This Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Contract that is formed between Marzipan and a Customer on the sole basis of the Marzipan Terms of Service when a Customer registers for or accesses any of the Services, including without limitation:
- the digital wine label generation and hosting service supplied by Marzipan t/a "Labls" on labls.io and labls.co (including any sub-domains thereof) that is designed for wine producers who are required by law to publish correct localised information, in an official language of the EU, about the origin and content of wines distributed within the EU under Regulation (EU) 2021/2117 (the "Labls Services");
- the cloud-based e-commerce and data management platform supplied by Marzipan on marzipan.co (including any subdomains thereof) that enables wineries to unify their e-commerce activities by administering inventory, orders, fulfilment & shipping, payments, analytics, marketing campaigns and customer communications across each of their digital sales channels from one central dashboard interface and content management system (the "Platform Services").
This DPA shall apply if and to the extent that Marzipan processes Personal Data on behalf of a Customer as a Data Processor in connection with its provision of the Services under the Contract. The categories of Personal Data processed by Marzipan as part of the Services are detailed in full in clause 4 of this DPA.
As Regulation (EU) 2021/2117 prohibits wineries and other industry actors from processing consumers’ Personal Data by way of any electronic wine labels they attach to their products, Marzipan has designed its E-Labels hosting and generation service on labls.io and labls.co so that no Personal Data is able to be collected and tracked by a Customer or Marzipan in respect of an E-Label. This DPA therefore does not apply to this aspect of the Services.
Capitalised terms that are not defined within this DPA have the meaning given to them in the Contract. For the avoidance of doubt, all references to the "Contract" shall include this DPA (including the Annexes to this DPA and the SCCs). In the case of any conflict between the Contract and this DPA, the DPA shall prevail with respect to the processing of Personal Data.
-
Definitions
- Affiliate
- means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
- Business Purposes
- the Services to be provided by Marzipan to the Customer as defined in the Contract.
- Control
- means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
- Customer
- the natural or legal person or entity that is party to the Contract.
- Customer Account
- any online account(s) registered by the Customer with the Services that provide(s) authorised access to the Services.
- Customer Data
- means any Personal Data that Marzipan processes on behalf of the Customer via the Services.
- Data Protection Laws
- means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act 2018 ("CCPA"); (ii) the General Data Protection Regulation ((EU) 2016/679) ("EU GDPR"); (iii) the Swiss Federal Act on Data Protection; (iv) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018 ("UK GDPR"); (v) the Data Protection Act 2018 (and regulations made thereunder) ("DPA 2018"); and (vi) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended ("PECR 2003"); in each case, as updated, amended or replaced from time to time. The terms "Data Controller", "Data Processor", "Data Subject", "Data Subject Request", "Personal Data", "Personal Data Breach", "Processing", "Subprocessor", and "Supervisory Authority" shall have the meanings set forth in the EU GDPR.
- E-Label
- a dedicated electronic wine label hosted on labls.io and labls.co (or a third-party website on behalf of Marzipan) that compiles structured information (e-label Content) on a Customer's wine or aromatised wine product for a specific EU market in one of the EU's 24 Member State languages, and that complies with the general and sector-specific labelling requirements set out in EU Wine Labelling Regulations.
- EEA
- the European Economic Area.
- End Customers
- the consumer or business customers to whom the Customer tenders, markets or supplies any products or services through the Services.
- EU SCCs
- means the standard contractual clauses between Controllers and Processors approved by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021, as currently located here.
- EU Wine Labelling Regulations
- the rules on labelling of wines and aromatised wine products introduced by Regulation (EU) 2021/2117 of the European Parliament and of the Council amending Regulation (EU) No 1308/2013, including as such rules are implemented and take effect under Commission Delegated Regulation (EU) 2019/33 of 17 October 2018 supplementing Regulation (EU) No 1308/2013.
- Ex-EEA Transfer
- means the transfer of Customer Data, which is processed in accordance with the EU GDPR, to a server, network, computing system, undertaking, person or premise located outside of the EEA, and such transfer is not governed by an adequacy decision made by the European Commission in accordance with Article 45 EU GDPR.
- Ex-UK Transfer
- means the transfer of Customer Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, to a server, network, computing system, undertaking, person or premise located outside the UK, and such transfer is not governed by an adequacy decision by the UK Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
- Labls Services
- the e-label creation, management and hosting services supplied by Marzipan on labls.io on a subscription (or otherwise) basis that enable Customers to generate, administer and publish E-Labels for their wine or aromatised wine products.
