cleanCART Data Processing Addendum

Updated November 13, 2020

This cleanCART Data Processing Addendum (“cleanCART DPA”) supplements and applies to clean.io’s cleanCART Privacy Policy (the “cleanCART Privacy Policy”), and also to the cleanCART Terms of Service applicable to our cleanCART Services. This cleanCART DPA applies to all “Personal Information” and “Personal Data” that Clean.io collects regarding the Authorized Users of its Clients. In all other circumstances, this cleanCART DPA applies solely to the extent that (i) Clean.io and the applicable Client have expressly agreed in writing (in the cleanCART Terms of Service, in an Order or otherwise) that Clean.io will collect, receive or otherwise process “Personal Data” originating from the European Economic Area, the United Kingdom and Switzerland; (ii) Clean.io and the applicable Client have expressly agreed in writing (in an Order or otherwise) that Clean.io will collect, receive or otherwise process “Personal Information” of California consumers; or (iii) we are aware that we have any such “Personal Data” or “Personal Information” in our possession despite our intention not to collect or receive such data or information.

Capitalized terms used in this cleanCART DPA and not otherwise defined shall have the respective meanings provided in the cleanCART Privacy Policy and/or the cleanCART Terms of Service. In the event of any conflict between the terms of this cleanCART DPA and the terms of the cleanCART Terms of Service and/or the cleanCART Privacy Policy, the terms of this cleanCART DPA shall control.

1. CCPA PERSONAL INFORMATION PROCESSING

The California Consumer Privacy Act (“CCPA”) grants California residents certain rights regarding the collection of their personal information and imposes various data protection duties on certain entities conducting business in California. Accordingly, this Section 1 shall primarily apply to all Authorized Users that fall within the scope of the CCPA. In all other circumstances, this Section 1 shall apply solely to the extent that Clean.io and a Client have expressly agreed in writing (in the cleanCART Terms of Service, in an Order or otherwise) that Clean.io will collect, receive or otherwise process “Personal Information” of California consumers, or Clean.io is aware that it has any such “Personal Information” in its possession despite its intention not to collect or receive such information.

  1. ROLES OF THE PARTIES. Our Clients are considered “Businesses” under the terms of the CCPA. Under the CCPA, Businesses are primarily responsible for determining the processes and means by which their Personal Information is processed, and for ensuring their processing of Personal Information is compliant with all relevant data protection laws, including the CCPA.

    When we are providing our cleanCART Services, Clean.io acts as a “Service Provider” under the terms of the CCPA. In this capacity, Clean.io may collect, retain, access, maintain, use, disclose, process and transfer the Personal Information of its Clients and their Consumers solely for the purpose of performing the cleanCART Services, and for no other commercial purpose.

    Users and Authorized Users who are California residents are considered “Consumers” under the terms of the CCPA. The CCPA applies to Personal Information of Consumers. The phrase “Personal Information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Personal Information of a Consumer includes things such as: identifiers (such as contact information, government IDs, cookies, etc.), information protected against security breaches (such as a Consumer’s name and financial account, driver’s license, social security number, user name and password, health/medical information), protected classification information (like race, gender, ethnicity, etc.), commercial information, Internet/electronic activity, geolocation, audio/video data, professional or employment related information, education information, biometrics, and inferences from the foregoing.
  2. DATA PROCESSING, TRANSFERS AND SALES. By accessing and using our cleanCART Services, each Client agrees to the terms of the cleanCART Terms of Service, the terms of the cleanCART Privacy Policy and the terms of this cleanCART DPA. Each Client hereby instructs Clean.io to retain, use, disclose and otherwise process the Personal Information of its Users, Visitors and Authorized Users for the following purposes, and each Client shall provide the Personal Information to Clean.io only for the following purposes:
     
    1. to provide the cleanCART Services to the Client in accordance with the cleanCART Terms of Service;
    2. as otherwise set out in the cleanCART Terms of Service, the cleanCART Privacy Policy and this cleanCART DPA, in all such cases only as and to the extent permitted by; and
    3. as otherwise instructed in writing by the Client to Clean.io, which Clean.io acknowledges to be instructions for the purposes of this cleanCART DPA.

    Clean.io shall not retain, use, disclose or otherwise process Personal Information of Consumers for any purpose other than for the specific purposes identified above or as otherwise permitted or required by the CCPA or other applicable law or otherwise pre-approved by Client in writing. Clean.io does not “sell” (as defined under the CCPA) Personal Information of Consumers, which means that Clean.io does not and shall not rent, disclose, transfer, make available or otherwise communicate that data or information to any third party for monetary or other valuable consideration.

