Data Processing Addendum
This Data Processing Addendum ("Addendum") supplements Loox's terms of service (the "Agreement") between Loox Online Ltd. ("Loox") and merchants who use Loox's services (the "Merchant").
WHEREAS, pursuant to the Agreement, Loox provides Merchant access to use Loox's platform (the “Service”);
WHEREAS, privacy and data protection laws warrant special contractual arrangements;
THEREFORE, the parties have agreed as follows:
- The parties acknowledge and agree to –
  1.1 Loox Privacy Policy (for Merchants and Website Visitors) available here and Loox Privacy Policy (for Merchant's Customers) available here (the "Privacy Policies")
  1.2 Loox Terms of Service available here and Website Terms of Service available here
- Merchant commissions, authorizes and requests that Loox provide Merchant the Service, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), referred to as "Data Protection Law").
- With respect to those activities of Loox as a ‘Data Processor’ (as this term is defined and used in Data Protection Law), Loox will Process the Personal Data only on Merchant’s behalf and for as long as Merchant instructs Loox to do so. Loox shall not Process the Personal Data for any purpose other than the purpose set forth in the next section.
- The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are Merchant's clients who interact with Merchant and use Loox Service (“Merchant’s Customers”).
- The subject matter and purposes of the Processing activities are the provision of a review management Service, including maintenance, support, enhancement and deployment of the same.
  5.1 The Merchant's Customers' Personal Data Processed may include, without limitation: email address, full name, physical address, purchase amount, purchase date, item purchased, reviews submitted to Merchant's website, images, videos, metadata, and statistical and analytic information about Merchant's Customers' use of the Service and/or the Merchant's, all in accordance with the Merchant's preferences.
  5.2 The Merchant Personal Data Processed may include, without limitation: Merchant's name, phone number, email, location, metadata and analytics information about Merchant's use of the Service.
- With respect to those activities of Loox as a Data Processor, Loox will Process the Personal Data only as set forth in this Addendum. Merchant and Loox are each responsible for complying with the Data Protection Law applicable to them in their roles as Data Controller (as this term is defined and used in Data Protection Law) and Data Processor, respectively.
- If the Data Protection Law does not apply to the Merchant, then Merchant must abide by whatever other data privacy and data security laws and regulations applicable to it, and at a minimum –
  7.1 Obtain and maintain any and all valid authorizations, permissions and informed consents, including those of individuals about whom the Service may process personal data or personally identifiable information, as may be necessary under applicable laws and regulations, in order to allow Loox to lawfully collect, handle, retain, process and use the processed data within the scope of the Service.
  7.2 Substantiate the legal basis for, and legitimize pursuant to applicable law, any and all personal data or personally identifiable information transferred to Loox, whether directly by the Merchant or indirectly by a third party retained by and operating for the benefit of the Merchant.
  7.3 Have, properly publish and abide by an appropriate privacy policy that complies with all applicable laws and regulations relating to personal data or personally identifiable information of Merchant's Customers.
- If Merchant imports reviews into the Service from an external source, Merchant represents and warrants that it has obtained and maintains any and all valid authorizations, permissions and informed consents necessary under applicable laws and regulations, in order to: (a) import those reviews and their accompanying data into Loox, and (b) allow Loox to lawfully collect, handle, retain, process and use the processed data within the scope of the Service.
- With respect to those activities of Loox as a Data Processor, Loox will Process the Personal Data only on documented instructions from Merchant that are provided through the Service's various control and configuration options, unless Loox is otherwise required to do so by law to which it is subject (and in such a case, Loox shall inform Merchant of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Loox shall immediately inform Merchant if, in Loox's opinion, an instruction is in violation of Data Protection Law. Merchant may use certain of the Service's control and configuration options to assist it in connection with its obligations under the GDPR. In light of the GDPR's requirement under Articles 13 and 14 to have a privacy notice pursuant to the 'transparency' and 'accountability' principles of the GDPR, Loox will maintain for the benefit of Data Subjects a dedicated Privacy Notice.
- Merchant may only use the Service to process personal data pursuant to a recognized and applicable lawful basis under Data Protection Law, such as (by way of example only) consent or legitimate basis. Merchant is solely responsible for determining the lawfulness of the data processing instructions it provides to Loox and shall provide Loox only instructions that are lawful under Data Protection Law.
- Loox, through the Service’s various control and configuration options available to Merchant, will follow Merchant’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Loox will pass on to Merchant requests that it receives from Data Subjects regarding their Personal Data Processed by Loox.
- Additional instructions of the Merchant outside the scope of the Service’s control and configuration options require prior and separate agreement between Merchant and Loox, including agreement on additional fees (if any) payable to Loox for executing such instructions. If Loox declines to follow Merchant’s reasonable instructions outside the scope of the Service’s control and configuration options, then Merchant may terminate this Addendum and the Agreement, without liability for such premature termination.
- Loox will make available to Merchant all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law and Israeli data privacy law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Company upon request.
