Data Processing Agreement
Introduction
This data processing agreement (hereinafter "DPA") governs the personal data processing conducted by Creem as a data processor (hereinafter "Processor") on behalf of the Merchant acting as a data controller (hereinafter "Controller") within the scope of providing the service (hereinafter "Service") as defined in and provided under the Merchant Terms, which forms an integral part of the Merchant Terms concluded between the Controller and the Processor (hereinafter "Agreement").
The Controller and the Processor are hereinafter individually referred to as the "Party" or collectively as the "Parties".
The Parties acknowledge that this DPA and the processing activities conducted during fulfilment of the Agreement in relation to the personal data are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the "GDPR") and other relevant legislative acts governing the processing of personal data (together with the GDPR, the "Legislation").
Each term, unless specifically defined herein, is used in the meaning given to it in the GDPR or the Agreement. For matters not stipulated in this DPA, the Agreement applies. In the event of a conflict or ambiguity between the Agreement and this DPA, this DPA prevails.
The subject-matter and nature of the Processor's processing, the types of personal data, the categories of data subjects and the duration of processing are specified in Annex 1 to this DPA.
Rights and obligations of the parties
The Controller shall:
Ensure that all instructions for the processing of the personal data under the Agreement, this DPA or as otherwise agreed or stipulated shall comply with the Legislation, and such instructions will not in any way cause the Processor to be in breach of the Legislation.
Comply with the Legislation, including ensuring the accuracy, quality and lawfulness of the personal data processed by the Processor and informing the data subjects of the processing operations carried out by the Processor.
Notify the Processor prior to concluding the Agreement if the Controller requires the Processor to adopt specific procedures, security measures or similar.
The Processor shall:
Process the personal data on behalf of the Controller only on the basis of documented instructions (e.g., received via e-mail or in any other documented form) given, received and updated from time to time by the Controller (including those set out herein) and in accordance with the Legislation, unless required to do otherwise by the Legislation to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the Legislation prohibits this on important grounds of public interest.
Immediately inform the Controller if, in the Processor's opinion, instructions given by the Controller infringe data protection provisions set forth in the Legislation.
Ensure that all of its employees, subcontractors, members of the management board, or other persons to whom the Processor has provided access to the personal data are subject to a contractual confidentiality obligation or to an appropriate statutory confidentiality obligation and are aware of their duties and obligations in relation to the personal data processing.
Take the measures required pursuant to Article 32 of the GDPR and the Legislation, including implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk related to the processing of the personal data and to prevent alteration, loss or unauthorised processing thereof or access thereto. As a minimum, the Processor undertakes to implement the technical and organisational measures set out in Annex 2 to this DPA.
Provide assistance to the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to the data subjects' requests for exercising their rights laid down in Chapter III of the GDPR.
Not communicate with the data subjects nor fulfil data subjects' requests directly and independently. The Processor shall forward any requests received from the relevant data subjects for exercising any of their rights to the Controller's contact person specified in this DPA as soon as reasonably possible, but no later than five (5) calendar days after the receipt of such a request.
Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, while taking into account the nature of processing and the information available to the Processor.
Notify the Controller in a form reproducible in writing without undue delay, but no later than within twenty-four (24) hours after becoming aware of a personal data breach concerning personal data processed by the Processor. Such notification shall contain at least the information required in Article 33 (3) of the GDPR.
The Processor acknowledges that, according to Article 28 (10) of the GDPR, if it infringes the DPA and the Legislation by determining the purposes and means of the processing, the Processor shall be considered a separate controller in respect of that processing.
Auditing rights
Upon the Controller's request in a form reproducible in writing, the Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations laid down in the DPA and the Legislation (which may be redacted to remove confidential commercial information not relevant to the fulfilment of this DPA), within fifteen (15) calendar days of the receipt of such request.
Where, in the opinion of the Controller, such information is not sufficient to verify the Processor's compliance with the DPA and the Legislation, the Controller may, upon thirty (30) calendar days' prior notice to the Processor in a form reproducible in writing, conduct an audit itself or through another auditor mandated by the Controller. The notification shall contain a proposal for an auditing plan. Each Party shall bear its own costs of conducting the audit. However, if the audit reveals any non-compliance with the Processor's or its sub-processors' obligations under this DPA or the Legislation, the Processor shall bear the cost of the audit.
