Okendo

Last updated on March 6, 2024

Okendo Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the Okendo Master Services Agreement ("Principal Agreement") between:

  1. Okendo Pty Ltd (ACN 165 005 989) ("Okendo") acting on its own behalf and as agent for each Okendo Affiliate; and
  2. The Merchant as defined in the Principal Agreement, acting on its own behalf and as agent for each Merchant Affiliate.
  1. Definitions

    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

      1. Applicable Laws means

        1. European Union or Member State laws with respect to any Merchant Personal Data in respect of which any Merchant Group Member is subject to EU Data Protection Laws; and
        2. the UK Data Protection Laws in respect of which any Merchant Group Member is subject to the laws of the United Kingdom of Great Britain and Northern Ireland;
        3. the CCPA in respect of which any Merchant Group Member is subject to the laws of the State of California, United States of America; and
        4. any other Data Protection Laws that any Merchant Group Member is subject to.
      2. CCPA means the California Consumer Privacy Act of 2018, AB 375.
      3. Contracted Processor means Okendo or a Subprocessor;
      4. Data Subject means an Identifiable Natural Person about whom the Merchant or Okendo holds Personal Data and who is subject to the Data Protection Laws.
      5. Data Protection Laws means to the extent applicable:

        1. the EU Data Protection Laws;
        2. the UK Data Protection Laws;
        3. the US Data Protection Laws;
        4. any data protection or privacy laws of:

          1. The Commonwealth of Australia, or any state therein;
          2. Canada, or any province therein; and
          3. New Zealand.
      6. EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
      7. GDPR means EU General Data Protection Regulation 2016/679;
      8. GDPR Zone means:

        1. The European Economic Area with respect to any Merchant Personal Data in respect of which any Merchant Group Member is subject to EU Data Protection Laws; or
        2. The United Kingdom of Great Britain and Northern Ireland in respect of which any Merchant Group Member is subject to the laws of the United Kingdom of Great Britain and Northern Ireland.
      9. Identifiable Natural Person means a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
      10. Merchant Affiliate means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Merchant, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
      11. Merchant Group Member means Merchant or any Merchant Affiliate;
      12. Merchant Personal Data means any Personal Data Processed by a Contracted Processor on behalf of a Merchant Group Member pursuant to or in connection with the Principal Agreement;
      13. Okendo Affiliate means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Okendo, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
      14. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      15. Personal Data means any information relating to an Identifiable Natural Person;
      16. Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
      17. Services means the services and other activities to be supplied to or carried out by or on behalf of Okendo for Merchant Group Members pursuant to the Principal Agreement;
      18. Standard Contractual Clauses means:

        1. the European Commission’s Standard Contractual Clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in European Commission Decision 2021/914/EU under Module Two (transfer controller to processor); and
        2. includes, where any Merchant Group Member is subject to the laws of the United Kingdom of Great Britain and Northern Ireland, the International Data Transfer Addendum issued by the United Kingdom Information Commissioner under section 119(A)(1) of the Data Protection Act 2018.
      19. Subprocessor means any person (including any third party and any Okendo Affiliate, but excluding an employee of Okendo or any of its sub-contractors) appointed by or on behalf of Okendo or any Okendo Affiliate to Process Personal Data on behalf of any Merchant Group Member in connection with the Principal Agreement; and
      20. UK Data Protection Laws means the UK Data Protection Act 2018 and the UK-GDPR.
      21. UK-GDPR means the GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419);
      22. US Data Protection Laws means any data protection or privacy laws of the United States of America and any states therein, including the CCPA;
      23. The terms used in this Addendum shall have the meanings set forth in this Addendum, and their cognate terms shall be construed accordingly. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
      24. The terms, "Commission", "Controller", "Member State", and "Supervisory Authority" shall have the same meaning as in the GDPR or UK-GDPR as context requires, and their cognate terms shall be construed accordingly.
      25. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
  2. Authority

    1. Okendo warrants and represents that, before any Okendo Affiliate Processes any Merchant Personal Data on behalf of any Merchant Group Member, Okendo’s entry into this Addendum as agent for and on behalf of that Okendo Affiliate will have been duly and effectively authorised (or subsequently ratified) by that Okendo Affiliate.
  3. Processing of Merchant Personal Data

