This Privacy and Data Protection Agreement (the "Agreement") is entered into by and between the merchant ("Merchant") and Comstack ("Provider"), collectively referred to as the "Parties," and shall be effective as of the date the Merchant installs a Comstack App (the "Effective Date"). This Agreement sets forth the terms and conditions under which the Provider processes personal data on behalf of the Merchant in connection with the services provided through the Comstack App (the "Services").
1.1. "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.3. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.4. "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
Roles and Responsibilities
2.1. The Merchant, as the Controller, determines the purposes and means of the processing of Personal Data in connection with the Services.
2.2. The Provider, as the Processor, processes Personal Data on behalf of the Merchant in accordance with the Merchant's instructions and the terms of this Agreement.
Scope of Data Processing
3.1. The Provider shall process Personal Data only for the purpose of providing the Services to the Merchant and shall not process Personal Data for any other purpose unless otherwise instructed by the Merchant in writing.
3.2. The types of Personal Data processed by the Provider may include, but are not limited to, customer names, addresses, email addresses, phone numbers, purchase histories, and payment information.
Data Transfer Mechanisms
4.1. The Provider shall implement appropriate safeguards to protect the Personal Data during transmission and storage, including encryption and secure storage facilities.
4.2. The Provider shall not transfer Personal Data to any third party without the prior written consent of the Merchant, unless required by applicable law.
Retention and Erasure
5.1. The Provider shall retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations.
5.2. Upon termination of the Services or upon the Merchant's request, the Provider shall, at the Merchant's choice, return or securely delete all Personal Data in its possession or control, unless required to retain the data by applicable law.
6.1. The Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
7.1. In the event of a Personal Data breach, the Provider shall promptly notify the Merchant and provide all relevant information to enable the Merchant to comply with applicable data protection laws.
Audits and Inspections
8.1. The Provider shall make available to the Merchant, upon request, all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits and inspections conducted by the Merchant or its designated auditor.
8.2. The Provider shall immediately inform the Merchant if, in its opinion, an instruction from the Merchant infringes applicable data protection laws.
9.1. The Provider shall not engage any sub-processor for processing Personal Data without the prior written consent of the Merchant. The Provider shall inform the Merchant of any intended changes concerning the addition or replacement of sub-processors, giving the Merchant the opportunity to object to such changes.
9.2. Where the Provider engages a sub-processor, the Provider shall ensure that the sub-processor is subject to the same data protection obligations as those set out in this Agreement, including implementing appropriate technical and organizational measures to protect the Personal Data.
10.1. The Provider shall provide reasonable assistance to the Merchant in complying with its obligations under applicable data protection laws, including responding to requests from Data Subjects and data protection authorities.
11.1. The Provider shall indemnify and hold harmless the Merchant from and against any and all claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with any breach by the Provider of its obligations under this Agreement.
Governing Law and Jurisdiction
12.1. This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which the Merchant is located, without regard to its conflict of laws provisions.
12.2. Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the jurisdiction in which the Merchant is located.
13.1. This Agreement may be amended or modified only by a written agreement signed by both Parties.
13.2. If any provision of this Agreement is found to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.
13.3. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written, of the Parties relating to the subject matter hereof.