Relay Commerce - Subcontactors
Fomo
SalesPop
BookThatApp
SmartrMail
Flockler
Relo
Peel Insights
Relay Commerce
Controller Personal Data or other personally identifiable information | Purpose of processing / Legal grounds for processing - Services Agreement | Categories of individuals | function / Data transfer Mechanism and Additional Security Measures | |
---|---|---|---|---|
Relay Commerce Service: FOMO | ||||
Website event data: Url First name City Province Country External id Latitude Longitude Email address Ip address Custom_attributes Continent Country Event content data: Url Form field data Location data: Latitude Longitude Address Continent Country Administrative area level | Purpose of processing: Essential for offering the analytics features of the FOMO service (event information that is collected and displayed in Controller's stores and the service dashboard / archiving the data for debugging and backup purposes / location cache for geolocation services).Legal ground: Contractual (offering the service on the basis of the Fomo Terms of Service) | Website/webstore visitors which interact with the websites/webstores of the Controller where the FOMO service had been integrated by the Controller. | Heroku (deployment),Heroku Pg (database ),AWS (backend systems),NewRelic (monitoring), Airbrake (monitoring)Customer.io (used for sending notifications), Intercom (in-app support),HelpScout (support) | |
Relay Commerce Service: SalesPop | ||||
Data relating to the individual that had submitted the data through the pop-up to the Controller: First Name Last Name Phone Billing Address Shipping Address Order History Products information Users' sessions actions Conversions | Purpose of processing: Essential for offering the SalesPop service (collecting/showing and backing up the data so the data can be publicly displayed and reviewed by the Controller) | Website/webstore visitors which interact with the SalesPop service where the service had been integrated by the Controller. | AWS (RDS), Heroku (logs), Azati (external developers), customer.io (customer journey tracking), Honeycomb (logs), HelpScout (support), Retool (service function). | |
Relay Commerce Service: SmartrMail | ||||
Data relating to the individual that had subscribed to the Controllers newsletter: Subscribers names, Subscribers emails, Subscribers purchased products, Subscribers birth day date Subscribers orders history Subscribers abandoned cart products Subscribers phone number Subscribers browser actions Subscribers custom fields (e.g. any other data on individuals that the Controller might have collected and injected into the Service) Subscriber events (deliveries, clicks, open rates) Subscribers clicked urls, country, region, city, device type, phone type | Purpose of processing: Essential for offering the SmartrMail service (collecting/showing and backing up the data so the data can be displayed to and reviewed by the Controller and processed so that the Controller can send emails to subscribers, analyse subscriber interests and behaviours for marketing purposes (i.e. conduct profiling)).Legal ground: Contractual (offering the service on the basis of the SmartrMail Terms of Use) | Website/webstore visitors which sign-up to the newsletter of the Controller through the SmartrMail service (pop-up/input fields), or; Individuals that had their data uploaded by the Controller into SmartrMail, or;Individuals that have created an account/or shared data with a third party service provider (such as Shopify, JustUno, Mailchimp, etc.,) whereby this third party service provider had shared these data with the Service. | AWS (hosting/APIs),Zapier (automations),Slack (communications / notifications). | |
Relay Commerce Service: Flockler | ||||
Data relating to the individual that had subscribed to the Controllers newsletter: IP Address Name (freeform text field) Public social media content Public social media handle Social media account data for connected accounts (including username, association to a person, access token) | Purpose of processing: Essential for offering the Flockler service (collecting/showing and backing up the data so the data can be publicly displayed and reviewed by the Controller) | Individuals that are tied to the social media content that is shared with the Controller and the visitors of the website of the Controller. | HelpScout (support),HubSpot (integrations for marketing services),Customer.IO (email marketing and segmentation),AWS (underlying hosting provider),Baremetrics (analytics),Amazon Web Services (hosting),Mailgun (Sinch) (sending emails),Sentry (monitoring). | |
Relay Commerce Service: BookThatApp | ||||
First Name Last Name Phone Orders (Bookings) History Locations (Bookings / Shops) | Purpose of processing: Essential for offering the BookThatApp service (collecting/showing and backing up the data so the data can be reviewed and stored by the Controller)Legal ground: Contractual (offering the service on the basis of the BookThatApp Terms of Service) | Individuals that are tied to the booking that had been made with the Controller through the Service. | AWS, Honeycomb (via logs), customer.io (used for sending notifications), Zendesk (offering support services), Cloud66 (hosting), Azati (external development), Baremetrics (analytics). | |
Relay Commerce Service: Relo | ||||