    1. Okendo is a Processor of Personal Data on behalf of the Merchant.
    2. Okendo and each Okendo Affiliate shall:

      1. comply with all applicable Applicable Laws in the Processing of Merchant Personal Data; and
      2. not Process Merchant Personal Data other than on the relevant Merchant Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Okendo or the relevant Okendo Affiliate shall to the extent permitted by Applicable Laws inform the relevant Merchant Group Member of that legal requirement before the relevant Processing of that Personal Data.
    3. Each Merchant Group Member:

      1. instructs Okendo and each Okendo Affiliate (and authorises Okendo and each Okendo Affiliate to instruct each Subprocessor) to:

        1. Process Merchant Personal Data; and
        2. in particular, transfer Merchant Personal Data to any country or territory,

        as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and

      2. warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2(a) on behalf of each relevant Merchant Affiliate.
  4. Okendo and Okendo Affiliate Personnel

    1. Okendo and each Okendo Affiliate shall take reasonable steps to ensure that with respect to any Merchant Personal Data, access is strictly limited to those employees, agents or contractors of Okendo, or any Contracted Processor, who need to know or access the relevant Merchant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
  5. Security

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Okendo and each Okendo Affiliate shall in relation to the Merchant Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate:

      1. the pseudonymisation and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
    2. In assessing the appropriate level of security, Okendo and each Okendo Affiliate shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach.
    3. We will notify you of all data security vulnerabilities affecting the Service of which we become aware within 24 hours.
  6. Subprocessing

    1. Each Merchant Group Member authorises Okendo and each Okendo Affiliate to appoint (and permit each Subprocessor appointed in accordance with this clause 6 to appoint) Subprocessors in accordance with this clause 6 and any restrictions in the Principal Agreement.
    2. Okendo and each Okendo Affiliate may continue to use those Subprocessors already engaged by Okendo or any Okendo Affiliate as at the date of this Addendum, subject to Okendo and each Okendo Affiliate in each case as soon as practicable meeting the obligations set out in clause 3(b).
    3. Okendo shall give Merchant prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 7 days of receipt of that notice, Merchant notifies Okendo in writing of any objections (on reasonable grounds) to the proposed appointment:

      1. Neither Okendo nor any Okendo Affiliate shall appoint (or disclose any Merchant Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Merchant Group Member and Merchant has been provided with a reasonable written explanation of the steps taken.
      2. With respect to each Subprocessor, Okendo or the relevant Okendo Affiliate shall:

        1. before the Subprocessor first Processes Merchant Personal Data (or, where relevant, in accordance with clause 2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Merchant Personal Data required by the Principal Agreement;
        2. ensure that the arrangement between on the one hand (a) Okendo, or (b) the relevant Okendo Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Merchant Personal Data as those set out in this Addendum and meet the requirements of the Applicable Laws;
        3. provide to Merchant for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Merchant may request from time to time.
      3. Okendo and each Okendo Affiliate shall ensure that each Subprocessor performs the obligations under clauses 1, 4, 5, 7.1, 8.2, 1 and 10.1, as they apply to Processing of Merchant Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Okendo.
  7. Data Subject Rights

    1. Okendo and each Okendo Affiliate will make available technical and organisational measures for the fulfilment of the Merchant Group Members’ obligations to respond to requests to exercise any Data Subject rights under the Applicable Laws.
    2. The Merchant authorises Okendo, each Okendo Affiliate, and each Contracted Processor to comply with any request from a Data Subject under any Data Protection Law in respect of Merchant Personal Data.
    3. Okendo shall notify the Merchant, if Okendo, any Okendo Affiliate, or any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Merchant Personal Data.
  8. Personal Data Breach

    1. Okendo shall notify Merchant without undue delay upon Okendo or any Subprocessor becoming aware of a Personal Data Breach affecting Merchant Personal Data, providing Merchant with sufficient information to allow each Merchant Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Applicable Laws.
    2. Okendo shall co-operate with Merchant and each Merchant Group Member and take such reasonable commercial steps as are directed by Merchant to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
    3. Okendo shall maintain a register of all Personal Data Breaches and provide reasonable access to such records as is necessary for the Merchant to comply with any Applicable Laws.
  9. Deletion or return of Merchant Personal Data

    1. Subject to clauses 2 and 9.3 Okendo and each Okendo Affiliate shall

      1. in the case of any live or operational data, promptly and in any event within 90 days; and
      2. in the case of any data contained in systems backups, within 365 days;

      of the date of cessation of any Services involving the Processing of Merchant Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Merchant Personal Data.

