1. Introduction
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Customer”, “Controller”) and Simplits Limited (“Simplits”, “Processor”) for the provision of the Simplits software-as-a-service platform (the “Service”), as set out in our Terms of Service or any applicable order form (together, the “Agreement”).
This DPA reflects the parties’ commitments under applicable data protection laws, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK Data Protection Act 2018 and the UK GDPR, and the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486).
If you enter into the Agreement on behalf of an entity, you represent that you are authorised to bind that entity to this DPA. In the event of any conflict, this DPA prevails over the Agreement with respect to the processing of Personal Data.
2. Definitions
Capitalised terms not defined here have the meaning given in the Agreement. For this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Simplits on behalf of Customer under the Agreement.
- “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given under applicable data protection law.
- “Sub-processor” means any third party engaged by Simplits to process Personal Data on Customer’s behalf.
- “SCCs” means the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914.
- “UK Addendum” means the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner’s Office.
3. Roles and scope
Customer is the Controller of the Personal Data it submits to, or that is generated through its use of, the Service. Simplits acts as Processor on Customer’s behalf.
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Schedule 1 — Processing details.
Each party will comply with its obligations under applicable data protection law in respect of the Personal Data.
4. Processing instructions
Simplits will process Personal Data only on documented instructions from Customer, including in relation to international transfers, unless required to do otherwise by law. The Agreement, this DPA, Customer’s configuration of the Service, and Customer’s use of the Service constitute Customer’s complete and final instructions to Simplits for processing Personal Data.
Simplits will promptly notify Customer if, in its opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.
5. Confidentiality of personnel
Simplits ensures that persons authorised to process Personal Data are subject to appropriate written confidentiality obligations or statutory duties of confidentiality, and are trained on their obligations regarding Personal Data.
6. Security
Simplits implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. A summary of these measures is set out in Schedule 3 — Technical and organisational measures.
Simplits may update its security measures from time to time, provided the overall level of security is not materially reduced.
7. Sub-processors
Customer grants Simplits general written authorisation to engage the Sub-processors listed in Schedule 2 — Sub-processors. Simplits will enter into a written contract with each Sub-processor imposing data protection obligations substantially equivalent to those set out in this DPA.
Simplits will inform Customer of any intended addition or replacement of Sub-processors, giving Customer a reasonable opportunity (at least 30 days, unless shorter for security or legal reasons) to object on reasonable data-protection grounds. If Customer reasonably objects, the parties will work in good faith to reach a resolution; if no resolution can be reached, Customer may terminate the affected portion of the Service.
Simplits remains liable to Customer for the acts and omissions of its Sub-processors to the same extent it would be liable for its own.
8. Data subject rights
Taking into account the nature of the processing, Simplits will assist Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law.
If Simplits receives a request from a Data Subject directly in relation to Personal Data processed on Customer’s behalf, Simplits will promptly forward the request to Customer and will not respond except on Customer’s documented instructions or as required by law.
9. Assistance with compliance
Simplits will provide Customer with reasonable assistance necessary for Customer to comply with its obligations under applicable data protection law, including in relation to security of processing, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Simplits.
10. Personal data breach notification
Simplits will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer’s Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.
Simplits’ notification of or response to a breach is not an acknowledgment of fault or liability.
11. Return or deletion of Personal Data
On termination or expiry of the Agreement, Simplits will, at Customer’s choice, delete or return all Personal Data to Customer and delete existing copies, unless storage is required by law. Where Customer does not make a choice, Simplits will delete Personal Data within 30 days after termination, subject to technical limitations that prevent immediate deletion (for example, rolling backups), in which case Simplits will continue to protect the data in accordance with this DPA until it is deleted.
12. Audits and information
Simplits will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports and summaries, under appropriate confidentiality obligations.
Where required by applicable data protection law, Simplits will allow for and contribute to audits, including inspections, conducted by Customer or an independent mandated auditor, subject to reasonable prior notice, confidentiality obligations, and limits on frequency and scope designed to avoid disruption to the Service and third parties.
13. International data transfers
Customer authorises Simplits and its Sub-processors to transfer Personal Data across borders as necessary to provide the Service, including to Hong Kong, the European Economic Area, the United Kingdom, and the United States.