    
    Clean.io may collect, use, retain, access, share, transfer, sell, or disclose information that has been deidentified or aggregated consistent with the terms and conditions of the CCPA. Among other things, this means that Clean.io may share aggregated and/or anonymized information regarding the use or results of the cleanCART Services with third parties to assist with developing and improving the cleanCART Services.

    Clean.io hereby certifies that it understands its restrictions and obligations set forth in this cleanCART DPA and will comply with them.

    Please note that each Client is responsible for obtaining all necessary consents, and giving all necessary notices, to its Consumers related to Clean.io’s processing of Personal Information in connection with the cleanCART Services.
  3. DATA RETENTION AND DELETION. If a Client wishes to delete any Consumer Personal Information processed by the cleanCART Service, the Client should send a deletion request to privacy@clean.io. Clean.io will strive to respond to all such requests as soon as reasonably practical.

    If a Client ceases to subscribe to and use the cleanCART Services, or Clean.io permanently discontinues a Client’s access to the cleanCART Services, all of that Client’s Consumer Personal Information will be promptly deleted or anonymized/aggregated (unless Clean.io is required by applicable law to retain the Personal Information).

2. GDPR PERSONAL DATA PROCESSING

This Section 2 shall primarily apply to all Authorized Users covered by the EU Data Protection Laws. In all other circumstances, this Section 2 shall apply solely to the extent that Clean.io and a Client have expressly agreed in writing (in the cleanCART Terms of Service, in an Order or otherwise) that Clean.io will collect, receive or otherwise process “Personal Data” originating from the European Economic Area, the United Kingdom and Switzerland, or Clean.io is aware that it has any such “Personal Data” in its possession despite its intention not to collect or receive such information.

  1. ROLES OF THE PARTIES. For the purposes of the EU Data Protection Laws, the Parties acknowledge and agree that Clean.io acts as a “Processor” and the Client acts as a “Controller.” Clean.io shall be referred to as “Processor” throughout this Section 2. The Parties acknowledge and agree that any claims in connection with EU Data Protection Laws under this cleanCART DPA will be brought by the Client, whether acting for itself or on behalf of an affiliate.
  2. DEFINITIONS. The capitalized terms used in this cleanCART DPA and not otherwise defined in the cleanCART Terms of Service or the cleanCART Privacy Policy shall have the following meanings:
    1. “GDPR Personal Data” means the “personal data” (as defined in the GDPR) described in EXHIBIT 1 and any other personal data that Processor Processes on behalf of Client or Client’s affiliate in connection with Processor’s provision of the cleanCART Services;
    2. “EU Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR Personal Data;
    3. “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
    4. the terms “personal data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in the GDPR.
  3. DATA PROCESSING. Processor will only Process Client Personal Data in accordance with (a) the cleanCART Terms of Service, to the extent necessary to provide the cleanCART Service to the Client, and (b) the Client’s written instructions, unless a different manner of Processing is required pursuant to any other applicable law to which Processor is subject, in which case Processor shall, to the extent permitted by applicable law, inform the Client of that legal requirement before Processing that GDPR Personal Data. The cleanCART Terms of Service, the cleanCART Privacy Policy and this cleanCART DPA shall be the Client’s complete and final instructions to Processor in relation to the processing of GDPR Personal Data. Processing outside the scope of this cleanCART DPA, the cleanCART Privacy Policy and the cleanCART Terms of Service will require prior written agreement (in the form of an Order or otherwise) between Client and Processor on additional instructions for Processing.
  4. ASSISTANCE. Where applicable, taking into account the nature of the Processing, and to the extent required under applicable EU Data Protection Laws, the Processor shall provide the Client with any information or assistance reasonably requested by the Client for the purpose of complying with any of the Client’s obligations under applicable EU Data Protection Laws, including: (i) using reasonable efforts to assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR; and (ii) providing reasonable assistance to the Client with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Client, in each case solely in relation to Processing of GDPR Personal Data and taking into account the information available to Processor.
  5. DURATION AND TERMINATION.
    1. Subject to subsections (ii) and (iii) below, Processor shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of cleanCART Services to the Client: (1) return a complete copy of all GDPR Personal Data by secure file transfer in such a format as notified by Client to Provider; and (2) delete and use reasonable efforts to procure the deletion of all other copies of GDPR Personal Data Processed by Processor or any Subprocessors.
    2. Subject to subsection (iii) below, Client may in its absolute discretion notify Processor in writing within thirty (30) days of the date of termination of the cleanCART Services to require Processor to delete and procure the deletion of all copies of GDPR Personal Data Processed by Processor. In such case, Processor shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of the cleanCART Services: (1) comply with any such written request; and (2) use reasonable efforts to procure that its Subprocessors delete all GDPR Personal Data Processed by such Subprocessors.
    3. Notwithstanding the foregoing, Client acknowledges that it may be impossible to completely delete certain residual Personal Data. Additionally, Processor and its Subprocessors may retain GDPR Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Provider shall ensure the confidentiality of all such GDPR Personal Data and shall ensure that such GDPR Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