Name Surname, Delivery address IP address Billing address Order items Order price Order shipping costs Order date | Purpose of processing: Essential for offering the Relo service ( services collecting/showing/combining consumer data on past purchases in order to form purchase predictions for Klaviyo related email flows and backing up the data so the data can be reviewed and used by the Controller)Legal ground: Contractual (offering the service on the basis of the Relo Terms of Service) | Individuals that are tied to the e-commerce data (consumers) that is collected by the Controller through the implemented Relo service. | AWS (storage),Sentry (support monitoring), Attentive (sending messages), Recharge (for setting up subscription flows by the Controller), Klaviyo (sending emails to consumers by the Controller), Slack (notifications regarding Controller requests via Slack). | |
Relay Commerce Service: Peel Analytics | ||||
Name Session information Order/Purchase information | Purpose of processing: Essential for offering the Peel Analytics Service (collecting/showing/combining and backing up the data so the data can be shown in aggregate form and reviewed and by the Controller)Legal ground: Contractual (offering the service on the basis of the Peel Insights Terms of Service) | Individuals that are tied to the e-commerce data that is collected by the Controller on websites where the Controller had implemented the Peel Analytics service. | AWS (hosting), Snowflake (hosting and analytics), Clickhouse (analytical processing), Google Cloud (hosting and APIs), Sendgrid (notifications),Datadog (performance metrics), Newrelic (monitoring), Sentry (monitoring). | |
Relay Commerce Service: Relay Platform | ||||
Phone number | Purpose of processing: Essential for offering the essential functioning of the service and sending follow up messages to individuals. | Individuals who have visited the websites of Controllers that are using the Relay Platform service. | AWS (hosting), Mailgun (notifications)Twilio (service event monitoring),Zapier (service workflow management)WisePops (pop-up generation)MailChimp (email communication)BigCommerce (data integration)Shopify (data integration)WooCommerce (data integration)Slack (notifications)Shortcut (issue tracking)Intercom (in-app support)Google Suite (APIs). |
APPENDIX 5: UNITED STATES PROCESSING CLAUSES
This Appendix 5 of the DPA shall apply to the extent Supplier processes personal data that relates to an identified or identifiable household or individual in the United States, where such personal data is provided by or on behalf of the Data Controller to Supplier in connection with Supplier’s performance of the Services pursuant to the Agreement (“US Personal Data”).
To the extent Supplier processes US Personal Data as a Data Processor or “service provider” under applicable Data Protection Laws, Supplier agrees to process such US Personal Data subject to the General Processing Conditions set forth in Appendix 2 of this DPA and the following provisions:
1. Supplier acknowledges that the Controller is disclosing to Supplier, or authorising Supplier to collect on the Data Controller’s behalf or otherwise making available, US Personal Data only for the limited and specified purposes set out in the Processing Instructions set forth in Appendix 2 of this DPA, or as otherwise specified under the Agreement and any applicable Statement of Work (collectively, the “Instructions”)
2. Supplier shall: (1) process US Personal Data only as set forth in the Instructions; and (2) process US Personal Data at all times in compliance with Data Protection Laws, including by providing no less than the level of privacy protection as required by Data Protection Laws.
3. Supplier shall not: (1) retain, use, disclose, or otherwise process US Personal Data except as necessary for the business purposes specified in the Instructions; (2) “Sell” or “Share” US Personal Data as those terms are defined under Data Protection Laws; (3) retain, use, disclose, or otherwise process US Personal Data in any manner outside of the direct business relationship between the Data Controller and Supplier; or (4) combine any US Personal Data with any personal data that Supplier receives from or on behalf of any other third party or collects from Supplier’s own interactions with Data Subjects, provided that Supplier may so combine US Personal Data with other personal data for a purpose permitted under Data Protection Laws if directed to do so by the Data Controller or as otherwise expressly permitted by Data Protection Laws.
4. The Data Controller may, upon providing reasonable notice to Supplier, take all reasonable and appropriate steps to prevent, stop, or remediate any unauthorized processing of US Personal Data.
5. Supplier agrees to promptly notify the Data Controller if it can no longer comply with Data Protection Laws applicable to US Personal Data, no later than three business days after it makes a determination that it can no longer meet its obligations.
6. For purposes of this Appendix 5 of the DPA, “Deidentified Data” means data originally created from US Personal Data that has been deidentified or anonymized such that it cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject and where such data is processed only in accordance with this Clause 6 of Appendix 5 of the DPA. To the extent the Data Controller discloses or otherwise makes available Deidentified Data to Supplier, or to the extent Supplier creates Deidentified Data from US Personal Data, Supplier shall (1) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (2) publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Supplier may attempt to re-identify the data solely for the purpose of determining whether Supplier’s deidentification processes are compliant with Data Protection Laws; and (3) before sharing Deidentified Data with any other party, including Subprocessors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Clause 6 of Appendix 5 of the DPA (including imposing this requirement on any further Recipients).
