Data Processing Agreement

This Data Processing Addendum (“Addendum”) amends the Cork Labs Terms of Service and any other terms that incorporate by reference this Addendum (together, the “Agreement”) by and between you and Cork Labs, LLC, a Virginia LLC (“Cork Labs”).

1. Definitions
(a) “European Data Protection Laws” means European Union Regulation 2016/679 (the “General Data Protection Regulation”), the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and any relevant law, statute, regulation, rule or other binding instrument which implements the above or otherwise relates to data protection, privacy, data security or the Processing of Personal Data in any European member state or the United Kingdom, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.

(b) “Personal Data” shall be interpreted in accordance with European Data Protection Laws and US Data Protection Laws, as applicable, and relating to an identifiable or identified individual who visits or engages in transactions through your store (a “Customer”), which Cork Labs processes as a Data Processor or Service Provider (as defined under such laws) in the course of providing you, as a Data Controller or Business (as defined under such laws), with the Service. The term “Personal Data” shall also include “Personal Information” as defined under US Data Protection Laws. Notwithstanding the foregoing sentence, Personal Data does not include information that Cork Labs processes in the context of services that it provides directly to a consumer, if and when such services exist.

(c) “US Data Protection Laws” means the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Utah Consumer Privacy Act (“UCPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), and other similar comprehensive state privacy laws that place obligations on a Business or Controller in relation to Personal Data (as defined under such laws), and any relevant regulation, rule or other binding instrument which implements such laws, in each case as applicable and in force, and as amended, consolidated, re-enacted or replaced from time to time.

(d) “US Consumer” means an individual that is a “consumer” as defined under US Data Protection Laws.

(e) All other capitalized terms in this Addendum shall have the same definition as in the Agreement.

2. Details of Processing
2.1. The parties agree that Appendix 1 of this Addendum describes the subject matter and details of the processing of Personal Data. Cork Labs may aggregate, anonymize or deidentify Personal Data and process such data for the purposes set out in Appendix 1 or as otherwise permitted by applicable law. To the extent Cork Labs receives from you Personal Data that has been Deidentified (as defined in section 5.1 of this Addendum), Cork Labs will maintain and use the data only in a Deidentified fashion.

3. European Union and United Kingdom
3.1. This section applies only to the extent that Cork Labs’s Processing of Personal Data is subject to European Data Protection Laws. In this section, “Data Processor”, “Data Controller”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with the European Data Protection Laws.

3.2. You acknowledge that Cork Labs acts as an independent Data Controller with regard to personal data that it collects from consumers in connection with its potential consumer-facing applications and services.

3.3. Where a Data Subject is located in the European Economic Area or the United Kingdom, that Data Subject’s Personal Data will be Processed by Cork Labs. As part of providing the Service, this Personal Data may be transferred to other regions, including to the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.

3.4. When Cork Labs Processes Personal Data in the course of providing the Service, Cork Labs will:

3.4.1. Process the Personal Data as a Data Processor and/or Service Provider, only for the purpose of providing the Service in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the Service), and as may subsequently be agreed to by you. If Cork Labs is required by law to Process the Personal Data for any other purpose, Cork Labs will provide you with prior notice of this requirement, unless Cork Labs is prohibited by law from providing such notice;

3.4.2. notify you if, in Cork Labs’s opinion, your instruction for the Processing of Personal Data infringes applicable European Data Protection Laws;

3.4.3. notify you, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Cork Labs’s Processing of the Personal Data;

3.4.4. implement reasonable technical and organizational measures enabling you to execute requests relating to your Customer’s Personal Data that you are obligated to fulfill;

3.4.5. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;

3.4.6. upon request, provide reasonable information to help you complete your data protection impact assessments and prior consultations with regulatory authorities;

3.4.7. notify you, in a reasonable timeframe, upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;

3.4.8. ensure that its personnel who access the Personal Data are subject to confidentiality obligations; and

3.4.9. upon termination of the Agreement, Cork Labs will promptly initiate its purge process to delete or anonymize the Personal Data. You may also request, within 60 days of termination, that Cork Labs erase such Personal Data.

3.5. In the course of providing the Service, you acknowledge and hereby grant Cork Labs general written authorization to use Subprocessors, listed in Appendix 2 (“Subprocessor List”), to Process the Personal Data. Cork Labs’s use of any specific Subprocessor to process the Personal Data must be in compliance with European Data Protection Laws and must be governed by a contract between Cork Labs and Subprocessor that requires comparable protections to this Data Processing Addendum. If Cork Labs appoints a new subprocessor or intends to make changes concerning the addition or replacement of subprocessors, such changes will be made to our Subprocessor List. You will have seven (7) days from the date of the update of our Subprocessor List to object to the change. If you object to the appointment of a Subprocessor you may terminate this agreement in accordance with the Agreement.

3.6. You warrant that you have complied and continue to comply with European Data Protection Laws, in particular, you have obtained any necessary consents or given any necessary notices and otherwise have a legitimate ground to disclose data to Cork Labs and enable the processing of Personal Data by Cork Labs as set out in this Agreement.

4. US Consumers
4.1. This section applies only to the extent that, for purposes of the US Data Protection Laws, you are a Business or Controller and in the course of providing the Service, Cork Labs processes Personal Data about US Consumers that is subject to US Data Protection Laws. In this section, “Business”, “Business Purpose”, “Commercial Purpose”, “Controller”, “Deidentified”, “Processor”, “Sell”, “Sale”, and “Service Provider” shall have the meanings ascribed to them in US Data Protection Laws, and “Share” shall have the meaning ascribed to it in the CCPA, and such meanings are incorporated herein by reference.

