Data processing appendix

Custobar Oy (business ID 2645106-1, hereinafter Custobar) provides cloud-based Customer Data Platform solution designed for the B2C sector (hereinafter the Service).

This Data Processing Appendix (DPA) is a part of the agreement for the provision of the Service whose terms and conditions have been laid out in the Service’s general Terms and Conditions or such other agreement that may have been specifically concluded (such agreement hereinafter the Agreement) between Custobar and the client (Client).

Custobar and Client are each individually referred to as the Party and together as the Parties.

1. General

1.1. This DPA forms an integral part of the Agreement and shall apply to all processing of personal data under the Agreement. Where applicable and when this DPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall be applied to this DPA. If the Agreement or any other document regulating the relationship between Custobar and the Client as set out in the Agreement contains provisions that are in conflict with this DPA, this DPA shall have precedence.

1.2. If and to the extent that the Client submits data to the Service and such data constitutes or contains personal data, the Client shall be considered the controller under the EU regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Custobar processes, by providing the Service to the Client, such personal data on behalf of Client as a processor for the purposes of the Agreement during the term thereof. If and to the extent that the Client acts as a processor in relation to other controllers, Custobar shall act as a subprocessor under this DPA. As used herein, personal data means such personal data that Custobar processes on behalf of the Client as the Client’s processor or subprocessor.

1.3. The Client is responsible for the lawful processing and collection of personal data in compliance with the GDPR and other laws, regulations and directives pertaining to the processing or collection of personal data. Custobar will not monitor the Client’s processing or collection of personal data in the Service. The Client shall be responsible for having the required rights and necessary permissions from third parties to use and disclose personal data for the purposes set out in the Agreement. The Client shall ensure that the Client is entitled to transfer the relevant personal data to Custobar so that Custobar may lawfully process, use and transfer the personal data in accordance with the Agreement and this DPA.

1.4. Each Party shall be responsible for the information security of the Party’s own communications networks. Neither Party shall be responsible or liable for the information security of general communications networks, or for interferences or other disruptions, outside of the Parties influence, that may occur in general communications networks.

1.5. The subject matter, categories and types of data as well as other details of the processing are specified in Schedule 1 of this DPA (Description of the Processing Operations).

2. Processing of personal data

2.1. Custobar shall only process personal data in accordance with this DPA and documented instructions from Client, unless required to do otherwise under European Union or Member State law to which Custobar is subject. In such case Custobar shall inform the Client of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.

2.2. Custobar may not use the Client’s personal data for any other uses than for which the personal data for the provision of the Services and as otherwise instructed by the Client. Custobar shall process information disclosed to it by the Client in accordance with this Agreement and according to written instructions or guidelines given to it by the Client. Client’s instructions must be commercially reasonable, compliant with applicable data protection legislation and regulations and consistent with this Agreement. In case Custobar detects that any instruction given by the Client is non-compliant with European Union or member state law to which Custobar is subject, Custobar shall not be obliged to comply with such instruction and shall inform the Client of that legal requirement.

2.3. In case the Client’s instructions require additional measures or work to be performed by Custobar, Custobar has the right to charge an hourly consulting fee from the Client for complying with such Client’s instructions in accordance with Custobar’s then current price for consulting services, subject to the Client’s prior approval of such additional costs.

3. Data Security

3.1. Custobar ensures that it shall implement and maintain appropriate technical and organizational security measures to protect the personal data within its area of responsibility, in order to safeguard the personal data against unauthorized or unlawful processing or access and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by Custobar hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, where appropriate and relevant for each processing action:

(i) the pseudonymisation and encryption of personal data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Service;

(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

(v) the ongoing confidentiality, integrity, availability, resilience and restoration of all processing systems and services in which personal data is stored or processed

(vi) the pseudonymisation and encryption of personal data and communications containing personal data when it is appropriate and necessary to maintain the integrity and confidentiality of personal data.

Custobar also ensures that the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Assistance Obligations

4.1. Taking into account the nature of the processing, Custobar shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.

4.2. Taking into account the nature of the processing and the information available to Custobar, Custobar shall further provide the Client with assistance in ensuring compliance with the Client’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority).

4.3. In case such assistance requires measures from Custobar, Custobar has the right to charge an hourly consulting fee from the Client for handling such assistance requests in accordance with Custobar’s then current price for consulting services, subject to the Client’s prior approval of such additional costs.

5. International Transfers

5.1 The Client accepts that Custobar may have personal data processed and accessible by Custobar or its subprocessors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, then Custobar shall comply with Chapter V of the GDPR and use transfer tools which ensure appropriate safeguards for protection of the personal data, including (but not necessarily limited to) entering into the standard contractual clauses adopted by the European Commission (by the implementing decision (EU) 2021/914 and as amended) and carrying out a transfer impact assessment.the Client authorizes Custobar to enter, on behalf of the Client, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or Custobar shall provide for other appropriate safeguards for the protection of the personal data transferred outside the EEA as set out in the GDPR.