    2. Subject to clause 9.3, Merchant may in its absolute discretion by written notice to Okendo within 14 days of the Cessation Date require Okendo and each Okendo Affiliate to (a) return a complete copy of all Merchant Personal Data to Merchant by secure file transfer in such format as is reasonably notified by Merchant to Okendo; and (b) delete and procure the deletion of all other copies of Merchant Personal Data Processed by any Contracted Processor. Okendo and each Okendo Affiliate shall comply with any such written request within 90 days of the Cessation Date.
    3. Each Contracted Processor may retain Merchant Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Okendo and each Okendo Affiliate shall ensure the confidentiality of all such Merchant Personal Data and shall ensure that such Merchant Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
    4. Okendo shall provide written certification to Merchant that it and each Okendo Affiliate has fully complied with this clause 9 within 90 days of the Cessation Date.
  10. Audit rights

    1. Subject to clause 10.2, Okendo and each Okendo Affiliate shall

      1. make reasonably available to each Merchant Group Member on request all information which must be made available under applicable Data Protection Law, and
      2. shall allow for and contribute to audits, including inspections of any Okendo premises, by any Merchant Group Member or an auditor mandated by any Merchant Group Member required under any Data Protection Law;

      in relation to the Processing of the Merchant Personal Data by the Contracted Processors.

    2. The Merchant or the relevant Merchant Affiliate undertaking an audit shall give Okendo or the relevant Okendo Affiliate reasonable notice of any audit or inspection to be conducted under clause 1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:

      1. to any individual unless he or she produces reasonable evidence of identity and authority;
      2. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Merchant or the relevant Merchant Affiliate undertaking an audit has given notice to Okendo or the relevant Okendo Affiliate that this is the case before attendance outside those hours begins; or
      3. for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any audits or inspections which a Merchant Group Member is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Merchant or the relevant Merchant Affiliate undertaking an audit has identified the relevant requirement or request in its notice to Okendo or the relevant Okendo Affiliate of the audit or inspection.
  11. International Transfers of Personal Data

    1. If Okendo transfers any Personal Data to subprocessors in countries which do not ensure an adequate level of data protection within the meaning of the Applicable Laws, Okendo will take such measures as are necessary to ensure the transfer is in compliance with the Applicable Laws.
  12. GDPR Specific Provisions

    1. ANNEX 1 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Merchant Personal Data as required by article 28(3) of the GDPR (and equivalent requirements of other Data Protection Laws). Nothing in Annex 1 (including as amended pursuant to this section 1) confers any right or imposes any obligation on any party to this Addendum.
    2. Okendo and each Okendo Affiliate shall provide reasonable assistance to each Merchant Group Member with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Merchant reasonably considers to be required of any Merchant Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Merchant Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
    3. Standard Contractual Clauses

      To the extent that Okendo processes any personal data under this Addendum that originates from a GDPR Zone to a country that has not been designated by the Commission as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses, which are hereby incorporated into and form part of this Addendum. The parties hereby agree that:

      1. Data processing details set out in ANNEX 1 of this Addendum shall apply for the purposes of Appendix 1 of the Standard Contractual Clauses;
      2. The technical and organizational security measures set out in ANNEX 2 of this Addendum shall apply for the purpose of Appendix 2 to the Standard Contractual Clauses; and
      3. Okendo shall be deemed the “data importer” and the Merchant the “data exporter” under the Standard Contractual Clauses.
  13. CCPA Specific Provisions

    1. Okendo is a “Service Provider” as defined in CCPA Section 1798.140(v). The Merchant discloses personal data to Okendo solely for:

      1. a valid business purpose; and
      2. for Okendo to perform the Services.
  14. General Terms

    Governing law and jurisdiction

    1. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
    2. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

      Order of precedence

    3. Nothing in this Addendum reduces Okendo’s or any Okendo Affiliate’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Okendo or any Okendo Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement.
    4. Subject to clause 3, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

      Changes in Data Protection Laws, etc.

    5. Merchant may propose any other variations to this Addendum which Merchant reasonably considers to be necessary to address the requirements of any Data Protection Law.

      Severance

    6. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either

      1. amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or, if this is not possible
      2. construed in a manner as if the invalid or unenforceable part had never been contained therein.

Annex 1 – Details of Processing of Merchant Personal Data

This ANNEX 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.

