DATA PROCESSING ADDENDUM TO

THE TERMS OF USE OF

Consentmo GDPR Compliance app

This Data Processing Addendum (“DPA”) applies to you (the “Client”) and Consentmo Ltd. (“Consentmo”), located at 4 Prof. Georgi Bradistilov, entr. A, 4th floor, Sofia, Bulgaria, for the processing of personal data. This Data Processing Addendum is applicable together with the Terms of use (available at: https://www.consentmo.com/privacy-policy-terms-of-service/en). By clicking “I accept” or using our Services (the Consentmo app), you agree to all terms and conditions of this Data Processing Addendum and the Terms of use.

BACKGROUND

(A) The Client has appointed Consentmo for the provision of GDPR compliance services by Consentmo to the Client (the “Services”). Consentmo may process and host the visitors’ information of the Client’s website in order to provide the Client with the Services. By using the Services, the Client has granted Consentmo a right to make requests via the API to access and edit the customer information, log the requests submitted via the Compliance pages and log the customer policy acceptances for the visitors of the site.
(B) All capitalised terms not defined herein shall have the meaning set forth in the Terms.
(C) This DPA forms part of the Terms to reflect the parties’ agreement with regards to the processing of Client Data, including Personal data, in accordance with the requirements of the Data Protection Legislation.
(D) In the course of providing the Services to the Client pursuant to the Terms, Consentmo may Process Personal Data on behalf of the Client.
(E) The types of Personal Data and categories of Data Subjects processed by Consentmo, when acting as a Processor, under this DPA are further specified in Schedule 1 to this DPA.
I. TERMS AND DEFINITIONS
1.1. Terms below shall have the following meanings:
  1. “Terms” means Consentmo’s Terms of use, available at: https://www.consentmo.com/privacy-policy-terms-of-service/en
  2. “Consentmo” means Consentmo Ltd., UIC 112660079, with registered seat and address: 4 Prof. Georgi Bradistilov, entr. A, 4th floor, Sofia, Bulgaria.
  3. “Client” means the natural person or legal entity that owns a website: a merchant who has an account in Shopify and has installed our Consentmo app (https://apps.shopify.com/gdpr-backpack).
  4. “Client’s End User” means a person who ultimately uses and/or interacts with the Client’s website subject to compliance with GDPR laws by Consentmo.
  5. “Agency” means a Client as described in item 3 above who adds and maintains multiple websites to its subscription plan under special Agency terms. Such websites belong to the own clients of the Agency. All rights and obligations of the Client shall be considered rights and obligations of the Agency unless otherwise provided in this DPA.
  6. “Personal Data” has the meaning set out in the Data Protection Legislation and relates only to Personal Data, or any part of such Personal Data:
    ∘ supplied to Consentmo by or on behalf of the Client; and/or
    ∘ obtained by, or created by, Consentmo on behalf of the Client in the course of delivery of the Services,
    ∘ and for which, in each case, the Client is the Data Controller and the Personal Data is Processed by Consentmo in the performance of the Services;
  7. “Data Processing Addendum” or “DPA” means this Addendum, which is an inseparable part of the Terms applicable between Consentmo and the Client.
  8. “Data Protection Legislation” means, as applicable, the GDPR, as well as any national implementing legislation; as amended or replaced from time to time or, in the absence of such laws, all legislation, regulation, and mandatory guidance or mandatory codes of practice applicable to the Processing of Personal Data pursuant to the Terms.
  9. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  10. “Party” means either Consentmo or the Client.
  11. “Parties” means both Consentmo and the Client.
  12. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
  13. “Services” means the services provided by Consentmo through the Consentmo app as described in the Terms of Use.
  14. “Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
  15. “Sub-processors” means third parties authorized under this Data Processing Addendum to have logical access to and process Client Personal Data in order to provide parts of the Services and related support.
  16. “Technical and Organisational Measures” means the technical and organisational measures considered by the parties taking into account Article 32 of the GDPR.
  17. “Third parties” means any other persons, organizations and authorities, besides Consentmo and the Client.
  18. All terms, which have not been explicitly defined above, such as “personal data”, “data subject”, “processing”, “controller”, “processor”, “supervisory authority”, etc. have the meanings given in the GDPR.
II. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Data Controller, Consentmo is a Data Processor and that Consentmo may engage any Sub-Processors in accordance with the requirements set out in Section IV below.
2.2. Client’s Processing of Personal Data
(a) The Client shall process Personal Data in connection with the Services in accordance with the requirements of Data Protection Legislation.
(b) The Client’s instructions for the Processing of Personal Data shall comply with Data Protection Legislation and will not require Consentmo to undertake unlawful Processing activity in order to comply.
(c) The Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and, where the Client acquired the Personal Data, the means by which the Client acquired Personal Data.
