Data Processing Agreement

SCOPE

This Data Processing Agreement ("DPA"), effective as of the Effective Date specified above, is between Intuitive Shipping Inc. ("Intuitive Shipping") and the user entity identified on the applicable order document ("User") specified above and is subject to and incorporated into the Intuitive Shipping User Agreement

Intuitive Shipping and User agree as follows:

1. Structure. This DPA states the privacy and data protection requirements that apply to the Processing of Personal Data by Intuitive Shipping and its Affiliates for the purpose of providing the Intuitive Shipping Services to User under the Intuitive Shipping User Agreement. In addition, if Intuitive Shipping or its Affiliates provide services to User or its Affiliates in any geographical region(s) outside the region covered by the Intuitive Shipping User Agreement, this DPA will apply and the corresponding Intuitive Shipping services agreement will incorporate the terms of this DPA by reference.

2. Definitions. When used in this DPA, the following terms have the following meanings. Any capitalized terms not defined in this DPA have the meanings given to them in the Intuitive Shipping User Agreement.

"CCPA" means the California Consumer Privacy Act of 2018, as may be amended or replaced from time to time.

"DP Law" means all laws and regulations that apply to Personal Data Processing under the Intuitive Shipping User Agreement, including applicable international, federal, state, provincial, and local laws, rules, regulations, directives and governmental requirements currently in effect, and as they become effective, relating in any way to privacy, data protection or data security.

"Data Controller" means the entity which, alone or jointly with others, determines the purposes and means to Process Personal Data, which may include, as applicable, a "Business " as defined under the CCPA.

"Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller, which may include, as applicable, a "Service Provider " as defined under the CCPA.

"Data Security Measures" means technical and organizational measures that are intended to secure Personal Data to a level appropriate for the risk of the Processing, which include measures protecting Personal Data from misuse, accidental or unlawful loss, and unauthorized access, disclosure, alteration, or destruction.

"Data Subject" means an identified or identifiable natural person to which Personal Data pertains.

"EEA Standard Contractual Clauses" mean the standard contractual clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as amended or replaced from time to time by a competent authority under the relevant DP Law.

"GDPR" means the General Data Protection Regulation (EU) 2016/679, as amended or replaced from time to time.

"Instructions" means this DPA and any further written agreement or documentation by way of which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data for that Data Controller.

"Personal Data" means any information relating to a Data Subject (who can be identified, directly or indirectly, in particular by reference to an identifier such as name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) that is collected, disclosed, stored, accessed or otherwise Processed under the Intuitive Shipping User Agreement.

"Process", "Processing" or "Processed" means to perform any operation or set of operations on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying, as defined or described under applicable DP Law.

"Standard Contractual Clauses" mean the EEA Standard Contractual Clauses and/or UK Standard Contractual Clauses, as applicable.

"Sub-processor" means an entity the Data Processor (or any Sub-processor of the Data Processor) engages to Process Personal Data on User’s behalf in connection with the Intuitive Shipping User Agreement and this DPA.

"UK GDPR" means the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended or replaced from time to time.

"UK Standard Contractual Clauses" mean the standard contractual clauses (processor) set out in Commission Decision 2010/87/EC and the standard contractual clauses (controller) set out in Commission Decision 2004/915/EC, as amended or replaced from time to time.

3. Intuitive Shipping as Data Processor.

To the extent Intuitive Shipping or its Affiliates Process Personal Data as a:

a. Data Processor (as described in the table below), it is acting as a Data Processor on behalf of User, the Data Controller;

b. Data Processing concerns the following Data Subjects: User and User’s customers

c. Personal Data: Includes where applicable: billing/shipping address, customer name, date/time/amount of transaction, email address, IP address/location, order ID, unique customer identifier, identity information including government issued documents (including national IDs and driver’s licenses).

d. Data Processing Purposes: Intuitive Shipping as Data Processor: Servicing the Intuitive Shipping platform; analyzing and developing Intuitive Shipping’s products and services; and other applicable purposes as set out in our Privacy Policy.

4. Intuitive Shipping Obligations when acting as a Data Processor.

4.1. Obligations. To the extent that Intuitive Shipping is acting as a Data Processor for User, Intuitive Shipping will:

a. Process Personal Data on behalf of and in accordance with User’s instructions. Intuitive Shipping will not sell, retain, use or disclose Personal Data for any purpose other than for the specific purposes of performing the Intuitive Shipping Services and to comply with applicable Laws, unless otherwise permitted by the Intuitive Shipping User Agreement or DP Law. Intuitive Shipping will inform User if, in its opinion, User’s instructions infringe DP Law;

b. ensure that all persons Intuitive Shipping authorizes to Process Personal Data in the context of the Intuitive Shipping Services are granted access to Personal Data on a need-to-know basis and are committed to respecting the confidentiality of Personal Data;

c. to the extent required by DP Law, inform User of all formal requests Intuitive Shipping receives from Data Subjects (including Verifiable Consumer Requests under CCPA) exercising their applicable rights under DP Law to (i) access (right to know to under the CCPA) their Personal Data, (ii) have their Personal Data corrected or erased, (iii) restrict or object to Intuitive Shipping’s Processing, or (iv) data portability. Intuitive Shipping will not respond to these requests, unless User instructs Intuitive Shipping in writing to do so;

d. to the extent required by DP Law, inform User of each request Intuitive Shipping receives from a public authority requiring Intuitive Shipping to disclose Personal Data Processed in the context of the Intuitive Shipping Services or participate in an investigation involving that Personal Data;

e. to the extent required by DP Law, provide reasonable assistance through appropriate technical and organizational measures to User, at User’s expense, to assist User in complying with User’s obligations under DP Law, which assistance would include conducting data protection impact assessments and consulting with a supervisory authority, taking into account the nature of the Processing and the information available to Intuitive Shipping;

