Protection Laws).

1.1.12 “Services” means the services and other activities to be supplied to or carried out by or on behalf of LimeSpot for Controller.

1.1.13 “End User” means the employees, contractors, collaborators, customers, prospects, suppliers and subcontractors of the Controller.

1.1.14 “Subprocessor” means any person (including any third-party, but excluding LimeSpot’s employees and subcontractors) appointed by or on behalf of LimeSpot to process Personal Data on behalf of Controller.

1.1.15 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.1.16 Capitalized terms not otherwise defined herein shall have the meaning given to them in the LimeSpot Customer Terms of Service.

2. Details of the Processing

2.1 Categories of Data Subjects. The Personal Data Processed concern the following categories of Data Subjects:

2.1.1 Data Subjects about whom LimeSpot collects Personal Data in its provision of services as a Processor;

2.1.2 Data Subjects about whom Personal Data is transferred to LimeSpot in connection with its services as a Processor by, at the direction of, or on behalf of Controller.

2.2 Types of Information. LimeSpot collects both Personal Data and Non-Personally identifiable information (“NPII”).

2.2.1 Personal Data includes personally identifiable information (“PII”) which is uniquely associated with an identifiable individual which may include age, gender, location, email address, and IP address.

2.2.2 Non-Personally identifiable information (“NPII”) includes information which does not identify, or is not uniquely associated with, an individual. NPII includes, but is not limited to, (a) general information such as name, geographical information and location, age range; (b) interaction information such as products and collections viewed, order information, loyalty programs information; and (c) behavioral information such as general interests inferred by their interactions with the Controller’s eCommerce platform. NPII may also include information that is non-personally identifiable but was generated from PII, such as by aggregation with other PII or anonymization. While this does not fit the definition of Personal Data, it is being included in this document for transparency of data usage.

2.3 Subject Matter, Nature and Purpose of Processing. Personal Data will be processed for purposes of providing the Services set forth in a Terms and Conditions Agreement between LimeSpot and the Controller.

2.4 Duration of Processing. The Personal Data will be processed for the duration of the Term as set forth in the LimeSpot Customer Terms of Service.

3. Processing of Personal Data

3.1 LimeSpot shall:

3.1.1 comply with all applicable Data Protection Laws in the Processing of Personal Data; and

3.1.2 not Process Personal Data other than in accordance with this DPA, which constitutes the Controller’s complete and final Instructions to LimeSpot in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between the Controller and LimeSpot.

3.2 The Controller instructs LimeSpot and authorizes LimeSpot to:

3.2.1 Process Personal Data; and

3.2.1.1 in particular, transfer Personal Data to approved countries in accordance with this DPA, as reasonably necessary for the provision of the Services and consistent with the LimeSpot Customer Terms of Service; and

3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.2.1 on behalf of each relevant Controller Affiliate.

4. Processor Personnel

LimeSpot shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Personal Data, as strictly necessary for the purposes of delivering the Services, and to comply with Applicable Laws in the context of that individual’s duties to LimeSpot, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, LimeSpot shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 In assessing the appropriate level of security, LimeSpot shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. Subprocessing

6.1 Controller authorizes LimeSpot to appoint, and permit each Subprocessor appointed in accordance with this section 6 to appoint, Subprocessors in accordance with this section 6 and any restrictions in the LimeSpot Customer Terms of Service.

6.2 LimeSpot may continue to use those Subprocessors already engaged by LimeSpot as at the date of this DPA.

6.3 Controller may request a list of Subprocessors at any time via email at privacy@limespot.com.

6.3.1 LimeSpot shall work with Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor.

6.4 With respect to each Subprocessor, LimeSpot shall:

6.4.1 before the Subprocessor first Processes Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by the LimeSpot Customer Terms of Service;

6.4.2 ensure that the arrangement between on the one hand (a) LimeSpot, or (b) the relevant intermediate Subprocessor; and on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;

6.4.3 if that arrangement involves a Restricted Transfer, ensure that an adequate level of protection (within the meaning of applicable European Data Protection Laws) exists before the Subprocessor first Processes Personal Data; and

6.4.4 provide to Controller for review such copies of LimeSpot’s agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Controller may request from time to time.

