Data protection addendum
This Data Protection Addendum (“Addendum“) forms part of the Agreement between Exposebox and the Customer.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
WHEREAS, Exposebox, subject to the scope of Services agreed within Agreement, may (a) process Customer Personal Data on behalf of Customer; (b) on behalf of Customer store and/or have access to information stored within the device of an internet user through Cookies and/or SDK; or (c) send unsolicited commercial messages on behalf of Customer;
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
In this Addendum:
The terms “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”), shall all have the same meanings as ascribed to them under the GDPR. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such terms defined in the CCPA.
“Cookies“ means cookies placed and assessed by Exposebox on behalf of Customer on devices of Data Subjects in connection with the provision of the Services as further described in Schedule 1.
“Customer Personal Data” means any data relating to an identified or identifiable individual that are within the scope of protection as “personal data” under the applicable Data Protection Laws, and which are provided by or on behalf of Customer to Exposebox, or are otherwise processed by Exposebox for the purposes of providing the Services, and specifically the Personal Data described in Schedule
“Data Protection Laws” means:
(a) the General Data Protection Regulation (EU 2016/679) (“GDPR”) and any legislation which amends, re-enacts or replaces it in an EEA member state or in England and Wales from such time as the United Kingdom ceases to be an EEA member state;
(b) any legislation of England and Wales or an EEA member state that implements Directive 2002/58/EC of the European Union Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; and at all times, any other data protection laws and regulations applicable in an EEA member state or in England and Wales from such time as the United Kingdom ceases to be an EEA member state;
(c) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq (“CCPA”).
“Data Subject” means an individual who is the subject of Personal Data.
“EEA” means the European Economic Area.
“Personal Data / Personal Information” means any information which (i) can be related to, describes and/or is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual; and (ii) supplied by Customer to Exposebox pursuant to the Principal Agreement or which Exposebox generates, collects, stores, transmits, or otherwise processes on behalf of Customer in connection with the Principal Agreement. Personal Data may include information which is related to Customer’s end users, clients, contractors, suppliers and other third parties.
“Services” means the services and other activities to be supplied to or carried out by or on behalf of Exposebox for Customer pursuant to the Agreement;
“SDK“ means Exposebox software development kit installed on Customer’s mobile application(s) in connection with the provision of the Services as further described in Schedule 1.
“Sub-Processor” has the meaning set out in Clause 1.6.
“Supervisory Authority” means any regulatory, supervisory, governmental or other competent authority with jurisdiction or oversight over the Data Protection Laws.
1.2 Data Processing
1.2.1 The parties agree and acknowledge that under the performance of their obligations set forth in the Principal Agreement, this Addendum, and with respect to the processing of Customer Personal Data, Exposebox is acting as a Data Processor and Customer is acting as a Data Controller. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Exposebox is the Service Provider. Each party shall be individually and separately responsible for complying with the obligations that apply to under applicable Data Protection Laws.
1.2.2 Exposebox will process Customer Personal Data to the extent it relates to:
(a) the types of Customer Personal Data;
(b) the categories of Data Subject;
(c) the nature and purpose,
set out in this Addendum, and only for the duration specified in Schedule 1 (Data Processing).
1.2.3 Exposebox shall process the Customer Personal Data only in accordance with the written instructions of Customer as detailed in the Principal Agreement, this Addendum and other written notices of Customer unless Exposebox is required to process the Customer Personal Data for other reasons under laws to which Exposebox is subject. If ExposeBox is required to process the Customer Personal Data for these other reasons, ExposeBox shall inform Customer before carrying out the processing, unless prohibited by relevant law. ExposeBox shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the purposes determined by Customer. Notwithstanding the above, the Company hereby acknowledges and authorize ExposeBox to process Customer Personal Data in an aggregated and unidentified manner, for the purpose of optimizing the performance of the Services.
(a) instructs Exposebox (and authorises Exposebox to instruct each Sub-processor) to:
(i) Process Customer Personal Data; and
(ii) in particular, transfer Customer Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Agreement;
(b) warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 1.2.4. (a); and
(c) shall comply at all times with its respective obligations under the Data Protection Legislation.
1.2.5 Each party shall identify and provide contact details for its contact point within its organization authorized to respond to enquiries concerning Processing of the Customer Personal Data or its Data Protection Officer (“DPO”), as applicable. In the event of a change of the above contact person or DPO’s identity, each party shall provide updated contact details.