f. implement and maintain a written information security program with the Data Security Measures. In addition, Intuitive Shipping implements a data security incident management program that addresses how Intuitive Shipping manages data security incidents, including any loss, theft, misuse, or unauthorized access, disclosure, or acquisition, or destruction, or other compromise of Personal Data ( "Incident "). If Intuitive Shipping is required by DP Law to notify User of an Incident, then Intuitive Shipping will notify User without unreasonable delay, but in no event later than any time period required by the applicable DP Law. In addition, for Incidents affecting Personal Data subject to GDPR or UK GDPR, Intuitive Shipping will notify User no later than 48 hours after Intuitive Shipping becomes aware of the Incident. Intuitive Shipping will partner with User to respond to the Incident. The response may include identifying key partners, investigation of the Incident, providing regular updates, and liaising with regards to notice obligations. Except as required by DP Law, Intuitive Shipping will not notify User’s affected Data Subjects about an Incident without first consulting User;

g. engage Sub-processors as necessary to perform the Intuitive Shipping Services on the basis of the general written authorization User gives Intuitive Shipping under Section 4.2 below;

h. to the extent required by DP Law and upon User’s written request, contribute to audits or inspections by making audit reports available to User, which reports are Intuitive Shipping’s confidential information;

i. at User’s choice, and subject to Intuitive Shipping exercising its rights and performing its obligations under the Intuitive Shipping User Agreement, delete or return all Personal Data to User after the end of the provision of the Intuitive Shipping Services, and delete existing copies, unless Intuitive Shipping is required or authorized by DP Law to store Personal Data for a longer period; and

j. to the extent applicable to the Intuitive Shipping Services, Intuitive Shipping certifies that it understands and will comply with the requirements in this DPA relating to CCPA.

4.2 Sub-processors.

a. User specifically authorizes the engagement of the Sub-processors from the agreed list of Sub-processors which URL may be updated or replaced ( "Intuitive Shipping Service Providers List "). User acknowledges that Intuitive Shipping’s Sub-processors are essential to provide the Intuitive Shipping Services and that if it objects to Intuitive Shipping’s use of a Sub-processor, then notwithstanding anything to the contrary in the Intuitive Shipping User Agreement, Intuitive Shipping will not be obligated to provide User the Intuitive Shipping Services for which Intuitive Shipping uses that Sub-processor.

b. Intuitive Shipping will enter into an agreement with each Sub-processor that imposes on the Sub-processor obligations comparable to those imposed on Intuitive Shipping under this DPA, including implementing appropriate Data Security Measures. If a Sub-processor fails to fulfill its data protection obligations under that agreement, Intuitive Shipping will remain liable to User for the acts and omissions of its Sub-processor to the same extent Intuitive Shipping would be liable if performing the relevant Intuitive Shipping Services directly under this DPA.

4.3. LIABILITY DISCLAIMER. INTUITIVE SHIPPING WILL NOT BE LIABLE FOR ANY CLAIM BROUGHT BY A DATA SUBJECT ARISING FROM OR RELATED TO INTUITIVE SHIPPING’S OR ITS AFFILIATE’S ACTION OR OMISSION TO THE EXTENT THAT INTUITIVE SHIPPING WAS ACTING IN ACCORDANCE WITH USER’S INSTRUCTIONS.

5. User Obligations when acting as a Data Controller.

User will:

a. only provide Instructions to Intuitive Shipping that are lawful;

b. comply with and perform all of its obligations under DP Law, including with regard to Data Subject rights, data security and confidentiality, and ensure it has an appropriate legal basis for the Processing of Personal Data as described in the Intuitive Shipping User Agreement and this DPA; and

c. provide Data Subjects with all necessary information (including by means of offering a transparent and easily accessible public privacy notice) regarding, respectively, Intuitive Shipping’s and User’s Processing of Personal Data for the purposes described in the Intuitive Shipping User Agreement and this DPA.

6. Data transfers. To the extent necessary to provide the Intuitive Shipping Services, Intuitive Shipping or its Affiliate may transfer Personal Data Processed under this DPA outside the territory in which the Intuitive Shipping Services are provided, subject to Intuitive Shipping’s compliance with DP Law. In respect of any transfers of Personal Data from the EEA, Switzerland or the UK to any third country that is not subject to an adequacy decision under DP Law, Intuitive Shipping will implement appropriate safeguards, specified or permitted under DP Law, to ensure Intuitive Shipping and its Affiliates comply with DP Law.

7. Term. The term of this DPA begins on the Effective Date and terminates on the date on which the Intuitive Shipping User Agreement expires or terminates. Section 4.3 will survive termination of this DPA.

8. Entire Agreement. This DPA supersedes and replaces any data processing agreement in effect as of the Effective Date that governs the Processing of Personal Data by Intuitive Shipping or its Affiliates in performing the Intuitive Shipping Services for User or its Affiliates.

9. Modifications. We may update this Data Processing Agreement where such update: (a) is required to comply with applicable law, regulation, court order, or guidance issued by a governmental regulator or agency; (b) is permitted by applicable law, is commercially reasonable; and does not result in a material reduction of security of the Personal Data; and (c) does not have an adverse impact on User’s rights under this Agreement.

10. Conflict. If there is any conflict or ambiguity between the provisions of this DPA and the provisions of the Intuitive Shipping User Agreement, with respect to Personal Data Processing, the provisions of this DPA will prevail.

11. Contact.If You have any questions about this Agreement, please send us an email at privacy@intuitiveshipping.com or write us at:

Intuitive Shipping Inc.
261 Martindale Road, Unit 9
St. Catharines, ON L2W 1A2
Canada