Data Protection Addendum
1. INTERPRETATION
1.1 In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1, unless expressly stated otherwise:
(a) “Addendum Effective Date”: means May 25, 2018 if the Client accepted and returned the countersigned DPA OR the date on which the Client commenced utilizing the Solution to sell its Product in any EU country, if such date is after May 25, 2018.
(b) “Adequate Country”: means a country or territory outside the EU/EEA that is recognised for the purposes of EU Data Protection Laws (including by virtue of a decision of the European Commission) as providing an adequate level of protection for Personal Data.
(c) “Agreement”: means the Client Subscription Terms and Conditions entered into by and between the Parties by way of execution of a Client Subscription Order.
(d) “Anonymised Data”: means any Personal Data (including Client EU Personal Data), which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Flow or any other party reasonably likely to receive or access that Personal Data.
(e) “Business Day”: means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business.
(f) “Client EU Personal Data”: means any Personal Data, of an identified or identifiable natural person who is physically (based on geolocation data) located in the EU/EEA, that is Processed by Flow on behalf of Client pursuant to or in connection with the Agreement.
(g) “Customer Obligations”: means processing any Customer Orders placed, and processing any Returns (together with all activities and communications relating to each of the foregoing, including: order acknowledgement, order confirmation, shipment confirmation, returns authorisation and instructions or other customer service requirements), and related activities under or in connection with the Agreement.
(h) “Data Deletion Date”: means the date falling sixty (60) days after the earlier of: (i) the expiry of the Data Retention Period; or (ii) the date on which Client submits a request (pursuant to and in accordance with Paragraph 9.4) that Flow Delete the Client EU Personal Data.
(i) “Data Subject Request”: means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.
(j) “Data Subject”: means the identified or identifiable natural person located in the EU/EEA to whom Client EU Personal Data relates.
(k) “Delete”: means to irretrievably ‘de-identify’ Personal Data such that it is physically removed or otherwise rendered as Anonymised Data. “Deletion” and “Deleted” shall be construed accordingly.
(l) “EU Data Protection Laws”: means until 24 May 2018, EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and, with effect from 25 May 2018, the GDPR.
(m) “Flow Offering”: means the making available of the Flow Solution (together with the processing of Customer Orders, Returns and any other associated activities) under, and as further described in, the Agreement.
(n) “GDPR”: means the EU General Data Protection Regulation 2016/679 and, to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom that is identical to the GDPR in all material respects. References to “Articles” or “Chapters” of the GDPR shall be construed accordingly.
(o) “Personnel”: means a person’s employees, agents, consultants or contractors.
(p) “Subprocessor”: means any third party appointed by or on behalf of Flow to Process Client EU Personal Data.
(q) “Termination Date”: means the effective date of termination or expiry of the Agreement.
(r) “Third Country”: means a country or territory outside the EU/EEA that is not an Adequate Country.
(s) “Transfer”: means the transfer of Client EU Personal Data to a Third Country.
1.2 In this Data Processing Addendum:
(a) the terms “Data Controller”, “Data Processor”, “Member State”, “Personal Data”, “Personal Data Breach”, “Process/Processing” and “Supervisory Authority” shall have the meaning ascribed to such terms in the EU Data Protection Laws;
(b) unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Agreement;
(c) any reference to a “Section” in this Data Processing Addendum is a reference to the corresponding section in the Agreement; and
(d) any reference to ‘legislation’ in this Data Processing Addendum shall be construed as meaning that legislation itself, together with any applicable judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
2. PROCESSING OF CLIENT EU PERSONAL DATA
2.1 With respect to Client EU Personal Data, the Parties acknowledge that:
(a) Flow acts as a Data Processor; and
(b) Client acts as the Data Controller.
2.2 Flow shall:
(a) comply with all applicable EU Data Protection Laws in Processing Client EU Personal Data; and
(b) not Process Client EU Personal Data other than:
(i) on Client’s instructions (subject always to Paragraph 2.7); and
(ii) as required by applicable laws.
