Updated November 13, 2020
1. CCPA PERSONAL INFORMATION PROCESSING
The California Consumer Privacy Act (“CCPA”) grants California residents certain rights regarding the collection of their personal information and imposes various data protection duties on certain entities conducting business in California. Accordingly, this Section 1 shall primarily apply to all Authorized Users that fall within the scope of the CCPA. In all other circumstances, this Section 1 shall apply solely to the extent that Clean.io and a Client have expressly agreed in writing (in the cleanCART Terms of Service, in an Order or otherwise) that Clean.io will collect, receive or otherwise process “Personal Information” of California consumers, or Clean.io is aware that it has any such “Personal Information” in its possession despite its intention not to collect or receive such information.
2. GDPR PERSONAL DATA PROCESSING
This Section 2 shall primarily apply to all Authorized Users covered by the EU Data Protection Laws. In all other circumstances, this Section 2 shall apply solely to the extent that Clean.io and a Client have expressly agreed in writing (in the cleanCART Terms of Service, in an Order or otherwise) that Clean.io will collect, receive or otherwise process “Personal Data” originating from the European Economic Area, the United Kingdom and Switzerland, or Clean.io is aware that it has any such “Personal Data” in its possession despite its intention not to collect or receive such information.
3. REQUIRED CONSENTS
4. ACCESS REQUESTS
If Clean.io receives a request submitted by a Consumer or Data Subject to exercise a right it has under the CCPA or the EU Data Protection Laws in relation to that Consumer’s Personal Information or that Data Subject’s GDPR Personal Data, respectively, it will provide a copy of the request to the Client. The Client will be responsible for handling and communicating with Consumers and Data Subjects in relation to such requests and, to the extent permitted by applicable law, Clean.io shall not respond to the Data Subject or Consumer.
5. GOVERNMENT REQUESTS
Clean.io shall notify Client of any request for the disclosure of GDPR Personal Data or Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6. INTERNATIONAL TRANSFERS
Clean.io is located in the USA. Therefore, any GDPR Personal Data we collect will be collected and stored in the USA. For Users, Visitors and Authorized Users that are in the EU, EEA, Switzerland or UK, this means that their GDPR Personal Data will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of their GDPR Personal Data than the jurisdiction the User, Visitor or Authorized User is typically resident in; provided, however, that Clean.io adheres to the Standard Contractual Clauses. For this purpose, “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data from controllers in the EU to data processors established outside the EU or EEA issued by the European Commission under decision 2010/87/EU attached hereto as EXHIBIT 2, consistent with the terms of this cleanCART DPA.
Clean.io may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the cleanCART Services (“Subprocessors”). See our Subprocessor List for more information regarding the specific Subprocessors we use. For the avoidance of doubt, Client hereby approves all applicable Subprocessors identified on our Subprocessor List to the extent applicable to the cleanCART Services received by Client. Clean.io may update our Subprocessor List from time to time and we recommend that each Client periodically review the Subprocessor List. By continuing to use our cleanCART Services after any changes or modifications are made to the Subprocessor List, Client is deemed to have automatically accepted the updated Subprocessor List. If a Client (acting reasonably) does not approve of any Subprocessor on the list, they should contact us at firstname.lastname@example.org so we can discuss the basis for the Client’s disapproval and possible alternative Subprocessors.
With respect to all Subprocessors having access to GDPR Personal Data: Client acknowledges that in order for Clean.io to provide the cleanCART Services it may be necessary for certain Subprocessors to access or otherwise process the GDPR Personal Data outside the EEA, Switzerland or United Kingdom. In those circumstances, Client will only use Subprocessors that have and maintain certification to the EU-U.S. Privacy Shield (or any comparable successor thereto that is deemed valid by applicable law) or that comply with the Standard Contractual Clauses.
8. DATA SECURITY MEASURES
Clean.io follows industry standards on information security management to safeguard sensitive information (such as Personal Information as defined by CCPA and Personal Data as defined by EU Data Protection Laws), including the measures set out in EXHIBIT 3. Our information security systems apply to people, processes and information technology systems on a risk management basis. Without limiting the foregoing, Clean.io shall treat the GDPR Personal Data and all CCPA Personal Information as the confidential information of the Client, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of such data and information. Upon request by the Client, but no more frequently than once per calendar year (or more frequently if circumstances reasonably require) and only upon ten business days prior written notice, Clean.io shall make available all information reasonably necessary to demonstrate compliance with this cleanCART DPA.
If Clean.io becomes aware of a security incident involving a Client’s sensitive information, Clean.io will (a) notify the Client of the security incident within 72 hours, (b) investigate the security incident and provide such reasonable assistance to the Client (and any law enforcement or regulatory official) as required to investigate the security incident, and (c) take steps to remedy any non-compliance with this cleanCART DPA.
Notwithstanding the foregoing, because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Clean.io cannot guarantee that unauthorized parties will not gain access to Personal Information or Personal Data processed by the cleanCART Services. To the extent permitted by applicable law, Clean.io expressly excludes any liability arising from any unauthorized access to Personal Information as defined by CCPA and Personal Data as defined by EU Data Protection Laws.
We may in certain circumstances collect, receive or otherwise process Personal Information and/or GDPR Personal Data in connection with use of the cleanCART Services by a Client’s affiliates. In such cases, the Client will act as a single point of contact for its affiliates with respect to CCPA and GDPR compliance, such that if Clean.io gives notice to the Client, such information or notice will be deemed received by the Client’s affiliates. Client shall be responsible for such affiliates’ compliance with this cleanCART DPA and all acts and/or omissions by a Client affiliate with respect to Client’s obligations in this cleanCART DPA shall be considered the acts and/or omissions of Client. The Parties acknowledge and agree that any claims in connection with this cleanCART DPA (or GDPR or CCPA) will be brought by the Client, whether acting for itself or on behalf of an affiliate.
10. CLIENT AGREEMENTS
11. ENFORCEABILITY OF THIS ADDENDUM
Any provision of this cleanCART DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof. In such event, the Parties agree that a valid and enforceable provision that is a reasonable substitute shall be incorporated into this cleanCART DPA.
12. LIMITATION OF LIABILITY
Clean.io’s aggregate liability to its Clients arising from or related to this cleanCART DPA is subject to the applicable terms and conditions of the cleanCART Terms of Service and any Orders entered into by the Parties.
Client agrees to indemnify the Processor and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each an “Indemnified Party”, and collectively the “Indemnified Parties”) against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties (collectively, “Losses”) arising out of any third party claim brought against the Processor relating to or arising out of any instructions given by the Client to the Processor with respect to processing of Personal Information and/or GDPR Personal Data, any failure to obtain the consents or provide the notices required under Section 3, or any other breach by the Client of any EU Data Protection Laws, the CCPA, or any other applicable privacy law.