Data Processing Addendum

Last modified: July 2023

This Data Processing Addendum (“DPA”), forms part of, and is subject to, agreement between the customer accepting this DPA (“Customer”) and TradeTrax, Inc. (“TradeTrax”) that references this DPA (the “Agreement”). The parties enter into this DPA on behalf of themselves and, to the extent required under applicable Data Protection Laws, in the name and on behalf of their affiliates, and this DPA shall be effective on the effective date of the Agreement (“Effective Date”).

1. Definitions

Business Purpose” has the meaning given in subdivision (e) of Cal. Civ. Code §1798.140 and “purpose” will be interpreted accordingly.

Customer Data” means any information or other data (including Personal Data) provided by or on behalf of Customer to TradeTrax for purposes of the Agreement and/or any related services.

Customer Personal Data” means any Customer Data that is Personal Data.

Consumer” has the meaning given in subdivision (i) of Cal. Civ. Code §1798.140.

Contractor” has the meaning given in subdivision (j)(1) of Cal. Civ. Code §1798.140.

Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, in the EU, the GDPR and its implementing regulations, the UK GDPR and in the U.S., the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), the Virginia Consumer Data Protection Act of 2021, the Colorado Privacy Act of 2021, the Utah Consumer Privacy Act of 2022, and the Connecticut Data Privacy Act of 2022.

Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.

Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (“Directive”) and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), and repealing Directive 95/46/EC.

EEA” means, for the purposes of this DPA, the European Economic Area and/or its member states, United Kingdom and/or Switzerland.

Model Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries available at https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en and as updated from time to time.

Personal Data” means information that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers); (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, biometric or health data, answers to security questions and other personal identifiers); or (iii) relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual, including inferences about such individual.  In the case of subclauses (i) through (iii), this information includes, without limitation, all Sensitive Personal Data. Customer’s business contact information is not by itself deemed to be Personal Data. Further, the term “Personal Information” as defined in the CCPA/CPRA shall have the same meaning as Personal Data used herein.

Processing” has the meaning given to it in subdivision (y) of Cal. Civ. Code §1798.150 and “process,” “processes” and “processed” will be interpreted accordingly.

Purposes” shall mean the data Processing purposes described and defined in Section 3.4 of this DPA.

Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data, but does not include any unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, such as pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers).

Services” means the services provided by TradeTrax to Customer pursuant to the Agreement.

Sensitive Personal Data” is a subset of Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Further, the term “Sensitive Personal Information” as defined in the CPRA shall have the same meaning as Sensitive Personal Data used herein.

Sell, Selling, Sale or Sold” has the meaning given in subdivision (ad)(1) of Cal. Civ. Code §1798.140.

Service Provider” has the meaning given in subdivision (ag)(1) of Cal. Civ. Code §1798.140.

Sharing” has the meaning given in subdivision (ah)(1) of Cal. Civ. Code §1798.140.

Sub-processor” means any Data Processor engaged by or on behalf of TradeTrax to assist in fulfilling its obligations pursuant to the Agreement or this DPA.

Third Party” has the meaning given in subdivision (ai) of Cal. Civ. Code §1798.140.

UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

Verifiable Consumer Request” has the meaning given in subdivision (y) of Cal. Civ. Code §1798.140.

2. Scope and Applicability of this DPA

2.1 Scope and Applicability: This DPA applies where and only to the extent that TradeTrax Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement. Any other Processing of Personal Data with respect to Customer and its users conducted by TradeTrax as a Data Controller, including business relationship administration and system security, will be carried out in accordance with TradeTrax’s then-current privacy policy. Notwithstanding expiry or termination of the Agreement, this DPA and Model Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data processed by TradeTrax as described in this DPA.

3. Roles of the Parties; Details of Processing

3.1 Role of the Parties. If and to the extent that the Services provided by TradeTrax under the Agreement require TradeTrax to Process Personal Data, then as between TradeTrax and Customer, TradeTrax shall process Customer Personal Data only as a Data Processor acting on behalf of Customer. Customer is either the Data Controller of Customer Personal Data, or in the case that Customer is acting on behalf of a third-party Data Controller, then a Data Processor.

