Data Processing Addendum

UPDATED: January 2024

THIS DATA PROCESSING ADDENDUM (this “DPA”) supplements and is a part of the Master Collaboration Agreement or other written or electronic agreement (in either case, the “Agreement”) for the purchase of services (identified in the Agreement as either “Services” or otherwise, and hereinafter defined as “Services”) entered into between Tagit, Inc. (“Tagit”, “we”, “us” and “our”), and the entity that has offered our services pursuant to the Agreement (“Merchant-Customer”, “you” and “your”). This English language version controls regardless of any translation.

· Defined Terms. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not defined herein have the meaning given to them in the Agreement.

  1. “Controller” or “Business” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
  2. “Consumer-Customer” means a customer of a Merchant that uses Tagit’s Services.
  3. “Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”).
  4. “Data Subject” means any natural person whose Personal Data is Processed in the context of this Addendum.
  5. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Section 4 below and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
  6. “Europe” means the member states of the European Union (“EU”), Switzerland, the United Kingdom (“UK”), the European Economic Area (“EEA”), the European Free Trade Agreement, and Monaco.
  7. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws.
  8. “Processor” or “Service Provider” means the entity which Processes Personal Data on behalf of a Controller.
  9. “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  10. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Tagit.
  11. “Services” means the services provided to Merchant-Customer under the Agreement.
  12. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).

· Relationship of the Parties
o Merchant-Customer Personal Data. Pursuant to the Agreement, Tagit may collect certain data related to a Merchant’s end users (such as Merchant’s personnel) such as their name, email address and credentials to access the Services (“Merchant-Customer Personal Data”). Tagit acts as a Controller or Business (as applicable under Data Protection Laws) of such Merchant-Customer Personal Data.

o Consumer-Customer Personal Data. Merchant-Customers offer Tagit’s add-on services (“Features”) to Consumer-Customers for the Merchant-Customer’s legitimate business purposes. Merchant-Customers determine what Personal Data to collect from Consumer-Customers in the course of offering the Features and are independent Controllers/Businesses of such Personal Data. Our role with respect to Consumer-Customer Personal Data differs depending on the ways in which you, and we, interact with Consumer-Customers. Tagit acts as:

· Tagit’s Obligations when Acting as a Processor or Service Provider.
1. Obligations. Solely to the extent Tagit is acting as a Processor/Service Provider to Merchant-Customer with respect to Consumer-Customer Personal Data, Tagit will:

2. Security Breach. Tagit will notify Merchant-Customer without undue delay of any known Security Breach of Consumer-Customer Personal Data that Tagit Processes as a Processor/Service Provider on behalf of Merchant-Customer and will assist Merchant-Customer in Merchant-Customer’s compliance with its Security Breach-related obligations, including without limitation, by:

3. Subprocessors. Solely to the extent Tagit is acting as a Processor/Service Provider to Merchant-Customer with respect to Consumer-Customer Personal Data:

4. Audits. Tagit shall permit Merchant-Customer or its appointed third party auditors (the “Auditors”) to audit Tagit’s compliance with this Addendum, at Merchant-Customer’s sole expense, and shall make available to the Auditors all information systems and staff reasonably necessary for the Auditors to conduct such audit. Tagit acknowledges that the Auditors may enter its premises for the purposes of conducting its audit, provided that Merchant-Customer gives at least 30 days’ prior notice of its intention to audit, conducts its audit during normal business hours and takes all reasonable measures to prevent unnecessary disruption to Tagit’s operations. Merchant-Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (1) required by instruction of a relevant regulator; or (2) following a Security Breach.

5. Return or Destruction of Personal Data. When the Agreement terminates or when Tagit ceases to Process Consumer-Customer Personal Data as a Processor/Service Provider on behalf of Merchant-Customer, upon Merchant-Customer’s request, Tagit shall either delete or return all Consumer-Customer Personal Data that Tagit Processes as a Processor/Service Provider, unless Tagit is required or authorized by applicable Data Protection Law to store such Consumer-Customer Personal Data for a longer period.

6. Liability. Notwithstanding anything to the contrary in the Agreement or this Addendum, Tagit will not be liable for any claim made by a Data Subject arising from or related to Tagit’s acts or omissions with respect to the Processing of Consumer-Customer Personal Data, to the extent that Tagit was acting in accordance with Merchant-Customer’s instructions.

· The Parties’ Obligations as Independent Controllers or Businesses. Where the Parties serve as Independent or Joint Controllers or Businesses under the Agreement, the Parties agree as follows:

· Liability. Subject to the liability clauses in the Agreement and to the maximum extent permitted by applicable Data Protection Law, each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of applicable Data Protection Law regarding the Processing of Consumer-Customer Personal Data for which it is a Controller or Business. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. Merchant-Customer will indemnify Tagit for any damages or claims arising from a violation of Merchant-Customer’s obligations to comply with applicable Data Protection Laws. Tagit will indemnify Merchant-Customer for any damages or claims arising from a violation of Tagit’s obligations to comply with applicable Data Protection Laws.

· Merchant-Customer’s Obligations as a Data Controller. In addition to the obligations in Section 4, where Merchant-Customer serves as a Controller, Merchant-Customer hereby agrees to:

· Data Security. Tagit will implement appropriate administrative, technical, physical, and organizational measures to protect Merchant-Customer Personal Data, as set forth in Appendix 1.

· Data Transfers.

Appendix 1

Annex I
1. LIST OF PARTIES

o Data exporter(s):  

o Data importer(s): 

2. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Categories of personal data transferred

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Nature of the processing

Purpose(s) of the data transfer and further processing

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

3. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13