Shoplazza Partner Data Processing Agreement
Last updated on: December 19, 2024
This Shoplazza Data Processing Agreement (this “Partner DPA”) is entered into by you (Partner) and Shoplazza. For the avoidance of doubt, Shoplazza Partner Program Agreement, Shoplazza’s Privacy Policy and Shoplazza’s Acceptable Use Policy form part of this Agreement and are incorporated by reference. In this Agreement, Shoplazza and Partner may be referred to collectively as “Parties”, or individually as a “Party”.
This Partner DPA is to establish a framework to address scenarios of Personal Data Processing where, in connection with the Service Agreement between Shoplazza and the Partner, with respect to the Customer Personal Data, Merchant is the Controller of Personal Data, Shoplazza is the Processor of Personal Data, Partner is the Subprocessor to process Personal Data; with respect to the Merchant Personal Data, Shoplazza is the Controller of Personal Data, Partner is the Processor of Personal Data unless otherwise stipulated or agreed by the Parties. Partner shall process the Personal Data according to this Partner DPA.
1. Definitions.
“Applicable Data Protection Laws” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons, in particular the General Data Protection Regulation 2016/679 (“GDPR”), and supplementing data protection laws of the European Union Member States, the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom laws by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), Canada’s Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5 (“PIPEDA”), and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein, California Civil Code Sec. 1798.100 et seq., also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder (“CCPA”), and other applicable United States federal and state privacy laws, Hong Kong’s Personal Data (Privacy) Ordinance Cap. 486 (“PDPO”), China’s Personal Information Protection Law (“PIPL”).
“Authorized Area” means the country/region/territory where Processor/Subprocessor is allowed to Process the Personal Data.
“Controller” means the entity that determines alone or jointly with others the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means the Personal Data of the customers of each Merchant.
“Data Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Merchant” means the merchants who run their business through the Platform.
“Merchant Personal Data” means the Personal Data of the Merchants.
“Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Platform” means shoplazza.com and any associated software, programs, applications, and websites, owned and operated by Shoplazza and its affiliates.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt, this includes processing of Personal Data to disclose, aggregate, pseudonymize, de-identify or anonymize Personal Data, and to combine Personal Data with other Personal Data, or to derive any data or information from such Personal Data.
“Processor” means the entity that Processes Personal Data on behalf of the Controller per Controller’s instructions.
“Service Agreement” means the agreement between Shoplazza and Partner that governs the provision of the Partner’s service through Shoplazza platform, including but not limited to Shoplazza Partner Program Agreement.
“Sensitive Personal Data” means any Personal Data that is defined as “sensitive personal data”, “special categories of personal data” or any materially similar or analogous concept or definition under Applicable Data Protection Laws and which may therefore be subject to extra protections or restrictions governing its Processing.
“Subprocessor” means the entity that is engaged or appointed by Processor to Process Personal Data on behalf of the Processor per Processor’s instructions within the scope of the instructions received by Processor from Controller.
“Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Laws, including the Processing of Personal Data covered by this Partner DPA.
2.1 Both Parties will comply with Applicable Data Protection Laws, and Partner shall only Process the Personal Data in accordance with Applicable Data Protection Laws and shall not share, sell, disclose or otherwise provide such information to any third party, except as provided for in the Service Agreement and this Partner DPA. This clause is in addition to, and does not relieve, remove, or replace, a Party's obligations or rights under the Applicable Data Protection Laws.
2.2 Unless otherwise agreed by both Parties, Shoplazza shall not be charged for any fees, expenses, costs or remuneration in relation to the execution of this Partner DPA.
2.3 Processing of Personal Data shall be carried out during the provision of the Service Agreement, provided that Processing shall cease immediately upon the termination or expiration of this Partner DPA.