3.2 Customer Processing of Personal Data. Customer represents to TradeTrax: (i) Customer will comply with its obligations under Data Protection Laws in respect of its Processing of Personal Data, including any obligations specific to its role as a Data Controller; and (ii) Customer has provided all notices and obtained all consents, assignments, licenses, authorizations, permissions and/or rights necessary under Data Protection Laws for TradeTrax to lawfully Process Personal Data as contemplated under this Agreement for the Purpose. If Customer is itself a Data Processor acting on behalf of a third-party Data Controller, Customer further represents to TradeTrax that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of TradeTrax as another Data Processor, have been authorized by the relevant Data Controller.

3.3 TradeTrax Processing of Personal Data. TradeTrax shall process Customer Personal Data only to the extent, and in such a manner, as is necessary for the Purposes and in accordance with Customer’s documented lawful instructions. TradeTrax will not, and will ensure its Sub-processors do not, combine Customer Personal Data with any Personal Data from other sources, or which TradeTrax or its Sub-processor collected on its own behalf, except as permitted by Data Protection Laws, and will not “sell” any Customer Personal Data within the meaning of the CCPA or otherwise. Additionally, TradeTrax will comply with applicable obligations under the CPRA, including that TradeTrax will provide the same level of privacy protection as required under the CPRA. The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to TradeTrax in relation to the Processing of Customer Personal Data. Additional Processing outside the scope of such instructions will require prior written agreement between the parties.

3.4 Details of Processing. The following describes the details of the Processing to be provided by TradeTrax to Customer under this DPA.

(a) Subject Matter. The subject matter of the Processing under this DPA is Customer Personal Data.
(b) Duration. The duration of the Processing under this DPA is the Term of the Agreement.
(c) Purposes. The Purposes of the Processing under this DPA is the provision of the Services to Customer.
(d) Nature of Processing. The nature of the Processing under this DPA is the provision of computation, storage and other Services agreed to by TradeTrax and Customer.
(e) Type of Data. The type of Customer Data to be Processed under this DPA includes Customer Personal Data uploaded to the Services through Customer’s accounts.
(f) Categories of Data Subjects. The data subjects of the Processing under this DPA may include Customer’s customers, employees, suppliers, and end users.

3.5 Notice of Processing Obligations. If, at any time, TradeTrax cannot meet its obligations under this DPA: (i) TradeTrax shall provide notice to Customer; (ii) Customer may retrieve all Customer Personal Data provided under this DPA; and (iii) TradeTrax shall properly dispose of Customer Personal Data in accordance with the retention requirements of this DPA.

4. Subprocessing

4.1 Authorized Sub-processors. Customer agrees that TradeTrax may engage Sub-processors to process Customer Personal Data on Customer’s behalf. TradeTrax shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer if it adds or removes Sub-processors at least fourteen (14) days’ prior to allowing such Sub-processor to process Customer Personal Data. Customer may object in writing to TradeTrax’s appointment of a new Sub-processor within ten (10) calendar days of such notice. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If TradeTrax cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer may terminate the Agreement (including this DPA) upon written notice to TradeTrax.

4.2 Sub-processor Obligations. TradeTrax will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to Process the Customer Personal Data in a manner that is substantially similar to the standards set forth in this DPA, and, to the extent applicable to the Services provided by TradeTrax, to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of each Sub-processor.

5. Security

5.1 Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, TradeTrax shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data Processed by TradeTrax on behalf of Customer (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that TradeTrax may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services or Customer Data, including Customer Personal Data.

5.2 Confidentiality of Processing. TradeTrax shall ensure that any person who is authorized by TradeTrax to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality.

