Updated October October 24th, 2022
This PAYWHIRL Data Processing Addendum (“Addendum”) amends and forms a part of the written or electronic agreement(s) (the “Agreement”) by and between the legal entity subject to the Agreement (“Merchant”) and PAYWHIRL Inc. (“PAYWHIRL”), a California, United States corporation with offices at 9452 Telephone Rd., #140 CA, 93004, governing the Merchant’s use of PAYWHIRL’s products and services (the “Service”). Capitalized terms not otherwise defined in this Addendum shall have the same definitions as in the Agreement or the meaning ascribed to the corresponding terms in the Data Protection Legislation.
Definitions
“Business”, “Controller”, “Processor”, “Processing/Process/ Processed”, and “Service Provider” shall be given the meanings given to them by the applicable Data Protection Legislation.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Data Subject Request” means the exercise by Data Subjects of their rights in accordance with applicable Data Protection Legislation in respect of Personal Information.
“Data Protection Legislation” means, collectively: (i) the GDPR, (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §§ 1798.100 – 1798.199.100 (“CCPA”), (iii) any legislation, and/or regulation implementing or made pursuant to them or which amends, replaces, re-enacts or consolidates any of them, (iv) applicable data breach notification statutes, and (v) all other applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, to the extent applicable to the relevant Personal Data or Processing thereof under the Agreement.
“EEA” means the European Economic Area.
“GDPR” stands for “General Data Protection Regulation” and means: (i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).
“Personal Information” means information that constitutes “Personal Data,” “Personal Information,” “Personally Identifiable Information,” or similar information as defined by applicable Data Protection Legislation that PAYWHIRL Processes pursuant to the Agreement.
“Personal Data Breach” means a breach of PAYWHIRL’s security that has resulted in the accidental or unlawful destruction, acquisition, loss, alteration, unauthorized disclosure of, or access to, Personal Information in PAYWHIRL’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
“Relevant Body” (i) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or (ii) in the context of the EEA and EU GDPR, means the European Commission.
“Restricted Country” (i) in the context of the UK, means a country or territory outside the UK; and (ii) in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK), that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Information pursuant to a decision made in accordance with Article 45(1) of the GDPR.
“Restricted Data Transfer” means the disclosure, grant of access, or other transfer of Personal Information to: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision by the European Commission pursuant to Article 45 of the GDPR; and (ii) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision by the UK Information Commissioner’s Office pursuant to Article 45 of the GDPR.
“Security Measures” means the technical and organizational security measures to be applied by Processor in respect of the Personal Information, as set out in Appendix 2.
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (“EU SCCs”); and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) Data Protection Act 2018 (“UK IDTA”) (in each case, as updated, amended or superseded from time to time).
“Subprocessors” means the relevant subprocessors listed in our Privacy Policy Section 4.1.1 - PAYWHIRL Service.
“Supervisory Authority” means: (i) in the context of the EU GDPR, any authority within the meaning of Article 4(21) of the EU GDPR; and (ii) in the context of the UK GDPR, the UK Information Commissioner’s Office.
“UK” means the United Kingdom of Great Britain and Northern Ireland.
Data Protection
In the course of PAYWHIRL providing the Service under the Agreement, Merchant may from time-to-time provide or make available Personal Information to PAYWHIRL for the limited and specific purposes of providing the Service under the Agreement. The Parties acknowledge and agree that, in relation to any such Personal Information provided or made available to PAYWHIRL for Processing by PAYWHIRL under the Agreement, the Merchant will be the Controller and PAYWHIRL will be the Processor for the purposes of the GDPR and the Merchant will be the Business and PAYWHIRL will be the Service Provider for purposes of the CCPA.
When PAYWHIRL Processes Personal Information in the course of providing the Service, PAYWHIRL will:
The Merchant shall ensure that it is entitled to give access to the relevant Personal Information to PAYWHIRL so that PAYWHIRL may lawfully Process Personal Information in accordance with the Agreement on the Merchant’s behalf. The Merchant shall:
In the course of providing the Service, the Merchant acknowledges and agrees that PAYWHIRL may use Subprocessors to Process the Personal Information. PAYWHIRL’s use of any specific Subprocessor to Process the Personal Information must be in compliance with Data Protection Legislation and must be governed by a contract between PAYWHIRL and the Subprocessor. PAYWHIRL will notify the Customer of any changes to the list of Subprocessors by updating Section 4.1.1 - PAYWHIRL Service of our Privacy Policy, concerning the addition or replacement of other Subprocessors. The Merchant acknowledges it needs to review the list after being notified and may object to such changes in writing setting out its reasonable concerns in detail within 14 days from the date of the notification. If the Merchant does not object to such changes, PAYWHIRL shall have the right to continue to Process the Personal Information in accordance with the terms of this Addendum, including using the relevant Subprocessors. If the Merchant objects, PAYWHIRL shall consult with the Merchant, consider the Merchant’s concerns in good faith and inform the Merchant of any measures taken to address the Merchant’s concerns. If the Merchant upholds its objection and/or demands significant accommodation measures which would result in a material increase in cost to provide the Services, PAYWHIRL shall be entitled to increase the fees for the Service or, at its option, terminate the Agreement.
