Data Processing Addendum

Version date: Mar 6, 2025

Written by Martha Bitar
Updated over 2 weeks ago

We've created this data processing addendum (“Addendum”) for the Flodesk user (“Member”) who can be considered a "controller" of personal data processed by Flodesk, Inc. and its subsidiaries (collectively “Flodesk”), or “business” where Flodesk is a “service provider”, or other term as determined by applicable law. The most common circumstance of when a Member is considered a “controller” or “business” is when the Member uploads the names and email addresses of people into Flodesk, or Member’s customers purchase products or services from Member using Flodesk Checkout Services.

If Member uploads the name or email of any person living or traveling in those jurisdictions with applicable data protection laws, such as the European Union, United Kingdom, and certain states in the United States, you agree to be bound by this Addendum, and to take steps to ensure your business is compliant with applicable Data Protection Laws.

Our Addendum is incorporated by reference into our Terms of Service and the Addendum supplements our Privacy Policy (the Terms of Service and Privacy Policy collectively “Agreement”) and addresses requirements for data processing agreements between controllers and processors, or between business and service provider.

To ensure that no inconsistent or additional terms are imposed on us beyond that reflected in our Addendum and model clauses, we cannot agree to sign Members' data processing addendums.

By registering for and/or using the site (as that term is defined in the Agreement) and/or uploading Personal Data, Member agrees to be bound by this Addendum. Member enters into this Addendum on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of your Authorized Affiliates. The parties agree to comply with the terms and conditions in this Addendum in connection with such Personal Data. Subject to the foregoing conditions, the parties agree as follows:

1. Definitions

“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

“Authorized Affiliate” means any Affiliate(s) of Member that is permitted to receive or is otherwise receiving the benefit of the Services pursuant to the Agreement.

“Control” means an ownership, voting, or similar interest representing more than fifty percent (50%) of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.

“Controller” means Member, as an entity that determines the purposes and means of the processing of Personal Data.

“Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of or unauthorized disclosure of or access to Personal Data.

“Data Protection Laws” means all data protection, data privacy and data security laws, regulations, and self-regulatory frameworks applicable to any Personal Data Processed under or in connection with this Addendum, including, but not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the United Kingdom’s General Data Protection Regulation, the California Consumer Privacy Act 2018 (“CCPA”), the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act, and the Colorado Privacy Act.

“Personal Data” means any personal data that Flodesk processes on Member’s behalf in the course of providing the Services under the Agreement, which data relates to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.

“DPF” means the EU-US Data Privacy Framework Program, UK Extension to the EU-US Data Privacy Framework Program, and Swiss-US Data Privacy Framework Program, as administered by the U.S. Department of Commerce, the European Commission, the UK Government and the Swiss Federal Administration.

“Processor” means Flodesk Inc., which processes Personal Data on behalf of the Member.

“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.

“Services” means any product or service provided by Flodesk to you pursuant to and as more particularly described in the Agreement.

“Sub-processor” means any processor engaged by Flodesk to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this Addendum. Sub-processors may include third parties or any Flodesk Affiliate.

2. Relationship of the Parties

2.1 Role of the Parties. As between Member and Flodesk, Member is the Controller of Personal Data, and Flodesk shall process Personal Data on your behalf only as a Processor.

2.2 Your Obligations. As the Controller, Member agrees to (i) comply with your obligations as a Controller under Data Protection Laws in respect of your processing of Personal Data and any processing instructions you issue to Flodesk; and (ii) provide notice and obtain (or shall obtain) all consents and rights necessary under Data Protection Laws for Flodesk to process Personal Data and provide the Services pursuant to the Agreement and this Addendum.

2.3 Limited Processing by Flodesk. As a Processor, Flodesk shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement and this Addendum; (ii) processing to perform any steps necessary for the performance of the Agreement and this Addendum; and (iii) to comply with other reasonable instructions provided by you to the extent they are consistent with the terms of the Agreement and this Addendum and only in accordance with your documented lawful instructions. The Personal Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain, and improve the Services provided to you; (ii) to provide you customer and technical support; and (iii) disclosures or further processing as required by law, in which case Flodesk may, to the extent permitted by the Data Protection Laws or the legal process, inform you of that legal requirement before the relevant disclosure or processing of that Personal Data. The parties agree that this Addendum and the Agreement set out your complete and final instructions to Flodesk in relation to the processing of Personal Data and that any processing outside the scope of these instructions (if any) shall require prior written agreement between you and Flodesk.