The notice periods specified in this Section 3 are not applicable in case there is an extraordinary event (e.g. there are reasonable grounds to believe that a personal data breach has occurred, a personal data breach has occurred, a request or investigation by a supervisory authority, a request from a data subject, a violation of the Legislation etc.).
Any audit shall be performed during the Processor's regular business hours and the performance of the audit must not interrupt the Processor's business activities.
The Processor shall remedy any deficiencies found during the audit at its own expense within a reasonable period determined by the Controller. Failure to do so shall be considered a material breach.
Use of sub-processors
The Processor is permitted to engage another processor (hereinafter "Sub-processor") for the performance of the DPA under the Controller's general authorisation provided hereby. The Controller acknowledges and agrees that the Processor has engaged the Sub-processors listed in Annex 3 to this DPA.
Should the Processor wish to engage a new Sub-processor or replace a current Sub-processor with a new Sub-processor, then the Processor is obliged to inform the Controller in a form reproducible in writing. Upon having reasonable grounds, the Controller may object, in a form reproducible in writing, to any such additions, changes or replacements within thirty (30) calendar days as of the Processor informing the Controller. If the Controller does not object during such time period, the addition, change or replacement shall be deemed accepted.
In case the Controller exercises, pursuant to Section 4.2 of the DPA, its opportunity to object to the addition or replacement of a Sub-processor and the Processor does not, under reasonable grounds, agree with such objections, both Parties have the right to terminate the Agreement, together with the DPA by notifying the other Party thirty (30) calendar days in advance.
In the event the Processor engages or replaces a current Sub-processor, the Processor shall engage such Sub-processor under an agreement at least in a form reproducible in writing containing the same obligations as those set out in this DPA and remain fully liable to the Controller for the performance of each Sub-processor's obligations.
Data transfers outside the EU/EEA
The Controller allows the Processor to transfer the personal data outside of the European Union / European Economic Area (hereinafter "EU/EEA"), including engaging any Sub-processors located outside the EU/EEA, if the Processor transfers personal data to countries in relation to which the European Commission has issued an adequacy decision or if the Processor uses other appropriate safeguards set out in Chapter V of the GDPR (e.g., standard contractual clauses adopted by the European Commission).
Before transferring personal data outside the EU/EEA to a country in relation to which the European Commission has not issued an adequacy decision, the Processor must carry out a data transfer impact assessment to ensure that the laws of the country to which the personal data are to be transferred provide a level of protection essentially equivalent to that in the EU/EEA.
The Controller is entitled to request information from the Processor regarding the countries to which the personal data is transferred and the existence or absence of an adequacy decision by the European Commission, or a reference to the appropriate safeguards, as well as, if applicable, a copy of the data transfer impact assessment referred to in Section 5.2 of the DPA.
In the event that any of the measures referred to in Section 5.1 of the DPA are no longer sufficient to satisfy the requirements of the Legislation applicable to the processing of personal data under the DPA and thus to legalise the transfer of personal data outside the EU/EEA, the Processor shall either implement an alternative transfer mechanism which satisfies the requirements of the Legislation in order to legalise the transfer of personal data outside the EU/EEA or cease such transfer.
Liability
Notwithstanding any other provisions in the Agreement with regard to the Processor's liability and indemnity obligations, the Processor shall be liable, without any limitation, for any claims, damages, fines, penalties, costs and expenses caused to the Controller by the Processor as a result of the Processor's breach of its obligations under the DPA, Agreement and/or Legislation.
Termination
Without prejudice to the Legislation, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the processing of personal data until the latter complies with this DPA or the DPA is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with this DPA, for whatever reason.
The Controller shall be entitled to terminate the DPA extraordinarily without notice if:
The processing of personal data by the Processor has been suspended by the Controller pursuant to Section 7.1 and if compliance with this DPA is not restored within a reasonable time and in any event within fourteen (14) days following suspension.