5.2 The Parties acknowledge that the European Commission intends to publish a set of new Standard Contract Clauses (“New SCC”). The Parties acknowledge and agree that once the New SCCs have been adopted, Custobar shall sign them with any other third-party companies who are involved in transferring personal data outside of the EEA, the New SCCs will supersede any prior agreements between the Client, Custobar, and said sub-processor that conflict with the New SCCs. The Parties also acknowledge and agree that this section shall be amended accordingly after the New SCCs have been adopted.

6. Audits

6.1. The Client or an auditor appointed by the Client shall with the assistance of Custobar have the right to audit the processing activities of Custobar under this DPA to assess the compliance of Custobar with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of Custobar and with 30 days’ prior written notice. If Custobar’s employees or other representatives participate in such audits at the request of the Client, the Client shall compensate Custobar for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Custobar or threaten intellectual property rights of Custobar, the Client shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to Custobar’s benefit.

6.2. Where an audit may, in Custobar’s sole opinion, lead to the disclosure of business or trade secrets of Custobar or threaten the intellectual property rights of Custobar, the Client shall employ an independent auditor, that is not a competitor of Custobar, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Custobar’s benefit.

6.3. Custobar makes available to the Client, at the Client’s request, information necessary to demonstrate compliance with the GDPR. In case the Client’s request requires measures or work to be performed by Custobar, Custobar has the right to charge an hourly consulting fee in accordance with its then current price for consulting services for handling such requests, subject to the Client’s prior approval of such additional costs.

7. Subprocessors

7.1. The Client gives its general authorization to allow Custobar to engage subcontractors as subprocessors to process personal data in connection with the provision of the Service.

7.2. Custobar is free to choose and change its subprocessors. Upon request, Custobar shall inform Client of subprocessors currently involved. In case there is a later change of a subprocessor (addition or replacement), Custobar shall notify the Client of such change, thereby giving the Client the opportunity to object to such change. If Custobar is not willing to change the subprocessor the Client has objected to, both Parties shall have the right to terminate the Agreement and this DPA.

7.3. Where Custobar engages a subprocessor for carrying out specific processing activities on behalf of the Client, the same data protection obligations as set out in this DPA shall be included in the DPA between Custobar and that subprocessor. Where a subprocessor fails to fulfil its data protection obligations, Custobar shall remain liable to the Client for the performance of the subprocessor’s obligations as further stipulated in the Agreement.

Schedule 1 Description of the Processing Operations

8. Categories and Types of Personal data

During the course of providing the Client with the Service, Custobar may process certain personal data on behalf of the Client. The individuals whom the personal data concerns are Client’s customers or potential customers.

The particular types of personal may vary on a case-by-case basis depending on what personal data the Client and its users may decide to process as part of their use of the service. Such personal data may, for example, include the following information:

  • first and last name
  • email address
  • phone number
  • postal address, postal code, country
  • delivery address
  • language
  • birth date
  • gender
  • name of the company the data subject represents
  • other Personal data the Client chooses to transfer to Custobar to be processed in connection with the provision of the Service
  • commencement date of the customer relationship
  • marketing consents (email, SMS, mail)
  • last date and time of sign-up
  • purchase history
  • information on emails opened and clicked
  • information on activities taken on the website
  • information on visits to shops
  • information provided at the shops
  • participations in competitions
  • customer feedbacks
  • IP addresses
  • device types

9. Duration of the Processing

Personal data shall be processed as long as the Agreement with the Client remains in force, unless instructed otherwise by the Client in accordance with the DPA. Following expiration of the Agreement Custobar will delete the personal data within reasonable time after the end of the customer relationship.

10. Transfers outside of the EU or the ETA

The following shall transfer outside of the EEA under this DPA:

Twilio (Sendgrid)

  1. Purpose of the transfer: Enabling the service for email messages transfer are transmission in Custobar’s service
  2. Country to which the data is transferred: United States of America
  3. Adopted safeguards for the transfer: Standard Contractual Clauses

Google Cloud

  1. Purpose of the transfer: To enable hosting of the Custobar service in Google Cloud
  2. Country to which the data is transferred: United States of America[LE1] [OL2]
  3. Adopted safeguards for the transfer: Standard Contractual Clauses

11. General description of the technical and organisational security measures

As described in Section 3 of this DPA.

12. Subprocessors

Company Purpose of processing Country or area of processing
Google Ireland Limited     Hosting services     Finland / EU
Upcloud Oy     Hosting services Finland
Infobip Ltd. SMS relay services Germany
Link Mobility SMS relay services EU/EEA
Twilio Sendgrid Services Email relay services United States of America
EU
Amazon Web Services EMEA SARL Encrypted backups Germany
Kooditon Oy Software development Finland
Stripe, Inc. Payments United States of America
Voimo / Ari Pietarinen Software development Finland
JiiriCode Oy Software Development Finland

Updated June 19, 2024: EU added as an area of processing fo Twilio Sendgrid Services.