6. Security Reports and Audits

6.1 Reports. TradeTrax acknowledges that TradeTrax is regularly audited by independent third-party auditors and/or internal auditors against TradeTrax’s Security Measures. Upon request, TradeTrax shall supply (on a confidential basis) a summary of its then-current audit report(s) and any other published materials made available by TradeTrax, which further describe TradeTrax’s principles, programs, and practices regarding information security and privacy (collectively, “Report”) to Customer, so that Customer can verify TradeTrax’s compliance with this DPA. Notwithstanding the foregoing, Customer may disclose a Report as allowed under the applicable confidentiality section of the Agreement, including where requested or required by data protection authorities having jurisdiction over Customer even if not legally required (“Data Protection Authority Request”), provided, however, that Customer, as permitted by law, shall give TradeTrax prior written notice of the Data Protection Authority Request such that TradeTrax can attempt to secure confidential treatment for the Report. If Customer is not legally permitted to give TradeTrax prior notice, Customer agrees to use reasonable efforts to secure confidential treatment for the Report and further agrees to not remove or obscure any “confidential,” “proprietary,” or similar markings from the Report.

6.2 Information requests. TradeTrax shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm TradeTrax’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year, except that this right may also be exercised in the event Customer is expressly requested or required to provide this information to a data protection authority, or TradeTrax has experienced a Security Incident, or other reasonably similar basis.

7. Transfers

7.1 International Processing. TradeTrax may process Customer Data anywhere in the world where TradeTrax, its affiliates or its Sub-processors maintain data Processing operations. TradeTrax will at all times provide appropriate safeguards for Customer Personal Data wherever it is processed, in accordance with the requirements of Data Protection Laws.

EEA Transfers. To the extent TradeTrax processes any Customer Personal Data protected by applicable Data Protection Laws of the EEA (“EEA Data”), the parties agree that TradeTrax makes available the transfer mechanisms listed below, for any transfers of EEA Data from the EEA to TradeTrax located in a country which does not ensure an adequate level of protection (within the meaning of applicable Data Protection Law) and to the extent such transfers are subject to such Data Protection Laws of the EEA, TradeTrax agrees to abide by and process EEA Data in compliance with the Model Clauses and for these purposes TradeTrax agrees that it is a “data importer” and Customer is the “data exporter” under the Model Clauses (notwithstanding that Customer may be an entity located outside of the EEA).

8. Return or Deletion of Data

8.1 Deletion by Customer. TradeTrax will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service.

8.2 Deletion on Termination. For thirty (30) days following termination or expiration of the Agreement, Customer shall have the option to retrieve any remaining Customer Personal Data in accordance with the Agreement. Thereafter, Customer instructs TradeTrax to automatically delete all remaining (if any) Customer Personal Data (including copies). TradeTrax shall not be required to delete Customer Personal Data to the extent (i) TradeTrax is required by applicable law or order of a governmental or regulatory body to retain some or all of the Customer Personal Data; and/or (ii), Customer Personal Data has been archived on back-up systems, which Customer Personal Data TradeTrax shall securely isolate and protect from any further Processing, except to the extent required by applicable law.

8.3 Security Incident Response. Upon confirming a Security Incident, TradeTrax shall: (i) notify Customer without undue delay after TradeTrax becomes aware of the Security Incident; (ii) provide information relating to the Security Incident; and (iii) take reasonable steps to contain, investigate, and mitigate such Security Incident.

9.Compliance

9.1 Cooperation. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority. If a law enforcement agency sends TradeTrax a demand for Customer Personal Data (e.g., a subpoena or court order), TradeTrax will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, TradeTrax may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then TradeTrax will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent TradeTrax is legally permitted to do so.