(d) The Client warrants and undertakes that:
∘ (i) its disclosure of Personal Data to Consentmo is limited to what is necessary in order for Consentmo to perform the Services;
∘ (ii) such Personal Data is accurate and up-to-date at the time that it is provided to Consentmo and the Client will promptly notify Consentmo of any necessary corrections, amendments, deletions or restrictions;
∘ (iii) it has and will maintain the legal bases for processing, including all necessary consents of and notices to the Client’s End users required to enable Consentmo to lawfully process Personal Data for the duration and purposes of the Services; and
∘ (iv) for Clients with Agency Status - it has and will maintain the legal bases for processing, including all necessary consents of and notices to (1) Agency’s customers; and (2) Customers’ end users; both of them required to enable Consentmo to lawfully process Personal Data for the duration and purposes of the Services.
2.3. Consentmo Processing of Personal Data
(a) Consentmo shall Process Personal Data in connection with the Services in accordance with the requirements of the Data Protection Legislation, and only as specified in the Client’s written instruction.
(b) Consentmo shall, giving advance notice to the Client where unable to do so, only Process Personal Data on behalf of, and in accordance with, the Client’s written instructions, in each case to the extent permitted by law.
(c) The Client instructs Consentmo to Process Personal Data for the purposes specified in Schedule 1 as amended or supplemented in writing from time to time, provided the Client’s instructions do not materially increase the scope of the Services.
(d) It shall not be Consentmo's obligation to monitor or control the legality of the Personal data of the Client’s End user, processed for the Client at its instructions.
(e) It shall not be Consentmo’s obligation to monitor or control the legality of the Personal data of the Agency’s customers and their end users, processed for the Agency at its instructions.
(f) It is the Client’s responsibility to provide and guarantee that the personal data processing activities performed by the Client with Client’s End Users’ Personal Data through the respective websites are compliant with the requirements of the GDPR.
(g) It is the Client’s responsibility to provide and guarantee that the personal data processing activities performed by the Agency with its customers’ and their end users’ Personal Data through the respective websites are compliant with the requirements of the GDPR.
(h) The Client agrees that it will reimburse Consentmo for any costs incurred or payments paid as a result of any claim brought by a Data Subject arising in connection with Consentmo’s compliance with the Client’s instructions.
(i) Consentmo shall ensure that any persons authorised by it to process Personal Data pursuant to this DPA will maintain the confidentiality of, and shall not disclose Personal Data to, any third parties without the Client’s prior consent, except as required by law or permitted by the Terms. Consentmo is permitted to disclose Personal Data to Sub-Processors engaged as described in Section IV.
III. RIGHTS OF DATA SUBJECTS
3.1. Correction, Blocking and Deletion
(a) Consentmo shall, to the extent permitted by law, notify the Client upon receipt of any complaint or request (other than Data Subject Requests described in clause 3.2 or enquiries of regulators) relating to the Client’s obligations under Data Protection Legislation.
(b) Consentmo shall, at the Client’s cost, comply with any commercially reasonable written instructions from the Client to facilitate any actions required pursuant to clause 3.1(a), within agreed timelines and to the extent Consentmo is legally permitted to do so.
3.2. Data Subject Requests
(a) Consentmo shall, to the extent permitted by law, promptly notify the Client if it receives a request from a Data Subject for access to, correction, amendment, restriction or deletion of that person’s Personal Data.
(b) Consentmo shall provide the Client with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request, within agreed timelines, to the extent permitted by law, and to the extent the Client does not have access to or the ability to correct, amend, restrict or delete such Personal Data itself. The Client shall be responsible for any costs arising from the provision of such assistance by Consentmo.
IV. SUB-PROCESSORS
4.1. Appointment of Sub-Processors
(a) The Client acknowledges and agrees that Consentmo may engage third-party Sub-Processors in connection with the provision of the Services, and, if requested by the Client, Consentmo shall make available to the Client a current list of Sub-Processors engaged for the respective Services (“Sub-Processor List”). Consentmo shall also notify the Client of any change made in the Sub-Processor list in a timely manner.
(b) Where Consentmo engages a Sub-Processor with whom the same terms as set out in this DPA cannot reasonably be imposed or negotiated (for example, but not limited to, where the Sub-Processor operates on fixed, non-negotiable terms) but where such terms are consistent with the obligations on Processors under Article 28 of the GDPR, provided Consentmo has notified the Client of the relevant Sub-Processor terms, those Sub-processor terms shall:
∘ (i) apply to the processing carried out by the Sub-Processor;
∘ (ii) be deemed to state that entire set of obligations, responsibility and liability of Consentmo with respect to the relevant processing, as though Consentmo were carrying out that processing under those Sub-Processor terms in place of the Sub-Processor; and
∘ (iii) be deemed by the Client to provide sufficient guarantees and adequate safeguards in relation to the Processing.