APPENDIX 6: SECURITY REQUIREMENTS
The controller accepts the following Security Requirements as adequate and sufficient at the time of the conclusion of this Agreement. The Supplier shall now offer a lower level of Security Requirements than that listed at the time of the conclusion of this Agreement.
The Security Requirements describe the baseline technical and organisational measures that the Supplier will maintain through its systems and the Relay Commerce Services and that the Supplier will operate to ensure confidentiality, integrity and availability of any data (including but not limited to personal data) created, collected, transferred or otherwise processed and provide the Services to Controller, in a manner that the data and the Services are sufficiently protected at all times (such as where appropriate, encryption, pseudonymization and anonymization).
Security Requirements that have been integrated for a specific Relay Commerce Service:
Flockler - https://flockler.com/technical-and-organisational-measures
SmartrMail - Secured networks; Strong passwords; Limited access to personal data by data importer’s staff; Information security audits; and Anonymisation of personal data (when possible).
List of Security Requirements that are implemented and maintained by the Supplier across its organisations and systems (whereby, in the case of overlap or ambiguity the above listed integrated requirements shall be deemed as specific and applicable for each Service):
1. PHYSICAL ACCESS CONTROLS
The entrance to the common areas and the offices of the Supplier is under supervision, with the key to the entrance of the office being held only by the head of the office, the director and any other supervising employees.
Cabinets, desks and other office furniture in which personal data carriers are kept and which are located outside the protected areas (corridors, common areas) are locked. The keys are kept by the employee who supervises the individual cabinet or desk at a designated place. Leaving keys in their locks is not allowed.
Access to the protected premises is allowed only during regular working hours, whereby access at a different time is only allowed with the permission of the responsible person (supervising employee).
Cabinets and desks containing personal data carriers are locked in protected rooms at the end of working hours or after the completion of work after working hours, while computers and other hardware are switched off and physically locked or locked through software. Leaving keys in their locks is not allowed.
Employees ensure that persons who are not employees of the company (e.g. customers, maintenance staff, business partners, etc.) do not enter the protected premises unattended, but only with the knowledge / presence of the responsible person.
2. PROTECTION OF DATA CARRIERS CONTAINING PERSONAL DATA DURING WORKING HOURS
Personal data carriers are not left in visible places (e.g. on desks) in the presence of persons who do not have the right to inspect them.
Data carriers containing sensitive or special types of personal data shall not be stored outside secure premises.
Data carriers containing personal data may be removed from the premises of the company only with the permission of the supervising employee, whereby the supervising employee shall be deemed to have given permission by engaging a certain associate in a task which includes the processing of personal data outside the protected premises.
In the premises, which are intended for performing business with external employees and/or collaborators, data carriers which contain personal data and computer displays are placed in such a way that external employees/collaborators do not have access to them.
3. HARDWARE AND SOFTWARE PROTECTION
Measures related to the organisation:
- Data Protection Officer
- Determined appropriate access to databases based on job tasks and responsibilities,
- Adopted records of processing
- Adopted an internal Data Protection Security Policy
- Adopted a dedicated Data Protection Policy
Measures related to human resources:
- Dedicated Chief Security Officer
- Regular employee training
- Use of dedicated VPN system for remote work situations
Measures related to network protection:
- Separate networks for development, other office tasks and guests
- Separate network accesses based on employee credentials and tasks
- Two-factor authentication for Google Cloud storage
Measures related to hardware protection:
- Implemented specialised work stations and remote work computers
- Use of anti-virus software
- Use of employee log-in
Measures related to software protection
- Use of anti-virus software
- Use of employee log-in
- Use of separated development environments
- Use of “dummy data”
APPENDIX 7: USE OF PERSONAL DATA IN AI SYSTEMS
This Appendix 6 of the DPA shall apply to the extent the Supplier processes personal data that is or may be used in AI Systems. It applies if the AI System is used on a stand-alone basis or as a component of a Service. This Appendix 6 applies irrespective of whether the AI System is itself the Service provided by the Supplier or is merely a functionality of the Services provided by the Supplier to the Data Controller. This Appendix 6 shall not limit any of the Supplier’s obligations set out in the Controller Processing Requirements.
DEFINITIONS
For the purposes of this Appendix 6 and unless otherwise indicated in the Controller Processing Requirements, the following terms shall have the following meaning:
1.1 AI Laws means any applicable law, regulation, directive or binding court order applicable to the provision of any part of the Services which involves the development, deployment, publication, use, maintenance, support and/or improvement of an AI System in any relevant jurisdiction as amended from time to time.