- Marzipan Privacy Policy
- means the fair processing information notice made available by Marzipan at marzipan.co/privacy as amended, substituted and/or supplemented from time to time.
- Platform Services
- the cloud-based e-commerce and data management platform supplied by Marzipan on marzipan.co that enables wineries to unify their e-commerce activities by administering inventory, orders, fulfilment & shipping, payments, analytics, marketing campaigns and customer communications across each of their digital sales channels from one central dashboard interface and content management system.
- Security Incident
- any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Marzipan.
- Service Provider
- shall have the meaning given in the California Consumer Privacy Act of 2018 ("CCPA").
- Services
- means, individually and collectively, the Labls Services and Platform Services.
- Special Category Data
- has the meanings given in Articles 4(13), 4(14), 4(15) and 9 of EU GDPR and UK GDPR (as applicable).
- Standard Contractual Clauses (SCCs)
- means the EU SCCs and UK SCCs, as applicable.
- UK Addendum
- means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.
- UK SCCs
- means the EU SCCs as revised and amended by the UK Addendum.
- Usage Data
- any data generated in connection with Customers' access, use and configuration of the Services and data derived from it. Usage Data does not include any Customer Data or otherwise Personal Data.
-
Customer Instructions
- Marzipan and the Customer agree that this DPA and the Contract, along with the Customer’s configuration of or use of any settings, features, or options in the Services (as the Customer may be able to modify from time to time), constitute the Customer’s written documented instructions regarding Marzipan’s processing of Customer Data (including for the purposes of the UK SCCs) (the "Documented Instructions"). Marzipan will process the Customer Data only in accordance with the Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Marzipan and the Customer.
- Marzipan is entitled to terminate this DPA and the Contract without incurring any liability to the Customer if Marzipan declines to follow instructions that are in contravention of the Data Protection Laws or any applicable data privacy provisions of the EU Wine Labelling Regulations, or that are outside of the scope of, or changed from, those given or agreed to be given in this DPA or in any otherwise written agreement between the parties.
- The Customer will not provide (or cause to be provided) any Special Category Data to Marzipan for processing under the Contract, and Marzipan will have no liability whatsoever for Special Category Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Special Category Data.
-
Data Processing
- When Marzipan processes Customer Data while providing the Services, Marzipan will:
(a) insofar as the UK GDPR or EU GDPR applies, process the Customer Data as a Data Processor acting on behalf of the Customer (whether itself a Data Controller or a Data Processor on behalf of a third-party Data Controller);
(b) insofar as the CCPA applies, process the Customer Data acting on behalf of the Customer as a Service Provider (see clause 3.2 below for more details);
(c) process and store Customer Data only on servers:
a. operated by Laravel Holdings, Inc., an American company ("Laravel Cloud"), at its EU Central data centre in Frankfurt, Germany;
b. operated by the data centre operator UpCloud Oy, a Finnish limited liability company ("UpCloud"), at its DE-FRA1 data centre in Frankfurt, Germany;
c. operated by the data centre operator Hetzner Online GmbH, a German limited liability company ("Hetzner"), at its data centres in Nuremberg and Falkenstein in Germany; and
d. operated by the cloud storage provider BunnyWay d.o.o., a Slovenian limited liability company ("BunnyWay"), at its edge server location in Nuremberg, Germany.
(d) only process the Customer Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s lawful Documented Instructions (provided such instructions are commensurate with the functionalities of the Services purchased by the Customer under the Contract);
(e) if Marzipan is required by law to process the Customer Data for any purpose other than the Business Purposes, Marzipan will provide the Customer with notice of this requirement prior to conducting any such processing, unless Marzipan is prohibited by law from providing such notice;
(f) promptly comply with any lawful written instructions the Customer provides requiring Marzipan to amend, transfer, delete or otherwise process the Customer Data, or to stop, mitigate or remedy any unauthorised processing;
(g) maintain the confidentiality of the Customer Data and not disclose the Customer Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulation (including any instruction of the UK ICO Commissioner or any other competent authority in the UK and/or EEA);
(h) reasonably assist the Customer, at no additional expense to the Customer, with meeting the Customer’s compliance obligations under the Data Protection Laws, taking into account the nature of Marzipan’s processing and the information available to Marzipan, including for illustrative purposes but not limited to, providing the Customer with reasonable information to help the Customer complete any data protection impact assessments the Customer conducts, and assisting the Customer to respond to data subject requests; and
(i) promptly notify the Customer of any changes to the Data Protection Laws that may be reasonably interpreted as adversely affecting Marzipan’s performance of its obligations under the Contract or this DPA.