4.2. Objection Right for new Sub-Processors
(a) The Client may (provided it has reasonable grounds for doing so), object to the engagement of a new Sub-Processor following notification in accordance with clause 4.1 above. The Client shall notify Consentmo in writing, stating the reasons for the objection, within 10 business days after receipt of the notification. The Client’s failure to object in writing within such time period shall constitute approval to use the new Sub-Processor.
(b) In the event the Client objects to the notification in accordance with clause 4.2(a) above, the Client acknowledges that the inability to use a particular Sub-Processor may result in delay in performing the Services, inability to perform the Services and/or increased fees and Consentmo shall not be responsible or liable for any delay in, or failure to provide, any affected Services. Consentmo will notify the Client in writing of any change to the Services or fees that would result from Consentmo not using a particular Sub-Processor to which the Client has objected. The Client may either execute a written amendment to the Terms implementing such change or require the parties to discuss in good faith and seek to resolve the objection.
V. TECHNICAL AND ORGANISATIONAL MEASURES. SECURITY AND BREACH NOTIFICATION
(a) Consentmo will implement and maintain Technical and Organizational Measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The Technical and Organizational Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Consentmo’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Consentmo may update or modify the Technical and Organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
(b) Consentmo will take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) The Client has assessed the level of security appropriate to the processing in the context of its obligations under Data Protection Legislation and agrees that the Technical and Organisational Measures are consistent with such assessment.
(d) Consentmo shall, without undue delay, notify the Client upon becoming aware of the occurrence of a Security Breach.
VI. RETURN AND DELETION OF CLIENT DATA
Upon termination or expiration of the Services, or at the written request of the Client, Consentmo shall (at the Client’s selection) delete or return all Personal Data, save as necessary to keep it for compliance with legal or regulatory purposes. The Personal Data shall be deleted within 60 days upon receiving a written request by the Client for deletion of the Personal Data. In all other cases, Consentmo shall delete all Personal Data within 5 years from termination or expiration of the Services. Consentmo shall cease to retain any documents containing Personal Data when it considers that (a) the purpose for which that Personal Data was collected is no longer being served by retention of the Personal Data; and (b) retention is no longer necessary for any business purposes or required by law. The parties agree that a certification of deletion of Personal Data shall be provided by Consentmo to the Client only upon the Client’s request. The Client acknowledges and agrees that Consentmo shall have no liability for any losses arising from any inability on Consentmo’s part to provide the Services as a result of a request made by the Client during the course of the Terms. Furthermore, we comply with the Shopify mandatory webhooks, and clear all the data as requested via the platform.
VII. AUDITS AND ASSISTANCE
Consentmo shall permit the Client (or its appointed third party auditors) to audit compliance of Consentmo with this DPA, and shall make available to the Client information necessary for the Client to conduct such audit, provided that the Client gives Consentmo reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Consentmo operations. The Client will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a regulator; or (ii) the Client believes a further audit is necessary due to a security incident suffered by Consentmo.
VIII. DATA TRANSFERS OUTSIDE OF THE EEA
8.1. Consentmo shall not process, store or transfer Personal Data outside of the European Economic Area (“EEA”) without prior written authorisation from the Client. By agreeing to this DPA, Consentmo is deemed to have authorisation to transfer data to a Sub-Processor located outside of the EEA if there is a valid lawful transfer mechanism in place (such as, but not limited to, the European Commission’s Standard Contractual Clauses), as necessary for the provision of the Services.
8.2. If any Personal Data transferred between the Client and Consentmo requires execution of the European Commission’s Standard Contractual Clauses in order to comply with the Data Protection Legislation, the parties will complete all relevant details in, and execute, the European Commission’s Standard Contractual Clauses, and take all other actions required to legitimise the transfer. The Client authorises Consentmo to enter into the European Commission’s Standard Contractual Clauses with Sub-Processors on the Client’s behalf and in its name where necessary to account for authorised transfers of, or access to, Personal Data outside the EEA.
IX. LIABILITY AND INDEMNITY
9.1. The parties agree that the provisions of this DPA will not be subject to the limitations and exclusions of liability and other terms of the Terms applicable to the Services in question.
9.2. Nothing in this DPA will exclude or in any way limit either party’s liability for fraud, or for death or personal injury caused by its negligence or any other liability to the extent such liability may not be excluded or limited as a matter of law.
9.3. Subject to clause 9.2, neither party will be liable under this DPA for any loss of actual or anticipated income or profits, loss of contracts or for any special, indirect or consequential loss or damage of any kind howsoever arising and whether caused by tort (including negligence), breach of contract or otherwise, whether or not such loss or damage is foreseeable, foreseen, or known. Consentmo’s liability in respect of any breach of this DPA shall, in aggregate, be capped at not more than the amounts paid by the Client according to the chosen subscription plan.