4.2. With respect to such Personal Data, and to the extent required by applicable US Data Protection Laws, Cork Labs will:

4.2.1. process Personal Data as a Service Provider and/or Processor on your behalf to provide the Service or as otherwise permitted by US Data Protection Laws;

4.2.2. not retain, use or disclose Personal Data outside its direct business relationship with you or for any purpose other than to provide the Service, including retaining, using or disclosing such Personal Data for a Commercial Purpose other than performing the Business Purposes described in the Agreement, or as otherwise permitted by US Data Protection Laws;

4.2.3. not Sell or Share such Personal Data;

4.2.3. not combine Personal Data collected in connection with performing the Service with Personal Data received from another source or collected from its own interactions with the individual, except to perform the Service, with consent or direction, or as otherwise permitted by US Data Protection Laws;

4.2.4. in connection with processing the Personal Data, comply with provisions of the US Data Protection Laws applicable to Service Providers or Processors, including providing the same level of privacy protection required of Businesses or Controllers by the US Data Protection Laws, and notify you if it determines it can no longer meet these obligations. You may, upon receiving such a notice, take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Cork Labs;

4.2.5. only engage subcontractors to process Personal Data on its behalf pursuant to a written contract that requires comparable protections to this Data Processing Addendum. In the course of providing the Service, you acknowledge and hereby grant Cork Labs general written authorization to use subcontractors, listed in Appendix 2 (“Subprocessor List”), to Process the Personal Data. Cork Labs’s use of any specific Subprocessor to process the Personal Data must be in compliance with US Data Protection Laws and must be governed by a contract between Cork Labs and Subcontractor that requires comparable protections to this Data Processing Addendum. If Cork Labs appoints a new subcontractor or intends to make changes concerning the addition or replacement of subcontractors, such changes will be made to our Subprocessor List. You will have seven (7) days from the date of the update of our Subprocessor List to object to the change. In the event we do not receive a response from you, the change will be deemed to be accepted. If you object to the appointment of a subcontractor you may terminate this agreement in accordance with the Agreement.

4.2.6. ensure that its personnel who process the Personal Data are subject to confidentiality obligations with respect to such information;

4.2.7. take reasonable and appropriate steps, upon reasonable written notice from you and subject to the confidentiality obligations set out in the Agreement, to assist you with confirming that Cork Labs’s use of Personal Data is consistent with your obligations under US Data Protection Laws; and

4.2.8. upon termination of the Agreement, Cork Labs will promptly initiate its purge process to delete or Deidentify the Personal Data. You may also request, within 60 days of termination, that Cork Labs erase such Personal Data.

4.3. You represent and warrant that you:

4.3.1. have obtained any necessary consents, rights and authorizations and given any necessary notices to individuals regarding your disclosure of Personal Data to Cork Labs to enable Cork Labs’s processing of Personal Data to provide the Service, as required by applicable law;

4.3.2. will not share with Cork Labs any Personal Data of any individual subject to the US Data Protection Laws who has exercised an opt-out that you have committed to honoring;

4.3.3. will not share with Cork Labs sensitive data of any US Consumer who has not consented to the processing of their sensitive data;

4.3.4. will inform Cork Labs of any rights requests individuals make to you pursuant to US Data Protection Laws that Cork Labs must comply with and provide the information necessary for Cork Labs to comply with the requests; and

4.3.5. will be solely liable for your compliance with such laws.

4.4. You and Cork Labs agree that the existence of this Addendum does not constitute an admission that sharing of Personal Data constitutes a Sale or a Share.

5. General
5.1. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail, unless such provisions contradict a requirement under applicable law, in which case such requirement shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that Cork Labs may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Cork Labs’s website, available at https://www.corklabs.com/data-processing-agreement and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Service after the amended Addendum is posted to Cork Labs’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.

5.2. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.

5.3. The terms of this Addendum shall be governed by and interpreted in accordance with the laws of the Commonwealth of Virginia and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Commonwealth of Virginia with respect to any dispute or claim arising out of or in connection with this Addendum.

Appendix 1: Details of Processing

Nature and purpose of processing: To provide and improve the Service under the Cork Labs Terms of Service and any other terms that this Addendum is incorporated into, provide any related support to Customer, as otherwise permitted under European Data Protection Laws or US Data Protection Laws, as applicable, or as initiated by you from time to time.

Subject Matter, Types of Personal Data and Categories of Data Subjects: Personal Data relating to Customers.

Duration of processing: The term of this Addendum plus the period from the end of the term until deletion of all Customer Personal Data by Cork Labs in accordance with its obligations under this Addendum.

Appendix 2: Subprocessor List

Affiliated subprocessors

None

Third-party subprocessors

Heroku - Cloud hosting. HQ USA. Data: All platform data
MongoDB - Database hosting. HQ USA. Data: All platform data
Rollbar - Error logging. HQ USA. Data: Customer personal data if necessary to log errors
Cloudflare - Load balancing and DDoS protection. HQ USA. Data: All platform data
Twilio - Email transmission. HQ USA. Data: Customer personal data necessary to provide email transactions