The Processor is in substantial or persistent breach of this DPA or its obligations under the Legislation.
The Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA and/or the Legislation.
Termination of the DPA causes automatic termination of the Agreement and vice versa. Termination of this DPA does not exempt the Parties from fulfilling their obligations as specified in the Legislation.
Deletion or return of personal data
Upon termination of this DPA and the Agreement, the Processor shall return to the Controller and permanently delete from its systems, including backup systems, all of the personal data processed under this DPA within ten (10) calendar days as of termination of the DPA and the Agreement, unless storage of any personal data is required by the Legislation.
Miscellaneous
This DPA becomes effective upon entering into the Agreement by the Parties and is valid until the termination of the Agreement.
In all other aspects, including governing law and jurisdiction, the provisions of the Agreement shall apply.
Annexes
Annex 1 – Details of data processing.
Annex 2 – Technical and organisational measures.
Annex 3 – Sub-processors.
Annex 1 – Details of Data Processing
Subject-matter and purpose of processing
The Processor will process the personal data as necessary to provide the Service according to the Agreement.
Nature of the processing
The Processor may conduct the following processing activities: receiving data, including collection, accessing, retrieval, recording and data entry; using data, including analysing by provision of the Service; returning data to the Controller; erasing data, including destruction and deletion.
Categories of data subjects and Types of personal data
Merchant's sub-account users: name, email address, login information and other properties received from third-party authentication providers.
For the purpose of generating AI-based statistics, the following personal data of Buyers (as defined in the Agreement) shall be processed: name, email address, and IP address.
Duration of processing
The Processor will process the personal data for as long as it is necessary for the provision of the Service.
Annex 2 – Technical and Organisational Measures
To ensure the minimum level of security of the personal data processed, the Processor is required to implement at least the following technical and organisational measures:
Access Regulation
Access to the personal data and the Controller's systems is restricted to persons who have been authorised to do so by the Processor. Authentication information (username, password, proof of identity, etc.) must be kept confidential and may not be disclosed without authorisation. Authentication information is issued to one user only. Sharing authentication information (username/password) with other persons is prohibited.
IT Security
Access to the Controller's system and personal data is only permitted from properly secured IT devices. Requirements include: operating systems must have vendor support; security patches must be installed regularly; IT devices must be protected against malicious software; user privileges must be restricted; security logging must be enabled; devices shall lock after 15 minutes of inactivity; access must be protected by secure passwords or two-factor authentication; personal data must be stored encrypted; proper procedures for device decommissioning must be followed.
Network Security
Access to the Controller's system and personal data is only permitted over properly secured networks. Connection over unsecured networks (e.g., public WiFi) is prohibited. The Internet connection must be protected by a firewall. WiFi networks must be securely encrypted.
Management of Personal Data
Electronic data or documents may not be stored for longer than is necessary. After data has been returned to the Controller, it must be securely deleted. Personal data may only be transmitted over the network after reliable identification and must be encrypted.
Physical Security
IT devices and documents containing personal data must be protected from unauthorised physical access. Access to premises must be restricted and controlled, and equipment and documents not in use must be kept locked.
Awareness
Security awareness training shall be provided to all staff with access to personal data to ensure they are aware of information security risks and safeguards.
Annex 3 – Sub-processors
The Processor uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI | AI API | Estonia |
| FeatureBase | Customer Support | Estonia |
| AWS/Amazon | Server infrastructure | Estonia |
| Supabase | Database infrastructure | Estonia |
| Sentry | Observability & error tracking | Estonia |
| GitHub | Code Infrastructure | Estonia |
| Papertrail/SolarWinds | Observability & logs tracking | Estonia |
| BetterStack | Incident management & logs tracking | Estonia |
| Crisp | Customer Support | Estonia |
| | Authentication | Estonia |
| Resend | Email Infrastructure | Estonia |
| Slack | Team communication | Estonia |
| Discord | Team communication & Community | Estonia |
| Google Workspace | Email & Workspace | Estonia |
| PostHog | Product analytics & feature flagging | Estonia |
| Vercel | Client & Server infrastructure | Estonia |