9.4. Consentmo shall indemnify and hold harmless the Client against all losses, damages, liabilities, claims, demands, actions, penalties, fines, awards, costs and expenses (including reasonable legal and other professional expenses), fines and sanctions which may be incurred by the Client as the result of any claim, suit, proceeding or Regulator action brought against the Client directly arising out of any breach by Consentmo of this DPA except:
(a) where Consentmo has acted in accordance with the Client’s instructions, this DPA, the Data Protection Laws or other applicable laws; and
(b) to the extent that Client or any third party acting on behalf of the Client has breached this DPA or any applicable Data Protection Laws.
9.5. The Client shall indemnify and hold harmless Consentmo against all losses, damages, liabilities, claims, demands, actions, penalties, fines, awards, costs and expenses (including reasonable legal and other professional expenses), fines and sanctions which may be incurred by Consentmo as the result of any claim, suit, proceeding brought by: (1) Clients’ End user; (2) Agency’s Customer; or (3) Customers’ end user; or Regulator action brought or threatened against Consentmo directly arising out of or in connection with Consentmo complying with the Client’s written instructions regarding Personal Data Processing.
9.6. To claim under an indemnity set out in this DPA, the claiming party must:
(a) give written notice of the underlying claim, suit, proceeding or Regulator action to the other as soon as reasonably practicable;
(b) not make any admission of liability in relation to the underlying claim, suit, proceeding or Regulator action without the prior written consent of the other;
(c) allow the other to conduct the defence of the underlying claim, suit, proceeding or Regulator action; and
(d) at the other's expense, co-operate and assist to a reasonable extent with the defence of the underlying claim, suit, proceeding or Regulator action.
X. EFFECT OF ADDENDUM
To the extent of any conflict or inconsistency between the terms of this Data Processing Addendum and the Terms of use, the terms of this Data Processing Addendum will govern.
XI. APPLICABLE LAW
This DPA shall be governed by the law of Bulgaria. The place of jurisdiction for all disputes regarding this DPA shall be Sofia, Bulgaria, except as otherwise stipulated by applicable data protection law.
SCHEDULE 1 – Description of the Processing of Personal Data
  1. Subject Matter
    Provision of GDPR Compliance services which may include processing, and keeping a log of the visitor’s information of the Client’s website. We keep a log of the Policy Acceptances and requests for the visitors of the website. This data is kept for 12 months after which it gets automatically deleted.
  2. Nature
    By using the Services, the Client has granted Consentmo a right to make requests via the API to access and edit the customer information, log the requests submitted via the compliance pages and log the customer policy acceptances for the visitors of the site.
  3. Purpose
    (i) Provision of the Services.
    (ii) Ensuring of quality, maintaining safety, and improving the Services.
    (iii) Fixing problems with the Service.
    (iv) Customizing the end user experience.
  4. Categories of Personal Data and Data Subjects:
    (A) Client’s End User Personal Data:
    - Access log information: visitor IP address and emails only if data subject request is submitted;
    (B) When the Client has the status of an Agency (e.g. the Client subscribes for and maintains multiple websites with us under special Agency terms):
    - with respect to the Agency as Client of our Services and its end users - all information as described above in item (A);
    - with respect to the customers of the Agency and their end users - all information and data as described above in item (A);
  5. Recipients of the Personal Data
    (i) Sub-contractors appointed as Sub-Processors of Consentmo;
    (ii) Authorized employees of Consentmo;
  6. Data Transfers
    Name | Service | Locations | Relevant Links
    --- | --- | --- | ---
    Shopify | Main customer records holder | USA | https://www.shopify.com/legal/dpa ; https://www.shopify.com/legal/terms
    Google Analytics | Analytics services | USA | https://support.google.com/analytics/answer/9019185?hl=en#zippy=%2Cin-this-article
    Tawk | Communication and support | EU | https://www.tawk.to/data-protection/gdpr-2/
    Twilio SendGrid | Communication and support | USA | https://www.twilio.com/legal/data-protection-addendum
    Amazon Web Services | Data/CDN services | EU | https://aws.amazon.com/compliance/gdpr-center/
    BunnyCDN | Data/CDN services | EU | https://www.tawk.to/data-protection/gdpr-2/
    DigitalOcean | Hosting services | EU | https://www.digitalocean.com/legal/gdpr/
    HotJar | Analytics services | EU, USA | https://www.hotjar.com/legal/compliance/gdpr-commitment/
  7. Retention
    All Personal Data shall be deleted within 5 years from termination or performance of the Services by means of encryption solutions or deletion from the servers where they have been stored.
Last updated: 13 April, 2023