2.3 Client instructs Flow to Process Client EU Personal Data as necessary:
(a) to provide the Flow Offering to Client in the fashion described in the Agreement;
(b) to perform Flow’s obligations and exercise Flow’s rights under the Agreement; and
(c) (where Client elects to receive such services as part of the Flow Solution) to transfer Client EU Personal Data to providers of various services, including logistics, payment processing, and the FPS to enable them to provide such services to Client and their other customers and partners (in the fashion described in Flow’s Privacy Policy posted at: https://www.flow.io/policies/privacy).
2.4 The Appendix to this Data Processing Addendum sets out certain information regarding Flow’s Processing of Client EU Personal Data as required by Article 28(3) of the GDPR.
2.5 Client may request to amend the Appendix to this Data Processing Addendum with sixty (60) days’ written notice to Flow from time to time as Client reasonably considers necessary to meet any applicable requirements of EU Data Protection Laws. Nothing in the Appendix to this Data Processing Addendum (including as amended pursuant to this Paragraph 2.5) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
2.6 Where Flow receives an instruction from Client that, in its reasonable opinion, infringes the GDPR, Flow shall inform Client.
2.7 Client acknowledges and agrees that any instructions issued by Client with regards to the Processing by Flow of Client EU Personal Data pursuant to or in connection with the Agreement shall:
(a) be strictly required for the sole purpose of ensuring compliance with EU Data Protection Laws; and
(b) not relate to the scope of the Flow Offering or otherwise materially change: (i) the Flow Offering, or (ii) Flow’s obligations or responsibilities to Client or any third party.
2.8 If Flow considers (in its reasonable discretion) that:
(a) it is unable to adhere to, perform or implement any instructions issued by Client due to the technical limitations of its systems, equipment and/or facilities; and/or
(b) to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise),
the Parties shall work together to establish an agreeable alternative method of ensuring compliance with EU Data Protection Laws.
2.9 Client represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Flow of Client EU Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Client from time to time with respect to such Processing).
3. FLOW PERSONNEL
Flow shall take reasonable steps to ensure the reliability of any Flow Personnel who may Process Client EU Personal Data subject to its Information Security Policy.
4. SECURITY
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Flow shall in relation to the Client EU Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Flow shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
5. SUBPROCESSING
5.1 Client authorises Flow to appoint Subprocessors in accordance with this Paragraph 5.
5.2 Flow may continue to use those Subprocessors already engaged by Flow as at the date of this Data Processing Addendum, subject to Flow in each case as soon as reasonably practicable meeting the obligations set out in Paragraph 5.4.
5.3 Flow may from time to time appoint new Subprocessors to Process Client EU Personal Data in their provision of the following elements of the Flow Offering:
(a) the hosting of the Flow Solution;
(b) the shipping, tracking and delivery of Customer Orders and Returns;
(c) the processing of payments and refunds for Customer Orders;
(d) tax and duty calculation associated with Customer Orders;
(e) the tracking of inventory associated with Customer Orders;
(f) localization of content;
(g) the analysis of data and insights that may be obtained from Customer Orders;
(h) other third parties that facilitate services provided by the Flow Solution or expansion of Flow’s product suite; and
(i) any other services provided by the Flow Solution or expansion of Flow’s product suite.
5.4 With respect to each Subprocessor, Flow shall:
(a) before the Subprocessor first Processes Client EU Personal Data (or, as soon as reasonably practicable, in accordance with Paragraph 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Client EU Personal Data required by this Data Processing Addendum; and
(b) ensure that the arrangement between Flow and the Subprocessor is governed by a written contract including terms which meet the requirements of Article 28(3) of the GDPR.
6. DATA SUBJECT RIGHTS
6.1 Taking into account the nature of the Processing, Flow shall provide Client with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Client in fulfilling its obligation to respond to Data Subject Requests.
6.2 In the event that Flow receives a Data Subject Request:
(a) Client instructs Flow to:
(i) notify that Data Subject of Client’s status as ‘Data Controller’ and request that the Data Subject contact the Client directly; and
(ii) provide the Data Subject with appropriate information (e.g., Client’s contact details) to enable the Data Subject to make such direct contact with Client; and
(b) save in respect of the process described in Paragraph 6.2(a), Flow will not respond to such Data Subject Request except on the documented instructions of Client (and in such circumstances, at Client’s cost) or as required by applicable laws.
