Privacy Policy & Terms and Agreements
Data Processing Addendum
Last modified date: August 23, 2024
1. Definitions
All capitalized terms that are not defined in this DPA have the meanings given in the Agreement.
1.1 “Affiliate” – Any entity that directly or indirectly controls, is controlled by, or is under common control with a party. “Control” refers to ownership of over 50% of voting interests or having power over management and policy direction.
1.2 “Agreement” – Refers to the service agreement or NextShopper Terms of Service governing the Customer’s access and use of NextShopper’s Platform, such as Web Development, App Development, SEO, Shopify store services, etc.
1.3 “Controller” – The entity that determines the purposes and means of Personal Information Processing.
1.4 “Customer” – The entity and its Authorized Affiliates that are bound by the Agreement and this DPA.
1.5 “Customer Personal Information” – All Personal Information, excluding Relationship Data, provided by the Customer to NextShopper.
1.6 “Data Breach” – Any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information.
1.7 “Data Protection Laws” – Laws applicable to NextShopper’s processing of Personal Information under the Agreement.
1.8 “Data Subject” – Any individual whose Personal Information is subject to Data Protection Laws.
1.9 “Platform” – Refers to NextShopper’s range of tech services (e.g., Web Development, App Development, SEO services).
1.10 “Processing” – Any operation performed on Personal Information (e.g., collection, recording, organization, storage, adaptation, or destruction).
1.11 “Processor” – The entity that Processes Personal Information on behalf of the Controller.
1.12 “Subprocessor” – Any Processor engaged by NextShopper to process Customer Personal Information.
1.13 “Website Content” – Any content submitted, posted, or made available on or through the Platform by Customer.
2. Relationship of the Parties
2.1 NextShopper as Processor – When Customer provides NextShopper with Personal Information, NextShopper acts as a Processor, following instructions outlined in Section 3.1.
2.2 NextShopper as Controller of Relationship Data – For Customer Relationship Data, NextShopper acts as an independent Controller, using it to manage Customer relationships, maintain business operations, and comply with applicable laws.
3. Customer Obligations
3.1 Instructions – Customer instructs NextShopper to process Personal Information in line with providing the Platform’s services.
3.2 Data Subject Requests – Customer leads all responses to Data Subjects and Regulators and, if required, will notify NextShopper for assistance.
3.3 Consent – Customer must collect and process Personal Information in compliance with Data Protection Laws, including obtaining legally required consents.
4. NextShopper’s Obligations as Processor
4.1 Scope of Processing – NextShopper will only process Personal Information per Customer’s instructions.
4.2 Security – NextShopper will implement technical and organizational measures to ensure data security as specified in Schedule 2.
4.3 Data Breach Notification – NextShopper will promptly inform Customer of any confirmed Data Breach.
4.4 Retention and Deletion – Upon Agreement termination, NextShopper will delete or return all Customer Personal Information, as per Customer’s request.
5. Use of Subprocessors
5.1 Approval of Subprocessors – Customer authorizes NextShopper to use Subprocessors for data processing. A list of current Subprocessors is available upon request.
5.2 Subprocessor Responsibilities – NextShopper will ensure Subprocessors follow the same data protection obligations in this DPA.
6. Audit
6.1 Scope – NextShopper will provide information necessary to demonstrate compliance. Customer’s inspection rights are limited to verifying NextShopper’s DPA obligations.
6.2 Process – Audits will occur with thirty (30) days’ prior written notice at Customer’s expense and will be conducted no more than once every twelve (12) months.
7. Transfers Outside the EEA, UK, and Switzerland
If Customer’s use of the Platform requires a data transfer mechanism, NextShopper will adhere to transfer safeguards as outlined in Schedule 3 (Cross-Border Transfers).
8. Jurisdiction-Specific Terms
To the extent applicable, jurisdiction-specific terms apply, as set forth in Schedule 5.
9. Post-Termination Obligations
All obligations in this DPA that naturally extend beyond termination will remain effective.
10. Limitation of Liability
This DPA is subject to limitations agreed upon in the Agreement between NextShopper and the Customer.
11. Severability
If any provision of this DPA is prohibited or unenforceable, the remaining provisions remain effective.
12. Updates
NextShopper may modify this DPA over time. Continued use of the Platform after updates constitutes acceptance of the modified DPA.