9.2 Consumer Access Requests. Taking into account the nature of the Processing, TradeTrax shall (at Customer’s request and expense) provide reasonable cooperation to enable Customer to respond to any requests from applicable data protection authorities or a Verifiable Consumer Request to exercise rights (to the extent available to them under Data Protection Laws) of: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to Processing, not to be subject to automated individual decision making, opt-out of the sale of Personal Data, or the right not to be discriminated against, in each case solely to the extent relating to the Processing of Customer Personal Data through the Services under the Agreement. In the event that any Verifiable Consumer Request is made directly to TradeTrax where such request identifies Customer, TradeTrax shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so, and instead, after being notified by TradeTrax, Customer shall respond to the Verifiable Consumer Request. If TradeTrax is required to respond to such a Verifiable Consumer Request, TradeTrax will promptly notify Customer and provide Customer with a copy of the Verifiable Consumer Request unless legally prohibited from doing so.

9.3 Records. Customer acknowledges that TradeTrax may be required under the GDPR or the UK GDPR, as applicable to: (a) collect and maintain records of certain information, including the name and contact details of each Data Processor and/or Data Controller on behalf of which TradeTrax is acting and, where applicable, of such Data Processor’s or Data Controller’s local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR or UK GDPR applies to the Processing of Customer Personal Data, Customer will, where requested, provide such information to TradeTrax via the Services or other means provided by TradeTrax, and will ensure that all information provided is kept accurate and up-to-date.

9.4 DIPA. To the extent TradeTrax is required under applicable Data Protection Law, TradeTrax shall (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

10. Relationship with the Agreement

10.1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit the parties may have previously entered into in connection with the Services. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.

10.2 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

10.3 TradeTrax certifies that it understands its obligations under this DPA and shall comply with them.

Logo
Terms of Use

These Terms and Conditions of Use (these “Terms”) set forth the terms and conditions under which TradeTrax, Inc (“TradeTrax”, “we”, “us”, or “our”) makes the TradeTrax Platform (the “Platform”) available to you (“you” or “your”) as a registered Platform user. By completing and maintaining your registration on the Platform, you confirm your agreement to be bound by these Terms. Initially capitalized terms used but not defined in these Terms have the meanings given to them in the Service Agreements (“Services Agreements”) available to authorized parties of these agreements.

