.png)
UPDATED: February 2025
THIS DATA PROCESSING ADDENDUM (this “DPA”) supplements and is a part of the Master Collaboration Agreement or other written or electronic agreement (in either case, the “Agreement”) for the purchase of services (identified in the Agreement as either “Services” or otherwise, and hereinafter defined as “Services”) entered into between Seel, Inc. (“Seel”, “we”, “us” and “our”), and the entity that has offered our services pursuant to the Agreement (“Merchant-Customer”, “you” and “your”). This English language version controls regardless of any translation.
1. Defined Terms. The terms used in this Addendum have the meaning set forth in this Addendum. Capitalized terms not defined herein have the meaning given to them in the Agreement.
a. “Controller” or “Business” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
b. “Consumer-Customer” means a customer of a Merchant that uses Seel’s Services.
c. “Data Protection Laws” means all applicable federal, state, and local laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”).
d. “Data Subject” means any natural person whose Personal Data is Processed in the context of this Addendum.
e. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Section 4 below and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
f. “Europe” means the member states of the European Union (“EU”), Switzerland, the United Kingdom (“UK”), the European Economic Area (“EEA”), the European Free Trade Agreement, and Monaco.
g. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws.
h. “Processor” or “Service Provider” means the entity which Processes Personal Data on behalf of a Controller.
i. “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
j. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, loss, destruction or deletion of Personal Data transmitted, Processed by or otherwise in the possession or control of Seel. A Security Breach shall include any breach of Seel’s obligations as a Processor/Service Provider or any breach of its sub-processors’ obligations as a Processor/Service Provider, including under this DPA, and/or any actual data security incident involving the actual unlawful access, loss, destruction, restriction, anonymization and/or deletion of Personal Data in Vendor’s possession or control.
k. “Services” means the services provided to Merchant-Customer under the Agreement.
l. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf)
2. Relationship of the Parties
a. Merchant-Customer Personal Data. Pursuant to the Agreement, Seel may collect certain data related to a Merchant-Customer’s end users (such as Merchant-Customer’s personnel) such as their name, email address and credentials to access the Services (“Merchant-Customer Personal Data”). Seel acts as a Processor or Service Provider (as applicable under Data Protection Laws) of such Merchant-Customer Personal Data.
b. Consumer-Customer Personal Data. Merchant-Customer offers Seel’s add-on services (“Features”) to Consumer-Customers for the Merchant-Customer’s legitimate business purposes. Merchant-Customer may determine the scope of Personal Data to collect from Consumer-Customers in the course of offering the Features and are independent Controllers/Businesses of such Personal Data. Depending on the different ways in which you, and we, may interact with Consumer-Customers, our role with respect to Consumer-Customer Personal Data differs depending upon the circumstances. Seel acts as:
i. A Processor/Service Provider with respect to Personal Data that a Merchant-Customer provides us for Processing in our systems relating to Consumer-Customers that did not affirmatively opt in to the Features (i.e., where Merchant-Customer automatically applies the Features to all orders);
ii. a Joint Controller/Business, along with you, when you provide us Personal Data from Consumer-Customers who affirmatively choose to enroll in the Features, which we Process to provide the Services; and
iii. an Independent Controller/Business for Personal Data provided to us directly by Consumer-Customers (notwithstanding the nature of such Consumer-Customers’ interactions with you, if any), including but not limited to information provided to us by the Consumer-Customer’s use of our online and mobile resources (e.g. our mobile application).