1.2. AI System means (a) any machine-based system or model that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate Outputs that influence physical or virtual environments (including any artificial intelligence model that is trained on broad data at scale, is designed for generality of Output, and can be adapted to a wide range of distinctive tasks); or (b) any technology, system or tool enabled by a machine-based system or model of the type referred to in (a) above, as the case may be.
1.3 Adverse Impact means the negative effect an unfair and/or biased output may have on a Data Subject.
1.4 Malfunctions means, without limitation, biases, discrimination, inconsistencies.
1.5 Output means, without limitation, any predictions, recommendations, decisions or classifications as the case may be.
GENERAL CONDITIONS
2.1 The Supplier shall only use Personal Data for the AI System if and to the extent it is strictly necessary for the provision of the Service, and only for the purposes for which the Data Controller has given prior written approval. The Data Controller's prior written approval for the use of Personal Data in the AI System is not approval or authorization for using Personal Data in training the AI System or any AI system. Use of Personal Data for training an AI System or any AI system requires the Data Controller's prior written approval.
2.2. Where the Supplier processes Personal Data in accordance with Clause 2.1., the Supplier warrants to the Data Controller that it will:
(a) comply with all the applicable Data Protection Laws and all applicable AI Laws;
(b) treat all Personal Data generated as part of the Output as the Controller Personal Data, which shall be subject to all the provisions of the Controller Data Processing Requirements;
(c) only process the minimum amount of Personal Data required to provide the Services to the Data Controller;inform the Data Controller about any foreseeable adverse impact the AI System may have on the Data Subject as per Clause 2.4t;
(d) inform the Data Controller about any foreseeable adverse impact the AI System may have on the Data Subject as per Clause 2.4t;
(e) implement all necessary Technical and Organisational measures as set out in the Security Requirements to ensure an appropriate level of accuracy, transparency, fairness, robustness and cybersecurity, and the security and confidentiality of personal data, including but not limited to using privacy by design and default measures (as defined in the applicable Data Protection Laws) and other privacy-enhancing techniques, including but not limited to technical limitations on using and re-using the Personal Data, and using pseudonymisation and encryption techniques where possible;
(f) design and develop the AI System in a manner that, where relevant, it can be effectively overseen by a natural person and/or endowed with technical capabilities to allow for continuous monitoring by the Data Controller during the period in which the AI System is in use to avoid any potential biases (including unintentional or hidden), and the risk of discrimination or other adverse impacts on the Data Subjects by virtue of the processing of Personal Data;
(g) design the AI System in a manner that it respects Data Subject rights under the applicable Data Protections Laws;
(h) regularly train, test and audit the AI System in view of possible Malfunctions. The Supplier shall ensure that appropriate mitigation measures are implemented to sufficiently address any Malfunction. In the event the Supplier has identified a Malfunction, it shall promptly notify the Data Controller and provide a detailed explanation of the Malfunction, including the effect and consequences for the Data Controller, Data Subjects and Personal Data concerned, and the mitigating measures that have been or will be taken to appropriately address the Malfunction. It is the Supplier's responsibility to address and correct any Malfunction at its own cost and expense.
2.3. If Supplier requests the Data Controller to authorise the use of Personal Data for training and testing the AI System, Supplier will provide Data Controller with (a) appropriate documentation that sets out, at a minimum, the purposes of the use of Personal Data for the training and testing of the AI systems (b) a detailed explanation as to why these purposes cannot be achieved by using anonymous data or pseudonymous data and, the minimum Personal Data or pseudonymised data required, the storage and segregation of the Personal Data or pseudonymised data (c) the retention period of the Personal Data or pseudonymised data used (d) the technical measures taken to ensure the security and confidentiality of the Personal Data and to ensure the Data Subject rights under applicable Data Protection Law are respected, and (e) any other information that allows Data Controller to make an informed decision and to comply with its obligations under the applicable Data Protection Laws.
2.4. In the course of providing the Services to the Data Controller, the Supplier shall without undue delay notify the Data Controller if the AI system materially adversely impacts the Data Subjects in an unforeseen manner and shall 1) identify all the known and foreseeable risks associated with such impact and take all the appropriate steps and measures to cure, prevent or substantially minimise those risks 2) keep the Data Controller updated on the mitigation steps to be taken and their expected completion date; and 3) suspend the uses of the AI System or the specific function of the impacted AI Systems until those risks are cured, unless otherwise agreed in written with the Data Controller.