Where a transfer of Personal Data from the EEA is subject to the GDPR and is made to a country that has not received an adequacy decision from the European Commission, the SCCs (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor, as applicable) are incorporated into this DPA by reference and apply to the transfer. For transfers subject to the UK GDPR, the UK Addendum is incorporated and applies. For transfers subject to the Swiss Federal Act on Data Protection, the SCCs apply as amended by the Swiss Federal Data Protection and Information Commissioner’s guidance.
Where the parties use the SCCs: (a) Clause 7 (docking clause) is not included; (b) in Clause 9, Option 2 (general written authorisation) applies with a minimum notice period of 30 days; (c) in Clause 11, the optional language is not included; (d) in Clause 17, Option 1 applies and the governing law is that of Ireland; (e) in Clause 18, the courts of Ireland are the competent forum; and (f) Annexes I, II, and III are populated by reference to Schedule 1, Schedule 3, and Schedule 2 respectively.
14. Liability
Each party’s liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, any references to the liability of a party in the Agreement mean aggregate liability of that party under the Agreement and this DPA together.
15. General
This DPA takes effect on the effective date of the Agreement or the date Customer accepts it, whichever is later, and continues for as long as Simplits processes Personal Data on Customer’s behalf.
This DPA is governed by the same law as the Agreement, except where applicable data protection law or the SCCs require otherwise. If any provision of this DPA is held unenforceable, the remaining provisions remain in full force and effect.
Schedule 1 — Processing details
Subject matter. Provision of the Service as described in the Agreement.
Duration. For as long as Customer uses the Service, plus any post-termination retention or return period described in the Agreement or this DPA.
Nature and purpose. Hosting, storing, transmitting, analysing, and otherwise processing Personal Data as necessary to operate marketplace order automation, shipping workflows, customer messaging, and related features of the Service.
Categories of Data Subjects. Customer’s representatives and authorised users; Customer’s end-buyers whose order data flows through the Service; other individuals whose Personal Data Customer submits to the Service.
Types of Personal Data. Identification and contact data (name, email, phone); shipping and billing addresses; order metadata and product details; communications content; account and authentication data; technical identifiers (IP address, device metadata); any other Personal Data Customer chooses to submit.
Frequency. Continuous, for the duration of the Agreement.
Sensitive data. The Service is not designed to process special categories of personal data. Customer should not submit such data unless expressly agreed.
Schedule 2 — Sub-processors
The following Sub-processors are authorised to process Personal Data on behalf of Customer. Simplits maintains an up-to-date list and will notify Customer of changes in accordance with Section 7.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure and storage | United States, Ireland |
| Cloudflare, Inc. | Content delivery, DDoS protection, edge routing | Global (edge network) |
| Stripe, Inc. | Payment processing and billing | United States, Ireland |
| Postmark (Wildbit, LLC) | Transactional email delivery | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and application diagnostics | United States |
| Linear Orbit, Inc. | Customer support ticketing | United States |
Schedule 3 — Technical and organisational measures
Simplits maintains a security programme designed to protect the confidentiality, integrity, and availability of Personal Data. The programme includes, at a minimum, the following measures:
- Access control. Role-based access to production systems, least-privilege principles, mandatory multi-factor authentication for personnel, centralised identity management, regular access reviews.
- Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using industry-standard algorithms.
- Network and system security. Segregated environments, firewalls, perimeter protection, vulnerability scanning, hardened baseline configurations, timely patching.
- Application security. Secure development lifecycle, code review, dependency and secret scanning, periodic penetration testing by qualified third parties.
- Logging and monitoring. Centralised logging of security-relevant events, alerting on anomalous activity, retention of audit logs.
- Resilience. Redundant infrastructure, regular backups with integrity checks, documented disaster recovery and business continuity plans.
- Personnel. Background checks where permitted by law, confidentiality agreements, ongoing security and privacy training.
- Incident response. Documented procedures for detection, triage, containment, notification, and post-incident review.
- Vendor management. Risk-based assessment and contractual controls for Sub-processors and other vendors handling Personal Data.
Contact
For DPA questions or to submit a signed copy, contact:
Simplits Limited — Data Protection
Unit B6, 12th Floor, Wing Wah Building
No. 677 King’s Road, Quarry Bay
Hong Kong Island, Hong Kong
privacy@simplits.net
© 2026 Simplits Limited. Registered in Hong Kong.