7. PERSONAL DATA BREACH
7.1 Flow shall notify Client without undue delay upon Flow becoming aware of a Personal Data Breach affecting Client EU Personal Data, providing Client with sufficient information (insofar as such information is within Flow’s possession) to allow Client to meet any obligations to report or inform affected Data Subjects of the Personal Data Breach under EU Data Protection Laws.
7.2 Flow shall co-operate with Client and take such reasonable commercial steps as may be directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Flow shall provide reasonable assistance to Client, at Client’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Client reasonably considers to be required of Client by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Client EU Personal Data by, and taking into account the nature of the Processing and information available to, Flow.
9. DELETION OF CLIENT EU PERSONAL DATA
9.1 By the Data Deletion Date, Flow shall have Deleted, and/or procured the Deletion of, all Client EU Personal Data. Client acknowledges and agrees that the foregoing obligation is expressly subject to Paragraph 9.6, and without prejudice to Flow’s right to purge and delete certain elements of Client Data (together with any Client EU Personal Data comprised therein) under Section 3.4.
9.2 Client hereby acknowledges and agrees that, due to the data security practices implemented by and on behalf of Flow, return (as opposed to Deletion) of Client EU Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Client agrees that (for the purposes of Article 28(3)(g)) it is hereby deemed to have selected deletion, in preference to return, of the Client EU Personal Data.
9.3 Following the Termination Date, and without prejudice to Flow’s right to purge and delete certain elements of Client Data (together with any Client EU Personal Data comprised therein) pursuant to Section 3.4, Client instructs Flow to retain and Process Client EU Personal Data:
(a) to enable Client to retrieve the Client Data via the Flow Solution tools in accordance with Section 3.4 for the period determined by such Section; and
(b) to enable Flow to perform the Customer Obligations for such period as may be required to enable Flow to perform the Customer Obligations (the “Data Retention Period”).
9.4 Notwithstanding Paragraph 9.3, but subject always to Paragraph 9.5, on written request from Client, made after the Termination Date, Flow shall Delete the Client EU Personal Data in accordance with Paragraph 9.1.
9.5 In the event that, as a result of Flow’s Deletion of Client EU Personal Data in fulfilment of Client’s request to do so pursuant to Paragraph 9.4, Flow is unable to perform any Customer Obligations, Client will indemnify, defend, and hold Flow, its affiliates, and each of their respective officers, directors, agents, independent contractors, and employees harmless from and against any and all claims, damages, losses, or expenses (including without limitation reasonable attorneys' fees incurred) arising out of any claim by a third party (including without limitation, customers or governmental authorities) relating to, or arising as a result of, such inability to perform any Customer Obligations.
9.6 Notwithstanding Paragraph 9.1, Flow may retain Client EU Personal Data after the Data Deletion Date to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Flow shall ensure the confidentiality of all such Client EU Personal Data and shall ensure that such Client EU Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
10. AUDIT RIGHTS
10.1 Flow shall make available to Client on request such information as Flow considers reasonably appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.
10.2 Subject to Paragraphs 10.3 and 10.4, in the event that Client (acting reasonably) is able to provide documentary evidence that the information made available by Flow pursuant to Paragraph 10.1 is insufficient to demonstrate Flow’s compliance with this Data Processing Addendum, Flow shall allow for and contribute to audits, by Client or an auditor mandated by Client in relation to the Processing of the Client EU Personal Data by Flow.
10.3 Client shall give Flow reasonable notice of any audit to be conducted under Paragraph 10.2 (which shall in no event be less than sixty (60) days’ written notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Flow in respect of, any damage or disruption to Flow’s equipment, data, and business (including any interference with the confidentiality or security of the data of Flow’s other customers, or the availability or performance of the Flow Solution, or any services provided to such other customers) that occurs in the course of any such audits.