- Merchant acknowledges and agrees that Loox uses the following sub-processors to Process Personal Data: https://loox.app/legal/service-providers
- Merchant authorizes Loox to engage another sub-processor for carrying out specific processing activities of the Service, provided that Loox informs Merchant at least 7 days in advance of any new or substitute sub-processor, in which case Merchant shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Merchant so objects, Loox may not engage that new or substitute sub-processor for the purpose of Processing Personal Data in the provision of the Service to the Merchant and may terminate the Agreement with the Merchant for convenience, without liability to Merchant for such premature termination.
- Loox and its sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or in countries which are not recognized by the European Commission as having adequate protection for personal data, using standard data protection clauses with adequate safeguards determined by the EU Commission and the UK Information Commissioner's Office.
- Loox will procure that the sub-processors Process the Personal Data in a manner consistent with Loox’s obligations under this Addendum and Data Protection Law, particularly Article 28 of the GDPR, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
- In Processing Personal Data, Loox will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Loox will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Loox shall allow for and contribute to audits, including carrying out inspections on Loox's business premises conducted by Merchant or another auditor mandated by Merchant during normal business hours and subject to a prior notice to Loox of at least 30 days as well as appropriate confidentiality undertakings by Merchant covering such inspections in order to establish Loox's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Loox processes on behalf of Merchant. If such audits entail costs or expenses to Loox, the parties shall first come to agreement on Merchant reimbursing Loox for such costs and expenses.
- Loox shall without undue delay notify Merchant of any 'Personal Data Breach' (as this term is defined and used in Data Protection Law) that it becomes aware of regarding Personal Data of Data Subjects that Loox Processes. Loox will use commercial efforts to mitigate the breach and prevent its recurrence. Merchant and Loox will cooperate in good faith on issuing any statements or notices regarding such breaches to authorities and Data Subjects.
- Loox will assist Merchant with the eventual preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Loox, the parties shall first come to agreement on Merchant reimbursing Loox for such costs and expenses.
- Loox will provide Merchant prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Merchant’s behalf, so that Merchant may contest or attempt to limit the scope of production or disclosure request.
- All notices required or contemplated under this Addendum to be sent by Loox will be sent by electronic mail to the email address that Loox has on file for the Merchant's main contact person.
- Upon Merchant's request, Loox will delete the Personal Data it has Processed on Merchant's behalf under this Addendum from its own and its sub-processors' systems, or, at Merchant's choice, use the Service's tools to obtain the data before its deletion, and upon Merchant's request, will furnish written confirmation that the Personal Data has been deleted pursuant to this section. In case of laws applicable to Loox that prohibit return or deletion of the personal data, Loox warrants that it will continue to ensure compliance with this Addendum and will only process it to the extent and for as long as required under those laws. Loox will notify the Merchant if it is required to retain the personal data under those laws, following such Merchant request.
- The duration of Processing that Loox performs on the Personal Data is for the period set out in the Privacy Policies. This Addendum shall prevail in the event of inconsistencies between it and the Agreement between the parties or subsequent agreements entered into or purported to be entered into by the parties after the date of this Addendum – except where explicitly agreed otherwise in writing.
- The parties’ liability under this Addendum shall be pursuant to the liability clauses in the various parts of the Agreement.
- This Section 27 applies if the California Privacy Rights Act applies to the Merchant.
  27.1. Capitalized terms used in this Section 27 but not defined in this Addendum have the meaning ascribed to them in the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq., collectively, the "CPRA").
  27.2. The parties acknowledge and agree that Loox is a Service Provider. To that end, and unless otherwise required by law:
    27.2.1. Loox will process, retain, use, and disclose Personal Information on behalf of the Merchant, only as necessary to provide the Service as specified in the Agreement. The parties agree that Merchant is disclosing the Merchant's Personal Information to Loox only for the purpose of properly performing the Service, or for any commercial purpose other than as reasonably necessary to provide the Service, to comply with other reasonable and lawful instructions provided by Merchant or as otherwise permitted under 11 CCR §7051(c) (the "Business Purpose").
    27.2.2. Loox shall not sell or share Merchant's Personal Information, or retain, use or disclose Merchant's Personal Information for any commercial purpose outside of the direct business relationship between the parties, or for any purpose other than the Business Purposes, unless expressly permitted by the CPRA. Loox certifies that it understands its obligations under the CPRA and will comply with them.
    27.2.3. Loox is prohibited from combining the Merchant's Personal Information with Personal Information from other sources, or on behalf of another person, or that it collects from its own interaction with a Consumer, unless expressly permitted by the CPRA.
    27.2.4. If Loox receives a request from a California Consumer of the Merchant about his or her Personal Information, Loox shall not comply with the request itself, but shall inform the Consumer that Loox's basis for denying the request is that Loox is merely a Service Provider that follows Merchant's instruction, and inform the Consumer that they should submit the request directly to the Merchant and provide the Consumer with the Merchant's contact information.