3. Seel’s Obligations when Acting as a Processor or Service Provider.
a. Obligations. Solely to the extent Seel is acting as a Processor/Service Provider to Merchant-Customer with respect to Merchant-Customer Personal Data and Consumer-Customer Personal Data, Seel will:
i. Process Personal Data solely: (1) to fulfill its obligations to Merchant-Customer under the Agreement, including this Addendum; (2) on Merchant-Customer’s behalf; and (3) in compliance with Data Protection Laws. Seel will not “sell” Personal Data or “share” or Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Merchant-Customer. Seel will not use Personal Data to train any artificial intelligence technologies, whether machine learning, large language models, or other similar neural networks, algorithms, or systems.
ii. not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data (including Personal Data from other sources).
iii. Ensure that it keeps the Personal Data confidential, that only persons it authorizes have access to Personal Data, and that the persons it authorizes to Process Personal Data have committed themselves to written obligations to keep the Personal Data confidential in accordance with this Agreement or are under an appropriate statutory obligation of confidentiality.
iv. Taking into account the nature of the processing, implement appropriate technical and organizational measures so that Personal Data is protected against loss, destruction and damage, unauthorized access, use, modification, disclosure or other misuse.
v. Take appropriate measures to assist Merchant-Customer and ensure that Merchant-Customer may respond to request(s) from their Consumer-Customers or Merchant-Customer personnel exercising their rights under Data Protection Laws.
vi. Promptly notify Merchant-Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data that Seel Processes as a Processor/Service Provider under this DPA; or (ii) any government or Data Subject requests for access to or information about Seel’s Processing of Personal Data that Seel Processes as a Processor/Service Provider on Merchant-Customer’s behalf, except to the extent prohibited by applicable Data Protection Laws. Seel will provide Merchant-Customer with reasonable cooperation and assistance in relation to any such request. If Seel is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Merchant-Customer, Seel shall inform Merchant-Customer that it can no longer comply with Merchant-Customer’s instructions under this Addendum without providing more details and await Merchant-Customer’s further instructions.
vii. Provide reasonable assistance to and cooperation with Merchant-Customer for Merchant-Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws, and at Merchant-Customer’s reasonable expense.
viii. Provide reasonable assistance to and cooperation with Merchant-Customer for Merchant-Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Seel under Data Protection Laws to consult with a regulatory authority in relation to Seel’s Processing or proposed Processing of Consumer-Customer Personal Data.
b. Security Breach. Seel will notify Merchant-Customer without undue delay on becoming aware of any Security Breach of Personal Data that Seel Processes as a Processor/Service Provider on behalf of Merchant-Customer and will assist Merchant-Customer in compliance with Security Breach-related obligations, including without limitation, by:
i. Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
ii. Providing Merchant-Customer with the following information, to the extent known:
1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
2. The likely consequences of the Security Breach; and
3. Measures taken or proposed to be taken by Seel to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
c. Subprocessors. Solely to the extent Seel is acting as a Processor/Service Provider to Merchant-Customer with respect to Personal Data:
i. Merchant-Customer acknowledges and agrees that Seel may use subprocessors to Process Personal Data solely as necessary to provide the Services provided such Processing is in accordance with the provisions in this Addendum and Data Protection Laws. Seel will enter into a written agreement with the subprocessors that requires the subprocessor to comply with obligations that are substantially similar to those in this Addendum. Where Seel sub-contracts any of its rights or obligations concerning Personal Data, Seel will ensure that it selects and retains subprocessors that are capable of maintaining appropriate privacy and security measures to protect Merchant-Customer Personal Data and Consumer-Customer Personal Data consistent with applicable Data Protection Laws and that such subprocessors are subject to the same data protection obligations as Seel under this Addendum and Seel will remain responsible for any breach of the including this Addendum by such subprocessors.
ii. Seel’s current list of subprocessors shall be provided, and Merchant-Customer hereby consents to Seel’s use of such subprocessors. Seel will maintain an up-to-date list of its subprocessors, and it will provide Merchant-Customer with commercially reasonable prior notice of any new subprocessor added to the list. In the event Merchant-Customer has a commercially reasonable objection to a new subprocessor, Seel will use reasonable efforts to make available to Merchant-Customer a change in the services or recommend a commercially reasonable change to, Merchant-Customer’s use of the services to avoid Processing of Personal Data by the objected-to subprocessor without unreasonably burdening the Merchant-Customer. Merchant-Customer may, in its sole discretion, terminate the Agreement in the event that Seel is not able to provide a reasonable change to cure Merchant-Customer’s subprocessor objection.
