Data Processing Agreement for Retail Cloud Technologies, LLC
(“Data Processing Agreement”)
Version August 2, 2021
1. Scope and Applicability
1.1 This Data Processing Agreement applies to Retail Cloud Technologies, LLC’s (“Teamwork”) Processing of Personal Information on Your behalf as a Processor for the provision of the Services specified in the Technology Services Agreement (“Your Services Agreement”). Unless otherwise expressly stated in Your Services Agreement, this version of the Data Processing Agreement shall be effective and remain in force for the term of Your Services Agreement.
1.2 In addition, any Processing of Personal Information subject to Applicable European Data Protection Law is subject to the additional terms of the European DPA Addendum set out in Exhibit 1 and the Teamwork Processor Code referenced therein.
1.3 Should you need to contact Teamwork to discuss any questions or concerns regarding this Data Processing Agreement, please contact Teamwork’s security team at the following email address: ITSecurity@teamworkcommerce.com.
2. Responsibility for Processing of Personal Information and Your instructions
2.1 You are a Controller and Teamwork is a Processor for the Processing of Personal Information as part of the provision of the Services. Each party is responsible for compliance with its respective obligations under Applicable Data Protection Law.
2.2 Teamwork will Process Personal Information solely for the purpose of providing the Services in accordance with the Services Agreement and this Data Processing Agreement.
2.3 In addition to Your instructions incorporated into the Services Agreement, You may provide additional instructions in writing to Teamwork with regard to Processing of Personal Information in accordance with Applicable Data Protection Law. Teamwork will promptly comply with all such instructions to the extent necessary for Teamwork to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the Services.
2.4 Teamwork will follow Your instructions at no additional cost to You and within the timeframes reasonably necessary for You to comply with your obligations under Applicable Data Protection Law. To the extent Teamwork expects to incur additional charges or fees not covered by the fees for Services payable under the Services Agreement, such as additional license or third party contractor fees, it will promptly inform You thereof upon receiving Your instructions. Without prejudice to Teamwork’s obligation to comply with Your instructions, the parties will then negotiate in good faith with respect to any such charges or fees.
2.5 Unless otherwise specified in the Services Agreement, You may not provide Teamwork with any sensitive or special Personal Information that imposes specific data security or data protection obligations on Teamwork in addition to or different from those specified in the Data Processing Agreement or Services Agreement.
3. Privacy Inquiries and Requests from Individuals
3.1 If You receive a request or inquiry from an Individual related to Personal Information processed by Teamwork for the provision of Services, You can either (i) securely access Your Services environment that holds Personal Information to address the request, or (ii) to the extent such access is not available to You, submit a “service request” via My Teamwork Support (the Teamwork Support portal, or other applicable primary support tool or support contact provided for the Services, such as Your project manager) with detailed written instructions to Teamwork on how to assist You with such request.
3.2 If Teamwork directly receives any requests or inquiries from Individuals that have identified You as the Controller, it will promptly pass on such requests to You without responding to the Individual. Otherwise, Teamwork will advise the Individual to identify and contact the relevant controller(s).
4. Teamwork Affiliates and Third Party Sub-processors
4.1 To the extent Teamwork engages Third Party Sub-processors and/or Teamwork Affiliates to Process Personal Information, such entities shall be subject to the same level of data protection and security as Teamwork under the terms of the Services Agreement. Teamwork is responsible for the performance of the Teamwork Affiliates’ and Third Party Sub-processors’ obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection Law.
5. Cross-border data transfers
5.1 Without prejudice to any applicable regional data center restrictions for hosted Services specified in Your Services Agreement, Teamwork may Process Personal Information globally as necessary to perform the Services.
6. Security and Confidentiality
6.1 Teamwork has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures (including, without limitation, vulnerability scanning and control monitoring and security policies).
6.2 All Teamwork and Teamwork Affiliates employees, as well as any Third Party Sub-processors that Process Personal Information, are subject to appropriate written confidentiality arrangements, including confidentiality agreements, regular training on information protection, and compliance with Teamwork policies concerning protection of confidential information.
7. Audit Rights
7.1 Audits and Inspections. Teamwork shall make available to You information necessary to demonstrate compliance with the obligations set forth in GDPR, Article 28. Teamwork shall provide assistance reasonably necessary in order to allow You, or another auditor mandated by You, to conduct audits, including inspections, as required by law.
7.1 You shall reimburse Teamwork for any time expended for any such audit at Teamwork’s then-current professional services rates, which shall be made available to You upon request. Before the commencement of any such audit, Teamwork and You shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which You shall be responsible. The Parties shall work in good faith to schedule the audit at a time that is mutually beneficial, and so as to avoid unreasonable disruption of Teamwork’s business operations. All reimbursement rates shall be reasonable, taking into account the resources expended by Teamwork.
7.2 Audit access by any third-party representative of You shall be subject to such representative agreeing to reasonable confidentiality obligations in respect of the information obtained, provided that all information obtained may be disclosed to You as permitted by law.
