Veeqo Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements and forms part of the Veeqo Customer Terms and Conditions available at www.veeqo.com/us/terms-and-conditions, as updated from time to time between Customer and Veeqo, or other agreement between Customer and Veeqo governing Customer’s use of the Service Offerings (the “Agreement”) when the GDPR applies to your use of the Veeqo Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Veeqo as the Service Provider.
All capitalised terms not defined in this DPA shall have the meanings set forth in the Terms.
Definitions - For the purposes of this DPA:
“Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated.
“EEA” means the European Economic Area.
“Terms” means the terms and conditions which apply to you as a customer of the Service and the current version of which is contained on the Veeqo website, or other written or electronic agreement between Veeqo and Customer setting out the provision and use of the Service.
The terms “Controller”, “Processor”, “Personal Data”, “processing”, “special categories of data” and “Data Subject” have the meanings given to them in the GDPR.
Applicability of DPA
Applicability. This DPA applies to any processing of Personal Data which Veeqo carries out on behalf of Customer in the course of providing the Service under the Terms.
Roles and Responsibilities
Roles of the Parties. As between Veeqo and Customer, Customer is the Controller of the Personal Data described in Annex A (the “Client Data”) and Veeqo shall process the Client Data as a Processor acting on behalf of Customer.
Customer shall comply at all times with the Data Protection Legislation and all other applicable laws relating to privacy and data protection in respect of its use of the Service, its use of the Client Data, and any processing instructions it issues to Veeqo;
Customer warrants and represents that it has obtained and/or has in place, all necessary consents, approvals and/or valid legal basis to lawfully transfer, or provide access to, the Client Data to Veeqo for the purposes of this DPA and the provision of the Service by Veeqo; and
Customer acknowledges that Veeqo is reliant on Customer for directions as to the extent to which Veeqo is entitled to use and process the Client Data.
Veeqo's processing of Personal Data. Veeqo may process Client Data for any or all of the purposes set out in Annex A; and shall only process Client Data in accordance with the lawful, documented instructions by Customer (including the instructions of any users accessing Veeqo with permission given by Customer) as set out in the Terms, this DPA or otherwise agreed in writing. In the event that a legal requirement prevents Veeqo from complying with such instructions or requires Veeqo to disclose the Client Data to a third party Veeqo shall, unless such legal requirement prohibits it from doing so, inform Customer of the relevant legal requirement before carrying out the relevant processing activities.
Aggregated and anonymized Client Data. Customer acknowledges and agrees that Veeqo may use, share or otherwise process the Client Data (in aggregated or otherwise anonymized form only) for its own business purposes.
Security. Veeqo shall take reasonable steps to implement appropriate technical and organisational measures to protect the Client Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (a “Security Incident”).
Confidentiality obligations. Veeqo shall ensure that any personnel that it authorises to process the Client Data shall be subject to a duty of confidentiality.
Security Incidents. Veeqo shall notify Customer of a Security Incident within a reasonable timeframe and without undue delay. Veeqo shall make reasonable efforts to identify the cause of the Security Incident and to take such steps as Veeqo deems necessary and reasonable to mitigate the effects of such Security Incident, to the extent such efforts are within Veeqo’s reasonable control. Where this relates to data for which Veeqo is a processor, Veeqo shall, taking into account the nature of processing and the information available to the processor, make reasonable efforts to assist the controller in ensuring compliance with the obligations under the Data Protection Legislation.
Sub-processors. Customer agrees that Veeqo may engage Veeqo affiliates and third party sub-processors (collectively, “Sub-processors”) to process Client Data on Veeqo's behalf provided that:
Veeqo shall maintain an up to date list of Sub-processors at:
which it shall update with details of any change in Sub-processors no later than 30 days after any such change;
Veeqo imposes on such Sub-processors, by way of contract, data protection terms equivalent to those set out in this DPA; and
Veeqo remains liable for any breach of the DPA caused by a Sub-processor.
Objection to Sub-processors. For up to thirty (30) days from when Veeqo updates its list of Sub-processors (the “Objection Period”), Customer may object to Veeqo's appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached during the Objection Period, then Veeqo, at its discretion, will either not appoint or replace the Sub-processor or, will permit Customer to suspend or terminate the affected Service (without prejudice to any fees incurred by Customer prior to suspension or termination, subject to this action being requested within the objection period).