    27.2.5. Commensurate with the nature of Loox's services to Merchant and in accordance with Merchant's specified instructions to Loox, Loox shall help Merchant to comply with California Consumers' requests made pursuant to the CPRA of which Loox is informed by Merchant.
  27.3. At Merchant's direction, Loox shall delete or return to Merchant the Personal Information it has Processed on Merchant's behalf from its own and its service providers' systems, shortly after it completes the requested Service, and upon Merchant's request, will furnish written confirmation that the Personal Information has been deleted pursuant to this section, unless retention of the Personal Information is required by law.
  27.4. Loox shall comply with all applicable sections of the CPRA and shall provide, with respect to the Personal Information it Collects pursuant to the Agreement, the same level of privacy protection as required of Businesses by the CPRA, and as follows:
    27.4.1. Loox shall cooperate with the Merchant in responding to and complying with Consumers' requests made pursuant to the CPRA, such as assisting Merchant by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Merchant's obligation to respond to requests for exercising Consumer rights under the CPRA.
    27.4.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Loox's processing of Personal Information of the Merchant, as well as the nature of personal information processed for Merchant, Loox shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches), in accordance with Cal. Civ. Code §1798.81.5, and commensurate with the 18 Critical Security Controls published by the Center for Internet Security (CIS).
  27.5. Loox grants Merchant the right to take reasonable and appropriate steps to ensure that Loox uses the Merchant's Personal Information in a manner consistent with Merchant's obligations under the CPRA. Merchant may, in coordination with Loox, monitor Loox's compliance with the Agreement through measures including, but not limited to, ongoing manual reviews and automated scans of Loox's systems, at least once every 12 months. Loox shall perform regular internal or third-party assessments, audits, or other technical and operational testing of its security procedures and practices at least once every 12 months. Upon the reasonable request of Merchant, Loox shall make available to Merchant all information in its possession necessary to demonstrate Loox's compliance with the obligations in this clause.
  27.6. Loox shall promptly notify Merchant once it makes a determination that it can no longer meet its obligations under the CPRA.
  27.7. Loox grants Merchant the right, upon notice, including under section 27.6, to take reasonable and appropriate steps to stop and remediate Loox's unauthorized use of Merchant's Personal Information.
  27.8. Loox shall ensure that each person involved in Processing the Merchant's Personal Information it collects pursuant to the Agreement is subject to a contractual or statutory duty of confidentiality with respect to that Merchant's Personal Information.
Alleged infringement notice
If you believe that the Service was used to infringe your copyrights, you may send our designated copyright agent (the "Agent") a written notification that includes substantially the following:
- A physical or electronic signature of the person authorized to act on behalf of the owner of the right that is allegedly infringed;
- Identification of the copyrighted work claimed to be infringed, or, if multiple copyrighted works are covered by a single notification, a representative list of such works;
- Identification of the content that is claimed to infringe or to be the subject of infringing activity and the access to which is to be disabled, and information reasonably sufficient to permit us to locate the content, including the exact Service page in which you discovered the allegedly infringing content;
- Information reasonably sufficient to permit us to contact you, such as an address, telephone number, and, if available, an electronic mail address at which you may be contacted;
- A statement that you have a good faith belief that the use of the material, in the manner complained of, is not authorized by the owner of the copyrighted work, its agent, or the law;
- A statement that the information in the notification is accurate, and under penalty of perjury, that you are authorized to act on behalf of the owner of the copyrighted work that is allegedly infringed.
Upon your notification, we may remove or disable access to the content that you claim to be infringing. We may ask you to provide further or supplemental information, prior to removing or disabling access to any content displayed on the Service, as we deem necessary to comply with the law. We may also provide the Service user who submitted the allegedly infringing content with your contact details, in order for that person to be able to contact you and challenge your claim.
Counter notification
If we’ve removed or disabled access to content that you submitted, pursuant to a notification of claimed infringement that we received, then you have an opportunity to respond to the notice and takedown by submitting a counter-notification to our Agent. To be effective, your counter notification must be a written communication that includes substantially the following:
- Your physical or electronic signature;
- Identification of the removed content, or of the content to which access has been disabled and the location at which the content appeared before its removal or before access to it was disabled;
- A statement, under penalty of perjury, that you have a good faith belief that the content was removed or disabled as a result of mistake or misidentification of the content;
- Your name, address, and telephone number, and a statement that you consent to the jurisdiction of the competent courts in any judicial district in which your address is located or in which you may be found, and that you will accept service of process from the person who provided notification or an agent of such person.
After receipt of a counter notification, we will provide the person who submitted the claimed infringement notification with a copy of the counter notification.
Subject to the applicable law, we may then replace the removed content and cease disabling access to it within 10 to 14 business days following receipt of the counter notice, unless our Agent first receives notice from the person who notified us of the claimed infringement that such person has filed an action seeking a court order to restrain the user from engaging in infringing activity relating to the content on the Service.