2.4 To the extent that Partner Processes the Personal Data on behalf of Shoplazza in connection with this Partner DPA, Partner shall:
2.4.1 Solely process the Personal Data for the purposes of fulfilling its obligations under the Service Agreement and in compliance with Shoplazza’s written instructions as set out in this Partner DPA and as may be specified from time to time in writing by Shoplazza; and
2.4.2 Notify Shoplazza immediately if any instructions of Shoplazza relating to the Processing of Personal Data are unlawful; and
2.4.3 Maintain a record of its Processing in accordance with Applicable Data Protection Laws; and
2.4.4 Assist Shoplazza in ensuring compliance with Applicable Data Protection Laws, taking into account the nature of the data processing undertaken by Partner and the information available to it, including (without limitation):
A. Subprocessor.
(1) Not engage with any Subprocessor to carry out any Processing of Personal Data without the prior written consent of Shoplazza, provided that notwithstanding any such consent, Partner shall remain liable for compliance with all of the requirements of this Partner DPA including in relation to the Processing of Personal Data; and
(2) Shoplazza gives Partner general authorization to replace any of its Subprocessors or to add a new Subprocessor. However, Partner shall inform Shoplazza of any intended changes concerning the addition or replacement of Subprocessors in advance, thereby giving Shoplazza the opportunity to object to such changes. If no objection is raised within thirty (30) days, the proposed replacement or addition will be considered as accepted. If an objection is raised, and the Parties do not reach an agreement within thirty (30) days from the day the objection is raised, Partner shall have the right to proceed with the proposed addition or replacement, and Shoplazza shall have the right to terminate this Partner DPA and the Service Agreement forthwith at no cost and with no need to provide notice; and
(3) With respect to each Sub-processor, Partner shall:
- provide Shoplazza with full details of the Processing to be undertaken by each Sub-processor;
- carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Agreement including without limitation sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of Applicable Data Protection Laws and this Partner DPA;
- include obligations in the contract between Partner and each Sub-processor which are the same as those set out in this Partner DPA, and shall supervise compliance thereof. Upon request, Partner shall provide a copy of its agreements with Sub-processors to Shoplazza for its review;
- insofar as that contract involves the transfer of Personal Data of EEA Data Subject outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by Shoplazza into the contract between Partner and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as Shoplazza may approve as providing an adequate protection in respect of the processing of Personal Data in such third country;
- remain fully liable to Shoplazza for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
(1) Partner shall only Process the Personal Data within the Authorized Area, and shall not conduct any transfers of Personal Data to a country/region/territory outside of the Authorized Area, unless obtaining prior written consent from Shoplazza; and
(2) Any cross-border transfer of Personal Data shall not be executed unless the following conditions are fulfilled:
- Appropriate safeguards in relation to the transfer are provided; and
- Data Subject has enforceable rights and effective legal remedies; and
- Partner complies with its obligations under Applicable Data Protection Laws by including but not limited to providing an adequate level of protection to any Personal Data that is transferred; and
- Partner complies with reasonable instructions given by Shoplazza in advance with respect to the Processing of Personal Data.
Partner shall ensure that all persons engaged to Process Personal Data are subject to legally binding obligations of confidentiality in relation to the Personal Data and shall ensure that all persons engaged to provide the Partner’s services have undergone professional training in data protection and in the care and handling of Personal Data.
(1) Partner shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data and against accidental loss or destruction of or damage to Personal Data taking into account the harm that might result from such unauthorized or unlawful Processing, loss, destruction or damage and the nature of the Personal Data to be protected including without limitation, all such measures that may be required to ensure compliance with Applicable Data Protection Laws.
(2) Security Measures include but are not limited to:
- the pseudonymization and/or encryption of Personal Data when possible/appropriate; and
- ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services; and
- ensure to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- an established process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures; and
- measures to identify vulnerabilities with regards to the Processing of Personal Data in systems used; and
- other reasonable security measures requested by Shoplazza.