7.3 Unless otherwise agreed to in writing by the Parties, You shall bear the costs associated with the performance of audits of Teamwork conducted pursuant to this Agreement.
7.4 You shall promptly notify Teamwork with information regarding any alleged non-compliance discovered during the course of an audit relevant to the Services or the Agreement.
7.5 Your rights set forth in this section may be exercised only once per twelve month period unless otherwise mutually agreed to in writing by the Parties or expressly required by law.
7.7 Both Parties shall make the information referred to in the DPA, including the results of any audits, available to the competent supervisory authority on request.
8. Incident Management and Breach Notification
8.1 Teamwork has implemented controls and policies designed to detect and promptly respond to incidents that create suspicion of or indicate destruction, loss, alteration, unauthorized disclosure or access to Personal Information transmitted, stored or otherwise Processed. Teamwork will promptly define escalation paths to investigate such incidents in order to confirm if a Personal Information Breach has occurred, and to take reasonable measures designed to identify the root cause(s) of the Personal Information Breach, mitigate any possible adverse effects and prevent a recurrence.
8.2 Teamwork will notify you of a confirmed Personal Information Breach without undue delay but at the latest within 48 hours. As information regarding the Personal Information Breach is collected or otherwise reasonably becomes available to Teamwork, Teamwork will also provide You with (i) a description of the nature and reasonably anticipated consequences of the Personal Information Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of Personal Information that were the subject of the Personal Information Breach. You agree to coordinate with Teamwork on the content of Your intended public statements or required notices for the affected Individuals and/or notices to the relevant Regulators regarding the Personal Information Breach.
9. Return and Deletion of Personal Information
9.1 Upon termination of the Services, Teamwork will promptly return, including by providing available data retrieval functionality, or delete any remaining copies of Personal Information on Teamwork systems or Services environments, except as otherwise stated in the Services Agreement.
9.2 For Personal Information held on Your systems or environments, or for Services for which no data retrieval functionality is provided by Teamwork as part of the Services, You are advised to take appropriate action to back up or otherwise store separately any Personal Information while the production Services environment is still active prior to termination.
10. Legal Requirements
10.1 Teamwork may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes.
10.2 Teamwork will promptly inform You of requests to provide access to Personal Information, unless otherwise required by law.
“Applicable Data Protection Law” means all data privacy or data protection laws or regulations globally that apply to the Processing of Personal Information under this Data Processing Agreement, which may include Applicable European Data Protection Law.
“Applicable European Data Protection Law” means (i) the EU General Data Protection Regulation EU/2016/679, as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement; (ii) the Swiss Federal Act of 19 June 1992 on Data Protection, as amended; and (iii) the UK Data Protection Act 2018.
“Europe” means for the purposes of this Data Processing Agreement (i) the European Economic Area, consisting of the EU Member States, Iceland, Liechtenstein and Norway; (ii) Switzerland and (iii) the UK after it withdraws from the EU.
“Individual” shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.
“Process/Processing”, “Controller”, “Processor” and “Binding Corporate Rules” (or the equivalent terms) have the meaning set forth under Applicable Data Protection Law.
“Teamwork Affiliate(s)” means the subsidiar(y)(ies) of Teamwork Corporation that may Process Personal Information as set forth in Section 4.
“Teamwork Intra-Company Data Transfer and Mandate Agreement” means the Teamwork Intra-Company Data Transfer and Mandate Agreement for Customer Services Personal Information entered into between Teamwork Corporation and the Teamwork Affiliates.
“Teamwork Processor Code” means Teamwork’s Privacy Code for Processing Personal Information of Customer Individuals referenced in the European DPA Addendum.
“Teamwork” means the Teamwork Affiliate that has executed the Services Agreement.
“Personal Information” shall have the same meaning as the term “personal data”, “personally identifiable information (PII)” or the equivalent term under Applicable Data Protection Law.
“Personal Information Breach” means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed on Teamwork systems or the Services environment that compromises the security, confidentiality or integrity of such Personal Information.
“Regulator” shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.
“Services” or the equivalent terms “Service Offerings” or “services” means the Cloud, Advanced Customer Support, Consulting, or Global Technical Support services specified in the Services Agreement.
“Services Agreement” means (i) the applicable order for the Services you have purchased from Teamwork; (ii) the applicable master agreement referenced in the applicable order, and (iii) the Service Specifications.
“Third Party Subprocessor” means a third party, other than a Teamwork Affiliate, which Teamwork subcontracts with and which may Process Personal Information as set forth in Section 4.
“You” means the customer entity that has executed the Services Agreement.
Other capitalized terms have the definitions provided for them in the Services Agreement.
Exhibit 1: European Data Processing Addendum for Teamwork Services
(“European DPA Addendum”)
This European DPA Addendum supplements the Data Processing Agreement to include additional Processor terms applicable to the Processing of Personal Information subject to Applicable European Data Protection Law.