- CCPA. The parties acknowledge and agree that Marzipan is a Service Provider in respect of the Customer Data for the purposes of the CCPA (to the extent it applies) and is receiving personal information from the Customer to provide the Services pursuant to the Contract, which constitutes a business purpose. Marzipan shall not sell any such personal information. Marzipan shall not retain, use or disclose any personal information provided by the Customer pursuant to the Contract except as necessary for the specific purpose of performing the Services for the Customer pursuant to this Contract, or otherwise as set forth in this Contract or permitted in the CCPA. The terms "personal information", "Service Provider", "sale", and "sell" shall have the meaning given in Section 1798.140 of the CCPA (as amended, re-enacted or updated from time to time). Marzipan certifies that it understands the restrictions of this clause (i).
- Third-Party Services. As part of the Services, Marzipan offers the Customer the opportunity to integrate and/or interface the Services with certain third-party services, integrations and applications from time to time ("Third-Party Services"). Please note that the Customer’s use of the Third-Party Services shall in each case be governed exclusively by the terms and conditions and accompanying privacy policies (together the "EULA") according to which the Third-Party Service Provider makes the relevant Third-Party Services available to the Customer (the "Third-Party Service Provider"). Each EULA is made exclusively by and between the Customer and the Third-Party Service Provider, and Marzipan is not party to such EULAs.
- Where the Customer instructs us to integrate the Customer’s Marzipan products or accounts with one or more Third-Party Services, the Customer agrees that Marzipan shall transfer the Customer Data to the Third-Party Service Providers so that they may provide their services to the Customer. Where Third-Party Service Providers subsequently process the Customer Data, this shall be governed by the relevant privacy provisions within their EULA, and Marzipan is not responsible for such processing.
- Third-Party Services from the following Third-Party Service Providers are currently available to be integrated and/or interfaced with Marzipan.

| Name | Description |
| --- | --- |
| Fathom Analytics | This integration allows Customers who are subscribed to Fathom Analytics’ web analytics service to view their Fathom Analytics dashboard within Marzipan’s e-commerce and data management platform. All EEA and UK traffic processed via the integration is processed solely on EU servers owned and operated by the German cloud service provider, a German legal entity. |
| MailChimp | This integration allows Customers who are subscribed to Fathom Analytics’ web analytics service to view their Fathom Analytics dashboard within Marzipan’s e-commerce and data management platform. All EEA and UK traffic processed via the integration is processed solely on EU servers owned and operated by the German cloud service provider, a German legal entity. |

- Please note that where Marzipan allows the Customer to integrate the Services with any Third-Party Service that is not named in the table above, the Customer’s use of any such Third-Party Service shall be governed by the applicable EULA of the relevant Third-Party Service Provider on the same terms as in clause (i) of this Contract.
- SCCs. If Marzipan and the Customer have entered into Standard Contractual Clauses as described in clause 10 (Transfers of Customer Data), (i) the Customer’s instruction for Marzipan under clause 3.3 of this Contract to integrate the Third-Party Service(s) (as applicable) as part of the Services will constitute the Customer’s prior written consent to the transfer of Customer Data by Marzipan to the Third-Party Service Provider if such consent is required under the SCCs; (ii) the parties agree that the copies of the agreements with Third-Party Service Providers that must be provided by Marzipan to the Customer pursuant to Clause 9(c) of the EU SCCs or any relevant clause of the UK SCCs (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Marzipan beforehand, and that such redacted copies will be provided by Marzipan only upon the Customer’s written request.
- The Customer’s responsibilities. The Customer:
(a) shall be the Data Controller in respect of any Customer Data;
(b) shall remain responsible for the Customer’s compliance obligations under the applicable Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents that are necessary for Marzipan to process the Customer Data for the Business Purposes;
(c) shall not provide (or cause to be provided) any Special Category Data to Marzipan for processing under the Contract, and Marzipan will have no liability whatsoever for Special Category Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Special Category Data;
(d) represents and warrants that it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any Documented Instructions it issues to Marzipan;
(e) shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent, or managed through the Services;
(f) will ensure that Marzipan’s processing of the Customer Data in accordance with Customer’s Documented Instructions will not cause Marzipan to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Marzipan shall promptly notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates Data Protection Laws; and
(g) insofar as it acts as a processor on behalf of a third-party controller (or other intermediary to the ultimate controller), warrants that its Documented Instructions as set out in the Contract and this DPA, including its authorisations to Marzipan for the appointment of Sub-processors in accordance with this DPA, have been authorised by the relevant controller.