(a) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Exposebox shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
(b) Exposebox shall ensure that all employees with access to Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
1.4 Transfers outside of the EEA
The Exposebox shall not transfer any Customer Personal Data (nor permit any Customer Personal Data to be transferred) to a territory outside of the European Economic Area (“EEA“) unless the Exposebox has implemented appropriate safeguards, where required by the Data Protection Laws. The Exposebox may transfer any Customer Personal Data to Israel.
1.5 No Sale of Personal Information
It is hereby agreed that any share of Personal Data between the parties is made solely for fulfilling a Business Purpose and the Exposebox does not receive or process any Personal Data as consideration for the Services. Thus, such collection, processing and share of Personal Data shall not be considered as a Sell. It is agreed that it is in the Customer’s sole responsibility and liability to determine whether the sharing or transferring of Personal Information during the course of performance of the Services constitute Sell of Personal Information, as well as to comply with the applicable CCPA requirements in this regard, including providing the Vendor with “Do Not Sell” signal of users who have exercised their right to opt out, where applicable.
1.6.1 Customer acknowledges that Exposebox may engage third parties to carry out processing in connection with the Services (“Sub-Processor”) subject to Exposebox entering into a written agreement with the Sub-Processor under which Sub-Processor is obliged to comply with terms materially equivalent to those in this Addendum. Customer specifically authorizes the engagement of ExposeBox’ affiliates as Sub-Processors. It is acknowledged and agreed that ExposeBox uses Google as a Sub-Processor for the purpose of provision of Google Cloud Platform, which uses is subject to the respective Google applicable terms as well as Amazon Web Services as a Sub-Processor for the purpose of cloud hosting services, which use is subject to the respective Amazon applicable guidelines.
1.6.2 Exposebox shall notify Customer of any intended changes concerning the addition or replacement of Sub-Processors. Exposebox shall remain fully liable to Customer for any acts or omissions of any Sub-Processors.
1.7 Information provision and data protection audits
1.7.1 On Customer’s request, such request not to be submitted more frequently than once in any 12 month period, Exposebox shall provide to Customer all necessary information to demonstrate Exposebox’s compliance with this Addendum, and shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer in relation to the processing of the Customer Personal Data by the ExposeBox.
1.7.2 Customer shall give Exposebox reasonable prior written notice of at least 10 working days of any audit or inspection to be conducted under Section 1.7.1, shall bear all expenses related to the audit and shall reimburse the Vendor for all such expenses occurred to it due to the audit. The Company shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the ExposeBox’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Exposebox need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Exposebox that this is the case before attendance outside those hours begins; or
(c) for the purposes of more than one audit or inspection, in respect of Exposebox, in any 12 month period, except for any additional audits or inspections which Customer reasonably considers necessary because of genuine concerns as to Exposebox’s compliance with this Addendum, where Customer has identified its concerns in its notice to Exposebox of the audit or inspection.
1.7.3 For the avoidance of doubt, it is hereby clarified that any information provided or generated in connection of the audit or inspection is considered as confidential information and shall be subject to all of the obligations, restrictions or any other terms as other confidential information disclosed between the parties.
1.8 Dealings with Supervisory Authorities
Exposebox shall provide reasonable assistance to Customer to allow Customer to prepare any necessary data protection impact assessments or undertake any necessary consultations with Supervisory Authorities.
1.9 Data Subjects
1.9.1 On request, Exposebox shall provide reasonable assistance (including by appropriate technical and organisational measures insofar as this is possible) necessary for Customer to comply with its obligations under the Data Protection Laws in relation to:
(a) the provision of access to, and information relating to, Personal Data processed in relation to a Data Subject;
(b) the rectification of inaccurate Personal Data in relation to a Data Subject;
(c) the permanent erasure of a Data Subject’s Personal Data;
(d) the restriction of processing of the Personal Data of a Data Subject; and
(e) the provision of a copy of the Personal Data of a Data Subject in a machine-readable format, and/or the transfer of such Personal Data to a third party.
Exposebox shall notify Customer immediately upon receiving a request from a Data Subject to exercise his or her rights set out in Clause 1.9.1.
1.10 Personal data breaches
Exposebox shall notify Customer without undue delay upon becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data (a “Security Incident”). Such notification shall include, as far as possible, (i) a description of the nature of the Security Incident, including the categories and an approximate number of data subjects concerned and the categories and the approximate number of data records concerned and (ii) the likely consequences of the breach and (iii) the measures taken or to be taken to address the breach, including measures taken to mitigate any possible adverse effects. The notification of or response to a Security Incident under this section shall not be construed as an acknowledgement by the vendor of any fault or liability with respect to the Security Incident.