3. REQUIRED CONSENTS

Please note that each Client is responsible for obtaining all necessary consents, and giving all necessary privacy notices, to its Consumers and Data Subjects related to Clean.io’s processing of Personal Information and/or GDPR Personal Data in connection with the cleanCART Services, including any consents or notices required by this cleanCART DPA, the cleanCART Privacy Policy or the cleanCART Terms of Service (or any Orders entered into thereunder). With this in mind, Client hereby warrants and represents that: (a) it has provided all applicable notices to its Data Subjects and Consumers required for the lawful processing of their GDPR Personal Data and Personal Information, as applicable, by Clean.io in accordance with the cleanCART Terms of Service (and/or any Orders entered into thereunder), the cleanCART Privacy Policy and this cleanCART DPA; and (b) in respect of any GDPR Personal Data or Personal Information collected by Clean.io on behalf of the Client, it has reviewed and confirmed the notices provided by Clean.io to Data Subjects and Consumers as accurate and sufficient for the lawful processing of that GDPR Personal Data or Personal Information by Clean.io in accordance with the cleanCART Terms of Service (or any Orders entered into thereunder), the cleanCART Privacy Policy and this cleanCART DPA.

4. ACCESS REQUESTS

If Clean.io receives a request submitted by a Consumer or Data Subject to exercise a right it has under the CCPA or EU Data Protection Laws in relation to that Consumer’s Personal Information or that Data Subject’s GDPR Personal Data, respectively, it will provide a copy of the request to the Client. The Client will be responsible for handling and communicating with Consumers and Data Subjects in relation to such requests and, to the extent permitted by applicable law, Clean.io shall not respond to the Data Subject or Consumer.

5. GOVERNMENT REQUESTS

Clean.io shall notify Client of any request for the disclosure of GDPR Personal Data or Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

6. INTERNATIONAL TRANSFERS

Clean.io is located in the USA. Therefore, any GDPR Personal Data we collect will be collected and stored in the USA. For Users, Visitors and Authorized Users that are in the EU, EEA, Switzerland or UK, this means that their GDPR Personal Data will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of their GDPR Personal Data than the jurisdiction the User, Visitor or Authorized User is typically resident in; provided, however, that Clean.io adheres to the Standard Contractual Clauses. For this purpose, “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data from controllers in the EU to data processors established outside the EU or EEA issued by the European Commission under decision 2010/87/EU attached hereto as EXHIBIT 2, consistent with the terms of this cleanCART DPA.

7. SUBPROCESSORS

Clean.io may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the cleanCART Services (“Subprocessors”). See our Subprocessor List for more information regarding the specific Subprocessors we use. For the avoidance of doubt, Client hereby approves all applicable Subprocessors identified on our Subprocessor List to the extent applicable to the cleanCART Services received by Client. Clean.io may update our Subprocessor List from time to time and we recommend that each Client periodically review the Subprocessor List. By continuing to use our cleanCART Services after any changes or modifications are made to the Subprocessor List, Client is deemed to have automatically accepted the updated Subprocessor List. If a Client (acting reasonably) does not approve of any Subprocessor on the list, they should contact us at privacy@clean.io so we can discuss the basis for the Client’s disapproval and possible alternative Subprocessors.

Our Subprocessors may have access to Personal Information and/or GDPR Personal Data of Users, Visitors and/or Authorized Users to the extent that Clean.io actually receives or collects any such information. Please know that Clean.io carefully selects its Subprocessors based on their security practices and availability levels and we perform due diligence on the technical and organizational security measures of all Subprocessors. We have entered into agreements with each Subprocessor which impose in all material respects the same obligations on the Subprocessor with regard to their processing of Personal Information and GDPR Personal Data as are imposed on Clean.io under this cleanCART DPA, the cleanCART Privacy Policy and the cleanCART Terms of Service and which, as applicable, otherwise comply with the requirements of the CCPA and EU Data Protection Laws. Clean.io is responsible for the acts and omissions of Subprocessors in relation to Clean.io’s obligations under this cleanCART DPA, the cleanCART Privacy Policy and the cleanCART Terms of Service.