E. Data Subject Rights.
(1) Partner shall promptly notify Shoplazza if it receives a request from a Data Subject under any Applicable Data Protection Laws; and
(2) Partner shall only respond to that request according to the documented instructions of Shoplazza or as required by Applicable Data Protection Laws to which Partner is subject after informing Shoplazza; and
(3) Taking into account the nature of the Processing undertaken by Partner, provide all possible assistance and co-operation (including without limitation putting in place appropriate technical and organizational measures) to enable Shoplazza to fulfill its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws; and
(4) Should Shoplazza/Controller be requested to delete certain Personal Data from Data Subject, Controller, or according to Applicable Data Protection Laws, upon the request of Shoplazza, Partner shall cease to Process such Personal Data immediately and arrange for the prompt and safe deletion or return of such Personal Data to Shoplazza, together with all copies of Personal Data in its possession or control or that of its affiliates, representatives, agents, or contractors, within thirty (30) days and with the manners specified by Shoplazza (if any), and regarding the deletion or destruction, Partner is required to provide documentary evidence to support the deletion or destruction.
(1) Partner shall provide information and assistance requested by Shoplazza in a timely manner to enable Shoplazza/Controller to notify Data Security Breaches to Supervisory Authority and Data Subjects, as the case may be to comply with the Applicable Data Protection Laws; and
(2) Partner shall notify Shoplazza without undue delay (and in any event within 24 hours) to Shoplazza Partner Support via email at privacy@shoplazza.com of becoming aware of a Data Security Breach if:
- Partner or any of its Subprocessors suffers a Data Security Breach; or
- Partner or any of its Subprocessors receives any Data Security Breach notification, complaint, notice or communication which relates directly or indirectly to the Processing of Personal Data or to either Party’s compliance with Applicable Data Protection Laws; or
(3) In each case, Partner shall provide full co-operation, information, and assistance to Shoplazza/Controller in relation to any such Data Security Breach, compliance notice or communication. Partner shall, at its own cost: (A) promptly remedy the Data Security Breach to prevent any further loss of Personal Data; (B) investigate the incident; (C) take reasonable actions to mitigate any future anticipated harm to Shoplazza, the Shoplazza related entities, merchants or customers; and (D) regularly communicate the progress of its investigation to Shoplazza and cooperate to provide Shoplazza with any additional requested information in a timely manner.
(4) The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. Partner shall not inform any third party without first obtaining Shoplazza’s prior written consent, unless notification is required by Applicable Data Protection Laws, in which case Partner shall to the extent permitted by such law inform Shoplazza of that legal requirement, provide a copy of the proposed notification and consider any comments made by Shoplazza before notifying the data breach.
Partner shall provide input into and carry out data protection impact assessments in relation to its Processing of Personal Data, or assist Shoplazza/Controller in conducting the data protection impact assessments, as the case may be to comply with the Applicable Data Protection Laws.
(1) Partner shall make available to Shoplazza all information necessary to demonstrate compliance with the obligations set out in this Partner DPA and any other instructions and allow for and contribute to audits, including inspections, conducted by or on behalf of Shoplazza/Controller or by Supervisory Authority pursuant to Applicable Data Protection Laws; and
(2) Upon request Partner shall allow Shoplazza/Controller, or Supervisory Authority access to Partner’s premises, records, and personnel for the purposes of assessing its compliance with its obligations under this Partner DPA and Applicable Data Protection Laws.
Partner should notify Shoplazza if it receives a legally binding request from a public (including judicial) authority under the applicable law of the Partner. Partner should notify Shoplazza if it becomes aware of any direct access by public authorities to such personal data, in accordance with applicable law of the Partner. Partner should provide Shoplazza with as much relevant information as possible on the legally binding requests. Partner should also be required to document any request for disclosure received and the response provided, and make that information available to Shoplazza. If, following a review of the legality of such a request under the applicable laws of Partner, Partner should challenge it, including, where appropriate, by exhausting available possibilities of appeal.