As part of providing the Service, Data Subject’s Personal Information will be Processed in the United States. Such Processing will be completed in compliance with relevant Data Protection Legislation.
Customer acknowledges and hereby agrees that PAYWHIRL may transfer to, access and process Personal Information in a Restricted Country, as necessary to provide the Service in accordance with the Agreement. PAYWHIRL will make any such Restricted Data Transfers in compliance with the applicable Data Protection Legislation. If PAYWHIRL’s compliance with Data Protection Legislation applicable to Restricted Data Transfers is affected by circumstances outside of PAYWHIRL’s control, including if a legal instrument for Restricted Data Transfers is invalidated, amended, or replaced, then the Merchant and PAYWHIRL will work together in good faith to reasonably resolve such non-compliance.
Solely to the extent required to ensure the legality of Restricted Transfers, in the event that the transfer of Personal Information from Controller to PAYWHIRL involves a transfer of Personal Information, that is subject to GDPR or UK GDPR, to a Restricted Country, the SCCs shall be incorporated by reference and form an integral part of this Addendum with Controller as “data exporter” and PAYWHIRL as “data importer.” For the purposes of the EU SCCs: (i) Module Two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted; (ii) Clause 7 (Docking Clause) shall not apply; (iii) in Clause 9, Option 2 shall apply and the “time period” shall be 14 days; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17 (Option 1), the EU SCCs shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex 1 and 3 of the EU SCCs shall be populated with the information set out in Appendix 1; and (viii) Annex 2 of the EU SCCs shall be deemed populated with the information set out in Appendix 2 . For the purposes of the UK IDTA: (i) the Appendices or Annexes of the UK IDTA shall be populated with the relevant information set out in this DPA; and (ii) the UK IDTA shall be governed by the laws of, and disputes shall be resolved before the courts of, England and Wales. If and to the extent the applicable SCCs conflict with any provision of this Addendum regarding the transfer of Personal Information from the Merchant to PAYWHIRL, the SCCs shall prevail to the extent of such conflict.
Miscellaneous
In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement.
The Merchant acknowledges and agrees that PAYWHIRL may amend this Addendum from time to time by posting the relevant amended and restated Addendum on PAYWHIRL’s website, available at https://app.paywhirl.com/dpa and such amendments to the Addendum are effective as of the date of posting. The Merchant’s continued use of the Service after the amended Addendum is posted to PAYWHIRL’s website constitutes the Merchant’s agreement to, and acceptance of, the amended Addendum. If the Merchant does not agree to any changes to the Addendum, the Merchant should cease use of the Service immediately.
Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.
The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the State of California and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the State of California with respect to any dispute or claim arising out of or in connection with this Addendum.
Appendix 1 – Data Processing Details
This Appendix includes certain details of the Processing of Personal Information: (i) as required by Article 28(3) of the GDPR; and (ii) where applicable, to populate Appendix 1 to the Standard Contractual Clauses.
PAYWHIRL’s activities and purpose of the Processing
PAYWHIRL provides a subscriptions management platform.
Subject matter and duration of the Processing of Personal Information
The subject matter and duration of the Processing of Personal Information is part of the Service under the Agreement. Start date is the date Personal Information is first Processed by Processor. End date is the date of termination or expiry of the Agreement. The frequency of the processing is continual and ongoing during the term of the Agreement.
The nature and purpose of the Processing of Personal Information
The processing of certain Personal Information by the Processor on behalf of the Controller in relation to allowing access of the Subscribers to the Processor’s subscriptions management platform.
The categories of Personal Information to be Processed
Personal Information that PAYWHIRL receives as described at: https://app.paywhirl.com/privacy.
The categories of Data Subjects to whom Personal Information Relates
Appendix 2 – Security Measures
As from the effective date of the Addendum, PAYWHIRL will implement and maintain the security measures set out in this Appendix 2 (“Security Measures”).
PAYWHIRL may update or modify such Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service.
Updated October October 24th, 2022