Specifically as it relates to the CCPA, as amended by the CPRA, Flodesk further agrees and warrants: (a) that it shall act only as a service provider in the Processing of Personal Data; without limiting the foregoing, Flodesk will process Personal Data only for the business purposes and operation purposes applicable to Member’s instructions that are permissible under the CCPA for Flodesk’s provision of the services under the Agreement (the “Qualified Business Purposes”) and not for Flodesk’s own purposes; (b) that Flodesk shall not (i) sell or share the Personal Data; (ii) retain, use or disclose Personal Data for any commercial purposes other than the Qualified Business Purposes set forth in the Agreement or outside of the business relationship between Flodesk and Member; or (iii) combine the Personal Data which Flodesk received from or on behalf of Member with Personal Data it receives from or on behalf of another person or entity, or collects from its own interactions with subscriber, provided that Flodesk may combine Personal Data to perform a Qualified Business Purpose; (c) that it shall not, notwithstanding anything to the contrary, Process or use sensitive personal information or special categories of Personal Data unless instructed in writing by Member; and (d) that to the extent that Member makes available de-identified data to Flodesk, Flodesk shall use and maintain it in accordance with applicable Data Protection Laws and, without limiting the generality of the foregoing, not attempt to re-identify the de-identified data.

2.4 Flodesk Data. Notwithstanding anything to the contrary in the Agreement and/or this Addendum, you acknowledge that Flodesk may use and disclose data relating to and/or obtained in connection with the operation, support, and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development, and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Flodesk is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws. Nothing in the Agreement or this Addendum shall prevent Flodesk from using or sharing any data that Flodesk would otherwise collect and process independently of your use of the Services.

3. Security

3.1 Technical and Organizational Security Measures. Flodesk shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Data Breaches and to preserve the security and confidentiality of the Personal Data. For additional information, please review our Privacy Policy and submit specific questions to privacy@flodesk.com. You acknowledge that Flodesk’s technical and organizational security measures are subject to continued development and that Flodesk may update or modify them from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services used or purchased by you.

3.2 Confidentiality of Processing. Flodesk shall ensure that any person who is authorized by Flodesk to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

3.3 Data Breaches. Flodesk shall, to the extent permitted by law, notify you without undue delay upon Flodesk or any Sub-processor becoming aware of a Data Breach affecting your Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform data subjects of the Data Breach under the Data Protection Laws. Flodesk shall cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such Data Breach.

3.4 Recordkeeping. Flodesk shall maintain records of its security standards. Upon your written request, Flodesk shall provide (on a confidential basis) copies of relevant external certifications, audit report summaries, and/or other documentation reasonably required by you to verify Flodesk's compliance with this Addendum. Flodesk shall further provide written responses (on a confidential basis) to all reasonable requests for information made by you, including without limitation responses to information security and audit questionnaires, that you (acting reasonably) consider necessary to confirm Flodesk's compliance with this Addendum.

4. Sub-processing

4.1 Authorized Sub-processors. You agree that Flodesk may engage Sub-processors to process Personal Data on your behalf.

4.2 Obligations Respecting Sub-processors. Flodesk shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Sub-processor that cause Flodesk to breach any of its obligations under this Addendum.

4.3 Right to Object to Sub-processors. When requested by Member in writing, Flodesk will notify Member via email. To object to a Sub-processor, Member can (i) terminate the Agreement pursuant to its terms; or (ii) cease using the Service for which Flodesk has engaged the Sub-processor.

5. International Transfers

5.1 Obligations. The Parties agree that applicable transfers shall be governed by Module Two’s obligations in the EU Standard Contractual Clauses, the terms of which are incorporated herein by reference.

5.2 Processing Locations. Flodesk stores and processes Personal Data in data centers located outside the European Union. All other Personal Data may be transferred and processed in the United States and anywhere in the world where Flodesk and/or its Sub-processors maintain data processing operations. Flodesk shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

5.3 Cross-border Transfer Obligations. As required or acceptable to satisfy cross-border transfer obligations under applicable Data Protection Laws, to the extent that Flodesk receives Personal Data from Member that is subject to cross-border data transfer restrictions, the parties agree to comply with the (a) EU Standard Contractual Clauses; or (b) a legal transfer mechanism, the DPF or an equivalent, or treaty approved by a competent data protection authority for the cross-border transfer of Personal Data in accordance with applicable Data Protection Laws.

For purposes of any transfers, Flodesk shall be the “data importer,” and Member established in the relevant jurisdiction shall be the “data exporter.” Flodesk represents, warrants, and covenants to Member that it has not been, and that it is not likely to be, subject to a request for disclosure of Personal Data from a law enforcement authority or state security body that is massive, disproportionate, or indiscriminate. If, in the future, Flodesk has or obtains knowledge of any information that may prevent it from making the foregoing covenant, Flodesk shall, to the extent permitted by applicable law, immediately notify, and the parties shall discuss in good faith whether to notify the appropriate supervisory authority and/or suspend further transfers of Personal Data. If Flodesk determines that it can no longer provide this level of protection, Flodesk will promptly notify Member of this determination. To the extent required by Data Protection Laws and during the term of this Addendum, the parties shall enter into replacement Standard Contractual Clauses or additional Standard Contractual Clauses, shall comply with additional requirements for such transfers, and shall enter into supplemental data transfer terms. In the event that a successor to the DPF, Flodesk agrees it shall, as appropriate and required by applicable law, coordinate in good faith with Member to establish supplemental data transfer terms with Flodesk. Except as provided in Schedule 1 to this Addendum or in documented instructions from Member, international transfer of Personal Data by Flodesk is prohibited.

