Data Processing Agreement

  1. Preamble

    In the course of providing the Services to you in accordance with the KiloMayo Terms and Conditions (“Terms”), we may gain access to, and process, personal data that you have submitted to the Services or allowed us to access, collect or otherwise process (by granting the relevant permission in the Services interface), and such processing is necessary for us to provide our Services to you (“Customer Personal Data”).

    As a data controller with respect to Customer Personal Data, you are responsible for the lawfulness of such processing, including the requisite legal titles (consents or other, as may be applicable) for processing.

    To ensure that any processing of Customer Personal Data is carried out in accordance with the Applicable Privacy Laws (as defined below), this Data Processing Agreement is incorporated into the Terms.

  2. Definitions

    1. “Applicable Privacy Laws” shall mean the laws pertaining to the protection of privacy applicable to our provision of Services, including but not limited to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”); the UK Data Protection Act 2018 (“UK GDPR”); the California Consumer Privacy Act of 2018 including the California Privacy Rights Act of 2020, Civil Code sections 1798.100 et seq. (“CCPA”); and any other applicable privacy laws.

    2. “DPA” means this Data Processing Agreement between KiloMayo s.r.o., with registered office at Pštrossova 191/22, Nové Město, 110 00 Prague 1, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague under the file no. C 392573, ID No. 19841698 (“we”) and the person or entity that is entering into the Agreement with us (“you” or “Customer”).

    3. “Services” means, for the purpose of this DPA, the types of Services or their features we provide to you under the Terms as your data processor, as specified in the Preamble of this DPA; and

    4. “Standard Contractual Clauses” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as applicable.

    5. “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner and laid before UK Parliament on 2 February 2022 in accordance with section 119A of the UK Data Protection Act 2018.

    The terms “personal data”, “processing” and “data subject” shall have the meaning ascribed to them in the Applicable Privacy Laws. The term “personal data” includes “personal information” as defined in the CCPA and PIPEDA; the term “data subject” includes “consumer” as defined in the CCPA. Other capitalized terms used but not defined shall have the same meaning as in the Terms.

  3. Object / Scope of the processing

    1. The object/scope of this DPA is the processing of Customer Personal Data in connection with the provision of the Services specified in this DPA. You are the data controller and we are the data processor with respect to Customer Personal Data processed under this DPA.

  4. Duration

    1. The duration of this DPA shall correspond to the term of your subscription to our Services.

  5. Specification of Processing (nature, purpose, type of personal data and categories of data subjects)

    1. The nature and purpose of the intended processing are defined in the Terms and correspond to the provision of the Services defined in this DPA.

    2. Each transfer of Customer Personal Data outside of the EU/EEA shall only take place if the specific conditions laid down in the Applicable Privacy Laws have been fulfilled. All transfers of personal data out of the EU, EEA, United Kingdom, and Switzerland under this DPA, unless based on a European Commission adequacy decision, shall be governed by the applicable Standard Contractual Clauses and/or the UK SCC Addendum, to the extent applicable to the parties.

    3. The types of Customer Personal Data processed under this DPA and categories of data subjects are specified in this DPA. As a principle, the scope of Customer Personal Data is determined and controlled by you in your sole discretion (as the data controller) and is further specified in Annex 1 to this DPA.

  6. Technical and Organizational Measures

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we are obliged to implement appropriate technical and organizational measures in such a manner that the processing of Customer Personal Data will meet the requirements of applicable data protection laws and this DPA.

    2. We have implemented technical and organizational measures described in our Data Security Policy.

  7. Rectification, restriction, access and erasure of data

    1. We will only erase or block Customer Personal Data upon instruction issued by you. In case of requests regarding the rectification, restriction or the erasure directly addressed to us by a data subject, we will inform you about such request without undue delay.

    2. Where appropriate, we will assist and support you in the fulfilment of your obligations under the Applicable Privacy Laws to respond to requests for exercising data subjects’ rights, in particular the ‘right to be forgotten’ and the rights to rectification, restriction, data portability, information and access.

    3. You hereby agree that we shall not be liable if you do not take action on the data subject’s request, or if you do not respond correctly or in a timely manner.

  8. Our obligations

    1. We undertake to:
      1. Process the Customer Personal Data within the Services specified in this DPA only on documented instructions from you and only for the specific purpose of providing the Services under the Terms, unless processing is required by applicable laws to which we are subject, in which case we shall, to the extent permitted by applicable laws, inform you of that legal requirement before the relevant processing of that Customer Personal Data. We shall not retain, use or disclose the Customer Personal Data processed on your behalf for any purpose other than the specific purpose of providing the Services.

      2. Inform you if we consider that an instruction violates data protection laws or regulations. We shall then be entitled to suspend the execution of the relevant instructions.

      3. Keep the Customer Personal Data confidential and ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

      4. Taking into account the nature of the processing, assist you by implementing and maintaining appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to ensure an appropriate level of security and to respond to requests for exercising the data subject's rights.