-
Customer Data Types and Processing Purposes
- Subject Matter. The subject matter of the data processing under this DPA is the Customer Data processed via the Services.
- Duration. As between Marzipan and the Customer, it is the Customer who determines the duration of the data processing under this DPA. The Customer may suspend or terminate the data processing by suspending or terminating the Customer’s subscription to the Platform Services and/or Labls Services (as applicable) or suspending any Marzipan-hosted integrations (such as any proprietary API that Marzipan makes available to the Customer) that the Customer uses as part of the Customer’s operations.
- Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by the Customer from time to time, including for illustrative purposes the provision of Marzipan’s e-commerce and data management platform and/or E-Label generation and hosting service to the Customer.
- Nature of the processing. Marzipan enables businesses to unify their e-commerce activities and generate E-Labels for their wine products, including by providing the "Services" as defined in clause 1 of this DPA. These Services include the processing of Customer Data by Marzipan, its Sub-processors and, as applicable, the Third-Party Service Providers. Customer Data may be uploaded to and/or processed on the Services by: (i) the Customer on the Customer Account; (ii) any API that Marzipan makes available that interfaces with the Services from time to time; and (iii) any Third-Party Services that share Customer Data with the Services.
- Types of Customer Data. Customer Data uploaded to the Services:
(a) by the Customer on the Customer Account;
(b) by way of any of Marzipan’s APIs or web components that interface the Services with the Customer’s systems; and
(c) by way of any Third-Party Services that Customer integrates with the Services.
Types of Personal Data uploaded to the Services as part of the Customer Data may include:
- Customer name, email, contact, billing and shipping information.
- Purchase, subscription (i.e. wine club) and other transaction information (including without limitation status information) from Customer’s physical and digital storefronts.
- End Customer activity in Customer’s digital storefronts, including order history, products viewed and products included in shopping carts.
- End Customer device information for devices used when visiting the Customer’s storefronts, including IP address, browser, and network activity.
- Any other Personal Data that Customer chooses to make available to Marzipan.
- Categories of Data Subjects. The Data Subject could include (i) the Customer, its employees, contractors, agents, suppliers and vendors and (ii) the Customer’s actual and potential End Customers.
-
Security of Data Processing
- Marzipan shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of the Customer Data including, but not limited to, the measures described in the Marzipan Security Standards (Annex A), in each case to ensure a level of security of the Customer Data appropriate to the risk in accordance with Article 32 EU/UK GDPR.
- Marzipan shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of Customer Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
-
Marzipan's Employees
- Marzipan will ensure its employees, contractors and agents:
(a) are informed of the confidential nature of the Customer Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Data;
(b) have undertaken training on the Data Protection Laws relating to handling Customer Data and how it applies to their duties; and
(c) are aware both of Marzipan’s duties and their personal duties and obligations under the Data Protection Laws and the Contract.
-
Security
- Marzipan shall always implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Customer Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Data.
- Marzipan shall implement such measures to ensure a level of security appropriate to the risk involved, including for illustrative purposes and as appropriate:
(a) the pseudonymisation and encryption of Customer Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
-
Personal Data Breach
- Marzipan shall within 72 hours and in any event without undue delay notify the Customer if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption or otherwise impairment of part or all of the Customer Data;
(b) any accidental, unauthorised or unlawful processing of the Customer Data; or
(c) any Personal Data Breach.
- Where Marzipan becomes aware of any of the foregoing matters described in clauses 8.1(a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following:
(a) a description of the nature of the matter recorded in relation to clauses 8.1(a), (b) and/or (c), including the categories of in-scope Customer Data and approximate number of both Data Subjects and Customer Data records concerned; or
(b) a description of the measures taken or proposed to be taken to address the matters recorded in relation to clauses 8.1(a), (b) and/or (c), including measures to mitigate its possible adverse effects.
- Immediately following any accidental, unauthorised or unlawful Customer Data processing or Personal Data Breach, Marzipan will contact the Customer so that we can co-ordinate our investigation of the matter.