d. Audits. Seel shall permit Merchant-Customer or its appointed third-party auditors (the “Auditors”) to audit Seel’s compliance with this Addendum, at Merchant-Customer’s sole expense, and shall make available to the Auditors all information systems and staff reasonably necessary for the Auditors to conduct such audit. Seel acknowledges that the Auditors may enter its premises for the purposes of conducting its audit, provided that Merchant-Customer gives at least 30 days’ prior notice of its intention to audit (except [1]where required by instruction of a relevant regulator or [2] following a Security Breach, in which event, Merchant-Customer shall provide Seel with such reasonable notice under the circumstances), conducts its audit during normal business hours and takes all reasonable measures to prevent unnecessary disruption to Seel’s operations. Merchant-Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (1) required by instruction of a relevant regulator; or (2) following a Security Breach.
e. Return or Destruction of Personal Data. When the Agreement terminates or when Seel ceases to Process Consumer-Customer Personal Data as a Processor/Service Provider on behalf of Merchant-Customer, Seel shall either delete or return all Consumer-Customer Personal Data, at Merchant-Customer’s discretion, that Seel Processes as a Processor/Service Provider, unless Seel is required or authorized by applicable Data Protection Law to store such Consumer-Customer Personal Data for a longer period provided that its obligations hereunder shall continue for such period.
4. The Parties’ Obligations as Independent Controllers or Businesses. Where the Parties serve as Independent or Joint Controllers or Businesses under the Agreement, the Parties agree as follows:
a. The parties acknowledge and agree that each party is acting as a separate and independent Data Controller and Business in its own right with regard to their respective Processing of Personal Data. Each party shall independently determine in its own right the purposes and means of their respective Processing of Personal Data. Each party shall Process Personal Data in accordance with its own legal obligations under applicable laws, including Data Protection Law and such party’s privacy policy. b. Cooperation. Each party will cooperate with the other party to fulfill compliance obligations under applicable Data Protection Law. The parties agree to cooperate with one another in responding to requests from relevant supervisory authorities and in responding to Data Subject requests related to the Processing of Personal Data under the Agreement.
5. Data Security. Seel will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Appendix 1.
6. Data Transfers.
a. transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where Seel engages in an onward transfer of Personal Data, Seel shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
b. With respect to Personal Data transferred pursuant to applicable Data Protection Laws in Europe, and except as provided below in Sections 7(c) and 7(d), the Parties agree that:
i. Where Seel acts as a Controller of Personal Data, Module 1 of the EU SCCs applies;
ii. Where Seel acts as a Processor of Personal Data, Module 2 of the EU SCCs applies;
iii. Clause 7 (the optional docking clause) is included;
iv. The optional language in Clause 11 (Redress) is not included;
v. Under Clauses 17, 18, and 13(a), the Parties choose the laws of Ireland, the courts of Ireland, and the relevant supervisory authorities in Ireland to govern the Addendum for transfers; and (v) Annex I(A), I(B), and II are completed as set forth in Appendix 1 to this Addendum.
c. With respect to Personal Data transferred from the United Kingdom for which UK data protection law governs the international nature of the transfer, the UK SCCs form part of this Addendum and take precedence over the rest of this Addendum as set forth in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: The Parties’ details shall be the Parties and their affiliates; the Key Contacts shall be the contacts set forth in the Agreement; the approved clauses referenced in Table 2 shall be the EU SCCs; the Annexes shall be completed as set forth in Appendices 1 and 2 below; and either Party may end this Addendum as set out in Section 19 of the UK SCCs.
d. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Appendix 1
Annex I
1. LIST OF PARTIES
o Data exporter(s):
o Data importer(s):
2. DESCRIPTION OF TRANSFER
o Categories of data subjects whose personal data is transferred
o Categories of personal data transferred
o Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
o The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
o Nature of the processing
o Purpose(s) of the data transfer and further processing
o The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
o For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
3. COMPETENT SUPERVISORY AUTHORITY
o Identify the competent supervisory authority/ies in accordance with Clause 13