6.5 LimeSpot shall ensure that each Subprocessor performs the obligations under sections 3.1, 4, 5, 7, 8, 9 and 11.1, as they apply to Processing of Personal Data carried out by that Subprocessor, as if it were party to this DPA in place of LimeSpot.

7. Data Subject Rights

Taking into account the nature of the Processing, LimeSpot shall assist Controller by implementing appropriate technical and organizational measures to respond to requests to exercise Data Subject rights under the Data Protection Laws.

8. Personal Data Breach

8.1 LimeSpot shall notify Controller without undue delay upon LimeSpot or any Subprocessor becoming aware of a Personal Data Breach affecting Personal Data.

8.2 LimeSpot shall co-operate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

LimeSpot shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with competent data privacy authorities, which Controller reasonably considers to be required of Controller by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, LimeSpot.

10. Storage, Transfer or Deletion of Personal Data

10.1 LimeSpot may transfer, store and process Personal Data to or on computers located in the United States, Europe, and Canada. Accordingly, such information may be subject to the laws of these relevant jurisdictions.

10.2 LimeSpot does not provide a fixed period for PII. LimeSpot will delete PII upon any of the following:

  • A request from an End User via email at privacy@limespot.com;
  • A request from the Controller owning the eCommerce store from which the data of the End User, whose data is requested to be deleted, was obtained;
  • If LimeSpot learns that any PII has been collected unlawfully;
  • A request from any legal body having sufficient legal authority; or
  • If LimeSpot is made aware that PII should be deleted to ensure compliance with an applicable legal obligation.

10.3 The storage period for any NPII is indefinite.

 

11. Audit rights

11.1 Subject to section 11.2, LimeSpot shall make available to Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller in relation to the Processing of the Personal Data by LimeSpot.

11.2 Information and audit rights of the Controller only arise under section 11.1 to the extent that the LimeSpot Customer Terms of Service does not otherwise give the Controller sufficient information and audit rights to meet the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).

11.3 Controller or the relevant Controller Affiliate undertaking an audit shall give LimeSpot reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make, and ensure that each of its mandated auditors makes, reasonable endeavors to avoid causing, or if it cannot avoid, to minimize, any damage, injury or disruption to LimeSpot’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. LimeSpot need not give access to its premises for the purposes of such an audit or inspection:

11.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;

11.3.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller or the relevant Controller Affiliate undertaking an audit has given notice to LimeSpot that this is the case before attendance outside those hours begins; or

11.3.3 for the purposes of more than one audit or inspection, in respect of each Processor, in any calendar year, except for any additional audits or inspections which:

11.3.3.1 Controller or the relevant Controller Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to LimeSpot’s compliance with this DPA; or

11.3.3.2 Controller is required or requested to carry out by Data Protection Law or a legitimate regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Controller or the relevant Controller Affiliate undertaking an audit has identified its concerns or the relevant requirement or request in its notice to LimeSpot of the audit or inspection.

12. General Terms

12.1 Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the LimeSpot Customer Terms of Service shall remain in full force and effect and govern this DPA. If any provision of this DPA is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this DPA shall remain operative and binding on the parties.

12.2 The Controller acknowledges and agrees that LimeSpot may amend this DPA from time to time by posting the relevant amended and restated DPA on LimeSpot’s website, available at limespot.com/dpa and such amendments to this DPA are effective as of the date of posting. The Controller’s continued use of the Services after the amended DPA is posted to LimeSpot’s website constitutes Controller’s agreement to, and acceptance of, the amended DPA.

12.3 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the LimeSpot Customer Terms of Service. The parties irrevocably and unconditionally submit to the venue stipulated in the LimeSpot Customer Terms of Service with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

12.4 Nothing in this DPA reduces LimeSpot’s obligations under the LimeSpot Customer Terms of Service in relation to the protection of Personal Data or permits LimeSpot to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the LimeSpot Customer Terms of Service.

12.5 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.