- Marzipan will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Customer Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except where such disclosure is necessary as part of the measures needed to address such processing or Personal Data Breach or where such disclosure is required by applicable law.
- Marzipan will cover reasonable expenses associated with the performance of its obligations under clauses 8.1 and 8.2 unless the matter arose as a result of the Customer’s specific written instructions, negligence, wilful default or breach of the DPA or Contract, in which case the Customer will cover all reasonable expenses (including Marzipan’s reasonable expenses and those of its professional advisers).
-
Sub-processors
- Marzipan uses the following Sub-processors to host and/or process Customer Data, to provide infrastructure and network services to support Marzipan, and to perform service functions on our behalf as part of the Services:

| Name | Description |
| --- | --- |
| Active Campaign LLC | Trading as "Postmark", Active Campaign delivers transactional emails (e.g. password reset emails, notification emails, receipt and invoice emails) on behalf of Marzipan as part of the Services. |
| Automattic, Inc. | Trading as "Gravatar", Automattic allows Customers to upload pre-existing image and public profile data to the Platform Services. |
| BunnyWay d.o.o | BunnyWay provides Marzipan with Domain Name System (DNS), Website Application Firewall (WAF) and Content Delivery Network (CDN) services. |
| Fernand SAS | Marzipan uses Fernand’s customer support software to manage and administer customer support to users. |
| Fathom Analytics | Fathom Analytics provides web analytics services that enable Marzipan to track and analyse web traffic’s engagement with the Services. |
| Functional Software Inc. | Trading as "Sentry", Functional Software provides Marzipan with crash and error monitoring services in respect of the Services. |
| Internet Security Research Group | ISRG’s "Let’s Encrypt" service provides Marzipan with the digital certificate necessary to enable HTTPS (SSL/TLS) on its websites. |
| Laravel Holdings Inc. | Laravel provides Marzipan with its: (i) "Forge" server management services in relation to the provisioning and deployment of the Services on Hetzner Online GmbH’s servers; and (ii) "Envoyer" zero downtime deployment services. |
| PayPal UK Ltd | PayPal provides Marzipan with authorised payment gateway and payment processing services in respect of payload and payment data submitted to the Services. |
| Stripe Payments UK, Ltd. | Stripe provides Marzipan with authorised payment gateway and payment processing services in respect of payload and payment data submitted to the Services. |

- The Customer authorises us to use the Sub-processors listed in clause 9.1 above as part of the Services, and further provides us with general authorisation to use other Sub-processors to provide processing activities with regard to Customer Data we collect from the Customer under the Contract. Marzipan shall notify the Customer if it adds or removes Sub-processors at least 10 days prior to any such changes.
- Where Marzipan engages a Sub-processor as described in clause 9.1:
(a) Marzipan will restrict the Sub-processor’s access to any data only to what is reasonably necessary to provide, maintain or improve the Services; and
(b) Marzipan will enter a written data processing agreement with the Sub-processor, and to the extent that the Sub-processor performs the same data processing services as provided by Marzipan under this DPA, Marzipan will impose on the Sub-processor the same contractual obligations that Marzipan has herein.
- If Marzipan and the Customer have entered into Standard Contractual Clauses as described in clause 10 (Transfers of Customer Data):
(a) the above authorisations will constitute the Customer’s prior written consent to the subcontracting by Marzipan of the processing of Customer Data if such consent is required under the SCCs; and
(b) the Parties agree that the copies of the agreements with Sub-processors that must be provided by Marzipan to the Customer pursuant to Clause 9(c) of the EU SCCs or any relevant clause of the UK SCCs (as applicable) may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Marzipan beforehand, and that such redacted copies will be provided by Marzipan only upon the Customer’s written request.
-
Transfers of Customer Data
- The parties agree that Marzipan may transfer Customer Data processed under the Contract outside the EEA, the UK, or Switzerland as necessary to provide the Services. The Customer acknowledges that the processing operations of many of the Third-Party Service Providers and Sub-processors take place in the United States, and the transfer of the Customer Data is necessary for the provision of the Services to the Customer. If Marzipan transfers Customer Data protected under this Contract to a jurisdiction for which the European Commission or UK Secretary of State (as applicable) has not issued an adequacy decision, Marzipan will ensure that appropriate safeguards have been implemented for the transfer of Customer Data in accordance with the Data Protection Laws.
- Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to Module Two (Controller to Processor) of the EU SCCs which is deemed entered (and incorporated into this DPA) and which shall apply as follows (unless stated otherwise, references to clause numbers are references to clause numbers of Module Two of the EU SCCs):
(a)The optional docking clause in Clause 7 does not apply;
(b)In Clause 9, Option 2 (general written authorisation) applies, and the minimum time period for prior notice of Sub-processor changes shall be as set forth in clause 9.2 of this DPA;
(c)In Clause 11, the optional language does not apply;
(d)All square brackets in Clause 12 are hereby removed;
(e)In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
(f)In Clause 18(b), disputes will be resolved before the courts of Ireland;
(g)Part 1 of Annex B ("Cross-Border Transfers") to this DPA contains the information required in Annex I of the EU SCCs;
(h)Part 1 of Annex B ("Cross-Border Transfers") to this DPA contains the information required in Annex II of the EU SCCs;
(i)By entering this DPA, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
- Ex-UK Transfers
(a)The parties agree that the IDTA DPA shall apply to an ex-UK Transfer. Part 2 of Annex B ("Cross-Border Transfers") contains the information required in the IDTA DPA.
- Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
(a)The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" as utilised in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 2022 (the "FADP", and as revised as of 25 September 2020, the "Revised FADP") with respect to data transfers subject to FADP.
(b)The terms of the EU SCCs shall be interpreted to protect the data of legal entities until effective under the Revised FADP.
(c)Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU Supervisory Authority shall have authority over data transfers governed by the EU GDPR. Subject to the foregoing, all other requirements of Clause 13 of the EU SCCs shall be observed.
(d)The term "EU Member State" as utilised in the EU SCCs shall not be interpreted in such a way as to exclude the Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.
- Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
(a)As of the date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Customer Data is being exported, for access to (or copies of) the Customer Data ("Government Agency Requests");
(b)If, after the date of this DPA, the Data Importer receives any Government Agency Requests, Marzipan shall attempt to redirect the law enforcement or government agency to request the data directly from the Customer. As part of this effort, the Customer agrees that we may provide the Customer’s basic contact information to the government agency. If compelled to disclose the Customer Data to a law enforcement or government agency, Marzipan shall give the Customer reasonable notice of the demand and cooperate to allow the Customer to seek a protective order or other appropriate remedy unless Marzipan is legally prohibited from doing so. Marzipan shall not voluntarily disclose Customer Data to any law enforcement or government agency. Marzipan shall (as soon as reasonably practicable) discuss and determine whether all or any of the transfers of Customer Data pursuant to this DPA should be suspended in the light of any such Government Agency Requests;
(c)Marzipan and the Data Exporter will meet regularly to consider whether:
a.The protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred as part of the Customer Data is sufficient to provide broadly equivalent protection to that afforded in the EEA or UK, whichever the case may be;
b.Additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Legislation;
c.It is still appropriate for Customer Data to be transferred to the relevant Data Importer, considering all relevant information available to the parties, together with guidance provided by the Supervisory Authorities.
(d)If the Data Protection Laws require Marzipan to execute the Standard Contractual Clauses applicable to a particular transfer of Customer Data to a Data Importer as a separate Contract, the Data Importer shall, on request of Marzipan, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by Marzipan to reflect the applicable annexes, the details of the transfer and the requirements of the Data Protection Laws; and
(e)If either (i) any of the means of legitimising transfers outside of the EEA, UK or Switzerland set forth in this DPA ceases to be valid; or (ii) any Supervisory Authority requires transfers of Customer Data pursuant to those means to be suspended, then the Data Importer may by notice to Marzipan, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.
- Sub-processors. Where the Customer consents to our appointment of a Sub-processor located outside of the EEA in compliance with the provisions of clause 9, or where the Customer elects to integrate a Third-Party Service from a Third-Party Service Provider outside the EEA in accordance with clause 3, the Customer authorises us to enter SCCs with that party, including in the Customer’s name and on the Customer’s behalf.
Complaints, Data Subject Requests and Third-Party Rights
- Marzipan will take such reasonable technical and organisational measures as appropriate, and promptly provide such information to the Customer as the Customer may require, to enable the Customer to comply with:
(a)the rights of Data Subjects under the Data Protection Laws, including subject access rights, the rights to rectify, port and erase Customer Data, object to the processing and automated processing of Customer Data, and restrict the processing of Customer Data; and
(b)information or assessment notices served on the Customer by the UK ICO (or any other relevant regulator in the EEA) under the Data Protection Laws.