2.4.5 Partner shall not communicate with customers directly or indirectly, provided however that Partner may contact customers if the information is obtained from another source, such as from the customers themselves.
3.1 Partner shall indemnify Shoplazza from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages, and other liabilities of whatever nature (whether contractual, tortious, or otherwise) suffered or incurred by Shoplazza and arising out of or in connection with any breach by Partner or any of its Subprocessors.
3.2 Partner’s liability for the indemnity in this Section 3 shall not be limited or excluded, including by any provision of this Partner DPA.
4.1 Each Party must keep the information it receives about the other Party and its business in connection with this Partner DPA (the “Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party.
4.2 The termination or expiration of this Partner DPA shall not discharge Partner from its confidential obligations under this Section 4.
5.1 This Partner DPA shall come into effect and keep in force unless and until terminated or expired according to this Section 5.
5.2 This Partner DPA shall expire automatically upon the termination or expiration of the Service Agreement.
5.3 If Partner is in material breach of any provision of this Partner DPA, Shoplazza has the right to terminate both this Partner DPA as well as the Service Agreement, in whole or in part, effective upon written notice given by Shoplazza.
5.4 Upon the termination or expiration of this Partner DPA for whatever reason, Partner shall cease to Process the Personal Data and access the Confidential Information immediately and shall arrange for the prompt and safe deletion or return of all Personal Data Processed and Confidential Information received to Shoplazza, together with all copies of Personal Data and Confidential Information in its possession or control or that of its affiliates, representatives, agents, or contractors, within thirty (30) days and with the manners specified by Shoplazza (if any).
5.4.1 Upon the termination or expiration of this Partner DPA, should Shoplazza require the deletion or destruction of Personal Data and/or Confidential Information still held by Partner, then Partner is required to provide documentary evidence to support the deletion or destruction within thirty (30) days.
5.4.2 Notwithstanding anything to the contrary, Partner shall be solely responsible for any breach, violation, and negligence on its (or its Subprocessors) behalf of this Section 5.
5.4.3 Termination of this Partner DPA shall not affect any rights or obligations of either Party which have accrued prior to the date of termination and all provisions which are expressed to, or do by implication, survive the termination of this Partner DPA shall remain in full force and effect.
6. Miscellaneous.
6.1 This Partner DPA is a part of the Service Agreement, in the event of a conflict between this Partner DPA and the Service Agreement, this Partner DPA shall govern and control with respect to the subject matter of the Processing of Personal Data.
6.2 The contracting party of Shoplazza of this Partner DPA shall be governed by Clause 6 of Shoplazza Privacy Policy.
6.2.1 If Shoplazza contracting party is Shoplazza Corp., this Partner DPA will be governed by and interpreted in accordance with the laws of Ontario, Canada, without regard to principles of conflicts of laws. The United Nations Convention on Contracts for the International Sale of Goods will not apply to this Partner DPA and is hereby expressly excluded.
The Parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of Ontario, Canada with respect to any dispute or claim arising out of or in connection with this Partner DPA.
6.2.2 If Shoplazza contracting party is Shoplazza Hongkong Limited, this Partner DPA will be governed by and interpreted in accordance with the laws of Hong Kong SAR, China, without regard to principles of conflicts of laws. The United Nations Convention on Contracts for the International Sale of Goods will not apply to this Partner DPA and is hereby expressly excluded.
The Parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of Hong Kong SAR, China with respect to any dispute or claim arising out of or in connection with this Partner DPA.
6.3 Where individual provisions of this Partner DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this Partner DPA shall not be affected.
6.4 This Partner DPA contains the entire understanding of the Parties with respect to the subject matter hereof and supersedes all previous verbal and written agreements between the parties hereto with respect to such subject matter.
6.5 The section headings used in this Partner DPA are intended for convenience of reference and will not by themselves determine the construction or interpretation of any provision of this Partner DPA.