1.11 Return or destruction of Data
Exposebox shall, at Customer’s discretion, destroy or return all Customer Personal Data to Customer on termination of the Agreement, and shall destroy or delete all copies it holds of the Customer Personal Data, unless a law of England and Wales, the European Union (or a member state of the EEA) to which Exposebox is subject requires the Customer Personal Data to be stored.
1.12.1 To the extent Cookies are placed or accessed by Exposebox on behalf of Customer in connection with the provision of Services, Customer shall ensure that Cookies are placed and accessed in accordance with the requirements of Data Protection Laws. In particular, Customer will:
(b) obtain legally compliant prior consent (using the “opt-in” method) of the Data Subject for placement and accessing the Cookies to allow Exposebox to process Customer Personal Data for provision of the Services;
(c) provide Data Subjects with information about how they can revoke their consent to the Cookies.
1.12.2 Customer shall immediately notify Exposebox in writing of any Data Subjects who revoked their consent as required to discontinue the use of the relevant Cookies and related data and remove the Cookies.
1.13 Unsolicited Commercial Messages
1.13.1 To the extent Exposebox sends unsolicited commercial messages on behalf of Customer in connection with the provision of Services, Customer shall ensure that such messages are sent in accordance with the requirements of Data Protection Laws. In particular, Customer will:
(a) ensure that it has a valid lawful basis for sending any electronic or SMS messages for the purposes of the Data Protection Laws;
(b) provide the Data Subject with the right to object to such processing, including, at least, by informing the Data Subject of an e-mail address of Customer where such right can be exercised and providing a possibility to opt-out in any commercial electronic message (or informing the Data Subject how to opt-out in any SMS message) sent by Exposebox on behalf of Customer.
1.13.2 Customer shall immediately notify Exposebox in writing of any Data Subjects who revoked their consent to receive commercial electronic messages of Customer.
1.14.1 To the extent Customer Personal Data is collected and processed by Exposebox on behalf of Customer through SDK installed on Customer’s mobile application in connection with the provision of Services, Customer shall ensure that such data is collected and processed in accordance with the requirements of Data Protection Laws. In particular, Customer will:
(a) provide Data Subjects with clear and comprehensive information in accordance with requirements of Data Protection Laws about data collected through SDK, processing of the data obtained through SDK by Customer and by Exposebox, purposes of collecting and processing of the data obtained through SDK;
(b) obtain legally compliant prior consent (using the “opt-in” method) of the Data Subject for collecting the data through SDK to allow Exposebox to process Customer Personal Data for provision of the Services;
(c) to provide Data Subject with information on how to revoke its consent.
1.14.2 Customer shall immediately notify Exposebox in writing of any Data Subjects who revoked their consent.
The total combined liability of Exposebox under or in connection with the Addendum will be limited to any liability cap set forth in the Principal Agreement.
1.16 Order of precedence
1.16.1 Nothing in this Addendum reduces Exposebox’s obligations under the Agreement in relation to the protection of Customer Personal Data or permits Exposebox to process (or permit the processing of) Customer Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
1.16.2 Subject to section 1.16.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Subject matter and duration of the processing of Customer Personal Data
The subject matter and duration of the processing of the Customer Personal Data are set out in the Agreement and this Addendum
- The types of Customer Personal Data to be Processed
first and last name,
|Cookie Name||Purpose and description of the Cookie|
|__etn||Unique user identifier, persistent, expires after 12 months|
|Used for user personal recommendations, persistent, Up to a month|
|Used for ad network campaigns, persistent, Up to a month|
Device information collected through SDK, including:
- type and model, manufacturer, operating system,
- list of installed applications on the device,
- Geolocation data,
- Advertising IDs.
- Categories of Data Subject whose Customer Personal Data will be processed
Internet and mobile users, employees of the Customer
- Nature and purpose of processing
Provision of the Services as detailed in the Agreement, including as required for providing product recommendations and personalising experience of the Data Subjects based on their interests and browsing history.
Exposebox may track the following actions of the Data Subject on Customer’s website or application:
- Any page view
- Product category page view
- Product page view
- Add to cart event
- Internal website search
- Email newsletter subscription
- Product recommendation blocks clicks
- Clicks in emails sent via Services
- entrance from external campaigns
- mouse overview