10.4 Flow need not permit any audit to take place:
(a) by any auditor to whom Flow has not given its prior written approval (not to be unreasonably withheld);
(b) unless the relevant auditor enters into a non-disclosure agreement with Flow on terms acceptable to Flow;
(c) where, and to the extent that, Flow considers (acting reasonably) that such audit would result in interference with either: (i) the confidentiality or security of the data of Flow’s other customers or the availability or performance of the Flow Solution; or (ii) its provision of any services to any other customers; or
(d) on more than one (1) occasion in each period of twelve (12) months during the term of the Agreement (or where the term of the Agreement is less than twelve (12) months, on more than one (1) occasion during such shorter term).
10.5 Client shall:
(a) bear any third party costs in connection with such audit; and
(b) reimburse Flow for all costs incurred by Flow for any time spent by Flow (at Flow’s then-current professional services rates) in connection with any such audit.
11. RESTRICTED TRANSFERS
11.1 Client acknowledges and agrees that, in the event that the Processing by Flow carried out in the provision of the Flow Offering constitutes a Transfer from Client to Flow, such Transfer does not contravene Chapter V of the GDPR due to the fact of Flow’s EU-U.S. Privacy Shield certification.
11.2 Flow commits to comply with the EU-U.S. Privacy Shield Principles in performance of its obligations under this Data Processing Addendum, including in respect of onward transfer to any Subprocessor based in a Third Country.
12. CHANGE IN LAWS
12.1 In the event that there is a change in the EU Data Protection Laws that Flow considers (acting reasonably) would mean that Flow is no longer able to provide the Flow Offering (including Processing Client EU Personal Data) in accordance with its obligations under EU Data Protection Laws, Flow reserves the right to make such changes to the Flow Offering and to amend any part of this Data Processing Addendum as it considers reasonably necessary to ensure that Flow is able to provide the Flow Offering in accordance with EU Data Protection Laws.
12.2 In the event that Client considers (acting reasonably) that any required changes made either to the Flow Offering and/or this Data Processing Addendum pursuant to Paragraph 12.1 will cause material harm to Client, Client may terminate the Agreement in its entirety upon written notice to Client with immediate effect.
13. ANONYMOUS DATA
Client acknowledges and agrees that Flow shall be freely able to use and disclose Anonymised Data for Flow’s own business purposes.
Appendix to Data Processing Addendum
Data Processing Details
This Appendix to the Data Processing Addendum includes certain details of the Processing of Client EU Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Client EU Personal Data
The subject matter and duration of the Processing of the Client EU Personal Data are set out in the Agreement and the Data Processing Addendum.
The nature and purpose of the Processing of Client EU Personal Data
- To liaise with Client’s Personnel in relation to the parties’ performance of the Agreement.
- As part of Flow’s provision of the Flow Solution, including:
  - the hosting of the Flow Solution;
  - the presentation to Customers of geo-targeted checkout and/or payment pages or facilities;
  - the shipping, tracking and delivery of Customer Orders and Returns;
  - the processing of payments and refunds for Customer Orders;
  - FPS;
  - tax and duty calculation associated with Customer Orders;
  - the tracking of inventory associated with Customer Orders;
  - the analysis for Client of data and insights that may be obtained from Customer Orders; and
  - any other services provided by the Flow Solution or expansion of Flow’s product suite.
The types of Client EU Personal Data to be Processed
- The names, email addresses, postal addresses, other contact details and payment details of Client’s customers
- The names and email addresses, and other Personal Data, provided by Client’s Personnel to use or access the Flow Solution (including any Personal Data comprised in the log-in details or other access protocols therefor).
- The names, email addresses and other contact details of Client’s Personnel with whom Flow needs to liaise in the provision of the Flow Offering.
- Certain technical information relating to Customers (including IP addresses, geo-location, cookie data (including opt-in/opt-out status) and other session/tracking data).
The categories of Data Subject to whom the Client EU Personal Data relates
- (Only to the extent such individuals are based in the EU/EEA) Client’s Personnel
- Client’s Customers who place Customer Orders via Flow.
The obligations and rights of Client
The obligations and rights of Client are set out in the Agreement and the Data Processing Addendum.