With respect to all Subprocessors having access to GDPR Personal Data: Client acknowledges that in order for Clean.io to provide the cleanCART Services it may be necessary for certain Subprocessors to access or otherwise process the GDPR Personal Data outside the EEA, Switzerland or United Kingdom. In those circumstances, Client will only use Subprocessors that have and maintain certification to the EU-U.S. Privacy Shield (or any comparable successor thereto that is deemed valid by applicable law) or that comply with the Standard Contractual Clauses.

8. DATA SECURITY MEASURES

Clean.io follows industry standards on information security management to safeguard sensitive information (such as Personal Information as defined by CCPA and Personal Data as defined by EU Data Protection Laws), including the measures set out in EXHIBIT 3. Our information security systems apply to people, processes and information technology systems on a risk management basis. Without limiting the foregoing, Clean.io shall treat the GDPR Personal Data and all CCPA Personal Information as the confidential information of the Client, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of such data and information. Upon request by the Client, but no more frequently than once per calendar year (or more frequently if circumstances reasonably require) and only upon ten business days prior written notice, Clean.io shall make available all information reasonably necessary to demonstrate compliance with this cleanCART DPA.

If Clean.io becomes aware of a security incident involving a Client’s sensitive information, Clean.io will (a) notify the Client of the security incident within 72 hours, (b) investigate the security incident and provide such reasonable assistance to the Client (and any law enforcement or regulatory official) as required to investigate the security incident, and (c) take steps to remedy any non-compliance with this cleanCART DPA.

Notwithstanding the foregoing, because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Clean.io cannot guarantee that unauthorized parties will not gain access to Personal Information or Personal Data processed by the cleanCART Services. To the extent permitted by applicable law, Clean.io expressly excludes any liability arising from any unauthorized access to Personal Information as defined by CCPA and Personal Data as defined by EU Data Protection Laws.

9. AFFILIATES

We may in certain circumstances collect, receive or otherwise process Personal Information and/or GDPR Personal Data in connection with use of the cleanCART Services by a Client’s affiliates. In such cases, the Client will act as a single point of contact for its affiliates with respect to CCPA and GDPR compliance, such that if Clean.io gives notice to the Client, such information or notice will be deemed received by the Client’s affiliates. Client shall be responsible for such affiliates’ compliance with this cleanCART DPA and all acts and/or omissions by a Client affiliate with respect to Client’s obligations in this cleanCART DPA shall be considered the acts and/or omissions of Client. The Parties acknowledge and agree that any claims in connection with this cleanCART DPA (or GDPR or CCPA) will be brought by the Client, whether acting for itself or on behalf of an affiliate.

10. CLIENT AGREEMENTS

Client agrees that it: (i) will comply with its obligations under all applicable data protection laws and related laws with respect to Personal Information and/or GDPR Personal Data collected, provided or otherwise made available to Clean.io by Client; (ii) will make appropriate use of the cleanCART Services to ensure a level of security appropriate to the particular content of the Client personal information, such as pseudonymizing or backing-up Client personal information; and (iii) has obtained all consents, permissions and rights necessary under applicable data protection laws and related laws for Clean.io to lawfully process such Personal Information and/or GDPR Personal Data for the purposes described herein, in the cleanCART Privacy Policy, in the cleanCART Terms of Service or any other written agreement between the Parties, including, without limitation, Client’s sharing and/or receiving of Client personal information with or from third-parties via the cleanCART Services.

11. ENFORCEABILITY OF THIS ADDENDUM

Any provision of this cleanCART DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof. In such event, the Parties agree that a valid and enforceable provision that is a reasonable substitute shall be incorporated into this cleanCART DPA.

12. LIMITATION OF LIABILITY

Clean.io’s aggregate liability to its Clients arising from or related to this cleanCART DPA is subject to the applicable terms and conditions of the cleanCART Terms of Service and any Orders entered into by the Parties.

13. INDEMNITY

Client agrees to indemnify the Processor and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each an “Indemnified Party”, and collectively the “Indemnified Parties”) against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties (collectively, “Losses”) arising out of any third party claim brought against the Processor relating to or arising out of any instructions given by the Client to the Processor with respect to processing of Personal Information and/or GDPR Personal Data, any failure to obtain the consents or provide the notices required under Section 3, or any other breach by the Client of any EU Data Protection Laws, the CCPA, or any other applicable privacy law.