  1. LIST OF PARTIES
    1. Data Exporter

      1. Name: The entity identified as the "Company" on this Addendum.
      2. Address: The Company’s Billing Address specified in the Company’s account.
      3. Contact person’s name, position and contact details: The Primary Contact Name, Primary Contact Position and Primary Contact Email in the Company’s account.
      4. Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer and utilising the data importer’s services to conduct ecommerce customer review requests.
      5. Role (controller/processor): Controller
    2. Data Importer

      1. Name: Okendo.
      2. Address: Okendo Pty Ltd, Level 13, 333 George St, Sydney NSW.
      3. Contact person’s name, position and contact details: C/O- Viridian Lawyers, Richard Prangell, Consulting Data Protection Officer, richard@viridianlawyers.com.
      4. Activities relevant to the data transferred under these Clauses: The data importer operates an ecommerce marketing platform and service.
      5. Role (controller/processor): Processor
  2. DESCRIPTION OF TRANSFER
    1. Categories of Data Subjects

      Customers, Merchant

    2. Categories of Personal Data to be Processed

      Customer data including

      1. Name
      2. Email Address
      3. Country of Residence
      4. Purchase History

      Review content including

      1. Reviewer Name
      2. Reviewer Email Address
      3. Review Rating
      4. Review Text
      5. Images / Videos [2]
      6. Reviewer Social Media Profile Picture [2]
      7. Additional review structured data (“Attributes”) as configured by the Company [1]
      8. Reviewer State / Zone of Residence [1]
      9. Reviewer IP Address (for anti-fraud purposes only)
      10. Reviewer Device Fingerprint (for anti-fraud purposes only)

      Question content including

      1. Questioner Name
      2. Questioner Email Address
      3. Question Text
      4. Questioner Social Media Profile Picture [2]

      [1] Optional at the discretion of the Company

      [2] Optional at the discretion of the End-user or Company

  3. Sensitive data transferred (if applicable) and applied restrictions or safeguards:

    Any sensitive data included by the Company or End Users, the extent of which is determined and controlled by the Company in its sole discretion. See Annex 2 for applied restrictions and safeguards.

  4. Frequency of the transfer

    Continuous

  5. Subject matter and duration of the Processing of Company Personal Data

    The subject matter and duration of the Processing of the Company Personal Data are set out in the Principal Agreement and this Addendum.

  6. The nature and purpose of the Processing of Company Personal Data

    Provision of services in accordance with the Principal Agreement by Okendo to the Company.

  7. The obligations and rights of Company and Company Affiliates

    The obligations and rights of Company and Company Affiliates are set out in the Principal Agreement and this Addendum.

  8. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    The personal data will be retained until termination or expiry of the Agreement.

  9. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    See Annex 4.

ANNEX 2 – Technical and Organisational Safety Measures

Okendo will maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of the Merchant’s personal data processed by Okendo, as described in the Principal Agreement and the Addendum.

Okendo will not materially decrease the overall security of the Services during a subscription term.

ANNEX 3 – Standard Contractual Clauses – Supplementary Terms To Provide Additional Safeguards

  1. This Annex is supplemental to, and should be read in conjunction with, the Standard Contractual Clauses. Any references to the ‘Clauses’ in this Annex should be read as references to the Standard Contractual Clauses.
  2. The data importer agrees and warrants:

    1. without prejudice to Clause 5(b) of the Clauses, that, in the event the Clauses cease to be an appropriate safeguard for the transfer of the personal data as described in Appendix 1 of the Clauses, in accordance with applicable data protection law, by virtue of a binding decision by a competent supervisory authority, or at the discretion of the data exporter as notified to the data importer, the data exporter shall be entitled to suspend the transfer of data and/or terminate the contract;
    2. to assist the data exporter with the data exporter’s continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law and pursuant to Clause 5(a) of the Clauses; and
    3. that, in the event the data transfer and data processing activities are suspended or terminated pursuant to the Clauses or this Annex, its cessation of the data processing activities will not be prevented by, or be in breach of, and will not give rise to any third party rights or remedies pursuant to, any binding obligation on the data importer under the Clauses or any other agreement between the data importer and the data exporter (or any of its affiliates) in relation to the personal data and data processing activities.

ANNEX 4 – List of Sub-processors

The Company has authorised the use of the sub-processors set out at: https://www.okendo.io/gdpr/