International transfers. To the extent that Veeqo transfers any Client Data originating from the UK to a country that has not been designated by the UK government as providing an adequate level of data protection, it shall put in place the appropriate standard contractual clauses which have been approved by the UK government and set out in the Annex to that decision, or such other measures as are necessary to ensure such transfer is in compliance with the Data Protection Legislation. Customer authorises transfers of Client Data to such destinations outside of the UK subject to such appropriate safeguards having been put in place.
Assistance. Veeqo shall, taking into account the nature of the processing, provide reasonable assistance to Customer to meet its obligations in responding to requests from data subjects exercising their rights, conducting data protection impact assessments and consulting with competent supervisory authorities).
Provision of information and reports. Veeqo shall make information about its security architecture and processes applicable to the Service on Veeqo's Security webpage (accessible via https://www.veeqo.com/security), or as otherwise made reasonably available by Veeqo. Veeqo shall make available to Customer at Customer’s expense information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by a supervisory authority or an auditor authorised by Customer provided always such inspections and/or audits shall be carried out on reasonable notice, at reasonable intervals and during normal business hours of Veeqo and upon production of appropriate identity evidencing authority. Customer undertakes to ensure avoidance or disruption (or at least minimise disruption, where avoidance is not possible) to the day to day operations of Veeqo’s business and/or damage or injury to Veeqo’s equipment, premises and personnel. Any materials produced during such audits or inspections will be Veeqo’s confidential information and may not be disclosed without Veeqo’s prior written consent, except as required by applicable law.
Return/Deletion of Data
Upon termination or expiry of the Terms, Veeqo shall delete or return to Customer the Client Data (including copies) in Veeqo's possession in accordance with the procedures and timeframes specified in the Terms.
The parties confirm that this DPA forms part of and is attached to the Terms. Except as modified by this DPA, the Terms shall remain in full force and effect.
Any claims brought under this DPA shall be subject to the Terms, including but not limited to the exclusions and limitations of liability set forth in the Terms.
With regard to the processing of Client Data, in the event of any conflict or inconsistency between the terms of this DPA and the Terms, the terms of this DPA shall prevail.
Veeqo may amend or replace or vary the terms of this DPA and/or its Annexes (if necessary) to reflect any changes in the Client Data being processed and/or to reflect any changes in the Data Protection Legislation or a new requirement under such law.
This DPA may be signed in two or more original counterparts in English (subject to any mandatory legal requirement which requires otherwise), which shall together constitute the same instrument.
This DPA shall be interpreted, construed and enforced in accordance with English law and shall be subject to the exclusive jurisdiction of the English Courts.
In the event any provision of this DPA is determined to be illegal, unenforceable or void such provision shall be severed and all other provisions of this DPA shall continue in full force and effect. The parties hereby undertake to cooperate to replace the illegal, unenforceable or void provision as soon as possible with a new provision that accomplishes a permissible result and achieves an economic effect as similar as possible to the result attempted to be accomplished by the illegal, unenforceable or void provision.
Data Processing Description
This Annex A forms part of the Agreement and describes the processing that the processor will perform on behalf of the controller.
The controller is the entity entering into an agreement with Veeqo for the provision of Veeqo's order processing and retail management services, referred to as “Customer” in the DPA.
The processor is Veeqo Limited, a company established in United Kingdom, which provides order management and retail management software and related services (“Services”) to Customers.
The personal data to be processed concern the following categories of data subjects:
Consumers/end users of Customer: past, present and potential consumers and end users of Customer whose Personal Data is submitted to the Services.
Categories of data
The personal data to be processed concern the following categories of data:
Contact data: such as names, email addresses, shipping/billing addresses, phone numbers, contact details.
Sales data: such as details of the transactions undertaken through the Services, products/services purchased, date/time, payment amount/method, cancellations, returns, exchanges, communications with controller etc.
Financial or payment information.
Marketing preferences and communications.
Any other data that consumers/end users have provided to Customer which are processed through the Services, the extent of which is determined and controlled by Customer or consumer/end-user in their sole discretion.
Special categories of data
The personal data to be processed concern the following special categories of data:
Veeqo does not intentionally collect or process any special categories of data in the provision of its Services. Under the Terms, Customer agrees not to provide (or permit any user to provide) any special categories of data to Veeqo for processing unless agreed to in writing first.
The personal data will be subject to the following basic processing activities:
The provision, operation and delivery of the Services.
Product and service development and improvement.
Assessing and managing Veeqo’s performance of the Services.
Helping Customers use the Services more effectively.
Any other purposes pursuant to Customer's Terms with Veeqo.