      5. Assist you in ensuring compliance with the requirements of the Applicable Privacy Laws relating to the security of processing, investigation and notification of security incidents, data protection impact assessment and prior consultation where applicable, taking into account the nature of processing and the information available to us.

      6. Notify you without undue delay after becoming aware of a personal data breach in relation to the personal data processed on your behalf.

      7. Not sell, as defined in the CCPA, the Customer Personal Data processed on your behalf.

      8. At your choice, delete or return all Customer Personal Data to you after the end of the provision of Services relating to processing, and delete existing copies unless applicable law requires storage of the personal data.

      9. Make available to you information necessary to demonstrate our compliance with the obligations laid down in this DPA.

  9. Sub-processing

    1. We shall engage another processor (i.e., a sub-processor) only in accordance with this DPA. The mechanism stipulated herein shall be considered a general written authorization from you.

    2. If we engage another processor for carrying out specific processing activities on your behalf, the same obligations as set out in this DPA shall be imposed on that other processor by way of a written contract.

    3. The sub-processors currently engaged by us and hereby authorized by you are listed in Annex 1 below. We will inform you of any intended changes concerning the addition or replacement of other processors, including full details of the processing to be undertaken by the new processor(s), giving you the opportunity to object to such changes.

    4. If you have a reasonable basis to object to our use of a new processor, you shall notify us promptly in writing within 5 days after being notified. For the avoidance of doubt, you hereby agree that if you are not able to show evidence that the new processor poses an unacceptable risk to the protection of Customer Personal Data (e.g., the other processor has a history of security breaches) or is your direct competitor, it would be unreasonable for you to object if the other processor has passed our vendor security evaluation.

    5. Notwithstanding the foregoing, if you object to the engagement of another processor and your objection is not unreasonable, the parties will come together in good faith to discuss an appropriate solution. We may in particular choose not to use the intended processor, or to engage the processor only after we have taken the corrective steps and/or measures requested by you.

    6. If you interconnect our Services with any third-party application and, as a result, allow data to be shared with such third-party application, the third-party vendor with whom data are shared shall not be considered a sub-processor engaged by us according to this Section 9; the processing of the shared data shall be subject to a separate data processing agreement, or a similar contractual arrangement, concluded directly between you and your relevant third-party vendor.

    7. Sub-processors engaged by us are subject to technical and organizational measures that are substantially similar to the technical and organizational measures set out in our Data Security Policy.

  10. Audit rights

    1. Upon reasonable advance notice of at least 90 days and in order to ensure and review compliance with the technical and organizational security measures and the obligations laid down in this DPA, we shall permit you to conduct periodic audits or to have them carried out by an auditor mandated by you. We shall, at your written request and within a reasonable period of time, submit to you any and all information, documentation and other factual evidence necessary for the audit. The audit result shall be documented appropriately.

    2. Audits shall be conducted at reasonable times, shall be of reasonable duration, and shall not unreasonably interfere with our day-to-day operations. In the event that you conduct an audit through a third-party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement. Additionally, such independent contractor must not be our direct or indirect competitor, nor a person whom we can reasonably consider unfit (for reasons of professional standing, experience or history) to perform such audit. Each party shall bear its own costs and expenses arising out of or in connection with the audit.

  11. Miscellaneous

    1. Unless otherwise stipulated herein, the provisions of the Terms shall apply, including any exclusions and limitation of warranties and liabilities provided therein. Provisions in this DPA shall have precedence over any provisions of the Terms relating to the processing of Customer Personal Data by us as your data processor, if any.

Annex 1: Specification of Customer Personal Data

Subject matter and nature of the processing of Customer Personal Data is set out in the Terms.

The nature of the processing may include any operation that we may perform on Customer Personal Data or on sets of Customer Personal Data when providing Services, which may include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, disclosure by transmission or otherwise making available, alignment or combination, erasure or destruction of data (whether or not by automated means).

Purpose of processing of Customer Personal Data is to provide the Services to you.

Categories of Customer Personal Data:
  • Any personal data that your customers or any other persons interacting with you through various communications channels share with you, either directly through our Services or that you submit to our Services. Such personal data may include, without limitation, data subjects’ contact and identification information (such as name, address, company, email, telephone); information about orders and/or data from your internal commerce systems (e.g., information relating to sales such as order values, reference numbers, receipts, cost, bestsellers, status of returning customers, etc., which may, alone or in combination with other information, qualify as personal data); customer feedback, complaints and other information relating to the data subjects’ activities; and the contents of your conversations with them.
  • Information about data subjects’ behavior on our platform, where applicable.

Categories of data subjects are primarily designated by you, the data controller, based on how you choose to use the Services, and may include, without limitation, the following categories of data subjects:
  • Your customers and prospective customers, business partners and suppliers; your employees, agents, advisors, freelancers and other individuals that you interact with and/or that are authorized by you to use the Services.
Locations of processing: EU (Czech Republic, Germany); USA

Sub-processors:
  • http://vercel.com
  • neon.tech
  • http://fly.io
  • contember.cloud
  • http://resend.com
  • Google API
  • http://stripe.com
  • http://upstash.com
  • AWS S3
  • Sentry