Except as expressly stated otherwise in the Data Processing Agreement, the Services Agreement, this European DPA Addendum or the Teamwork Processor Code, in the event of any conflict between these documents, the following order of precedence applies (in descending order): (i) the Teamwork Processor Code; (ii) this European DPA Addendum; (iii) the body of the Data Processing Agreement; and (iv) the Services Agreement.
2. Cross-Border Data Transfers – Teamwork Processor Code
2.1 The Teamwork Processor Code (Standard Contractual Clauses) applies to the Processing of Personal Information by Teamwork on Your behalf in its role as a Processor as part of the provision of Services under the Services Agreement and this European DPA Addendum, where such Personal Information is:
(i) subject to any data transfer restrictions under Applicable European Data Protection Law; and (ii) processed by Teamwork or a Teamwork Affiliate in a country outside Europe.
2.2 Transfers to Third Party Sub-processors shall be subject to security and data privacy requirements consistent with the Teamwork Processor Code, the Data Processing Agreement and the Services Agreement.
3. Description of Processing
3.1 Duration of processing activities. Teamwork may Process Personal Information during the term of the Services Agreement and to perform its obligations under Section 9 of the Data Processing Agreement, unless otherwise required by applicable law.
3.2 Processing activities. Teamwork may Process Personal Information as necessary to perform the Services, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration and performance testing.
3.3 Categories of Personal Information. In order to perform the Services and depending on the Services You have ordered, Teamwork may Process some or all of the following categories of Personal Information: personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, identification numbers, and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers; IP addresses and online behavior and interest data.
3.4 Categories of Data Subjects. Categories of Data Subjects whose Personal Information may be Processed in order to perform the Services may include, among others, Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
3.5 Additional or more specific descriptions of Processing activities, categories of Personal Information and Data Subjects may be described in the Services Agreement.
4. Your Instructions
4.1 Your right to provide instructions to Teamwork as specified in Section 2 of the Data Processing Agreement encompasses instructions regarding (i) data transfers as set forth in Section 1 of this European DPA Addendum; and (ii) assistance with Data Subject requests to access, delete or erase, restrict, rectify, receive and transmit (data portability), block access to or object to Processing of specific Personal Information or sets of Personal Information as described in Section 3 of the Data Processing Agreement.
4.2 To the extent required by the Applicable EEA Data Protection Law, Teamwork will immediately inform You if, in its opinion, Your instruction infringes Applicable European Data Protection Law. You acknowledge and agree that Teamwork is not responsible for performing legal research and/or for providing legal advice to You.
5. Notice and Objection Right to New Teamwork Affiliates and Third Party Subprocessors
5.1 Subject to the terms and restrictions specified in this Section 4 of the European DPA Addendum and Section 4 of the Data Processing Agreement, You provide Teamwork general written authorization to engage Teamwork Affiliates and Third Party Sub-processors to assist in the performance of the Services.
5.2 Within fourteen (14) calendar days of Teamwork providing such notice to You, You may object to the intended involvement of a Third Party Subprocessor or Teamwork Affiliate in the performance of the Services, providing objective justifiable grounds related to the ability of such Third Party Subprocessor or Teamwork Affiliate to adequately protect Personal Information in accordance with the Data Processing Agreement or Applicable European Data Protection Law in writing by submitting a “service request” via (i) My Teamwork Support (or other applicable primary support tool) or (ii) for ACS and Consulting Services, the project manager for the Services. You and Teamwork will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Sub-processor’s or Teamwork Affiliate’s compliance with the Data Processing Agreement or Applicable European Data Protection Law, or delivering the Services without the involvement of such Third Party Sub-processor. To the extent You and Teamwork do not reach a mutually acceptable resolution within a reasonable timeframe, You shall have the right to terminate the relevant Services (i) upon serving thirty (30) days prior notice; (ii) without liability to You or Teamwork and (iii) without relieving You from Your payment obligations under the Services Agreement up to the date of termination. If the termination in accordance with this Section 4.2 only pertains to a portion of Services under an order, You will enter into an amendment or replacement order to reflect such partial termination.
6. Information and Assistance
6.1 For hosted Services, Your audit rights under Section 7 of the Data Processing Agreement.
6.2 In addition, You may request that Teamwork audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist You in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to verify compliance with the Third Party Sub-processor’s obligations. You will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of Teamwork’s agreement with any Third Party Subprocessors and Teamwork Affiliates that may Process Personal Information.
6.3 Teamwork provides You with information and assistance reasonably necessary for You to conduct Your data protection impact assessments or consult with Your Regulator(s); contact Your Teamwork Customer Success Team, who will provide assistance and documentation.
7. Data Protection Officer/Security Team
7.1 Teamwork has a security team that can be contacted at the following email address: ITSecurity@teamworkcommerce.com.
7.2 If You have appointed a Data Protection Officer, You may request Teamwork to include the contact details of Your Data Protection Officer in the relevant Services order.