  1. Use of Platform. You will only use the Platform for the purposes described in the Services Agreements.
  2. Protection of Login Credentials. You agree to keep and protect your Platform login credentials confidential, not share them with any person or entity, and otherwise protect them from unauthorized use. Failure on your part to adequately protect your login credentials or your providing any person or entity with use of your login credentials are grounds for immediate termination of your Platform account.
  3. Authorization to Disclose Information. In connection with the registration process, by disclosing to TradeTrax and/or uploading to the Platform information regarding yourself and/or any other person or entity to whom or to which such information relates, you represent and warrant to TradeTrax that you are authorized to disclose and/or upload such information, and that TradeTrax is authorized to retain, use and disclose such information as it deems necessary or appropriate in connection with the conduct of its business.
  4. Platform Access.You are responsible for obtaining and maintaining, at your own cost, all equipment and data network access necessary to use access and use the Platform. Your mobile network’s data and messaging rates and fees may apply if you access or use the Platform from your mobile device(s). You are responsible for acquiring and updating compatible hardware or devices necessary to access and use the Platform, including as a result of any updates thereto. We do not guarantee that the Platform, or any portion thereof, will function on any particular hardware or device. Further, access to and use of the Platform may be subject to malfunctions and delays inherent in the use of the Internet and electronic communications. We disclaim any liability arising from any such malfunction or delay
  5. Prohibited Conduct. In connection with your use of the Platform, you agree that you will not do any of the following:
    1. knowingly provide or submit false or misleading information;
    2. use the Platform in connection with the distribution of unsolicited commercial, political or other messages (i.e., spam) unrelated to the receipt or performance of services available on the Platform;
    3. discriminate against or harass anyone on the basis of race, national origin, religion, gender, gender identity, physical or mental disability, medical condition, marital status, age or sexual orientation, or otherwise engage in any violent, harmful, abusive or disruptive behavior;
    4. use, display or disseminate (including by inclusion in your own website or other printed materials) TradeTrax’s name, trademark(s), Platform content or other proprietary copyrights of TradeTrax without TradeTrax’s express written consent;
    5. dilute, tarnish or otherwise harm the TradeTrax brand in any way, including through registering and/or using internet domain names, trade names, trademarks or other source identifiers that are confusingly similar to TradeTrax domain names, trademarks, trade names or other copyrighted material;
    6. use any technology (including robots, spiders, crawlers, scrapers, viruses, trojan horses) or other automated means or processes to (i) access or collect data or other content from the Platform for any purpose, or (ii) avoid, bypass, remove, deactivate, impair, descramble,
    7. or otherwise attempt to circumvent any technological measure implemented by TradeTrax to secure and protect the Platform; or
    8. take any other action that damages or adversely affects, or could damage or adversely affect the performance or proper functioning of the Platform.
  6. User-Supplied Content.
    1. We may, in our sole discretion, permit you from time to time to submit, upload, publish or otherwise make available to us through the Platform textual, audio, and/or visual content and information, including commentary and feedback related to the provision or receipt of services available on the Platform (“User-Supplied Content”). Any User-Supplied Content provided by you remains your property.
    2. You represent and warrant that: (i) you either are the sole and exclusive owner of all User-Supplied Content or you have all rights, licenses, consents and releases necessary to grant to us the license to the User-Supplied Content as set forth above; (ii) each person identified, depicted, or shown in in your User-Supplied Content, if any, has provided consent to the use of such User-Supplied Content consistent with these Terms of Use; and (iii) neither the User-Supplied Content, nor your submission, uploading, publishing or otherwise making available of such User-Supplied Content, nor our use of any User-Supplied Content as permitted herein will infringe, misappropriate or violate a third party’s intellectual property or proprietary rights, or rights of publicity or privacy, or result in the violation of any applicable law or regulation. We reserve the right but are not obligated, to review, monitor, or remove User-Supplied Content, in our sole discretion and at any time and for any reason, without notice to you.
    3. We do not guarantee the accuracy, integrity, quality or appropriateness of any User-Supplied Content appearing on or accessed through the Platform. Any such User-Supplied Content is the sole responsibility of the person or entity from whom or which such User-Supplied Content originated. By using the Platform, you understand that you may be exposed to User-Supplied Content that is incorrect, inaccurate or misleading. We have no obligation to screen, preview, monitor or approve any User-Supplied Content. However, we reserve the right to review and delete any User-Supplied Content that, in our sole discretion, violates any Services Agreements between TradeTrax and any User, these Terms or any other policies of TradeTrax. You agree that You must evaluate and make your own judgment, and bear all risks associated with, your use of, or any decision that you make with respect to, any User-Supplied Content. Under no circumstances will we be liable in any way for any User-Supplied Content that contains any errors, omissions, defamatory statements, or confidential or private information, or for any loss or damage of any kind incurred as a result of the use of any User-Supplied Content submitted, accessed, transmitted or otherwise conveyed through the Platform. You waive the right to bring or assert any claim against us or any of our affiliates relating to User-Supplied Content, and release us and our affiliates from any and all liability for or relating to any User-Supplied Content.
  7. Amendment We may amend these Terms from time to time in our sole discretion. Amendments will be effective upon our posting of such updated Terms at this location and available at [email protected]. Your continued access to and use of the Platform after such posting confirms your consent to be bound by these Terms, as so amended
Logo
Let’s talk!

Send us a message so we can get to know you and give you full access.

  • Builder
  • Trade
[contact-form-7 id="4688a6c" title="Builder Form"]
[contact-form-7 id="49aa4c0" title="Trade Form"]
Logo
Our team is happy to give you a personalized walkthrough with one of our platform experts.
  • Builder
  • Trade
[contact-form-7 id="85abc9f" title="Builder Form (Request a demo)"]
[contact-form-7 id="5e7d3cc" title="Trade Form (Request a demo)"]