SCHEDULE 1
Description of Transfer and Processing
Data Exporter:
- Name: Customer
- Activities: Using NextShopper’s Platform
- Role: Controller and/or Processor
Data Importer:
- Name: NextShopper, Inc.
- Activities: Platform Services Provision
- Role: Processor
SCHEDULE 2
Technical and Organizational Measures
NextShopper has robust security measures in place, including data center security, application-level security, internal security protocols, Subprocessor controls, and support for assisting Customer with data subject rights and compliance requests.
SCHEDULE 3
Cross-Border Data Transfers
In case of transfers outside the EEA, UK, or Switzerland, NextShopper will ensure compliance with EU Standard Contractual Clauses, UK International Data Transfer Agreement, or other suitable data transfer mechanisms as applicable.
SCHEDULE 4
UK International Data Transfer Agreement
If applicable, the UK International Data Transfer Agreement has been issued by the Information Commissioner for Restricted Transfers and provides Appropriate Safeguards for Restricted Transfers when entered as a legally binding contract.
SCHEDULE 5
Jurisdiction-Specific Terms
Jurisdiction-specific terms may apply as required for compliance with relevant Data Protection Laws, based on the regions where Customer operates.
UK International Data Transfer Agreement
If applicable, this UK International Data Transfer Agreement has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| Section | Subsection | Details |
|---|---|---|
| The parties | Exporter | Who sends the Restricted Transfer |
| Importer | Who receives the Restricted Transfer | |
| Parties' details | Customer |
Full legal name: Webflow, Inc. Main address (if a company registered address): 398 11th St. Fl 2, San Francisco, California, 94103, USA |
| Key contact |
Attn: Customer Contact details including email: email address provided by Customer Attn: Privacy Counsel Contact details including email: [email protected] |
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Table | Section | Details |
|---|---|---|
| Table 2: Selected SCCs, Modules and Selected Clauses | Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information. |
| Table 3: Appendix Information | Annex 1A: List of Parties | As set out in the Agreement |
| Annex 1B: Description of Transfer | As set out in Schedule 1 of this DPA | |
| Annex II: Technical and organisational measures | As set out in Schedule 2 of this DPA | |
| Annex III: List of Subprocessors (Modules 2 and 3 only) | As set out in Schedule 1 of this DPA | |
| Table 4: Ending this Addendum when the Approved Addendum Changes | Ending this Addendum | When the Approved Addendum changes, the following Parties may end this Addendum as set out in Section 19: |
| Importer | ☒ | |
| Exporter | ☒ | |
| Part 2: Mandatory Clauses | Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
Jurisdiction-Specific Terms
1. California
For the purposes of California Consumer Privacy Act of 2018 (“CCPA”) compliance, NextShopper will adhere to the following terms:
- Prohibition on Selling or Sharing: NextShopper will not sell or share any Customer Personal Information collected as part of providing services (e.g., Web Development, App Development, SEO) to the Customer.
- Processing for Business Purposes Only: NextShopper will process Customer Personal Information solely for:
- Delivering the specified services, providing the Customer with access to NextShopper’s tech solutions.
- Ensuring Platform security, including network integrity, fraud detection, and data protection.
- Limitation on Use: NextShopper will not retain, use, or disclose Customer Personal Information for any purpose other than those specified in the Agreement or as permitted under CCPA.
- Direct Business Relationship: All data processing is within the scope of NextShopper’s direct business relationship with the Customer, as permitted by the CCPA.
- Compliance: NextShopper will comply with all CCPA requirements, ensuring the level of privacy protection equivalent to that required by Businesses under the CCPA.
- Audit Rights: Customer has the right to verify NextShopper’s data practices in alignment with the CCPA, as outlined in Section 6 of the DPA.
- Notification of Inability to Meet Obligations: If NextShopper cannot fulfill its obligations under CCPA, it will notify the Customer promptly.
- Stopping Unauthorized Use: Customer can take action to stop and remediate any unauthorized use of Personal Information.
- Consumer Requests: NextShopper will support Customer compliance with consumer data access requests per Section 4.7 of the DPA.
2. Switzerland
The term “Data Protection Law” will also encompass the Swiss Federal Act on Data Protection (FADP), as revised.
3. United Kingdom (UK)
References to GDPR in the DPA will apply to UK-specific data protection laws, including UK GDPR and the Data Protection Act 2018.