6. Cooperation

6.1 Response to Requests. To the extent Flodesk is required under Data Protection Laws, Flodesk shall (at your expense) provide reasonably requested information regarding Flodesk's processing of Personal Data under the Agreement and/or this Addendum to enable you to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

6.2 Correction or Erasure by You. Flodesk shall comply with any commercially reasonable request by you to correct, amend, block, or delete Personal Data, as required by Data Protection Laws, to the extent Flodesk is legally permitted to do so.

6.3 Access. To the extent that you are unable to independently access the relevant Personal Data within the Services, Flodesk shall (at your expense) taking into account the nature of the processing, provide reasonable cooperation to assist you, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement and/or this Addendum. In the event that any such request is made directly to Flodesk, Flodesk shall not respond to such communication directly without your prior authorization, unless legally compelled to do so. If Flodesk is required to respond to such a request, Flodesk shall promptly notify you and provide it with a copy of the request unless legally prohibited from doing so.

6.4 Exercise of Rights by Data Subjects. Taking into account the nature of the processing, Flodesk shall assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligations, as reasonably understood by you, to respond to requests by data subjects to exercise rights under the Data Protection Laws. To the extent legally permitted, you shall be responsible for any costs arising from Flodesk's provision of such assistance (to the extent the provision of such assistance is not included in the Services to which you are entitled under the Agreement).

6.5 Return or Deletion of Data Upon Termination. Upon the end of the provisions of Services to you, all Personal Data will be treated as identified in the Privacy Policy, incorporated herein by reference, and may be deleted, save that this requirement shall not apply to the extent Flodesk is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data Flodesk shall securely isolate and protect from any further processing, except to the extent required by applicable law.

7. Miscellaneous

7.1 Conflict. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of that conflict.

7.2 Liability. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Agreement, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitations of liability’ section of the Agreement. For the avoidance of doubt, Flodesk's total liability for all claims arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.

7.3 Governance. This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless required otherwise by Data Protection Laws.

Schedule 1

This Schedule 1 forms part of the Agreement, and supplements the EU Standard Contractual Clauses. Capitalized terms not defined in this Schedule 1 have the meaning set forth in the Agreement.

The parties agree that the following terms shall supplement the EU Standard Contractual Clauses:

1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the EU Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the EU Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) for Module Two, Option 1 in Clause 9 is struck and Option 2 is kept, and data importer will provide notice of Sub-processors in accordance with Section 4.3 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

2. Clarifying Terms. The Parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the EU Standard Contractual Clauses will be provided upon Exporter’s written request; (ii) the measures Importer is required to take under Clause 8.6(c) of the EU Standard Contractual Clauses will only cover Importer’s impacted systems; (iii) the audit described in Clause 8.9 of the EU Standard Contractual Clauses shall be carried out in accordance with Section 3.4 of this Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the EU Standard Contractual Clauses will be limited to the termination of the EU Standard Contractual Clauses; (v) unless otherwise stated by Importer, Exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the EU Standard Contractual Clauses; and (vi) the information required under Clause 15.1(c) of the EU Standard Contractual Clauses will be provided upon Exporter’s written request.

3. Annex I.

A. List of Parties

Data exporter: Member

Email: See information provided by Member

Data importer: Flodesk

Address: 2093 Philadelphia Pike #3380, Claymont, DE 19703

Data Protection Officer: dpo@flodesk.com

B. Description of Transfer

Categories of Data subjects

Flodesk may process the Personal Data of Member or Member’s customers.

Purposes of the transfer(s)

To provide the Flodesk Services requested by Member or Member’s customers.

Categories of data transferred

The personal data transferred concern the following categories of data:

- name

- email address

- address

- payer’s account verification status information

- browser information, including IP address

- financial information

Recipients

Recipients of the personal data transferred may be:

  • the Data Subject

  • Flodesk

  • Member

  • Sub-processors for either Flodesk or Member

Sensitive categories of data (if appropriate)

- None

Criteria used to determine storage limits

The personal data transferred may be stored for the period necessary to fulfill the intended purpose for which the data was collected and further processed (unless otherwise required by applicable law).

C. Competent Supervisory Authority

Office of the Information Commissioner of the Republic of Ireland and Switzerland’s Federal Data Protection and Information Commissioner*

* The Swiss Federal Data Protection and Information Commissioner is the supervisory authority only with respect to residents of Switzerland and their personal data.

4. Annex II. Annex II of the EU Standard Contractual Clauses shall read as follows: Data importer shall implement and maintain technical and organization measures designed to protect personal data in accordance with the Addendum.

5. Annex III. A new Annex III shall be added to the EU Standard Contractual Clauses and shall read as follows:

Table 1: The start date in Table 1 is the effective date of the Agreement. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Agreement.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The parties agree that Exporter may end the UK Addendum as set out in Section 19.