- Marzipan will notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of Customer Data or to either Marzipan’s or the Customer’s compliance with the Data Protection Laws.
- Marzipan will notify the Customer within 14 days if it receives a request from a Data Subject for access to their Customer Data or to exercise any of their other rights under the Data Protection Laws.
- Marzipan will give the Customer its assistance in responding to any complaint, notice, communication or Data Subject request.
- Marzipan will not disclose the Customer Data to any Data Subject or to a third party other than in accordance with the Customer’s written instructions, or as required by domestic law.
Terms and Termination
- This DPA will remain in full force and effect so long as:
(a)the Contract remains in effect; or
(b)Marzipan retains any of the Customer Data related to the Contract in its possession or control (the "Term").
- Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Contract to protect the Customer Data will remain in full force and effect.
- Marzipan’s failure to comply with the terms of this DPA is a material breach of the Contract. In such event, the Customer may terminate the Contract effective immediately on written notice to Marzipan without incurring further liability or obligation.
- If a change in any Data Protection Laws prevents either party from fulfilling all or part of its Contract obligations, the parties may agree to suspend the processing of the Customer Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Data processing into compliance with the Data Protection Laws within 90 days, either party may terminate the Contract with immediate effect on written notice to the other party.
Data Return and Destruction
- At the Customer’s request, Marzipan will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Customer Data in its possession or control in the format and on the media reasonably specified by the Customer.
- On termination or other expiry of the Contract for any reason, or upon completion of the Services, Marzipan shall return or delete the Customer Data, unless further storage of Customer Data is required or authorised by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Marzipan shall take measures to block such Customer Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Customer Data remaining in its possession, custody or control. If Marzipan and the Customer have entered into Standard Contractual Clauses as described in clause 10 (Transfers of Customer Data), the parties agree that the certification of deletion that is required under Clause 8.1(d) of the EU SCCs and any applicable provision of the UK SCCs (as applicable) shall be provided by Marzipan to the Customer only upon the Customer’s written request.
- If any law, regulation, or government or regulatory body requires Marzipan to retain any documents or materials or Customer Data that Marzipan would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
- Marzipan will certify in writing to the Customer that it has destroyed the Customer Data within 30 days after it completes the deletion or destruction.
Records
- Marzipan will keep detailed, accurate and up-to-date written records regarding any processing of the Customer Data, including but not limited to, the access, control and security of the Customer Data, approved subcontractors, the processing purposes, categories of processing, any transfers of Customer Data to a third country and related safeguards, and a general description of the technical and organisational security measures implemented (the "Records").
- Marzipan will ensure that the Records are sufficient to enable the Customer to verify Marzipan’s compliance with its obligations under this Contract and Marzipan will provide the Customer with copies of the Records upon request.
Warranties
- Marzipan warrants and represents that:
(a)its employees, subcontractors, agents and any other person or persons accessing the Customer Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Laws;
(b)it and anyone operating on its behalf will process the Customer Data in compliance with the Data Protection Laws and other laws, enactments, regulations, orders, standards and other similar instruments;
(c)it has no reason to believe that the Data Protection Laws prevent it from providing any of the Contract's contracted services; and
(d)considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Customer Data and the accidental loss or destruction of, or damage to, Customer Data, and ensure a level of security appropriate to:
(i)the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage;
(ii)the nature of the Customer Data to be protected; and
(iii)comply with all applicable Data Protection Laws and its information and security policies.
Execution and Modifications
- The terms of this DPA are incorporated by reference into the Contract and are made a part thereof as though fully set forth in the Contract. By executing the Contract, the Customer expressly acknowledges and agrees that the Customer shall be bound by the terms of this DPA.
- Marzipan may upon presenting thirty (30) calendar days’ prior written notice make any reasonable variations to this DPA as required because of any change in, or decision of a competent authority under, the Data Protection Laws, to allow processing of Customer Data to be made (or continue to be made) without breach of the Data Protection Laws. If the Customer does not agree to any such variations then the Customer may, within such thirty (30) calendar days’ notice period, present written notice to Marzipan to terminate the Contract (including this DPA) with immediate effect to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof). The Customer shall pay Marzipan all fees and other sums that were incurred under or in connection with the Contract before the date of termination and which remain unpaid as of the date of termination. The Customer shall have no further claims (including requesting refunds for the Services) because of or in connection with the termination of this Contract pursuant to this clause 16.2.